The term “Personal Data” refers to any information which identifies you or can be used to identify a data subject when used in conjunction with other information.
The term “Data Subject” describes the person about whom the personal data is about.
The term “PDPA” describes Personal Data Protection Act B.E. 2562 of Thailand.
The term “Data Controller” will be regarded as NIST International School.
The term “Data Protection Officer” or “DPO” refers to the person in the school whose responsibility is to ensure processes and procedures are in compliance with PDPA.
The term “Process” describes how we collect, use, store or disclose personal data directly from the data subject concerned (or often in the case of students, from their parents). In some cases, we collect data from third parties (e.g. referees/references, previous schools) or from publicly available resources. When we process any personal data (sensitive/special category or otherwise), we do so in accordance with applicable law and regulations (including with respect to safeguarding or employment). Personal data held by the school is processed by appropriate members of staff for the purposes for which the data was provided.
- Staff (Faculty and Support) or individuals employed by NIST in any capacity, including full-time and part-time employees;
- Students that are current, prospective, or prior students enrolled at the school;
- Parents that are current, prospective, or prior parents, and/or legal guardians, of a student(s) at NIST;
- Third parties that are referred as individuals or organizations that are not affiliated with or employed by the school, such as vendors.
NIST International School (hereafter referred to as “NIST” or “the school”) cares about the data privacy of all members of our community, staff, students, and parents. We also strive to comply with our legal obligations and to that end work to establish processes that align and support the laws and regulations of the Kingdom of Thailand. We therefore provide this data privacy notice to inform our policy in relation to the individual (“you” or “Data Subject”) in accordance with the PDPA.
The purpose of this data privacy notice is to provide detailed information about how we process personal data. The personal data we process takes different forms as described in item #5 of this document. For example, we use the data:
To assess and manage applications for students’ admission to the school, so as to identify students who are mission fit and are likely to thrive in the NIST environment;
- To facilitate provision of education and maximize the learning of our students, including the administration of our curriculum; monitoring student academic progress and educational needs, reporting on the same internally and to parents; administration of students’ entries to examinations, and providing references for students (including after a student has left the school);
- To provide the provision of extracurricular activities and related services to students;
- To provide safeguarding of students’ welfare and provision of pastoral care, health care services and other support;
- To provide a safe and secure environment for students, staff, and visitors to the school;
- To communicate with parents/legal guardians regarding student wellbeing and other relevant matters;
- To contact parents/guardians/employers (as applicable) for billing and other finance-related purposes;
- To meet the school’s operational management, including the compilation of student records; the administration of invoices, fees and accounts; the management of school property; the management of security and safety arrangements and monitoring of the school’s IT and communication systems; the administration and implementation of our school’s rules and policies for students and staff; and the maintenance of historic archives;
- To enable staff administration, including the recruitment of staff/engagement of contractors; administration of payroll, pensions, and sick leave; review and appraisal of staff performance; conduct any grievance, capability or disciplinary procedures; and the maintenance of appropriate human resources records for current and former staff; and providing references;
- To ensure compliance with all relevant legal and regulatory requirements of the Kingdom of Thailand;
- To facilitate parents’ participation, we share data with NIPTA, the school’s parent teacher association;
- To share school newsletters, updates, and other marketing-related information.
- To assess and improve the quality of our educational services;
- To analyze website traffic, demographic, and behavior using analytical tools and cookies;
- To promote the school through our website, our prospectus and other publications and communications, including through our social media accounts;
- To maintain relationships with our alumni and former employees;
- For keeping a record of historical and memorable events relevant to the maintenance of historical records.
On a regular basis we take photographs, video, and audio recordings (digital media) of our students’ learning. Our lawful basis for processing this information is consent and/or legitimate interest. Our legitimate interest in using this digital media is for displays, to celebrate student achievement and to promote the school through our school publications and media channels. We follow our Safeguarding Policy regarding media comprising students that is shared on school media channels.
4.1. How we collect, use, or disclose your personal data
We process your personal data where it is necessary and there is a lawful basis for collecting or disclosing it. This includes where we collect, use, or disclose your personal data based on the legitimate grounds of our legal obligations, performance of a contract you have with us, our legitimate interests, performance under your consent and other lawful basis. The reasons for collecting, using, or disclosing are provided below:
4.1.1. Our legal obligation
We are regulated by laws, rules, regulations, and government regulatory authorities. To fulfill our legal and regulatory requirements with these authorities it is necessary to collect, use or disclose your personal data for the following purposes, which include but are not limited to:
a) Compliance with the PDPA and any amendment to the law thereafter;
b) Compliance with laws (e.g. school child safeguarding laws; and other laws to which we are subject both in Thailand and in other countries), including conducting identity verification, criminal background checks, other checks and screenings (including screening against publicly available database of regulatory authorities and/or official sanctions lists), and ongoing monitoring that may be required under any applicable laws;
c) Compliance with regulatory obligations and/or orders of authorized persons (e.g. orders by any court of competent jurisdiction or of governmental, supervisory or regulatory authorities or authorized officers).
