The term “Personal Data” refers to any information which identifies you or can be used to identify a data subject when used in conjunction with other information.
The term “Data Subject” describes the person whom the personal data is about.
The term “PDPA” describes Personal Data Protection Act B.E. 2562 of Thailand.
The term “Data Controller” will be regarded as Raffles American School and/or the Raffles American School Foundation.
The term “Data Protection Officer” or “DPO” refers to the assigned person in the school whose responsibility is to ensure processes and procedures are in compliance with PDPA.
The term “Process” describes how we collect, use, store or disclose personal data directly from the data subject concerned (or often in the case of students, from their parents). In some cases, we collect data from third parties (e.g. referees/references, previous schools) or from publicly available resources. When we process any personal data (sensitive/special category or otherwise), we do so in accordance with applicable law and regulations (including with respect to safeguarding or employment). Personal data held by the school is processed by appropriate members of staff for the purposes for which the data was provided.
Raffles American School and the Raffles American School Foundation (hereafter referred to as “RAS” or “the school”) care about the data privacy of all members of our community, staff, students, and parents. We therefore provide this data privacy notice to inform our policy in relation to the individual (“you” or “Data Subject”) in accordance with the PDPA.
The purpose of this data privacy notice is to provide detailed information about how we process personal data. The personal data we process takes different forms as described in item 5) of this document. For example, we use the data:
- To assess and manage applications for students’ admission.
- To facilitate provision of education and enrichment to our students, including the administration of our curriculum; monitoring student academic progress and educational needs, reporting on the same internally and to parents; administration of students’ entries to public examinations, and providing references for students (including after a student has left the school).
- To provide extracurricular activities and related services to students.
- To provide safeguarding of students’ welfare and provision of pastoral care, health care services and other support.
- To provide a safe and secure environment for students, staff, and visitors to the school.
- To communicate with parents/legal guardians regarding student wellbeing and other relevant matters.
- To contact parents/guardians/employers (as applicable) for billing and other finance-related purposes.
- To share school newsletters, updates, and other marketing-related information.
- To facilitate parents’ participation, we share data with the parent-teacher association.
- To assess and improve the quality of our educational services.
- To comply with legal and regulatory requirements.
- To meet the school’s operational management, including the compilation of student records; the administration of invoices, fees and accounts; the management of school property; the management of security and safety arrangements and monitoring of the school’s IT and communication systems; the administration and implementation of our school’s rules and policies for students and staff; and the maintenance of historic archives.
- To meet staff administration, including the recruitment of staff/engagement of contractors; administration of payroll, pensions, and sick leave; review and appraisal of staff performance; conduct any grievance, capability or disciplinary procedures; and the maintenance of appropriate human resources records for current and former staff; and providing references.
- To analyze website traffic, demographics, and behavior using analytical tools and cookies.
- To promote the school through our website, our prospectus and other publications and communications, including through our social media accounts.
- To maintain relationships with our alumni and former employees.
- For keeping a record of historical and memorable events relevant to the maintenance of historical records.
On a regular basis we take photographs, video, and audio recordings (digital media) of our students’ learning. Our lawful basis for processing this information is consent and/or legitimate interests. Our legitimate interest in using this digital media is for classroom displays, to celebrate student achievement and to promote the school through our school publications and media channels. We follow our Safeguarding Policy regarding media comprising students that is shared on school media channels.
We take appropriate technical steps to ensure the security and integrity of personal data about individuals, including policies around use of technology, security appliances and devices, with authorized account management for users to access our school’s information system. Additionally, the school’s information systems can be managed and operated by third party cloud-based providers.
This data privacy notice applies to:
- Staff (Academic and Business) or individuals employed by RAS in any capacity, including full-time and part-time employees.
- Students that are current, prospective, or prior students enrolled at the school.
- Parents that are current, prospective, or prior parents, and/or legal guardians, of a student(s) at RAS.
- Third parties that are referred to as individuals or organizations that are not affiliated with or employed by the school.
Please note that some of the web links on our platforms may lead to third party platforms. If you access these platforms your personal data will then be processed under the third party’s terms & condition policy. Please make sure that you have read those related data privacy notices when accessing such platforms.
