Privacy & Data Protection Policy

Data Protection & Privacy Policy — Hand in Hand OT Centre
Data Protection Policy

How Hand in Hand protects
your family’s personal information

Effective: 1 June 2026 Last Reviewed: May 2026 Governs: All HIH services & digital systems Legislation: PDPA 2012 (as amended 2021)
A note to our families At Hand in Hand OT Centre (HIH), we work with children and their families every day. We understand that the personal and clinical information you share with us is deeply private. This policy explains — in plain English — exactly what we collect, why we need it, how we protect it, and what rights you have under Singapore law. If anything is unclear, please reach out to our Data Protection Officer directly.
Section 01

Who we are

Hand in Hand OT Centre (“HIH”, “we”, “our”) is a private paediatric occupational therapy and speech therapy clinic registered in Singapore, operating since 1998 at 91 Tanglin Road, Tanglin Place #04-02, Singapore 247918.

We are a data controller under the Personal Data Protection Act 2012 (“PDPA”) — meaning we decide how and why personal data about you and your child is processed. We are subject to all 11 obligations of the PDPA and the Do Not Call provisions.

As a clinic whose services are primarily accessed by children and their families, we apply the enhanced protection standards recommended by the PDPC’s Advisory Guidelines on Children’s Personal Data (March 2024).

Section 02

What personal data we collect

We collect only what is necessary for the purpose stated. The table below maps each category of data to the system that holds it.

Category Examples Where held
Identity & contact Parent/guardian name, child’s name, NRIC/passport (for records), phone, email, address HIH internal systems (on-premises Singapore)
Clinical & assessment Developmental history, assessment scores, progress notes, therapy goals, diagnoses, school reports Private on-premises server (Singapore), encrypted
Session & scheduling Appointment dates/times, attendance records, cancellation history HIH booking system
Billing & financial Invoice records, payment status, insurance claim references HIH billing system (on-premises)
Communication Email enquiries, WhatsApp messages, form submissions HIH communication logs, retained per retention schedule
School & third-party Teacher reports, IEP goals, school correspondence shared with HIH by consent HIH document store (on-premises Singapore)

We do not collect biometric data, audio recordings, or video of your child without separate written consent. All clinical documentation is text-based.

Section 03

Why we collect it — purpose limitation

Under the PDPA, personal data may only be collected, used, or disclosed for purposes a reasonable person would consider appropriate, and only for purposes you have been informed about and consented to.

HIH collects and uses personal data for the following purposes only:

  • Delivering occupational therapy, speech therapy, and early intervention services to your child
  • Conducting standardised and clinical assessments and preparing written reports
  • Scheduling, managing, and following up on therapy sessions
  • Billing, invoicing, and processing payments
  • Communicating with schools, teachers, or other allied health professionals with your explicit consent
  • Regulatory compliance (e.g., MOH licensing requirements, financial record-keeping)
  • Service improvement through de-identified, aggregate analysis of outcomes (no individual identification)
  • Sending you relevant newsletters, resources, or updates about HIH services (with your separate marketing consent)

We will not use your personal data for any other purpose without obtaining fresh consent from you. We do not sell, rent, or trade personal data.

Section 04

Consent — including your child’s data

Consent under the PDPA must be voluntary, informed, and specific to purpose. You must be able to withdraw consent as easily as you gave it.

Enhanced protection for children’s data

All children seen at HIH are below 18 years of age. Under the PDPC’s March 2024 Advisory Guidelines on Children’s Personal Data, children’s personal data is classified as sensitive personal data requiring a higher standard of protection.

For children below 13: a parent or guardian must provide consent on the child’s behalf. Parents and guardians will always be informed of the specific purposes for which their child’s data is collected, used, or shared.

For children aged 13–17: the child may co-sign consent, but HIH’s default practice in a clinical setting is to obtain parental/guardian consent as the primary basis for processing. This is consistent with PDPC guidance that higher consent standards are appropriate in education and healthcare settings.

At first registration, we will ask you to sign an HIH Consent and Data Protection Form covering: clinical data collection and processing, AI-assisted documentation (text-based only), communications with schools or other providers, and optional marketing communications. You may withdraw any consent element at any time by contacting our DPO. Withdrawal of clinical consent may affect our ability to continue providing therapy services, and we will advise you of this before processing any withdrawal.

Section 05

How we protect your data

The PDPA requires organisations to implement reasonable security arrangements to protect personal data from unauthorised access, collection, use, disclosure, copying, modification, or disposal.

HIH has implemented the following technical and organisational measures:

Data residency

All clinical and personal data is stored on-premises in Singapore on a private server with no direct internet exposure.

Encrypted access

All remote access to clinical systems uses Tailscale VPN with device-level authentication. No data transits unencrypted.

Access controls

Role-based access controls limit who can view which client records. Therapists can only access their own caseloads.

Credential management

All system credentials are managed in an enterprise password manager. Multi-factor authentication is enforced on all admin accounts.

AI documentation

AI-assisted note-writing uses only observation text — never audio. No personal identifiers are transmitted to external AI services.

Staff training

All therapists receive PDPA briefings before accessing client systems. Handling procedures are documented and enforced.

