Privacy Policy

Introduction

HEBRON BIBLE-PRESBYTERIAN CHURCH ("HBPC", "the Church", "we", "us", "our") is committed to protecting the personal data entrusted to us and to handling such data in accordance with the Personal Data Protection Act 2012 of Singapore ("PDPA") and applicable guidance issued by the Personal Data Protection Commission of Singapore ("PDPC").

This Privacy Policy explains how HBPC collects, uses, discloses, stores, protects and disposes of personal data in the course of its worship services, ministries, events, pastoral work, volunteer management, employment, communications, website operations and related church activities.

This Policy applies to personal data in our possession or under our control, including personal data processed on our behalf by service providers engaged by us.

Scope

This Policy may apply to, among others:

• members (communicant & non-communicant) and regular attendees;
• visitors and guests;
• children, youths and their parents or guardians;
• volunteers, ministry leaders and pastoral workers;
• donors and supporters;
• staff, interns and job applicants;
• vendors, contractors and service providers;
• persons who contact us, register for events, submit forms, or use our online services.

Definitions

• "Personal data" means data, whether true or not, about an individual who can be identified from that data, or from that data and other information to which HBPC has or is likely to have access.
• "Identification" means distinguishing one person from another, for example by name, mobile number, email address or internal member record.
• "Authentication" means proving that a person is who he or she claims to be before granting access to services, systems or information intended only for that person.
• "Storage" includes holding personal data in paper files, forms, spreadsheets, databases, church management systems, email systems, chat tools, cloud services, media archives, CCTV systems and backup systems.
• "Minor" means, for the purpose of this Policy, a person below 18 years of age.
• "Child" means, for the purpose of this Policy, a person below 13 years of age.

Data Protection Officer

HBPC shall designate at least one Data Protection Officer ("DPO") responsible for overseeing compliance with the PDPA and this Policy.

Questions, access requests, correction requests, withdrawal requests and complaints relating to personal data should be directed to the DPO.

Personal Data We May Collect

Depending on the nature of your interaction with HBPC, we may collect personal data such as:

• full name and preferred name;
• contact details such as mobile number, email address and residential address;
• date of birth or age range where reasonably necessary;
• family and household information, including parent or guardian details and emergency contacts where reasonably necessary;
• ministry, pastoral and membership-related information;
• attendance and participation records for services, classes, courses, camps, meetings and events;
• volunteer, internship and employment information;
• donation, pledge, payment and transaction records;
• correspondence, feedback, prayer requests and support requests;
• photographs, video recordings, livestream recordings, audio recordings and CCTV footage;
• website, app and technical information such as IP address, cookies and browser information where applicable;
• any other personal data reasonably required for a lawful and appropriate church purpose.

Purposes for Collection, Use and Disclosure

HBPC may collect, use and disclose personal data for purposes such as:

• administering membership, attendance, pastoral care, discipleship and church communications;
• organising and managing worship services, classes, fellowships, camps, meetings, events and ministry activities;
• contacting individuals regarding church matters, registrations, scheduling, support or follow-up;
• safeguarding children, youths, vulnerable persons and event participants;
• processing donations, payments, reimbursements and financial records;
• managing volunteer recruitment, deployment, training and service;
• evaluating and processing internship and employment applications;
• ensuring building, premises and event security, including by CCTV where applicable;
• operating the Church's website, forms, digital platforms and media channels;
• documenting church life and communicating church activities through publications, announcements, archives, websites, livestreams and official social media;
• complying with applicable legal, regulatory, audit, accounting, governance and risk-management requirements;
• handling requests for access, correction, complaints, incidents and investigations;
• any other purpose notified at or before the point of collection, or otherwise permitted by law.

HBPC will seek to collect only the personal data that is reasonably necessary for the relevant purpose.

Consent, Notification and Third-Party Data

Where required, HBPC will notify individuals of the purposes for which personal data is collected, used or disclosed, and obtain consent in accordance with the PDPA.

Consent may be obtained in writing, electronically, verbally where appropriate, or by conduct where permitted by law. In some cases, consent may be deemed where an individual voluntarily provides personal data for an obvious purpose and it is reasonable in the circumstances.

