Nikko Asset Management Asia Limited
Personal Data Protection Policy
Nikko AM Asia Compliance Department
2 July 2014
This document is strictly for Nikko Asset Management Asia Limited (the “Company”, “Nikko AM Asia” or “NAM Asia”) and, where appropriate, its operating subsidiaries’ (collectively referred to as “Nikko AM Asia Group” or “NAM Asia Group”) internal use. Copies of this document shall not be made or published unless permission has been obtained from at least the relevant department head of the Company and/or from at least the relevant department head within NAM Asia Group.
Chapter 1: Overview
The purpose of this policy is to set out NAM Asia’s procedures on protection of personal data of individuals under the company’s custody. It contains important information about how and why NAM Asia collects, uses and discloses personal data of individuals. This policy takes into consideration the Personal Data Protection Act 2012 (“PDPA”) and all applicable PDPA advisory guidelines.
Chapter 2: Personal Data Protection Act 2012
The PDPA establishes a data protection law in Singapore that comprises various rules governing the collection, use, disclosure, access to, correction and care of individuals’ personal data by organisations. It recognises both the rights of individuals to protect their personal data, including rights of access and correction, and the needs of organisations to collect, use or disclose personal data for legitimate and reasonable purposes.
The PDPA contains 2 main sets of provisions, covering data protection (effective 2 July 2014) and a Do Not Call (“DNC”) Registry (effective 2 January 2014).
The DNC provisions generally prohibits organisations from sending certain marketing messages (in the form of voice calls, text or fax messages) to individuals with Singapore telephone numbers, registered with the DNC Registry. As NAM Asia currently does not send marketing messages to individuals, the DNC provisions are not applicable to the company.
NAM Asia intends to comply with all applicable provisions covering data protection by implementing certain procedures as set out below.
Chapter 3: Definitions
3.1 Personal Data
Personal data refers to data, whether true or not, about an individual who can be identified from that data; or from that data and other information to which the organisation has or is likely to have access.
This includes unique identifiers (e.g. NRIC number, passport number, fingerprint); as well as any set of data (e.g. name, age, address, telephone number, occupation, etc) which when taken together would be able to identify the individual.
3.2 Data Protection Officer
Data Protection Officer (“DPO”) means an individual designated by the organisation under Section 11(3) of the Personal Data Protection Act 2012 (“Act”) responsible for ensuring that the organisation complies with this Act or an individual to whom the responsibility of the data protection officer has been delegated under section 11(4) of the Act.
Chapter 4: NAM Asia’s Personal Data Inventory
4.1 NAM Asia has the following personal data in our custody:
NAM Asia collects personal data of our employees including but not limited to name, address, telephone numbers, e-mail address, NRIC number, passport number, fingerprint, FIN (Foreign Identification Number), date and place of birth, nationality, gender, resume, education background, employment history etc in connection with the employees’ employment or job applications with NAM Asia.
Individual investors of NAM Asia’s funds
NAM Asia has in custody personal data of individual investors in NAM Asia’s funds, such as those belonging to our legacy individual investors and investors investing via the CPFIS and the SRS. Such personal data include but not limited to name, address, NRIC number, passport number, amount of investments in our funds, amount of dividends received etc. For the avoidance of doubt, PDPA requirements do not apply to corporate investors of NAM Asia’s funds and hence are not in scope of this policy.
Copies of identity papers of directors and/or authorised signatories of our corporate clients/distributors
NAM Asia is required to comply with all applicable anti-money laundering and countering financing of terrorism (“AML/ CFT”) laws, rules and regulations. Under NAM Asia’s Anti- Money Laundering Policy and KYC Procedures, we are required to collect KYC documents relating to our corporate customers and our funds’ distributors. Such KYC documents may include copies of identity papers such as NRICs or passports of directors and/or authorised signatories of our corporate customers and our funds’ distributors. For the purpose of meeting the AML/ CFT requirements, NAM Asia will collect, use and disclose these information without the corporate customers and funds’ distributors consent as allowed by the regulations.
It is important to note that the PDPA does not apply to business contact information. Business contact information refers to individual’s name, position name or title, business telephone number, business address, business electronic mail address or business fax number and any other similar information about the individual, not provided by him or her solely for his or her personal purposes.
For the avoidance of doubt, NAM Asia is not required to obtain consent before collecting, using or disclosing any business contact information or comply with any other obligations in the Data Protection Provisions in relation to business contact information.
