VERSO International School:
Data Protection Policy
This policy sets out the expectations of how VERSO International School (VERSO) will collect, process, secure and protect personal data. It also outlines the standards that must be adhered to for compliance with data protection legislation.
At VERSO International School (VERSO), we acknowledge the importance of data protection and recognize that individuals have rights in respect of the Personal Data we handle, in accordance with the Personal Data Protection Act ("PDPA").
During the course of our business activities, we will collect, store and process personal data. We will endeavor to treat this data in accordance with legal safeguards and in a manner consistent with the high standards individuals have come to expect from our organization.
All our staff members are required to comply with this Data Protection Policy when processing Personal Data as part of their role. Failure to comply with this policy may lead to disciplinary action.
The School Leadership Team is responsible for ensuring compliance with this policy in their respective areas of responsibility.
This policy is overseen by our Data Protection Officer who may be contacted at this email address email@example.com.
This Data Protection Policy applies in respect of all the Personal Data we process about our current, past and prospective students (and their parents/carers), our current and former staff members, our suppliers and any third parties we communicate with.
This policy sets out how we will process Personal Data. The following policies and notices are also relevant for this purpose:
For the purposes of this policy, the following terms apply:
Data Controller means the organization which determines the purposes for processing Personal Data and the manner in which that processing will be carried out. In most cases, VERSO will be the Data Controller of the Personal Data it collects and uses as part of its business activities.
Data Processor means the organization or person that processes Personal Data on our behalf and in accordance with our instructions, such as suppliers and contractors. Our staff members are not Data Processors.
Data Subjects are all living individuals about whom we hold Personal Data.
Personal Data means any information relating to a living individual who can be identified from that information or from any other information we may hold. Personal Data can include names, identification numbers, addresses (including IP addresses), dates of birth, financial or salary details, education background, job titles and images. It can also include an opinion about an individual, their actions or their behavior. Personal Data may be held on paper, in a computer or any other media whether it is owned by the organization or a personal device.
Sensitive Personal Data is special category data that is more sensitive, and includes information revealing an individual's racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership. It will also include data concerning health (physical and/or mental health), criminal records data concerning a person’s sex life or sexual orientation, and genetic and biometric information where that data is used to uniquely identify a person.
Processing means any activity which is performed on Personal Data or Sensitive Personal Data. It includes the collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, restriction, erasure or destruction of data.
VERSO is responsible for and must be able to demonstrate that Personal Data is being processed in accordance with the principles of VERSO International School and the Thai Personal Data Protection Act ("PDPA").
The principles of data protection under which we operate are:
Principle One: Lawfulness, Fairness & Transparency
Personal Data must be processed lawfully, fairly and in a transparent manner.
In order to comply with this principle, we will ensure that we only process Personal Data where we are lawfully permitted to do so. We will be open and honest with individuals about the data we collect, why we use it, and which lawful basis justifies that use. We will do this via privacy notices, whether or not we collect information directly from the individuals concerned.
In addition, for each processing activity that we undertake, we will consider how that processing affects the individuals concerned.
In order to process personal data lawfully, we will ensure that at least one of the following lawful bases applies:
In order to process sensitive personal data lawfully, we will ensure that one of the following exemptions applies:
Principle Two: Purpose Limitation
Personal Data should be collected for specified, explicit and legitimate purposes and not further processed in a manner incompatible with those purposes.
In order to comply with this principle we will only process Personal Data for the specific lawful purposes set out in our Record of Processing Activity and Privacy Notices, unless we are specifically permitted to process the data by law.
Principle Three: Data Minimization
Personal Data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
In order to comply with this principle, the data we collect will be sufficient to fulfil the purpose of collection (adequate), there will be a rational link between that data and the purpose (relevant) and we will only collect the Personal Data we need to fulfil the specific purpose we have collected the data for.
Principle Four: Accuracy
Personal Data shall be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that Personal Data that is inaccurate, having regard to the purposes for which they are processed, is erased or rectified without delay.