Section 06

How long we keep your data — retention limitation

Under the PDPA, personal data must not be retained longer than is necessary for business or legal purposes. HIH’s retention schedule is as follows:

Data type Retention period Basis
Clinical records (notes, reports, assessments) 5 years from last session date PDPA + Allied Health professionals’ practice standards
Billing and financial records 5 years from invoice date IRAS record-keeping requirements
Consent records Duration of service + 5 years Accountability obligation under PDPA
Communication logs (email, WhatsApp) 12 months from last interaction PDPA purpose limitation — operational need
School collaboration documents 5 years (year-based archive with annual review) PDPA + school engagement obligations
Website enquiry form data 90 days if no service engagement follows PDPA retention limitation

After the applicable retention period, personal data is securely deleted or anonymised. Where anonymisation is used, the resulting data cannot be re-identified and is no longer subject to PDPA obligations.

Section 07

Who we share your data with

HIH does not disclose personal data to third parties without your consent, except where required by law. The limited categories of disclosure are:

  • Schools and teachers: We share reports, progress notes, or IEP-related documentation only with your written consent and only to the named recipients you have approved.
  • Other allied health professionals: With your consent, we may correspond with paediatricians, psychologists, speech therapists, or other treating clinicians for coordinated care.
  • Technology service providers: Our systems are hosted on services that may process technical data on our behalf (as data intermediaries). All intermediaries are bound by data processing agreements requiring PDPA-equivalent protection. See Section 8 for overseas transfers.
  • Regulatory authorities: We may disclose data where required by law, court order, or government directive (e.g., MOH licensing inspections).

We do not share data with marketing partners, data brokers, or research bodies without your separate, explicit consent.

Section 08

Overseas transfers of personal data

The PDPA’s Transfer Limitation Obligation requires that when personal data is transferred overseas, the receiving organisation must provide a standard of protection comparable to the PDPA. HIH’s overseas transfer position is as follows:

Service Location What transfers PDPA safeguard
DigitalOcean (web hosting) Singapore region Website enquiries, non-clinical Singapore data centre — no cross-border transfer
Cloudflare (CDN/DNS) Global Anonymous web traffic metadata No personal data — DPA in place
Email provider Varies Appointment and administrative email Data Processing Agreement in place
Clinical systems Singapore (on-premises) All clinical and sensitive personal data Fully on-premises — no overseas transfer

Where any overseas transfer is introduced in future, we will update this policy and ensure a binding data processing agreement or equivalent contractual safeguard is in place before any transfer occurs.

Section 09

Your rights under the PDPA

The PDPA grants individuals — and parents/guardians acting on behalf of a child — the following rights. HIH will respond to valid requests within 30 days.

  • A
    Right of Access You may request a copy of the personal data HIH holds about you or your child, and information about how it has been used or shared in the past 12 months.
  • C
    Right of Correction If data we hold is inaccurate or incomplete, you may request a correction. Where we have shared that data with a third party in the past 12 months, we will send the correction to them as well.
  • W
    Right to Withdraw Consent You may withdraw consent for any non-essential processing at any time with reasonable notice. We will inform you of any consequences (e.g., impact on ongoing therapy) before processing the withdrawal.
  • D
    Right to Data Portability Upcoming The PDPA’s Data Portability Obligation has been passed but not yet brought into force. When effective, you will be able to request that your data be transmitted to another organisation in a portable format.

To exercise any right, contact our Data Protection Officer (see Section 12). We may need to verify your identity before processing the request. We do not charge a fee for reasonable access requests.

Section 10

Do Not Call (DNC) Registry

Singapore’s DNC Registry allows individuals to opt out of receiving telemarketing calls, SMS, fax, and MMS messages from organisations. HIH complies fully with the DNC provisions of the PDPA.

Our DNC commitment

  • Before sending any marketing message to a Singapore telephone number (SMS, call, or fax), HIH checks the DNC Registry within the required 30-day window.
  • We will only send marketing communications to your phone number if: (a) your number is not registered on the DNC Registry, or (b) you have given us clear, explicit consent to receive such messages, regardless of registration status.
  • You may provide or withdraw marketing consent at any time via the HIH Consent Form or by contacting our DPO.
  • General appointment reminders, billing notifications, and clinical updates are operational communications, not marketing, and are not subject to DNC restrictions.
  • To register your number on the DNC Registry, visit www.dnc.gov.sg.
Section 11

Data breach notification

Under the PDPA 2020 amendments, organisations must notify the PDPC within 3 calendar days of becoming aware of a data breach that is likely to result in significant harm to individuals, or where 500 or more individuals are affected.

As a clinic serving children, HIH treats any breach of clinical or personal data as potentially significant. Our response process includes:

  • Immediate containment of the breach and assessment of scope
  • Notification to the PDPC within 3 days where the mandatory threshold is met
  • Direct notification to affected individuals (and their parents/guardians for children) as soon as practicable
  • Corrective action to prevent recurrence and documentation of the incident

If you believe your personal data held by HIH has been compromised, please contact our DPO immediately (Section 12).

Section 12

Contact our Data Protection Officer

Under the PDPA’s Accountability Obligation, HIH has designated a Data Protection Officer (DPO) responsible for ensuring compliance with the PDPA and serving as the first point of contact for all data protection matters.

GG

Gerald Goh

Data Protection Officer · Senior Occupational Therapist
Email [email protected]
Phone +65 6777 1322
Address 91 Tanglin Road, Tanglin Place #04-02, Singapore 247918
Response Within 3 business days for acknowledgement; 30 days for full response

For general information about your rights under the PDPA, you may also contact the Personal Data Protection Commission at www.pdpc.gov.sg or call 1800-PDPA-LAW (1800-7372-529).

This policy is reviewed annually and updated whenever significant changes to HIH’s data processing practices occur. The effective date at the top of this page reflects the most recent review.

Our Affiliated Centres
Inurture Land Inurture Land Visit Bridging Stars Bridging Stars Visit SpEd SG SpEd SG Visit