Chapter 5: Collection of Personal Data
5.1 Generally, NAM Asia collects personal data from the following sources:
The personal data that we collect and process on our employees is sourced from:
- information provided by employees and/or relevant third parties in the course of a potential employee applying for a position with us; and
- information provided by employees, relevant third party information sources, or information otherwise generated upon a potential employee being hired and in the course of employment with us.
NAM Asia collects customers’ personal data from the following sources:
- Personal data provided by the customers:
- through customers’ relationship with us, for example information provided in application forms, meeting proxy forms and/or agreements entered into with us, when using our products or services;
- through verbal and written communications with us;
- from an analysis of the way customers’ use and manage their investment products and/services with us, from the transactions they make and from the payments which are made to/from their investment(s); and/ or
- through NAM Asia’s Intermediaries Hotline and Investors Enquiries Mailbox.
- Personal data from third party sources connected with customers:
- from any relevant third parties connected with the customers, such as organisations that are our clients or distributors of our funds or lawyers in relation to estate accounts etc.; and/ or
- from any other sources which the customer has consented to as provided for in our terms and conditions and/or application form or where lawfully permitted.
- Through funds’ trustees and transfer agents, for example fund activity reports, contract notes, statement of accounts, register holdings report and daily and historical transfer agent’s datafeed etc.
Unless permitted under the PDPA or any other laws, regulations and guidelines, NAM Asia shall not collect personal data without the consent of the individual.
Chapter 6: Purposes for the Collection, Use and Disclosure of Personal Data
Generally, NAM Asia collects, use and discloses personal data for the following purposes as described below. An outline of these purposes has been published on NAM Asia’s corporate website – please refer to a document entitled “PDPA/FATCA Notice” dated 23 June 2014.
NAM Asia may collect, process and use, and retain employees’ (including potential employees) personal data for our legitimate activities, including but not limited to:
- assessing employee’s suitability for the job;
- verifying employee’s information and conducting reference checks;
- conducting background checks if the employee is offered a job;
- general administrative and record keeping purposes;
- headcount and payroll planning;
- workforce development, training and certification;
- performance management;
- approving and monitoring employee benefits and entitlements;
- posting employee’s photograph on the intranet and email directory;
- maintain emergency contact details;
- audit, risk management and security and/or compliance purposes;
- internal investigations and legal proceedings;
- purposes as required by regulators; and/ or
- other purposes as may be required by any laws, regulations and guidelines.
NAM Asia may collect, use and disclose customers’ personal data for one or more of the following purposes:
- to confirm and verify the customer’s identity;
- to assess application(s) /inquiry(ies) for our products and services;
- to process the customer’s transaction in relation to his/her investment(s) in any of our products and services;
- to manage and maintain customers’ investment(s) portfolios with us;
- to manage our business and the customer’s relationship with us;
- to notify customers about benefits and changes to the features of products and services;
- to respond to customers’ enquiries and complaints and generally to resolve disputes;
- to update, consolidate and improve the accuracy of our records;
- to produce data, reports and statistics which have been anonymised or aggregated in a manner that does not identify the customer as an individual;
- to conduct research for analytical and/or statistical assessments;
- to facilitate audit, risk management and/or compliance;
- to assess financial and insurance risks;
- to conduct AML/ CFT checks for risk detection and prevention; and/or
- to provide to relevant regulatory authorities and for any other purpose that is required or permitted by any laws, regulations and guidelines.
NAM Asia may continue to use personal data about an individual collected before 2 July 2014, the effective date of the data protection provisions of the PDPA, for the purposes for which the personal data was collected unless the employee or the customer has withdrawn consent.
NAM Asia may disclose personal data for the purposes indicated above to our employees, third parties, service providers, advisors, related entities, which includes, without limitation, the following persons or entities:
To the extent necessary, NAM Asia may disclose employees’ personal data to a limited number of NAM Asia’s employees whose job necessitates that they maintain, compile or otherwise have access to employees’ personal data. NAM Asia may also disclose employees’ personal data to third parties that NAM Asia deals with for the purpose of providing our products and services to our customers and generally operating our business.
NAM Asia may disclose customers’ personal data (to the extent necessary) to the following third parties:
- companies and/or organisations that act as our agents and/or professional advisers;
- companies and/or organisations that assist us in processing and/or otherwise fulfilling transactions that the customer has requested;
- any person notified by the customer as authorised to give instructions on his/ her behalf;
- any third party as a result of any restructuring of the customer’s investments, or the acquisition or sale of any company by NAM Asia, provided that any recipient uses the customer’s information for the same purposes as it was originally supplied to NAM Asia and/or used by NAM Asia; and/ or
- any competent authority(ies) and/or regulator(s),
subject at all times to any laws (including regulations, guidelines and/or obligations) applicable to NAM Asia.
