KIS is committed to maintaining high standards of confidentiality and privacy concerning the processing of personal data. This Policy sets out the obligations of KIS and its employees when processing personal data about individuals, as well as explain the rights parents, students and staff have as determined by applicable laws, including the Thailand Personal Data Protection Act BE 2562 (PDPA) and European Union (EU) General Data Protection Regulation (GDPR).
This policy applies to all personal data collected for or on behalf of the School whether in analogue form (documents and forms in writing) or digital form (such as information systems, databases and emails). As a functioning educational organization, the School needs to know the necessary personal data of parents, staff, service providers, volunteers, candidates and interns (such as but not limited to contact details, dates of birth, languages, gender, diplomas achieved, and criminal background checks) and students and alumni (including names, addresses, dates of birth, languages, academic progress, examination results and behaviour records). Personal data can also include medical data, CCTV footage, photos and video recordings.
The Legal Process for Processing Personal Data
Personal data will be collected, processed and stored for the enrolment and education of students, contacting parents or guardians, the employment of staff or the execution of contracts and agreements with the School. This is in accordance with the lawful basis provided under the PDPA and the GDPR, that such processing is necessary for the performance of the contracts or agreements to which parents, staff, service providers, volunteers, candidates and interns are party with the School, or in order to take steps upon their explicit request prior to entering into such a contract or agreement with them.
There are further lawful bases for collecting and processing personal data. These include that the School has legitimate interests in providing children with an education, safeguarding and promoting the welfare and facilitating the efficient operation of the School, without any adversarial effect on children, and protecting vital interests to prevent injury or harm. It may also process personal data to meet a legal obligation or if it is acting in the public interest.
How is Personal data used?
KIS may use the personal data provided in many ways including the following:
- to undertake and manage the School admissions and enrollment
- to provide a safe learning environment
- to comply with child protection requirements
- to support and enable the academic, pastoral and personal objectives of students, including the monitoring and reporting process
- to provide support and care for emotional and psychological well-being (pastoral and counselling)
- to protect the health and safeguard the parents, students, staff, service providers, volunteers and interns.
- to provide a tailored learning environment and make evidence-based educational decisions for the students we serve
- to enable students to continue or progress their education at other educational organizations
- to support and develop staff in the performance of their duties
- for financial reasons to help in future planning and resource investment purposes
- to meet statutory reporting requirements
- to help investigate any concerns or complaints which parents, students, staff, service providers, volunteers and interns may have
- to communicate with parents, students, staff, service providers, volunteers and interns
In the course of its processing, the personal data may be disclosed to third parties to protect students’ vital interests (e.g. where students and/or staff are away on trips or sporting activities). Such third parties may be located both within and outside Thailand or the EU. Third parties who are located in Thailand and the EU will only have access to personal data where the law allows them to do so.
Where personal data is disclosed to third parties located in countries outside Thailand and the EU which do not ensure an adequate level of protection for personal data, the disclosure of such personal data will rely on the protection of the vital interests of students, parents, staff, service providers, volunteers, candidates and interns or explicit consent as set out in the PDPA and the GDPR respectively.
For the purposes of IT hosting and maintenance, data is located on servers within the School and where hosted external to the School, the appropriate protections are in place to evidence compliance with the PDPA and the GDPR Security of Processing measures.
Personal data will not be retained for longer than required for its processing and reasonable subsequent data retention, subject to any limitation periods provided by the law.
Why Personal Data is Collected and used
KIS collects and uses personal data to carry out the education services as described above. KIS does so under the legal basis that the processing is necessary for the performance of a contract or agreement.
In some circumstances, KIS may have to process personal data for other purposes that are not necessary for the performance of the contract. Where this is the case, KIS will either have a legitimate interest to do so, need to do so as there is a legal requirement, or that it is in the vital interests of the individual for the School to process or share the personal data. From time to time the school may ask for explicit consent to process or transfer data for reasons that sit outside those detailed herein.
Special Categories of Data
The education services require the school to collect and process special categories of data for safeguarding, the protection of vulnerable children, and the wellbeing of those within its care. KIS does not disclose or share special categories of data without explicit and unambiguous consent unless required to do so by law, or it is in the vital interests of an individual, or were not doing so would place someone else at risk.
Some categories of data such as ethnicity, age and gender may be used from time to time in forecasting and planning for educational service provision. If used in this way, personal data will be anonymised.
KIS may collect information in the form of CCTV to ensure the safety and security of parents, students, staff, service providers, volunteers and interns. The Data Subject has the right to access his/her images; parents also have the right to obtain images of their children. Access to these images can be requested through the School Data Protection Officer.
Personal data may be shared with or processed by a third party processor in the undertaking of a service or contract in the delivery of the education services provided by KIS. It may also be shared with other organizations such as IB, CIS, other schools (for trips, sports and activities), government organizations, police, health and social care. Sharing personal data will take place where KIS is required to do so by law, or where the School has explicit consent to do so or to protect the vital interests of the individual.
