Protection Policy


Singapore Buddhist Free Clinic respect the privacy and confidentiality individual’s personal data. We are committed to implementing policies, practices and processes to safeguard the collection, use and disclosure of the personal data you provide us, in compliance with the Singapore Personal Data Protection Act (PDPA) 2012.

We have developed this Privacy / Data Protection Policy to assist you in understanding how we collect, use, disclose, process and retain your personal data with regards to:

Document Control

Organisation Singapore Buddhist Free Clinic
Title Personal Data Protection Policy
Owner DPO Office
Original Issue Date 28 July 2017
Revised on 10 April 2018

Revision History

Edition Edited By Date Approved On Approved By
First Edition Tan JN 7 June 2017 17 Jun 2017 BOD
2nd Edition Tan JN 10 April 2018 13 April 2018 BOD

Document Distribution

Data Protection Unit Designation
Main Office HR Manager (Chief Data Protection Officer)
Financial Controller, Sr Accounts Assistant, Accounts Assistants
Admin Manager, Finance cum Admin Assistant
Main/Branch Clinics Branch Managers, Assistant Br Managers, Physicians, Clinic Assistants

How We Collect Your Personal Data

The PDPA defines personal data as “data”, whether true or not, about an individual who can be identified

  1. From that data; or
  2. From that data and other information to which the organisation has or is likely to have access.”

We collect the personal data of our prospects and clients through the following methods / channels:

  1. When you apply to join us as members
  2. When you accept appointment as our Trustees, Directors or Committees
  3. When you make donation online/offline
  4. When you visit us for consultation/counselling
  5. When you apply for our job vacancy
  6. When you apply for fee waiver
  7. When you participate in our fund raising events
  8. When you sign up for our seminars
  9. When you give us your feedback
  10. When you send in your personal details to us via email 

Types of Personal Data We Collect About You

The types of personal data we collect about you may include:

  1. Personal Details e.g. Name, Nationality, NRIC, Foreign Identification Numbers, Work Permit, Passport, Date of Birth, Gender
  2. Personal Contact Information e.g. Addresses, phone numbers, email addresses
  3. Marital Status
  4. Educational and Professional Qualifications
  5. Medical Details/Health Information
  6. Family Income (for application of fee waiver)
  7. Employment History (for job application)
  8. Family Background, Financial Information (for staff and job application)
  9. Bank account number (for staff)
  10. Photos & Video Footage

How We Use Your Personal Data

We use the personal data we have collected about you for one or more of the following purposes:

  1. Process and administer donations received
  2. Organising campaigns to raise funds
  3. Process applications for volunteering opportunities at our events and/or services
  4. Maintain records for medical consultation
  5. Maintain records for counselling services
  6. Process membership application and administer membership records
  7. Recruitment & selection
  8. Staff remuneration, benefits, training & development, appraisal etc.
  9. Sending out newsletters and updates
  10. Comply with legal obligations and regulatory requirements
  11. Seeking feedback/comments regarding our services
  12. Maintain and Update various records in our databases
  13. Printing of receipts
  14. Contract signing or renewal
  15. Responding to feedbacks and suggestions
  16. Feedbacks/claims/disputes investigations and responses
  17. Provide usage of online services
  18. Communicate with donors, patients, employees, members and website visitors
  19. Any other reasonable usages­­­­­

Who We Disclose Your Personal Data To

Where required to do so by law, we will disclose your personal data to the relevant authorities or to law enforcement agencies upon their requests.

A. Government and Statutory Department

  1. The Registry of Societies
  2. The commissioner of Charities
  3. Ministry of Health, Hospitals
  4. Ministry of Home Affairs, Police
  5. Ministry of Defense, Central Manpower Base
  6. Ministry of Manpower
  7. Central Provident Fund Board
  8. Inlands Revenue Authority of Singapore
  9. Housing and Development Board
  10. Marriage Registry
  11. National Counsel for Social Services
  12. Other government department/agencies

B. Private Organisations

  1. External Consultants (e.g. Auditors/Lawyers)
  2. Banks or Financial Institutions
  3. Information Technology Service Providers
  4. Insurance Companies (Group Insurance for Employees)
  5. Post Office, delivery and courier services
  6. Our authorized printing agencies
  7. Events/Programs/Videos Producers
  8. Multi-Media

How We Manage the Collection, Use and Disclosure of Your Personal Data

We take our responsibilities under the PDPA seriously. We are committed to implementing policies, practices and processes for data protection that comply closely with the PDPA obligations. These are elaborated in the rest of this Policy document.