4.1.2. Contract made by you with us
We will process personal data with the request and/or agreement made by you with us, for the following purposes, which include but not limited to:
- Process your request prior to entering into an agreement, consider for approval in relation to the provision of our services, and deliver products, including any activities that if we do not proceed, then our operations or our services may be affected or may not be able to provide you with fair and ongoing services.
- Authenticate when entering or executing any transactions;
- Carry out your instructions (e.g. to debit amounts from bank accounts, or respond to your enquiries); provide online training, and other online learning platforms;
- Track or record your transactions;
- Produce transaction reports requested by you or for our internal usage reports;
- Notify you with transaction alerts and notify the due date of the school’s fees and services;
- Proceed with any acts relating to insurance policy or claim for compensation (e.g. proceed with or monitor any claim under your insurance policy, claim against third party).
4.1.3. Our legitimate interests
We rely on our legitimate interests by considering our benefits or third party’s benefits with your fundamental rights in personal data in which we will collect, use, or disclose for the following purposes, which include but are not limited to:
- Conduct our school operations (e.g. to audit, to conduct risk management, to monitor, prevent, and investigate misconduct, or other crimes, including but not limited to carrying out the criminal record checks of any persons related to our school);
- Conduct our management relationships (e.g. to serve parents and students, to conduct parent/student surveys, to handle complaints);
- Ensure our standard security services (e.g. to maintain body temperature checks, CCTV footage records, to register, exchange identification cards and/or take photos of visitors before entering our school campus, to monitor network activity logs and security incidents);
- Ensure school-provided medical services to students and staff.
- Develop and improve our school communication, services, and systems to enhance our service standards;
- Use your personal data for the greatest benefits in fulfilling your needs, including to conduct research, analyze data and benefits suitable to you by considering the fundamental rights of your personal data;
- Record images and/or voices or videos in relation to meetings, teaching, training, seminars, or marketing activities.
4.1.4. Your consent
Under PDPA, the rights belong to the individual to whom the data relates (”Data subject”). However, where consent is required as the lawful basis for processing personal data relating to students, we often rely on parental consent. Unless, given the nature of the processing in question, and the student’s age and level of understanding, it is more appropriate to use student consent. Parents should be aware that in such situations, they may not be consulted, depending on the interests of the child, the parent’s rights at law or under their contract, and considering all the relevant circumstances.
In general, we will assume that student consent is not required (and that other lawful bases are more appropriate, as described above) for ordinary disclosure of their personal data to their parents, e.g. for the purposes of keeping parents informed about the student’s activities, progress and behavior, and in the interest of the student’s welfare, unless in the school’s opinion, there is a good reason to do otherwise.
However, where a student seeks to raise concerns confidentially with a member of staff and expressly withholds their agreement to their personal data being disclosed to their parents, we may be under obligation to maintain confidentiality unless, in our opinion, there is a good reason to do otherwise; for example, where the school believes disclosure will be in the best interests of the student or other students or is required by law.
In certain cases, we may ask for your consent to collect, use or disclose your personal data to maximize your benefits and/or to enable us to provide services to fulfill your needs for the following purposes, which include but is not limited to:
- Collect and use your sensitive personal data as necessary (e.g. your identification card photo for verification of your identity before continuing a transaction);
- To collect and use your personal data and any other data to conduct research and analyze to help enhance and improve our educational offerings;
- Send or transfer your personal data overseas, to entities that have adequate personal data protection standards (unless the PDPA specifies that we may proceed without obtaining consent);
- Disclose your personal data and any other data as shown on the school’s website and/or our trusted business partners for the following purposes: (1) conducting research and analyzing your web application access and other personal data and any other data for the greatest benefits in developing products and services to truly fulfill your needs; and (2) contacting you for offering products, services, and benefits exclusively suitable to our students.
4.1.5. Other lawful basis
Apart from the lawful basis mentioned above, we may collect, use, or disclose your personal data based on the following lawful basis:
- Prepare historical documents or archives for the public interest, or for purposes relating to research statistics;
- Prevent or suppress a danger to you or another person’s life, bodily harm, or physical/mental health;
- Necessary to carry out a public task, or for exercising official authority.
If the personal data we collect from you is required to meet our legal obligations or to enter into an agreement with you, we may not be able to provide (or continue to provide) some or all the school’s products or services to you if you do not provide such personal data when requested.
The type of personal data, namely personal data, and sensitive personal data, in which we collect, use, or disclose, varies on the scope of products and/or services that you may have used or had an interest in. The type of personal data shall include but is not limited to:
Normally, we will collect your personal data directly from you, but sometimes we may get it from other sources, in such cases we will ensure the compliance with the PDPA. Personal data we collect from other sources may include but is not limited to:
Information obtained by us from other school, financial institution, business partners, and/or any other persons who we have relationship with;
- Information obtained by us from persons related to you (e.g. your family, friends, referees);
- Information obtained by us from corporate customers as you are a director, authorized person, attorney, representative or contact person;
- Information obtained by us from governmental authorities, regulatory authorities, financial institutions, credit bureau and/or third-party service providers;
- Information obtained by us from insurance companies and/or other persons in relation to insurance policy or claim for compensation;
- Information obtained by us from publicly available resources.
