Data Protection and Data Security Policy

Statement and purpose of policy

  1. Stamford International University (“Employer”) is committed to ensuring that all personal data handled by us will be processed according to legally compliant standards of data protection and data security.
  2. We confirm for the purposes of the Data Protection Laws, that the Employer is a data controller of the personal data in connection with your employment. This means that we determine the purposes for which, and the manner in which, your personal data is processed.
  3. The purpose of this policy is to help us achieve our data protection and data security aims by:
    1. notifying our employees of the types of personal information that we may hold about them, our customers, suppliers and other third parties and what we do with that information;
    2. setting out the rules on data protection and the legal conditions that must be satisfied when we collect, receive, handle, process, transfer, and store personal data and ensuring employees understand our rules and the legal standards; and
    3. clarifying the responsibilities and duties of employees in respect of data protection and data security.
  4. This is a statement of policy only and does not form part of your contract of employment. We may amend this policy at any time, in our absolute discretion.
  5. For the purposes of this policy:
    1. Criminal Records Data means information about an individual’s criminal convictions and offences, and information relating to criminal allegations and proceedings.
    2. Data Protection Laws means all applicable laws relating to the processing of Personal Data, including, for the period during which it is in force, the Thailand’s Personal Data Protection Act, B.E.2562 (2019) and sub-legislations.
    3. Data Subject means the individual to whom the personal data relates.
    4. Personal Data means any information that relates to an individual who can be identified from that information.
    5. Processing means any use that is made of data, including collecting, storing, amending, disclosing, or destroying it.
    6. Sensitive Personal Data (or Special categories of personal data) means information about an individual’s racial, ethnic origin, political opinions, cult, religious or philosophical beliefs, sexual orientation/behavior, criminal records, health data, disability, trade union information, genetic data, biometric data.

Data protection principles

  1. Employees whose work involves using personal data relating to Employees or others must comply with this policy and with the following data protection principles which require that personal information is:
    1. Personal data must be processed lawfully.
    2. Personal data must be collected for specified, explicit and legitimate purposes.
    3. Personal data must be adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed.
    4. Personal data must be ensured accurate and kept up to date.
    5. Personal data must be kept for no longer than is necessary.
    6. Personal data must be processed in accordance with the individual’s rights.
    7. Personal data must be kept secure.
    8. Personal data must not be transferred to third countries which do not provide adequate protection.

Who is responsible for data protection and data security?

  1. Maintaining appropriate standards of data protection and data security is a collective task shared between us and you. This policy and the rules contained in it apply to all employees of the Employer, irrespective of seniority, tenure and working hours, including all staff, directors and officers, consultants, and contractors, casual or agency staff, trainees, homeworkers and fixed-term employees and any volunteers (“Employees”).
  2. Questions about this policy, or requests for further information, should be directed to the Data Protection Officer (DPO).
  3. All Employees have personal responsibility to ensure compliance with this policy, to handle all personal data consistently with the principles set out here and to ensure that measures are taken to protect the data security. Managers have special responsibility for leading by example and monitoring and enforcing compliance. The Data Protection Officer must be notified if this policy has not been followed, or if it is suspected this policy has not been followed, as soon as reasonably practicable.
  4. Any breach of this policy will be taken seriously and may result in disciplinary action up to and including dismissal. Significant or deliberate breaches, such as accessing Employees or students’ personal data without authorization or a legitimate reason to do so, may constitute gross misconduct and could lead to dismissal without notice.

What personal data and activities are covered by this policy?

  1. This policy covers personal data:
    1. which relates to a natural living individual who can be identified either from that information in isolation or by reading it together with other information we possess;
    2. is stored electronically or on paper in a filing system;
    3. in the form of statements of opinion as well as facts;
    4. which relates to Employees (present, past or future) or to any other individual whose personal data we handle or control;
    5. which we obtain, is provided to us, which we hold or store, organize, disclose or transfer, amend, retrieve, use, handle, process, transport or destroy.
  2. This personal data is subject to the legal safeguards set out in the Data Protection Laws.

What personal data do we process about Employees?

  1. We collect personal data about you which:
    1. you provide or we gather before or during your employment or engagement with us;
    2. is provided by third parties, such as references or information from suppliers or another party that we do business with; or
    3. is in the public domain.
  2. The types of personal data that we may collect, store, and use about you include records relating to your:
    1. home address, contact details and contact details for your next of kin;
    2. recruitment (including your application form or curriculum vitae, references received and details of your qualifications);
    3. pay records, national insurance number and details of taxes and any employment benefits such as pension and health insurance (including details of any claims made);
    4. telephone, email, internet, fax or instant messenger use;
    5. performance and any disciplinary matters, grievances, complaints, or concerns in which you are involved.