1. Personal Data Security and Storage

If data are stored on paper, it should be safe kept by the responsible employees. For data kept in server:

  1. The server should be protected by physical lock,
  2. There must be regular backup (at least weekly),   there must be quarterly restoration to ensure the successful back up and restoration.
  3. Access to server must be protected by login ID and password,
  4. The data server must be protected by firewall to minimize the risk of cyber attack. 

2. Obtaining Consent

Before we collect, use or disclose your personal data, we will notify you of the purpose why we are doing so via our data protection policy available at our website. We next obtain written confirmation from you on your expressed consent. As far as possible, we will not collect more personal data than necessary for the stated purpose.

Under certain circumstances, we may assume deemed consent from you when you voluntarily provide your personal data for the stated purpose, e.g. when you visit our clinics for consultation, or when you make a donation online/office and provide personal particulars for tax deduction purposes .

3. Third-Party Consent

If you have a one-on-one meeting with us or do a transaction with us on behalf of another individual, you must first obtain consent from that individual in order for us to collect, use or disclose his/her personal data.

4. Withdrawal of Consent for receiving communication from us

If you wish to withdraw consent for receiving communication from us, you should give us reasonable advance notice. You have to be aware, though, of the likely consequences of your withdrawal of consent, e.g. without your consent, we may not be able to inform you of future updates.

Your request for withdrawal of consent can take the form of an email or letter to us.

Accessing and Making Correction to Your Personal Data

You may write in to us, based on reasonable grounds, to find out how we have been using or disclosing your personal data. We are obligated under the PDPA to allow you access to your personal data of the past one year, and to make any correction if there is any error or omission. Before we accede to your request, we may need to verify your identity by checking your NRIC or other legal identification document. We will try to respond to your request within 30 days. We will give you an estimate of how long it is going to take to retrieve all the relevant data if it requires more than 30 days to retrieve the data you requested.

Accuracy of Your Personal Data

We will take reasonable precautions and verification checks to ensure that the personal data we have collected from you is reasonably accurate, complete and up-to-date. From time to time, we will do a verification exercise for you to update us on any changes to your personal data. If you are our members, staff, patients, donors or volunteers, it is important that you update us if there are any changes in your personal information such as your home address, phone number etc

Protection of Personal Data

We have implemented an Information Security Policy that governs how personal data and confidential information are protected within our organisation.

  1. We will take the necessary security arrangements to protect your personal data that is under our charge or control to prevent unauthorised access, collection, use, disclosure, or similar risks.
  2. All our employees will take reasonable and appropriate measures to maintain the confidentiality and integrity of your personal data, and will only share your data with authorised persons on a ‘need to know’ basis.
  3. External data intermediaries who process and maintain your personal data on our behalf will be bound by contractual data security arrangements we have with them.

Retention of Personal Data

We will not retain any of your personal data under our charge or control when it is no longer necessary for any business or legal purposes. We have a Document Retention Policy that spells out how long we ought to retain each type of confidential document or personal data. Certain retention periods are based on statutory or regulatory requirements.

We will ensure that your personal data that no longer has any business or legal use will be destroyed or disposed of in a secure manner. This applies to both paper documents and electronic data stored in databases. 

Disposal of Personal Data no longer required

  1. Generally, for Personal Data no longer required, it must be disposed of in the following manner,
  2. Need to confirm data are due for disposal/destruction by referring to data retention policy.
  3. All personal data must be disposed in a secured way, eg: by shedding, incineration, safe disposal companies with certifications.
  4. Need to perform secure deletion, erase data written on media meant for disposal, redeploying or exchanging,
  5. Record keeping for disposal – stating the date, brief description of documents destroyed, method of disposal, name of staff responsible.

Transfer of Personal Data

If there is a need for us to transfer your personal data to another country, (eg.the servers are located outside Singapore)

Please note that your personal data may be transferred to — and maintained on — computers located outside Singapore where the data protection laws may differ from those in your state, province, country or other governmental jurisdiction.

If you are located outside Singapore and choose to provide your personal data to us, please note that we transfer the information to Singapore for processing here.

What to do if you have a concern/feedback

If you have any concerns or problems with the way your personal data has been handled, please contact our Data Protection Officer at

To assist us in dealing with your complaint, please provide the following:

  1. Full name and NRIC or Passport number of the person lodging the complaint;
  2. A clear photocopy of his/her NRIC or Passport;
  3. Contact details;
  4. Name of the officer, employee (and his/her division) by whom the Personal Data was collected;
  5. Details of the complaint;
  6. Time frame over which the suspected wrongdoing occurred; and
  7. Documentary evidence in support of the complaint.

