Data Protection

IMDA PAW_Infographic Post_FA-v2

What is Personal Data?
Personal data refers to data about an individual who can be identified from that data, or from that data and other information to which the organization has or is likely to have access.

What is the PDPA?
The Personal Data Protection Act (PDPA) provides a baseline standard of protection for personal data in Singapore. It complements sector-specific legislative and regulatory frameworks such as the Banking Act and Insurance Act.

It comprises various requirements governing the collection, use, disclosure and care of personal data in Singapore.

It also provides for the establishment of a national Do Not Call (DNC) Registry. Individuals may register their Singapore telephone numbers with the DNC Registry to opt out of receiving unwanted telemarketing messages from organizations.

Objectives of the PDPA
The PDPA recognizes both the need to protect individuals’ personal data and the need of organizations to collect, use or disclose personal data for legitimate and reasonable purposes.

A data protection regime is necessary to safeguard personal data from misuse and to maintain individuals’ trust in organizations that manage their data.

By regulating the flow of personal data among organizations, the PDPA also aims to strengthen Singapore’s position as a trusted hub for businesses.

Scope of the PDPA
The PDPA covers personal data stored in electronic and non-electronic formats.

It generally does not apply to:

Any individual acting on a personal or domestic basis.

Any individual acting in his/her capacity as an employee with an organization.

Any public agency in relation to the collection, use or disclosure of personal data.

Business contact information such as an individual’s name, position or title, business telephone number, business address, business email, business fax number and similar information.

ACE Purpose and Scope of PDPA Policy and Definitions

American Center for Education (ACE) has the policy regarding data collection, usage, disclosure, processing and protection, which are in accordance with the Singapore Personal Data Protection Act of 2012 (PDPA).

‘Personal Data’ refers to any data, whether true or otherwise, about an individual who can be identified (i) from that data; or (ii) from that data and other information to which ACE has or is likely to have access, including data in ACE records as may be updated from time to time.

These Personal Data include unique identifiers (e.g. passport number, NRIC or FIN number, etc.) as well as any set of data (e.g. name, age, personal email address, address, photo or video, thumbprint, DNA profile, telephone number, etc.) which, when taken together, would identify the individual.

This policy supplements but does not supersede or replace any consent an individual may have previously provided or will provide to ACE regarding his or her personal data.

ACE may also use, disclose or process an individual’s personal data collected before 2 July 2014 for the purposes of collection unless consent for such use is withdrawn in accordance with the PDPA or he or she has otherwise indicated to ACE, whether before, on or after the coming into force of the PDPA, that he or she does not consent to the use of his or her Personal Data.

To ensure that the Personal Data Protection Policy is consistent with any changes in legal or regulatory requirements, ACE may update it from time to time at its absolute discretion.

1. Collection of Personal Data

a. ACE collects Personal Data in the following ways:
i. When an individual submits a course enrollment application or submit forms for various activities or purposes
ii. When an individual interacts with ACE staff (via telephone/mobile calls, instant messengers, letters, or emails or during face-to-face meetings)
iii. During the period of an individual’s receiving ACE educational services
iv. When an individual submits his or her Personal Data to ACE for any other reasons

b. If an individual provides ACE with any Personal Data relating to a third party (e.g. parents, guardian, spouse, children, family members or employer, etc.), ACE deems in his or her so doing that the consent has been obtained from the third party to provide such for the respective purposes.

c. An individual should ensure that all Personal Data submitted is complete, accurate and up to date. The individual should update ACE about any changes to his or her Personal Data should they occur.

d. ACE only collects reasonable and necessary Personal Data to the extent that it is required for the specific purpose for which it is collected, and which has been notified to the individual.

