Personal Data Protection Policy
Data Protection Guidelines
“Personal Data” and “Personal Information” in this policy is defined as data that can identify an individual.The Company owns and operates a software product called CAMPUS, which follows the Software as A Service (SaaS) model. CAMPUS is a prepaid school account that can be used either online or may be linked to an identification card.In essence, it creates a cashless school environment.
Students, parents, and school client employees can use CAMPUS to purchase meals, textbooks, and stationery. They may also perform other administrative tasks such as photocopying and document printing and access control functions. Their card can be used as a form of identification, library card, and prepaid debit card amongst its many usage capabilities.
Purpose of Data Collection
The exclusive purpose of collecting this information is for the functioning (developing, implementing, hosting, operating, and maintaining) of the CAMPUS software to provide it as a service to the Customer.
Personal Information Collected
- The Company will collect the following information or related information to enable the correct functioning of its CAMPUS software product:
- Customers ( Students or Staff )
- Customer Type
- Customer Id
- Name (First Name & Last Name)
- Date Of Birth
- Family Code
- Graduation Year
- Student Homeroom
- School Division
- School Division
- Family Code
- Parent vs Staff Classification
- Parent Name
- Email IDs
- Date of Birth
- Student ID
- Smart Card ID
Manner and Method of Data Collection
The Company will exclusively collect data through express and written permission from its School Client (“The Customer”).The Customer will in turn seek necessary written permissions from the Designated Guardians and other users of the software.
Data will be gathered through the software that the Company has installed for the Customer, and through no other means.The Customer will periodically provide evidence of these permissions to the Company, upon request.
If the Company discovers that the Customer is not in possession of the express, relevant, and/or current permissions, the Company will take steps to immediately delete this information from the CAMPUS software. This will affect the functioning of the software and thus its deliverable to the Customer.
Disclosure of Data Collection
The Company will, under no circumstance, voluntarily disclose any obtained information to any third party that is not bound to the Company by the PDPA of the Republic of Singapore and/or Confidentiality clauses through appropriate third-party agreements (sub-contractor agreement) with the Customer.
Third-Party Hosting and Disclosure
The Company may (upon request from its Customer) host the software application through third-party cloud hosting vendors such as Amazon.In such an instance, the standard agreements with such vendors will govern all data protection and confidentiality aspects that comply with the PDPA.
The research and choice of any third-party vendor will be made in association with the Customer and/or will be expressly communicated to the Customer prior to the collection and deployment of any personal data. If the Customer initiates the third-party request, the Company must agree to the request and vet both data compliance and protection compliance with any chosen vendor.By agreeing to the choice of the third party, the Customer accepts all liabilities and indemnifies the Company from any data violations or infringements.
The Company’s CAMPUS software will periodically use location-based services of Customer-authorized devices. Location data is collected from only those devices. The Company may extend the functionality of the CAMPUS software for other location-based functionality. This will be done exclusively through express permissions, as stated in clause 3 of this document.
Personal Data Protection
The Company takes the security of all personal data in its possession very seriously. The Company employs appropriate technical and physical security arrangements while maintaining safeguards to protect against accidental or unauthorized access, collection, use and disclosure, copying and modification, disposal and deletion, and other similar risks to personal data.
Data Integrity and Personal Information Retention
The Company will retain all relevant personal data only for the period necessary to fulfil its contractual obligations to the Customer for the service of the CAMPUS software unless a longer retention period is required by Law.
Company Practices and Commitment to Privacy
To ensure total security of all personal data, the Company communicates this privacy and security policy to all its employees and sub-contractors and strictly enforces it through valid legal agreements.The Company has appointed a designated Data Protection Officer (DPO) to ensure implementation and compliance with this policy.
Personal Data Access and Correction
If you wish to know about your personal data in the Company’s possession or under its control, or how your personal data has been used or to whom it has been disclosed, you may write to us by filling out the Access Request Form (available at your request).The Company shall charge a standard fee of $5 SGD for each Access Request.
However, if much effort and time are required to retrieve the personal data, VPS shall charge a higher fee of approximately $20 SGD for each request. The Company may also assess an incremental fee for photocopying or courier costs if more copies are requested.This fee shall cover all our actual costs incurred. Examples: photocopying, locating, retrieving, shipping, transport, time spent in preparing the disclosure. It should reflect our time and efforts taken to retrieve the personal data.
The Company shall provide the personal data requested within 30 days after receiving the Access Request. If the Company cannot respond within 30 days, it shall inform the Applicant (in writing) when it can.There may be some circumstances, as outlined under the 5th Schedule and Section 21 of the PDPA that exempts the company from having to accede to an Access Request.If you wish to correct any personal data in our possession or under our control, you may write the Company by filling in a Correction Request Form (available at your request through the Data Protection Officer).
The Company shall forward the corrected personal data to every organisation the Company has sent the personal data to in the calendar year prior to the receipt of the Correction Request.The Company shall correct the personal data requested, where practical, within 30 days.The Company does not charge any fees for correcting personal data.There may be certain circumstances, as outlined under the 6th Schedule and Section 22 of the PDPA, that exempt the Company from having to accede to Correction of Personal Data.
Data Protection Officer (DPO) Contact Information
The contact details of the Company's DPO Shermaine Lowe
Phone: +65 63429305
46 East Coast Road, 08-04
EastGate, Singapore 428766
Current as of 15 July 2021