4.1. How we collect, use, or disclose your personal data
We process your personal data where it is necessary and there is a lawful basis for collecting or disclosing it. This includes where we collect, use, or disclose your personal data based on the legitimate grounds of our legal obligations, performance of a contract you have with us, our legitimate interests, performance under your consent and other lawful basis. Reasons for collecting, using, or disclosing are provided below:
4.1.1. Our legal obligation
We are regulated by laws, rules, regulations, and government regulatory authorities. To fulfil our legal and regulatory requirements with these authorities it is necessary to collect, use or disclose your personal data for the following purposes, which include but are not limited to:
a) Compliance with the PDPA and any amendment to the law thereafter;
b) Compliance with laws (e.g. school child safeguarding laws; and other laws to which we are subject both in Thailand and in other countries), including conducting identity verification, criminal background checks, other checks and screenings (including screening against publicly available database of regulatory authorities and/or official sanctions lists), and ongoing monitoring that may be required under any applicable laws;
c) Compliance with regulatory obligations and/or orders of authorized persons (e.g. orders by any court of competent jurisdiction or of governmental, supervisory or regulatory authorities or authorized officers).
4.1.2. Contract made by you with us
We will process personal data with the request and/or agreement made by you with us, for the following purposes, which include but are not limited to:
- Process your request prior to entering into an agreement, consider for approval in relation to the provision of our services, and deliver products, including any activities that if we do not proceed, then our operations or our services may be affected or may not be able to provide you with fair and ongoing services.
- Authenticate when entering or executing any transactions.
- Carry out your instructions (e.g. to debit amounts from bank accounts, or respond to your enquiries); provide online training, and other online learning platforms.
- Track or record your transactions.
- Produce transaction reports requested by you or for our internal usage reports.
- Notify you with transaction alerts and notify the due date of the school’s fees and services.
- Proceed with any acts relating to insurance policy or claim for compensation (e.g. proceed with or monitor any claim under your insurance policy, claim against third party).
4.1.3. Our legitimate interests
We rely on our legitimate interests, balancing our benefits or a third party’s benefits with your fundamental rights in personal data, when we collect, use, or disclose it for the following purposes, which include but are not limited to:
- Conduct our school operations (e.g. to audit, to conduct risk management, to monitor, prevent, and investigate misconduct, or other crimes, including but not limited to carrying out the criminal record checks of any persons related to our school).
- Conduct our management relationships (e.g. to serve parents and students, to conduct parent/student surveys, to handle complaints).
- Ensure our standard security services (e.g. to maintain body temperature checks, CCTV footage records, to register, exchange identification cards and/or take photo of visitors before entering our school campus, to monitor network activity logs and security incidents).
- Ensure school provided medical services to students and staff.
- Develop and improve our school communication, services, and systems to enhance our service standards.
- Use your personal data for the greatest benefits in fulfilling your needs, including to conduct research, analyze data and benefits suitable to you by considering the fundamental rights of your personal data.
- Record images and/or voices or videos in relation to meetings, teaching, training, seminars, or marketing activities.
4.1.4. Your consent
Under PDPA, the rights belong to the individual to whom the data relates (“Data Subject”). However, where consent is required as the lawful basis for processing personal data relating to students, we often rely on parental consent, unless, given the nature of the processing in question and the student’s age and level of understanding, it is more appropriate to use student consent. Parents should be aware that in such situations, they may not be consulted, depending on the interests of the child, the parent’s rights at law or under their contract, and considering all the relevant circumstances.
In general, we will assume that student consent is not required (and that other lawful bases are more appropriate, as described above) for ordinary disclosure of their personal data to their parents, e.g. for the purposes of keeping parents informed about the student’s activities, progress and behaviour, and in the interest of the student’s welfare, unless in the school’s opinion, there is a good reason to do otherwise.
However, where a student seeks to raise concerns confidentially with a member of staff and expressly withholds their agreement to their personal data being disclosed to their parents, we may be under obligation to maintain confidentiality unless, in our opinion, there is a good reason to do otherwise; for example, where the school believes disclosure will be in the best interests of the student or other students or is required by law.
In certain cases, we may ask for your consent to collect, use or disclose your personal data to maximize your benefits and/or to enable us to provide services to fulfil your needs for the following purposes, which include but are not limited to:
- Collect and use your sensitive personal data as necessary (e.g. to use face recognition or your identification card photo (which contains your sensitive personal data, namely religion and/or blood type) for verification of your identity before continuing a transaction).
- Collect and use your personal data and any other data to conduct research and analyze for the greatest benefits in developing products and services to truly fulfil your needs and/or to contact you for offering products, services, and benefits exclusively suitable to you.
- Send or transfer your personal data overseas, to entities that have adequate personal data protection standards (unless the PDPA specifies that we may proceed without obtaining consent).
- Disclose your personal data and any other data as shown on the school’s website and/or our trusted business partners for the following purposes: (1) conducting research and analyzing your web application access and other personal data and any other data for the greatest benefits in developing products and services to truly fulfil your needs; and (2) contacting you for offering products, services, and benefits exclusively suitable to our students.