Sensitive Personal Data

  1. We may from time to time need to process sensitive personal information (sometimes  referred to as ‘special categories of personal data’).
  2. We will only process sensitive personal information if:
    1. we have a lawful basis for doing so, e.g., it is necessary for the performance of the employment contract; and
    2. one of the following special conditions for processing personal information applies:
      1. the data subject has given explicit consent.
      2. the processing is necessary for the purposes of exercising the employment law rights or obligations of the university or the data subject.
      3. the processing is necessary to protect the data subject’s vital interests, and the data subject is physically incapable of giving consent.
      4. processing relates to personal data which are manifestly made public by the data subject.
      5. the processing is necessary for the establishment, exercise, or defense or legal claims; or
      6. the processing is necessary for reasons of substantial public interest.

12. Before processing any sensitive personal information, Employees must notify the Data    
        Protection Officer of the proposed processing, in order for the Data Protection
        Officer to assess whether the processing complies with the criteria noted above.

  1. Sensitive personal information will not be processed until the assessment above has taken place and the individual has been properly informed of the nature of the processing, the purposes for which it is being carried out and the legal basis for it.
  2. Our privacy notice sets out the type of sensitive personal information that we process, what it is used for and the lawful basis for the processing.

Criminal records information

  1. Criminal records information will be treated and processed in accordance with Data Protection Laws

How we use your personal data

  1. We will tell you about the reasons for processing your personal data, how we use such information and the legal basis for processing in our privacy notice. We will not process Employees personal information for any other reason.
  2. In general, we will use information to carry out our business, to administer your employment or engagement and to deal with any problems or concerns you may have, including, but not limited to:
    1. Employees Address Lists: to compile and circulate lists of home address and contact details, to contact you outside working hours.
    2. Sickness records: to maintain a record of your sickness absence and copies of any doctor’s notes or other documents supplied to us in connection with your health, to inform your colleagues and others that you are absent through sickness, as reasonably necessary to manage your absence, to deal with unacceptably high or suspicious sickness absence, to inform reviewers for appraisal purposes of your sickness absence level, to publish internally aggregated, anonymous details of sickness absence levels.
    3. Monitoring IT systems: to monitor your use of e-mails, internet, telephone and fax, computer or other communications or IT resources.
    4. Disciplinary, grievance or legal matters: in connection with any disciplinary, grievance, legal, regulatory or compliance matters or proceedings that may involve you.
    5. Performance Reviews: to carry out performance reviews.
    6. Equal Opportunities Monitoring: to conduct monitoring for equal opportunities purposes and to publish anonymized, aggregated information about the breakdown of the Employer’s workforce.

Accuracy and relevance

  1. We will:
    1. ensure that any personal data processed is up to date, accurate, adequate, relevant, and not excessive, given the purpose for which it was collected.
    2. not process personal data obtained for one purpose for any other purpose unless you agree to this or reasonably expect this.
  1. If you consider that any information held about you is inaccurate or out of date, then you should tell the Data Protection Officer. If they agree that the information is inaccurate or out of date, then they will correct it promptly. If they do not agree with the correction, then they will note your comments.

Storage and retention

  1. Personal Data and Sensitive Personal Data will be kept securely in accordance with our Data Retention Policy.
  2. The periods for which we hold personal data are contained in our privacy notices.

Individual rights

  1. You have the following rights in relation to your personal data.
  2. Subject access requests:
    1. You have the right to make a subject access request. If you make a subject access request, we will tell you:
      1. whether or not your personal data is processed and if so why, the categories of personal data concerned and the source of the data if it is not collected from you;
      2. to whom your personal data is or may be disclosed, including to recipients outside of the Kingdom of Thailand and the safeguards that apply to such transfers;
      3. for how long your personal data is stored (or how that period is decided);
      4. your rights of rectification or erasure of data, or to restrict or object to processing; 
      5. your right to right to complain to the PDPC if you think we have failed to comply with your data protection rights; and
      6. whether or not we carry out automated decision-making and the logic involved in any such decision making.
  1. We will provide you with a copy of the personal data undergoing processing. This will normally be in electronic form if you have made a request electronically unless you agree otherwise.
  2. To make a subject access request, contact us at pdpa@stamford.edu.
  3. We may need to ask for proof of identification before your request can be processed. We will let you know if we need to verify your identity and the documents we require.
  4. We will normally respond to your request within 30 days from the date your request is received. In some cases, e.g., where there is a large amount of personal data being processed, we may respond within 2 months of the date your request is received. We will write to you within 28 days of receiving your original request if this is the case.
  5. If your request is manifestly unfounded or excessive, we are not obliged to comply with it.
  1. Other rights:
    1. You have a number of other rights in relation to your personal data. You can require us to:
      1. rectify inaccurate data;
      2. stop processing or erase data that is no longer necessary for the purposes of processing;
      3. stop processing or erasing data if your interests override our legitimate grounds for processing the data (where we rely on our legitimate interests as a reason for processing data);
      4. stop processing data for a period if data is inaccurate or if there is a dispute about whether or not your interests override the Employer’s legitimate grounds for processing the data.
    2. To request that we take any of these steps, please send the request to pdpa@stamford.edu.