In order to comply with this principle, we will ensure that all Personal Data is kept up to date and is accurate. We have appropriate processes in place to check the accuracy of the data we collect and the sources of data are always recorded. We will also comply with an individual’s right to rectification (see below) and we will carefully consider any challenges to the accuracy of the Personal Data.
Principle Five: Storage limitation
Personal Data shall be kept in a form which permits identification of Data Subjects for no longer than is necessary for the purposes for which the Personal Data are processed.
In order to comply with this principle, we will only keep Personal Data for as long as we need it and we will take all reasonable steps to destroy or erase all data which is no longer required. Personal Data will be kept in accordance with our Retention Policy to ensure that data is not kept any longer than necessary and we will ensure that individuals understand the duration for which their Personal Data will be held.
Principle Six - Integrity and confidentiality
Personal Data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures.
In order to comply with this principle, we will ensure that we have appropriate organizational and technical measures in place to safeguard the security of the Personal Data we process. This includes ensuring the confidentiality, integrity and availability of the systems and services used to process the Personal Data.
We will ensure that we have appropriate security measures in place to protect Personal Data against unlawful or unauthorized processing, and accidental loss or destruction.
In accordance with Principle Six (Integrity and Confidentiality, above):
Our security measures include:
Where we collect Personal Data directly from individuals or via a third party source, we will inform those individuals about the use of their data through our Privacy Notices, which will include the following details:
We recognize that Data Subjects have a number of rights regarding our use of their Personal Data, some of which are subject to conditions. All requests will be dealt with by our Data Protection Officer in accordance with our Information Rights Policy.
Right of access (commonly referred to as a subject access request)
This gives individuals the right to ask us about the Personal Data we use about them. This can include what we use it for, who we share it with, how long we store it and where we have obtained it from. Individuals can also ask for a copy of their personal data.
Right to rectification
This gives individuals the right to ask for inaccurate Personal Data to be corrected or for incomplete Personal Data to be completed.
Right to erasure (‘right to be forgotten’)
This gives individuals the right to ask for their Personal Data to be erased but the obligation for us to erase Personal Data only applies in certain circumstances.
Right to object
This gives individuals the right to ask us not to use their Personal Data. This will include the use of their data for direct marketing, or where automated decisions have been made about them .
Right to data portability
This gives individuals the right to ask us to transfer any personal data held in a structured electronic format to another data controller where the personal data has been provided to us by the data subject, and if we are processing such data on the basis of consent or to perform a contract with the data subject.
If we are unable to comply with a request then we will clearly inform Data Subjects about the reasons why. We will keep a record of reasons why access to records have been denied.
We will only transfer Personal Data to a Data Processor where they have provided us with sufficient guarantees that they will protect the data in compliance with data protection legislation and in line with our expectations. We will also ensure that these requirements are governed by contract or other legally binding agreement.
We will also enter into Data Sharing Agreements with other Data Controllers, where this is considered appropriate.
We do not encourage the retention of any Personal Data for any longer than necessary, in accordance with Principle Five (Storage Limitation, above). We will ensure that all Personal and Sensitive Personal Data is disposed of in a way that protects the privacy of Data Subjects.
We will retain a Retention Schedule that details the specific types of information we handle and the appropriate periods for retention.
We will manage data protection incidents in accordance with the process set out in our Incident Management Policy. As part of this process, we require all our staff members to follow specific guidelines on reporting data incidents, including completing a data incident form which we will investigate and log.
We may carry out a Data Protection Impact Assessment when the processing of Personal Data is likely to result in a high risk to the rights and freedoms of individuals. This process is designed to identify the nature of the risks so that mitigating actions can be taken to reduce or eliminate these risks.
We use CCTV in accordance with our CCTV Policy to ensure any images we collect and use are handled appropriately.
The name and address of our school, as the Data Controller:
VERSO International School
198 Moo 4, Soi Sarasetthasiri Suvarnabhumi 3 Road
Bangchalong Bang Plee, Samut Prakan 10540
Phone: +66 02 080 6200
The contact details of our Data Protection Officer: firstname.lastname@example.org