You can exercise your rights under the PDPA as specified below, through the channels prescribed by us at our contact details (see Section 14).
7.1 Right to access and obtain copy
You have the right to access and obtain a copy of your personal data held by us, unless we are entitled to reject your request under the law or a court order, or if such request will adversely affect the rights and freedoms of other individuals.
7.2 Right to rectification (to correct your personal data)
You have the right to rectify your inaccurate personal data and to update incomplete personal data related to you.
7.3 Right to erasure
You have the right to request us to delete, destroy or anonymise your personal data, unless there are circumstances where we have the legal grounds to reject your request.
7.4 Right to restrict
You have the right to request us to restrict the use of your personal data under certain circumstances. For example, during the investigation of your request to rectify your personal data; or to object the collection, use or disclosure of your personal data, or you request to restrict the use of personal data instead of the deletion or destruction of personal data which is no longer necessary as you have necessity to retain it for the purposes of establishment, compliance, exercise of protection of legal claims.
7.5 Right to object
You have the right to object to the collection, use or disclosure of your personal data in case we proceed with legitimate interests’ basis or for the purpose of direct marketing, or for the purpose of scientific, historical or statistical research, unless we have legitimate grounds to reject your request. For example, we have compelling legitimate grounds to collect, use or disclose your personal data, or the collection, use or disclosure of your personal data is carried out for the establishment, compliance, or exercise of legal claims, or for the reason of our public interests.
7.6 Right to data portability
You have the right to receive your personal data in a format which is readable or commonly used by means of automatic tools or equipment and can be used or disclosed by automated means. Additionally, you have the right to request us to send or transfer your personal data to a third party, or to receive your personal data which we sent or transferred to a third party, unless it is impossible to do so because of the technical circumstances, or we are entitled to legally reject your request.
7.7 Right to withdraw consent
You have the right to withdraw your consent that has been given to us at any time pursuant to the methods and means prescribed by us unless the nature of consent does not allow such withdrawal. The withdrawal of consent will not affect the lawfulness of the collection, use, or disclosure of your personal data based on your consent before it was withdrawn. You can review and change your consent to use or disclose your personal data for marketing purposes through channels as specified in Section 14 below.
7.8 Right to lodge a complaint
We may disclose your personal data to the following parties under the provisions of the PDPA:
- Our NIST business partners and/or other persons that we have a legal relationship with, including our directors, executives, staff, contractors, representatives, advisors;
- Government authorities and/or supervisory or regulatory authorities;
- Suppliers, agents and other entities (e.g. professional associations to which we belong, external auditors, depositories, document warehouses, overseas financial institutions) where the disclosure of your personal data has a specific purpose and under lawful basis, as well as having appropriate IT security measures;
- Special requests from legal authorities such police, lawyers, courts, authorities or any persons whom we are required or permitted by law, regulations, or orders to share such personal data;
- Social media service providers (in a secure format) or so they can display relevant messages to you and others on our behalf about our products and/or services;
- Third-party security service providers;
- Other persons that provide you with benefits or services associated with your services. For example, insurance agents or insurance companies who provide insurance coverage for the school;
- Our attorney, sub-attorney, your authorized persons, or legal representatives who have lawfully authorized power;
- Financial institutions on payment details to facilitate payment transactions.
- External health or medical providers on health data;
- Safeguarding information can be shared with external safeguarding professionals where necessary;
- Parental requests to provide references, recommendations, reports or transcripts to a new school or university;
- Enabling the performance of the contract between parents and the school;
- Data Processors such as educational technology providers and other parties assisting with the provision of education and support services;
- Other schools or organizations for references or educational information.
When it is necessary for us to send or transfer your personal data internationally, we will always exercise our best effort to have your personal data transferred to our reliable business partners, service providers or other recipients by the safest method to maintain and protect the security of your personal data, which includes the following circumstances:
- Comply with our legal obligation;
- Inform you of the inadequate personal data protection standards of the destination country and obtain your consent in compliance with the PDPA;
- Perform the agreement made by you with us or your request before entering into an agreement;
- Comply with an agreement between us and other parties for your own interest.
- Prevent or suppress a danger to your or other persons’ life, bodily harm or your health if you are incapable of giving consent at such time;
- Carry out activities relating to the substantial public interest in compliance with the PDPA.
All personal data is securely stored in accordance with the PDPA requirements. We retain your personal data only for legitimate purposes, relying on one or more of the lawful bases as set out above, and only for so long as necessary for those purposes, or as required by law.
The period we keep your personal data will be linked to the prescription period or the period under the relevant laws and regulations (e.g. Accounting Laws, Tax Laws, Labour Laws and other laws to which we are subject both in Thailand and in other countries).
We endeavor to ensure the security of your personal data through our internal IT security measures and strict policy enforcement. The measures extend from data encryption to firewalls. We also require our staff and third-party contractors to follow our applicable IT security standards and policies and to exercise due care and measures when using, sending, or transferring your personal data.
If you wish to exercise any of your rights under the PDPA for which we are the data controller, please make your request by emailing our Data Protection Officer and follow-up with written request with your identification documents at the school as detailed below:
NIST Data Protection Officer