Data security

  1. We will use appropriate technical and organizational measures to keep personal data secure, and in particular to protect against unauthorized or unlawful processing and against accidental loss, destruction, or damage.
  2. Maintaining data security means making sure that:
    1. only people who are authorized to use the information can access it;
    2. where possible, personal data is pseudonymized or encrypted;
    3. information is accurate and suitable for the purpose for which it is processed; and
    4. authorized persons can access information if they need it for authorized purposes.
  3. By law, we must use procedures and technology to secure personal information throughout the period that we hold or control it, from obtaining to destroying the information.
  4. Personal information must not be transferred to any person to process (e.g., while performing services for us on or our behalf), unless that person has either agreed to comply with our data security procedures or we are satisfied that other adequate measures exist.
  5. Security procedures include:
    1. Any desk or cupboard containing confidential information must be kept locked.
    2. Computers should be locked with a strong password that is changed regularly or shut down when they are left unattended, and discretion should be used when viewing personal information on a monitor to ensure that it is not visible to others.
    3. Data stored on CDs or memory sticks must be encrypted or password protected and locked away securely when they are not being used.
    4. The Data Protection Officer must approve of any cloud used to store data.
    5. Data should never be saved directly to personal mobile devices such as laptops, tablets, or smartphones.
    6. All servers containing Sensitive Personal Data must be approved and protected by security software.
    7. Servers containing personal data must be kept in a secure location, away from general office space.
    8. Data should be regularly backed up in line with the Employer’s back-up procedure.
  6. Telephone Precautions. Particular care must be taken by Employees who deal with telephone enquiries to avoid inappropriate disclosures. In particular:
    1. the identity of any telephone caller must be verified before any personal information is disclosed;
    2. if the caller’s identity cannot be verified satisfactorily then they should be asked to put their query in writing;
    3. do not allow callers to bully you into disclosing information. In case of any problems or uncertainty, contact the Data Protection Officer.
  7. Methods of disposal. Copies of personal information, whether on paper or on any physical storage device, must be physically destroyed when they are no longer needed. Paper documents should be shredded and CDs or memory sticks or similar must be rendered permanently unreadable.

Data impact assessments

  1. Some of the processing that the Employer carries out may result in risks to privacy.
  2. Where processing would result in a high risk to Employees rights and freedoms, the Employer will carry out a data protection impact assessment to determine the necessity and proportionality of processing. This will include considering the purposes for which the activity is carried out, the risks for individuals and the measures that can be put in place to mitigate those risks.

Data breaches

  1. If we discover that there has been a breach of Employees personal data that poses a risk to the rights and freedoms of individuals, we will report it to the PDPC within 72 hours of discovery.
  2. We will record all data breaches regardless of their effect in accordance with our Data Breach policy.
  3. If the breach is likely to result in a high risk to your rights and freedoms, we will tell affected individuals that there has been a breach and provide them with more information about its likely consequences and the mitigation measures it has taken.

International data transfers

  1. In the course of carrying out our business, we may need to transfer your personal information to a country outside the Kingdom of Thailand including to any group university or to another person with whom we have a business relationship.
  2. Your personal data will only be transferred to a country outside of the Kingdom of Thailand if there are adequate protections in place. To ensure that your personal data receives an adequate level of protection, we have put in place appropriate procedures with the third parties we share your personal data with to ensure your personal data is treated by those third parties in a way that is consistent with, and which respects the law on data protection.
  3. If you wish to know more about international transfers of your personal data, you may contact the Data Protection Officer.

Individual responsibilities

  1. Employees are responsible for helping the Employer keep their personal data up to date.
  2. Employees should let the Employer know if personal data provided to the Employer changes, e.g., if you move house or change your bank details.
  3. You may have access to the personal data of other Employees members and of our customers in the course of your employment. Where this is the case, the Employer relies on Employees members to help meet its data protection obligations to Employees and to customers.
  4. Individuals who have access to personal data are required:
    1. to access only personal data that they have authority to access and only for authorized purposes;
    2. not to disclose personal data except to individuals (whether inside or outside of the Employer) who have appropriate authorization;
    3. to keep personal data secure (e.g., by complying with rules on access to premises, computer access, including password protection, and secure file storage and destruction);
    4. not to remove personal data, or devices containing or that can be used to access personal data, from the Employer’s premises without adopting appropriate security measures (such as encryption or password protection) to secure the data and the device; and
    5. not to store personal data on local drives or on personal devices that are used for work purposes.

Training

  1. We will provide training to all individuals about their data protection responsibilities as part of the induction process and at regular intervals thereafter.
  2. Individuals whose roles require regular access to personal data, or who are responsible for implementing this policy or responding to subject access requests under this policy will receive additional training to help them understand their duties and how to comply with them.