
Personal Data Protection

The University respects the privacy of individuals and recognises the importance of the personal data that have been entrusted to the organisation. It is the University’s responsibility to properly manage, protect and process personal data.

For NUS staff, please complete the mandatory personal data protection online course in CHRS in order to gain an understanding of the fundamentals before referring to the various resources available on this page.

View the list of Personal Data Protection Policies for NUS Staff and Students.

NUS Data Protection & Other Relevant Policies, Notices and Guidelines

  • NUS Privacy Notice (PN)
  • NUS Personal Data Protection Policy & Procedures (PDPP)
  • NUS Personal Data Notice for Staff
  • NUS Personal Data Notice for Students
  • NUS Personal Data Notice for Student Applicants
  • NUS Personal Data Notice for Course Participants
  • NUS IT Acceptable Use Policy
  • NUS Cloud Policy
  • NUS Data Management Policy
  • DMP – Guidelines on Use, Classification and Protection of University Data

Make a Request

Personal Data Service Request

For any personal data access or correction request

Order History

NUS Do Not Call Registry

If you wish to register yourself in the NUS Do Not Call Registry

What to Do When There’s a Personal Data Breach?

Follow the C.A.R.E steps when managing a personal data breach:

1. Contain
🔸 Stop the breach.
🔸 Cut off access, shut down systems if needed.

2. Assess
🔸 Gather the facts.
🔸 What data? Who’s affected?
🔸 Any risk of harm?

3. Report
🔸 Inform your unit/department.
🔸 Submit the breach report to NUS DPO.
🔸 Alert affected individuals if needed.

4. Evaluate
🔸 Find out what went wrong.
🔸 Fix it to prevent future breaches.

Download the visual to help you get familiarised with the C.A.R.E steps.

Report a Personal Data Incident

Report a Personal Data Incident or Personal Data Breach

All reports will be taken seriously

Should there be cause to suspect a personal data incident involving NUS and/or its Staff/Students, please alert us by email at dpo@nus.edu.sg

To facilitate a timely review, the following details should be included in your report:

     i. Full name and contact information*
    ii. Affiliation to NUS (e.g. Alumni, Faculty, Staff, Student, No Affiliation etc.)
   iii. Details of the incident, including:

*This is required information that you need to provide in your report.

Personal Data Breach Report

To report a personal data breach, please use this form and alert us at dpo@nus.edu.sg

Notes

(1) Types of Personal Data Affected

“Personal Data” is defined under the PDPA to mean:

  • data,
  • whether true or not,
  • about an individual who can be identified:
      • from that data; or
      • from that data and other information to which an organization has or is likely to have access.

By way of illustration, examples of Personal Data include (but are not limited to) the following:

  • Individual’s name
  • Student matriculation number
  • Date of birth
  • Student academic data (e.g. assessment results)
  • NRIC number, FIN (Foreign Identification Number), passport numbers and other national identification numbers
  • Health information / medical records
  • Contact details such as residential address, personal phone number, personal email address
  • Biometric information (e.g. fingerprint, iris image, DNA profile, voice recording) and research data (4)
  • Human Resource data about employees (e.g. Staff ID numbers)
  • Facial image of an individual (e.g. photograph / video recording)
  • Employment appraisal or evaluation
  • A reference about an individual

(2) Cause (actual/suspected) of the incident

The cause could include one or more of the following:

  • Cyber security issues (e.g. malware, ransomware, data exportation, hacking)
  • Loss of data (e.g. loss of physical copies of data, soft copies of data, device containing the PD such as laptop/external drive)
  • Theft of data
  • Human error (oversight/carelessness)
  • Technical error (e.g. system error, access settings)

(3) Impact on Personal Data

Examples of how PD could be affected include, inter alia:

  • PD disclosed to unintended recipients
  • PD disclosed without consent of the data subject
  • Unauthorised transfer of PD
  • Data held to ransom
  • Data lost/expunged