Q1) What are the security arrangements in place to prevent unauthorised access and processing of residents’ personal data?

A1) Consistent with the requirements of the Personal Data Protection Act (PDPA) with regard to security of personal data, Sentosa Cove Resort Management (SCRM) has put in place reasonable security arrangements to prevent unauthorised access and processing of residents’ personal data. They include:
1. Computer and network security, including deployment of firewalls and passwords to protect systems, networks and equipment used to store and process personal data. Endpoint security is deployed to protect the network against unauthorised intrusion;
2. Prohibiting staff from circumventing any system, network or equipment security features or access controls put in place by SCRM;
3. Ensuring that hard copy documents containing personal data are disposed of by shredding or by other secure means;
4. Having secure storage processes, for example by keeping documents containing personal data locked in cabinets;
5. Requiring staff to adhere to access control measures, such as requiring that physical access to documents and systems containing personal data is restricted only to employees whose job responsibilities require such access;
6. Physical access to SCRM offices is security controlled, requiring access by security cards and/or codes that record the identity of employees gaining access, including date and time. CCTVs are also deployed at key points in our offices for security reasons;
7. Keys to locked cabinets containing documents and personal data are kept by authorised personnel;
8. Requiring staff to report any actual or suspected breach of personal data security;
9. PDPA training has been conducted for staff, and they are required to comply with SCRM’s internal policies for compliance with the PDPA;
10. Personal data in electronic form is kept on a secure server, with access control and monitored by CCTV. Environment and fire control measures are in place to safeguard against accidental loss. Such personal data is not stored in a cloud. Only authorised personnel are allowed entry;
11. Technological measures, such as assigning a unique password to each staff member, have been put in place to maintain an audit trail of which staff gain access to which electronic folders that may contain personal data. This is further supported by administrator controls that allow only authorised staff, on a need-to-know basis, to gain access to specific personal data;
12. Failure by an employee to comply with our policies dealing with the PDPA is a ground for termination of employment;
13. Imposing confidentiality obligations on employees which cover personal data of individuals that the employees come into contact with.

Q2) Will all documents be destroyed as soon as the security passes have been issued?

A2) Yes. All documents will be destroyed as soon as the security passes have been issued. In terms of retention or destruction of personal data, we are mindful of the retention obligation under the PDPA and, consistent with that, our policy is to destroy or anonymize documents containing personal data as soon as the purpose for which the data was collected is no longer being served by its retention and retention is no longer necessary for legal or business purposes.