Complaints procedure

Upon receiving your complaint, our Data Protection Officer(s) will confirm that your complaint will be investigated within 3 working days and provide you with an estimate of how long you should expect to wait to receive a full response. While SBFC endeavours to respond as promptly as possible, response times will vary depending on the nature of the complaint.

Our Data Protection Officers will liaise with the relevant departments to investigate your complaint. You will be notified of the investigation outcome in writing within reasonable time and any action(s) taken if your complaint has been upheld, or otherwise.

Appeal Procedure

If you feel that your complaint has not been resolved satisfactorily by our Data Protection Officers, you may appeal to the Board Members of the SBFC within fourteen (14) days of receipt of the written notice of our Data Protection Officers informing you of the outcome of the investigations into your complaint.

SBFCs Senior Management will inform you of the outcome of their re-investigation.

How to handle Data Breach (if any)

  1. The reporting party will fill up an incident report providing as much details as possible as suggested in the form (Appendix 1)
  2. The DPO will analyze the Breach and classify them into:
    1. Malicious Activities
    2. Staff errors
    3. Vendor’s errors
    4. Physical Security Breach
    5. Computer Security Breach
    6. Cyber Attack
  3. Containing the Breach
    1. Shut down the compromised system that led to the data breach
    2. Put a stop to practices that led to the data breach
    3. Isolate the causes of the data breach in the system, and where applicable, change the access rights to the compromised system and remove external connections to the system
    4. Establish whether steps can be taken to recover lost data and limit any damage caused by the breach
    5. Address lapses in processes that led to the data breach
    6. Prevent further unauthorized access to the system. Reset passwords if accounts and passwords have been compromised
  4. Assessing Risks and Impact
    1. Risk and Impact on Individuals
      1. How many people were affected?
      2. Whose personal data had been breached?
      3. What types of personal data were involved?
      4. Any additional measures in place to minimize the impact of a data breach
    2. Risk and Impact on Organizations
      1. What caused the data breach?
      2. When and how often did the breach occur?
      3. Who might gain access to the compromised personal data?
      4. Will compromised data affect transactions with any other third parties?
  5. Reporting the Incident
    1. Who to notify?
      1. Individuals whose personal data have been compromised. This includes guardians or parents of young children whose personal data have been compromised.
      2. Other parties such as banks, credit card companies or the police, where relevant.
      3. PDPC especially if data breach involves sensitive personal data. Details Required:
        • Extent of the data breach
        • Type and volume of personal data involved
        • Cause or suspected cause of the breach
        • Whether the breach has been rectified
        • Measures and processes that the organization had put in place at the time of the breach
        • Information on whether affected individuals of the data breach were notified
        • Contact details of persons whom the PDPC could liaise with for further information or clarification
      4. Details (listed in item iii above) of data breach can be sent to the PDPC at For urgent notification of major cases, organizations may also contact the commission at +65 63773131
    2. When to notify?
      1. Affected individuals immediately if a data breach involves sensitive personal data. This allows them to take necessary actions early to avoid potential abuse of the compromised data.
      2. Affected individuals when the data breach is resolved.
    3. How to notify?
      1. Adopt the most effective ways to reach out to affected individuals, taking into consideration the urgency of the situation and number of individuals affected. (eg media releases, social media, e-mails, telephone calls, faxes and letters)
    4. What to notify?
      1. How and when the data breach occurred, types of personal data involved in the data breach.
      2. What the organization has done or will be doing in response to the risks brought about by the data breach
      3. Specific facts on the data breach where applicable, and actions individuals can take to prevent that data from being misused or abused.
      4. Contact details and how affected individuals can reach the organization for further information or assistance (eg helpline numbers, e-mail addresses or websites).

Changes to This Data Protection Policy

We will update our Data Protection Policy when need arises. We will notify you of any changes by posting the policy on this page.

Please revisit this page for the latest update. Changes to this Policy are effective when they are posted on this page.

Contacting Us

If you have any questions about our collection, use, and/or disclosure of your personal data; feedback regarding this Policy, or any complaint you have relating to how we manage your personal data, you may contact our Data Protection Officer(s) at

Name:  Data Protection Officer
Contact Number:  63090599  
Email Address:  

Any query or complaint should include, at least, the following details:

  1. Full name and email address
  2. Brief description of the query or complaint

We treat such queries and complaints seriously and will deal with them confidentially and within reasonable time.