Unless permitted under the PDPA or any other laws, regulations and guidelines, NAM Asia shall not use or disclose the personal data for any other purpose, without first identifying and documenting the other purpose and obtaining the consent of the affected employee or customer.
Chapter 7: Withdrawal of Consent
Employees or customers are able to withdraw their consent to NAM Asia’s continued use and disclosure of personal data as described in this Policy at any time. Such withdrawal should be made formally in writing to any of the Data Protection Officers (“DPOs”) of NAM Asia.
If consent is withdrawn by an employee, NAM Asia may need to discontinue his/her employment with the company. If consent is withdrawn by a customer, NAM Asia may no longer be able to provide the requested products or services and our relationship with the customer may have to be terminated.
Chapter 8: Protection of Personal Data
NAM Asia places great importance on ensuring the security of our personal data against risks of authorised access, collection, use, disclosure, copying, modification, disposal or destruction. NAM Asia has implemented security measures which include computer safeguards and password-protected files to enhance the security of our personal data stored. In addition, all employees’ hardcopy personal files are maintained by the HR Department under lock and key. NAM Asia will regularly review and implement appropriate security measures when processing and retaining personal data.
Employees of NAM Asia are required to handle the personal data securely and with strict confidentiality, failing which they may be subject to disciplinary action. NAM Asia has a Compliance Manual (“Compliance Manual”) as well as a Code of Ethics and Business Conduct (“Code”) which serves as a guideline and represents NAM Asia’s ’s commitment to upholding a high standard of integrity, fair dealing, quality of services and ethical behaviour, including handling any data with strict confidentiality, in all its relationships. The Compliance Manual also outlines procedures and guidelines to report violations by any member of staff.
Further, NAM Asia will impose compliance with data confidentiality requirements on our agents, third party service providers, consultants and professional advisors in our working relationships and/ or agreements with these parties.
Chapter 9: Access to Personal Data
A customer not in the care of any of our funds’ distributors may make a request to access his/her personal data which is in NAM Asia’s possession or control. The customer must complete a data access request (“DAR”) form (Refer to Appendix 2), provide all necessary documents and making the requisite payment, where relevant, as prescribed in the DAR form. NAM Asia aims to revert within 30 days from the receipt of the DAR form. If NAM Asia is unable to comply with the DAR requirements within the said timeframe, NAM Asia will have to inform the customer the reasonably soonest time by which response will be provided in relation to the request.
To the extent required by PDPA, upon request by a customer, NAM Asia shall provide information relating to how the customer’s personal data has been or may have been used or disclosed within a year before the date of such request. NAM Asia may also provide a standard list of possible third parties as part of its response to all access requests for information relating to the disclosure of personal data during such period.
Employees who wish to access their personal data should contact the HR Department. Potential employees who were subsequently not employed by NAM Asia or former employees of NAM Asia should complete the DAR form as mentioned in Chapter 9.1 above.
NAM Asia may not be able to provide access to all of the personal data that they hold about an individual. For example, NAM Asia may not provide access to personal data if such provision could reveal personal data about another individual, if such information is subject to legal privilege or if provision will be contrary to national interest or where such refusal is permitted under the PDPA. If access to personal data cannot be provided, the reasons for denying access will be provided to the customer within 30 days of receipt of the DAR form, subject to any legal or regulatory constraints.
Chapter 10: Accuracy and Correction of Personal Data
A customer not in the care of any of our funds’ distributors or who is a CPFIS or SRS investor may make a request to correct or update his/her residential address which is in NAM Asia’s possession or control. The customer must complete a data correction request (“DCR”) form (Refer to Appendix 3) and provide all necessary documents or information as prescribed in the DCR form. NAM Asia will correct or update his/her residential address found to be inaccurate or incomplete as soon as practicable. Any unresolved differences as to accuracy or completeness of his/her residential address shall be noted in the customer’s records.
Employees who wish to correct or update their personal data should contact the HR Department. Potential employees who were subsequently not employed by NAM Asia or former employees of NAM Asia should complete the DCR form as mentioned in Chapter 10.1 above.