4.1.5. Other lawful basis
Apart from the lawful bases mentioned above, we may collect, use, or disclose your personal data based on the following lawful bases:
- Prepare historical documents or archives for the public interest, or for purposes relating to research statistics.
- Prevent or suppress a danger to you or another person’s life, bodily harm, or physical/mental health.
- Necessary to carry out a public task, or for exercising official authority.
If the personal data we collect from you is required to meet our legal obligations or to enter into an agreement with you, we may not be able to provide (or continue to provide) some or all the school’s products or services to you if you do not provide such personal data when requested.
5.0 What personal data we collect, use, or disclose
The types of personal data, namely personal data and sensitive personal data, that we collect, use, or disclose vary depending on the scope of products and/or services that you may have used or had an interest in. The types of personal data include but are not limited to:
| # | Category | Example of personal data |
|---|---|---|
| 1 | Personal details | First name, middle name, last name, nickname (if any), Gender, Date of birth, Age, Educational background, Nationality |
| 2 | Contact details | Mailing address, E-mail address, Phone number, Name of representatives or authorized persons acting on your behalf, Social media accounts |
| 3 | Identification and authentication details | ID card, photo, Identification number, Passport information, Birth Certificate/Alien ID information, Driving license, Signatures |
| 4 | Employment details | Occupation, Employer’s details and workplace, Position, Salary/ income/ remuneration |
| 5 | Financial details and information about your relationship with us | Information about your Banking transactions |
| 6 | Geographic IT information and information about your device and software | Your GPS location, IP address, Computer Name, Hostname, MAC Address, Other IT Technical details that are uniquely identifying data |
| 7 | Investigation data | Data for due diligence checks |
| 8 | Survey research, marketing research information | Parents, Student, Health & Safety survey, Information and opinions expressed when participating in the school’s market research, Details of services you receive and your preferences |
| 9 | User login and subscription data | Login information for using the school website, Other applications used by the school, Other subscriptions used by the school. |
| 10 | Information concerning security | CCTV images, Video or Audio recordings, Visual images, Personal appearance, Body Temperature Sensor with Face capture, Detection of any suspicious and unusual activity via Drone |
| 11 | Sensitive Personal Data | Racial or Ethnic Origin, Political Opinions, Cult, Religious or Philosophical Beliefs, Sexual Behavior, Health Data, Disability, Trade Union Information, Genetic Data, Biometric Data, Child Safeguarding Records, Criminal Records |
| 12 | Other information | Records of correspondence and other communications between you and us, Information that you provide us through any other channels, Information about insurance policy and claim for your compensation |
6.0 Sources of your personal data
Normally, we will collect your personal data directly from you, but sometimes we may get it from other sources; in such cases we will ensure compliance with the PDPA. Personal data we collect from other sources may include but is not limited to:
- Information obtained by us from other schools, financial institutions, business partners, and/or any other persons with whom we have a relationship;
- Information obtained by us from persons related to you (e.g. your family, friends, referees);
- Information obtained by us from corporate customers as you are a director, authorised person, attorney, representative or contact person;
- Information obtained by us from governmental authorities, regulatory authorities, financial institutions, credit bureau and/or third-party service providers;
- Information obtained by us from insurance companies and/or other persons in relation to insurance policy or claim for compensation;
- Information obtained by us from publicly available resources.
7.0 Your rights
You can exercise your rights under the PDPA as specified below, through the channels prescribed by us at our contact details (see Section 14).
7.1 Right to access and obtain a copy
You have the right to access and obtain a copy of your personal data held by us, unless we are entitled to reject your request under the law or a court order, or if such request will adversely affect the rights and freedoms of other individuals.
7.2 Right to rectification
You have the right to rectify your inaccurate personal data and to update incomplete personal data related to you.
7.3 Right to erasure
You have the right to request us to delete, destroy or anonymise your personal data, unless there are circumstances where we have the legal grounds to reject your request.
7.4 Right to restrict
You have the right to request us to restrict the use of your personal data under certain circumstances. For example, during the investigation of your request to rectify your personal data or to object to the collection, use or disclosure of your personal data, or when you request restriction of the use of personal data instead of its deletion or destruction where the data is no longer necessary, as you need it retained for the purposes of establishment, compliance, exercise of protection of legal claims.
