Personal Data Protection Policy

A. Purpose
A.1 The Methodist School of Music (“MSM” or “We”) is committed to safeguarding the personal data entrusted to us by individuals and complies with the Personal Data Protection Act 2012 (“PDPA”) of Singapore.
A.2  By interacting with MSM—submitting information, registering for courses or events—you consent to MSM collecting, using, disclosing, and sharing your personal data among our staff, representatives, agents, and authorised service providers, in line with this Policy.
A.3  This Policy outlines MSM’s principles and practices for personal data protection and works in conjunction with any specific notices or terms we issue.

B. Definitions
B.1  “Personal data” means any data, whether true or not, about an individual who can be identified from it or from other data MSM has access to.
B.2  “Individual” refers to any natural person whose data MSM collects, including but not limited to students, staff, volunteers, donors, beneficiaries, event participants, and website users.
B.3  “Purpose” refers to the reasons MSM collects, uses, and discloses personal data.

C. Responsibilities
C.1  MSM’s leadership is responsible for ensuring compliance with the PDPA.

1. Consent Obligation
1.1 MSM collects, uses and discloses personal data only with your consent (express or deemed), or where permitted by the PDPA.
1.2 At the point of collection, MSM will inform you of the purpose for which we intend to use or disclose the data.
1.3 MSM may deem the individual has consented to the collection, use and disclosure of their personal data as follows:

(a) Deemed consent by conduct – where an individual: (i) voluntarily provides personal data to MSM; (ii) is aware of the purpose for which the personal data is collected; and (iii) where it is reasonable in the circumstances that the personal data would be provided.

(b) Deemed consent by contractual necessity – where the individual provides such information for the purpose of a transaction and it is reasonably necessary in order for MSM to fulfil the contract or conclude the transaction.

(c) Deemed consent by notification – where an individual has been notified of the purpose and how to opt out, but has not taken any action to opt out.

1.4  Generally, MSM will collect personal data directly from the individuals. However, MSM may also collect the individual’s personal data from third parties if required or permitted under the PDPA or any other written law, including where the individual has provided consent or is deemed to consent to such collection.
1.5  Data may be used for legitimate purposes such as security, service integrity, and programme delivery.
1.6  You may withdraw consent—reasonable notice required—after which MSM will cease processing unless PDPA allows retention.
1.7  Withdrawal of consent may affect MSM’s ability to fulfil certain services; however, data collection without consent may continue if permitted or required by law.

2. Purpose Limitation
2.1 MSM will only process personal data for purposes that are reasonable in the given context.
2.2  Purposes include: education and training; course and event management; marketing communications; donations administration; HR and volunteer management; regulatory compliance; and IT or facility security.

3. Notification Obligation
3.1  MSM will inform you of the purposes for collection, use or disclosure before or during collection, unless notification is not required under PDPA.
3.2  MSM may disclose personal data to authorised third parties including service providers, banks, regulators, auditors, or professional advisers, subject to PDPA compliance.

4. NRIC Data
4.1  MSM will only collect, use, or disclose NRIC numbers where required by law or necessary for identity verification.
4.2  Examples include but are not limited to registration for official certifications, examination administration, or compliance-related automation.

5. Media Capture
5.1  Video, audio, or photo recordings at MSM events constitute personal data if individuals are identifiable. Thus, MSM shall state clearly in its invitations or put up appropriate notices to inform volunteers and participants at events, about the use of photography and videography, and use of closed-circuit television (CCTV) and its purpose.
5.2  MSM will notify individuals and seek consent for any use beyond the immediate context of the event. Examples include but are not limited to using it for future marketing, unrelated programmes, or general publicity.

6. Access & Correction
6.1  You may request access to personal data held by MSM, including usage/disclosure history from the past year.
6.2  Requests will be processed within 30 days or MSM will notify you of any delay.
6.3  Access may be denied in specific cases (e.g. risk to health/safety or is contrary to public interest).
6.4  You may request correction of inaccurate data; MSM will notify any relevant parties to whom the data was disclosed in the last year.
6.5  MSM may charge a reasonable fee for access requests.

7. Accuracy Obligation
MSM will make reasonable efforts to ensure personal data is accurate, complete and up-to-date where it’s used for decision-making or external disclosure.

8. Protection Obligation
MSM will implement reasonable security policies, procedures, and practices to protect personal data from unauthorised access, disclosure, and alteration.

9. Retention Limitation
MSM retains personal data only as long as necessary for the stated purposes or as required by law.

10. Data Breach Notification
In the event of a notifiable data breach, MSM will notify affected individuals and the Personal Data Protection Commission (PDPC) as required under PDPA.

11. Accountability & Openness
MSM’s PDPA Policy is publicly accessible. All PDPA-related enquiries, complaints, or requests should be directed to dpo@methodist.org.sg.

12. Policy Changes
MSM reserves the right to amend this Policy in compliance with legislation or operational requirements. We encourage you to review it regularly. Continued engagement implies acceptance.