The categories of personal data that are collected, held and shared include:
- personal information (such as name, ID number and address)
- special categories of data (such as medical data, race, gender)
- other relevant categories for the performance of KIS’ services (such as assessment, student special educational needs, behavioural information and psychological reports and assessments)
- attendance information (such as sessions attended, number of absences and absence reasons)
- logging and audit in the use of IT systems and education technology apps, applications and cloud-based systems
Examples of who KIS may share data with:
- schools, colleges or universities that the students attend after leaving KIS
- local education authorities, family nurses, doctors or social service organizations where sharing is in the vital interests of the individual, or where not sharing could have a negative impact on the individual providers of information systems that are necessary for the School to deliver the admissions, administration, teaching and learning, pastoral development, and child protection services
- companies that provide school services, such as caterers for school meals, bus companies for the school bus service and travel companies whenever they are used to organize trips. The School will only share personal data if there is a lawful basis to do so.
Transferred to Third Party Countries
Personal data may be transferred to organizations outside the country for student applications for college or university. Various teaching and learning applications are also based outside the country. As stated above, the School ensures that organizations outside the country who receive or process personal data are compliant with the PDPA and GDPR regulations, or that a legal basis for transferring data, such as the explicit consent or the vital interest of the child, is met.
Publications of Photos and Videos by the School
Photos and videos are essential media that significantly enhance communication about the School’s programmes and activities to the KIS community, prospective families, alumni, and the general public. For this reason, the School uses such media on its website, blogs, in its print publications, press releases, and articles for external publications. Furthermore, photos and videos are also created for educational purposes by students and teachers and play an essential role in the instructional programme.
As members of the KIS community, parents, students, staff, service providers, volunteers and interns may be filmed or photographed. These images may be used for both educational and promotional purposes.
We are conscious and respectful of the privacy of all KIS community members, and therefore the publication of these images takes place under the following conditions:
Publications destined for the general public, including the KIS public website, School publications, press releases and articles: individuals will not be identified by name in photos or video clips without prior agreement. Students who take part in School productions such as plays, concerts or other events that are open to the general public and which are publicized outside the School may be identified by name in photos or video clips that are published by the School.
Publications destined for the KIS community, including the password-protected portals and School Yearbook and School Newsletter: students, parents, staff, service providers, volunteers and interns may be identified by name in images found in publications such as the KIS Yearbook, School Newsletter or other in-house documents. On the password-protected portals, individuals may be identifiable by name. Images and video clips that appear on these pages may identify students, parents, staff, service providers, volunteers and interns either directly or indirectly depending on their context. These pages are password protected and only available to members of the KIS community.
Collecting Data and Consent
While the majority of data provided to KIS are required for the performance of a contract, agreement or by law, some of it is provided on a voluntary basis. To comply with the PDPA and the GDPR, KIS will inform parents, staff, service providers, volunteers and interns when consent is required to process the data. Where consent is provided, parents, staff, service providers, volunteers and interns are free to withdraw consent at any time.
Storing Data and Data Retention
KIS will retain personal data for as long as required by law or best educational practice. KIS retains personal data after parents, students, staff, service providers, volunteers and interns have left KIS to provide traceability. It is widely accepted that a School should hold data on the achievements and experiences of a child for their benefit in later life should they need to access that information. Subject to appropriate safeguards, KIS may keep some information during a more extended period if needed for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.
For the time that KIS stores and uses personal data, the School will ensure the appropriate security of this personal data including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures.
The School’s IT systems profile the use, access and content of all users. The profiling enables identification of safeguarding and child protection risks or concerns, on the basis of your explicit consent. Some education apps profile the behaviour, use and outcomes of children. The School has an internal process to assess the impact of this on students. In evaluating the use of these apps, the School will consider the benefit gained from using it for the student to learn, develop and explore, against the negatives identified from profiling.
Rights over Personal Data
KIS parents, staff, service providers, volunteers, interns, and in some instances, students have the following rights on their personal data:
- Right to be informed on the purpose of the collection, the data retention period, and the rights of the data subject;
- Right of access or request a copy of his/her personal data that the School collects, uses, and discloses;
- Right to rectification of his/her incomplete, inaccurate, misleading, or not up-to-date data that the School collects, uses, and discloses rectified;
- Right to be forgotten or to have personal data erased, blocked or destroyed in certain circumstances;
- Right to object/opt-out to certain collection, use, and disclosure of his/her personal data such as objecting to direct marketing;
- Right to restrict the processing of personal data that is likely to cause, or is causing, damage or distress;
- Right to withdraw consent at any time for the purposes that he/she has consented to the collecting, using, and disclosing of his/her personal data;
- Right of data portability or to obtain the personal data that the School holds about him/her, in a structured, electronic format, and to send or transfer such data to another data controller, where this is: a) personal data which the data subject has provided to the School; and b) if the School is processing such data on the basis of consent or to perform a contract with the data subject;
All KIS community members including parents, staff, service providers, volunteers, interns, and in some instances, students are expected to comply with the School’s policy to the highest standards. If any KIS community member is found to have breached this policy, they may be subject to the School disciplinary procedure. If a criminal offence is considered to have been committed, further action may be taken to assist in the prosecution of the offender(s).
Data Subjects who wish to complain to the School about how their personal information has been processed may lodge their complaint with the School Data Protection Officer (DPO).
Data Protection Officer
You may contact KIS Data Protection Officer if you have any questions or feedback relating to this Personal Data Protection Policy, or if you wish to make any request at the details below:
Adopted: June 2021
Approved by the KIS Executive Board, June 2021