2. Purposes of Collection/Use/Disclosure of Personal Data

Depending on the individual’s status (e.g. as an applicant, student, alumnus, staff, vendor, or university partners) with ACE, the personal data collected are used for the following purposes:

a. For evaluating the eligibility for admission or employment, maintaining personal records and communication purposes.

b. For audit, administration and emergency purposes/contact.

c. For school or Extra Curricular Activity (‘ECA’) registration.

d. Carrying out due diligence or other screening activities (including background checks) in accordance with legal or regulatory obligations or risk management procedures that may be required by law or put in place by ACE, including the obtaining of references and/or other information from prior educational institutions and employers.

e. Supporting ACE functions including, but not limited to, the teaching and personal and professional development of students.

f. Monitoring the use of ACE’s computer network resources, including ACE email accounts, portals.

g. Processing application (s) for scholarships and administering and managing scholarship and other support programs, which may include disclosure of personal data to donors, external evaluators and/or external organizations for purposes including periodic reports, event invitations, surveys and/or publicity regarding ACE’s related programs.

h. Responding to requests for information from government or public agencies, ministries, statutory boards or other similar authorities or non-government agencies authorized to carry out specific Government services or duties.

i. Investigating possible fraud, misconduct, unlawful action or omission, and utilizing electronic access and video systems to maintain campus security of persons or property, control access and investigate suspicious or inappropriate activities.

j. Processing and administering applications or enrollment activities related to health, life and travel insurance and service provision as well as school-related cards, and administering matters, and overseas exchange programs and other overseas activities.

k. Taking photos and/or videos by ACE staff or authorized third party individuals during ACE events.

l. Processing, administering, conferring and publication of awards, prizes, medals, scholarships, and other marks of distinction, and student or graduation status.

m. Any other purposes being informed by ACE in writing, with the individual’s separate consent.

3. Disclosure of Personal Data to Third Parties

ACE may disclose an individual’s personal data to third parties (service providers, agents and/or ACE affiliates or related corporations, such as ECA vendors, Fee Protection Scheme insurers etc.) without first obtaining the relevant consent in certain situations, including, but not limited to, the following;

a. Being required to be based on the relevant laws and/or regulations.

b. The purpose is clearly in the individual’s interests and consent cannot be obtained in a timely manner.

c. Be necessary to respond to an emergency that threatens the individual’s life, health or safety or that of another individual, if ACE shall, as soon as may be practicable, notify the former of the disclosure and the purposes of the disclosure.

d. Be necessary for any investigation or proceedings.

e. Being disclosed to any officer of a prescribed law enforcement agency for the purposes of the functions or duties of the office.

f. Being disclosed to a public agency as necessary in the public interest.

g. Other cases described in the exhaustive list of exceptions to the PDPA which is available at

ACE contributes its effort to provide adequate forms of protection within its ability to highlight the confidentially and security in the handling and administration of an individual’s personal data by such third parties.

4. Management of Personal Data

By applying reasonable security measures and necessary setup, ACE protects Personal Data in possession or under its control to prevent unauthorized collection, use, access, disclosure, copying, modification, disposal or other relevant risks.

ACE takes reasonable and appropriate measures in keeping the relevant personal data accurate, complete and updated.

ACE is not responsible for any unauthorized use of Personal Data by third parties which are wholly attributable to factors beyond ACE’s control.

ACE takes reasonable effort to destroy the relevant documents containing Personal Data, when it is reasonable to assume that:

a. The purpose for which the Personal Data was collected is no longer being served by retention of the Personal Data;

b. Retention is no longer necessary for legal or business purposes.

For the updating of personal data, after the individual has submitted such a request, ACE shall process the request and undertake verification activities if necessary.

5. Withdrawal of Consent

An individual may submit a request to ACE by an official letter, an email or a form at any time with reasonable notice to withdraw any consent already given, or deemed to have been given, to ACE under the PDPA, in respect of the collection, use or disclosure by ACE of his or her Personal Data.

On receiving the withdrawal of consent, ACE shall cease collecting, using or disclosing the Personal Data of the individual unless such collection, use or disclosure is required or authorized under the PDPA or other written law without the consent of the individual.

On withdrawal of consent, depending on the nature of the individual’s request, ACE might not be able to continue providing the relevant affected services to the individual, which in turn may result in the termination of the individual’s agreements with ACE. As such, the individual might breach his or her contractual obligations or undertakings. In such an event, ACE’s legal rights and remedies are expressly reserved.


For any enquires and/or feedback.

You may contact our Data Protection Officer (DPO) at :

Comments are closed.