7.5 Right to object
You have the right to object to the collection, use or disclosure of your personal data in case we proceed on the basis of legitimate interests, or for the purpose of direct marketing, or for the purpose of scientific, historical or statistical research, unless we have legitimate grounds to reject your request. For example, we have compelling legitimate grounds to collect, use or disclose your personal data, or the collection, use or disclosure of your personal data is carried out for the establishment, compliance, or exercise of legal claims, or for the reason of our public interests.
7.6 Right to data portability
You have the right to receive your personal data in a format which is readable or commonly used by ways of automatic tools or equipment and can be used or disclosed by automated means. Additionally, you have the right to request us to send or transfer your personal data to a third party, or to receive your personal data which we sent or transferred to a third party, unless it is impossible to do so because of the technical circumstances, or we are entitled to legally reject your request.
7.7 Right to withdraw consent
You have the right to withdraw your consent that has been given to us at any time pursuant to the methods and means prescribed by us unless the nature of consent does not allow such withdrawal. The withdrawal of consent will not affect the lawfulness of the collection, use, or disclosure of your personal data based on your consent before it was withdrawn. You can review and change your consent to use or disclose your personal data for marketing purposes through channels as specified in Section 14 below.
7.8 Right to lodge a complaint
You have the right to make a complaint to the competent authority where you believe that the collection, use and disclosure of your personal data is unlawful or non-compliant with the PDPA.
8. How we share your personal data
We may disclose your personal data to the following parties under the provisions of the PDPA:
- Our RAS business partners and/or other persons that we have a legal relationship with, including our directors, executives, staff, contractors, representatives, advisors.
- Government authorities and/or supervisory or regulatory authorities.
- Suppliers, agents and other entities (e.g. professional associations to which we belong, external auditors, depositories, document warehouses, overseas financial institutions) where the disclosure of your personal data has a specific purpose and under lawful basis, as well as having appropriate IT security measures.
- Special requests from legal authorities such as police, lawyers, courts, authorities or any persons with whom we are required or permitted by law, regulations, or orders to share such personal data.
- Social media service providers (in a secure format) so they can display relevant messages to you and others on our behalf about our products and/or services.
- Third-party security service providers.
- Other persons that provide you with benefits or services associated with your services. For example, insurance agents or insurance companies who provide insurance coverage for the school.
- Our attorney, sub-attorney, your authorised persons, or legal representatives who have lawfully authorised power.
- Financial institutions on payment details to facilitate payment transactions.
- External health or medical providers on health data.
- Safeguarding information can be shared with external safeguarding professionals where necessary.
- Parental requests to provide references, recommendations, reports or transcripts to a new school or university.
- Enabling the performance of the contract between parents and the school.
- Data Processors such as EdTech providers and other parties assisting with the provision of education and support services.
- Other schools or organisations for references or educational information.
9. International transfer of personal data
When it is necessary for us to send or transfer your personal data internationally, we will always exercise our best effort to have your personal data transferred to our reliable business partners, service providers or other recipients by the safest method to maintain and protect the security of your personal data, which includes the following circumstances:
- Comply with our legal obligation.
- Inform you of the inadequate personal data protection standards of the destination country and obtain your consent in compliance with the PDPA.
- Perform the agreement made by you with us or your request before entering into an agreement.
- Comply with an agreement between us and other parties for your own interest.
- Prevent or suppress a danger to your or other persons’ life, bodily harm or your health if you are incapable of giving consent at such time.
- Carry out activities relating to the substantial public interest in compliance with the PDPA.
10. Retention period of personal data
All personal data is securely stored in accordance with the PDPA requirements. We retain your personal data only for legitimate purposes, relying on one or more of the lawful bases as set out above, and only for so long as necessary for those purposes, or as required by law.
The period we keep your personal data will be linked to the prescription period or the period under the relevant laws and regulations (e.g. Accounting Laws, Tax Laws, Labour Laws and other laws to which we are subject both in Thailand and in other countries). In addition, we may need to retain records of CCTV surveillance in our school campus to ensure security, including investigating suspicious activities of which related persons may inform us in the future.
12. Use of personal data for original purposes
We are entitled to continue collecting and using your personal data, which has previously been collected by us before the enactment of the PDPA in relation to the collection, use and disclosure of personal data, in accordance with the original purposes.
We endeavour to ensure the security of your personal data through our internal IT security measures and strict policy enforcement. The measures extend from data encryption to firewalls. We also require our staff and third-party contractors to follow our applicable IT security standards and policies and to exercise due care and measures when using, sending, or transferring your personal data.
14. How to contact us
If you wish to exercise any of your rights under the PDPA for which we are the data controller, please make your request by emailing our Data Protection Officer and following up with a written request with your identification documents at the school as detailed below:
The Data Protection Officer