NAM Asia may refuse to correct or update personal data as requested in the DCR form in certain instances. For example, NAM Asia is unable to confirm the customer’s identity or where such refusal is permitted under the PDPA. If NAM Asia denies customer’s correction request, NAM Asia will inform the customer the reason for the refusal within 30 days of receipt of the DCR form, subject to any legal or regulatory constraints.
Chapter 11: Offences and Penalties
An organisation or person commits an offence if the organisation or person —
- with an intent to evade a request under section 21 or 22, disposes of, alters, falsifies, conceals or destroys, or directs another person to dispose of, alter, falsify, conceal or destroy, a record containing:-
- personal data; or
- information about the collection, use or disclosure of personal data;
- obstructs or impedes the Commission* or an authorised officer in the exercise of their powers or performance of their duties under this Act; or
- knowingly or recklessly makes a false statement to the Commission*, or knowingly misleads or attempts to mislead the Commission*, in the course of the performance of the duties or powers of the Commission* under this Act.
* Personal Data Protection Commission
An organisation or person that commits an offence under Chapter 11.1 (a) above is liable:-
- in the case of an individual, to a fine not exceeding $5,000; and
- in any other case, to a fine not exceeding $50,000.
An organisation or person that commits an offence under Chapter 11.1 (b) or (c) is liable:-
- in the case of an individual, to a fine not exceeding $10,000 or to imprisonment for a term not exceeding 12 months or to both; and
- in any other case, to a fine not exceeding $100,000.
Where an offence under this Act committed by a body corporate^ is proved:-
- to have been committed with the consent or connivance of an officer#; or
- to be attributable to any neglect on his part, the officer as well as the body corporate^
shall be guilty of the offence and shall be liable to be proceeded against and punished
Where the affairs of a body corporate^ are managed by its members, Chapter 11.3 (a) shall apply in relation to the acts and defaults of a member in connection with his functions of management as if he were a director of the body corporate^.
^ includes a limited liability partnership
# in relation to a body corporate, means any director, partner, member of the committee of management, chief executive, manager, secretary or other similar officer of the body corporate and includes any person purporting to act in any such capacity;
the officer or member shall be guilty of the offence and shall be liable to be proceeded against and punished accordingly.
Any act done or conduct engaged in by a person in the course of his employment (“the employee”) shall be treated for the purposes of this Act as done or engaged in by his employer as well as by him, whether or not it was done or engaged in with the employer’s knowledge or approval.
In any proceedings for an offence under this Act brought against any person in respect of an act or conduct alleged to have been done or engaged in, as the case may be, by an employee of that person, it is a defence for that person to prove that he took such steps as were practicable to prevent the employee from doing the act or engaging in the conduct, or from doing or engaging in, in the course of his employment, acts or conduct, as the case may be, of that description.
Chapter 12: Retention of Personal Data
NAM Asia will retain employees and/or customers’ personal data in compliance with the terms and conditions of the trust deeds of our funds, customers’ agreement(s) with Nikko AM entities and as set out below:
- for the duration of the employee and/or customers’ relationship with us;
- for such period as may be necessary to protect NAM Asia’s interests and/or our customers or employees;
- where otherwise required by laws, regulations and guidelines; and/or
- where required by NAM Asia in order for us to perform our duties in the discharge of our fiduciary obligations.
Chapter 13: Data Protection Officer
13.1 Personal Data
Please refer to Appendix 1 for the appointed Data Protection Officers of NAM Asia. Business contact information of the Data Protection Officers will be available on the NAM Asia’s website. Under the PDPA, the Data Protection Officers are responsible for facilitating NAM Asia’s compliance with the PDPA. For the avoidance of doubt, the compliance with the PDPA remains the responsibility of NAM Asia.
Chapter 14: Complaints Procedures
14.1 Personal Data
If a customer or an employee of NAM Asia has reason to believe that his/her personal data has been misused by NAM Asia, the customer or the employee is advised to lodge a complaint with any of the Data Protection Officers of NAM Asia who will handle the complaints in accordance with NAM Asia’s Complaints Handling Procedure stipulated in the Compliance Manual.
Appendix 1 – Data Protection Officers of NAM Asia
Appendix 2 – Data access request (“DAR”) form
Appendix 3 – Data correction request (“DCR”) form
Appendix 4 – Listing of reports provided by fund’s Transfer Agent (for confidentiality reason, this list is not attached to this policy)
Appendix 5 – Listing of forms used by Intermediary Business Client Services and Product Development & Management which may contain personal data belonging to an individual customer of NAM Asia’s fund (this will be made available at a later date)