Where a person provides personal data relating to another individual, including a spouse, parent, child, family member, dependant or emergency contact, that person must ensure that he or she is authorised to do so.

HBPC may rely on exceptions to consent where the PDPA or other applicable law permits.

Photos, Videos, Livestreams and Audio Recordings

Accuracy and Updating of Personal Data

HBPC will take reasonable steps to ensure that personal data collected by or on behalf of the Church is accurate and complete if it is likely to be used to make a decision affecting the individual or is likely to be disclosed to another organisation.

Individuals should notify HBPC if their personal data changes.

Access and Correction Requests

Subject to the PDPA and applicable exceptions, an individual may request access to personal data about that individual in HBPC's possession or under its control, and correction of personal data that is inaccurate or incomplete.

HBPC may require sufficient information to verify identity before processing any request. Where necessary, HBPC may sight an identity document for verification, but will not retain a copy unless legally required.

HBPC may charge a reasonable administrative fee for access requests where permitted by law and will inform the requester in advance if such a fee applies.

Withdrawal of Consent

An individual may withdraw consent to HBPC's collection, use or disclosure of his or her personal data by giving reasonable notice in writing to the DPO.

Upon receiving a withdrawal request, HBPC will explain the likely consequences and, subject to legal and operational constraints, cease the relevant collection, use or disclosure within a reasonable time.

Disclosure to Third Parties

HBPC may disclose personal data where appropriate to:

• ministry leaders, pastoral workers, staff and authorised volunteers on a need-to-know basis;
• service providers engaged by HBPC, such as IT vendors, cloud service providers, payment processors, photographers, videographers, printers, mail service providers and event partners;
• professional advisers such as auditors, lawyers, accountants and insurers;
• banks and payment service providers;
• regulatory authorities, law enforcement agencies, courts or other public agencies where required or permitted by law;
• other third parties where the individual has consented or where disclosure is otherwise permitted by law.

HBPC will take reasonable steps to ensure that third parties processing personal data on its behalf provide a standard of protection comparable to that required under the PDPA.

Transfers Outside Singapore

Where HBPC transfers personal data outside Singapore or uses service providers that process personal data outside Singapore, HBPC will take reasonable steps to ensure that the recipient is bound by legally enforceable obligations to provide a standard of protection comparable to that under the PDPA.

Protection of Personal Data

HBPC will implement reasonable administrative, physical and technical security measures to protect personal data against unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks. Such measures may include:

• role-based access controls;
• restricted administrator rights;
• password and authentication controls;
• secure cloud configurations;
• device and account management;
• staff and volunteer confidentiality expectations;
• secure disposal procedures;
• incident reporting and breach response procedures;
• periodic review of forms, storage locations and data access practices.

Volunteers and ministry workers will only be given access to personal data to the extent reasonably necessary for authorised church purposes.

Retention and Disposal

HBPC will retain personal data only for as long as it is reasonably necessary for the purpose for which it was collected, and for as long as retention is required or permitted by law.

When personal data is no longer necessary for legal or business purposes, HBPC will cease to retain it, delete it, anonymise it, or remove the means by which it can be associated with particular individuals, as appropriate.

HBPC may maintain different retention periods for different categories of records, including membership records, financial records, child-safeguarding records, pastoral records, media archives, HR records and CCTV footage.

Website, Digital Platforms and Cookies

HBPC's websites, forms, digital platforms and online services may collect technical and usage information such as IP addresses, browser type, device data and cookies. Such data may be used for security, analytics, maintenance, usability improvement and site administration.

Where required, HBPC will provide appropriate notice in relation to cookies or similar technologies.

Data Breaches and Incident Response

HBPC will investigate suspected personal data incidents and take reasonable steps to contain, assess and remediate them. Where required by law, HBPC will notify the PDPC and affected individuals of a notifiable data breach.

All staff, ministry leaders and volunteers who become aware of an actual or suspected personal data incident must promptly report it through HBPC's internal incident reporting process.

Policy Updates

HBPC may amend this Policy from time to time to reflect changes in law, PDPC guidance, Church operations or data handling practices. The latest version of this Policy will be made available through HBPC's official channels.

Contact

If you have any questions, requests or complaints relating to this Policy or HBPC's handling of personal data, please contact: