Data Protection Consent Clause and Policy Background



Similar documents
singapore american school

Clause 1. Definitions and Interpretation

BRITISH COUNCIL DATA PROTECTION CODE FOR PARTNERS AND SUPPLIERS

DATA PROTECTION POLICY

Policy and Procedure Title: Maintaining Secure Learner Records Policy No: CCTP1001 Version: 1.0

ATMD Bird & Bird. Singapore Personal Data Protection Policy

Processor Binding Corporate Rules (BCRs), for intra-group transfers of personal data to non EEA countries

AlixPartners, LLP. General Data Protection Statement

ANGUS COUNCIL SUPPLEMENTARY CONDITIONS OF CONTRACT. SC 01 - Contract Performance Guarantee Insurance

Data Protection Act a more detailed guide

Data Protection Policy June 2014

Firm Registration Form

UGANDA REVENUE AUTHORITY TERMS AND CONDITIONS FOR WEB PORTAL USE

ROEHAMPTON UNIVERSITY DATA PROTECTION POLICY

Recommendations for companies planning to use Cloud computing services

Merthyr Tydfil County Borough Council. Data Protection Policy

Appendix 11 - Swiss Data Protection Act

DATA PROTECTION POLICY

Policy and Procedure for approving, monitoring and reviewing personal data processing agreements

ECSA EuroCloud Star Audit Data Privacy Audit Guide

Guidelines on Data Protection. Draft. Version 3.1. Published by

OBJECTS AND REASONS. (a) the regulation of the collection, keeping, processing, use or dissemination of personal data;

1.3 By requesting us to register or manage a domain names or names on your behalf, you agree to:

Protection. Code of Practice. of Personal Data RPC001147_EN_WB_L_1

Summary of Data Protection Requirements When transferring Data Outside the UK End Users

How To Protect Your Data In European Law

This Amendment consists of two parts. This is part 1 of 2 and must be accompanied by and signed with part 2 of 2 (Annex 1) to be valid.

Personal Data Act (1998:204);

Scottish Rowing Data Protection Policy

Article 29 Working Party Issues Opinion on Cloud Computing

Terms and Conditions for Online Services of BOC Credit Card (International) Limited

BOC Credit Card (International) Limited - Terms and Conditions for Online Services

Data Protection and Privacy Policy

NATIONAL UNIVERSITY OF SINGAPORE STUDENT DATA PROTECTION POLICY

technical factsheet 176

PRESIDENT S DECISION No. 40. of 27 August Regarding Data Protection at the European University Institute. (EUI Data Protection Policy)

Data Protection. Processing and Transfer of Personal Data in Kvaerner. Binding Corporate Rules Public Document

Data Compliance. And. Your Obligations

AASA Online Privacy Policy CRP.020

SAMPLE RETURN POLICY

Microsoft Online Services - Data Processing Agreement

Data Protection in Ireland

Privacy Policy Draft

BUSINESS ASSOCIATE AGREEMENT ( BAA )

Protection. Code of Practice. of Personal Data RPC001147_EN_D_19

ELECTRONIC TRADING FACILITIES SUPPLEMENTAL TERMS AND CONDITIONS OF TRADING

TERMS OF USE 1 DEFINITIONS

Software Support and Maintenance Terms

DATA PROTECTION POLICY

DATA AND PAYMENT SECURITY PART 1

Privacy Rules for Customer, Supplier and Business Partner Data. Directive 7.08 Protection of Personal Data

REQUEST FOR QUOTE. RFQ Reference Number: RFQ <<INSERT e.g SWR 03-11/12>> <<Enter Course Name>>

DATA PROTECTION ACT 1998 COUNCIL POLICY

BUSINESS ASSOCIATE AGREEMENT

The potential legal consequences of a personal data breach

TERMS & CONDITIONS of SERVICE for MSKnote. Refers to MSKnote Limited. Refers to you or your organisation

MYACCLAIM PRIVACY POLICY

Corporate Policy. Data Protection for Data of Customers & Partners.

USER AGREEMENT FOR: ELECTRONIC DEALINGS THROUGH THE CUSTOMS CONNECT FACILITY

MTS GUI LICENCE SCHEDULE TO. MTS Data Terms & Conditions End Customer; or. MTS and EuroMTS Membership Documentation; or. MTS Registered ISV Agreement

Information Governance Policy

Kawartha Credit Union - Kawartha Direct AGREEMENT

Data Protection Policy

Data controllers and data processors: what the difference is and what the governance implications are

The supplier shall have appropriate policies and procedures in place to ensure compliance with

DATA PROTECTION POLICY. Examples of personal data which TWM may require from clients include the following and for the reasons ascribed to each;

Last updated: 30 May Credit Suisse Privacy Policy

You may purchase additional Services from us, which will also, once we have accepted an order, be subject to this Agreement.

HIPAA BUSINESS ASSOCIATE AGREEMENT

Infinedi HIPAA Business Associate Agreement RECITALS SAMPLE

STATUTORY INSTRUMENTS. S.I. No. 336 of 2011

Data protection policy

The Manitowoc Company, Inc.

CORK INSTITUTE OF TECHNOLOGY

BENCHMARK MEDICAL LLC, BUSINESS ASSOCIATE AGREEMENT

FIRST DATA CORPORATION PROCESSOR DATA PROTECTION STANDARDS

APPLICANT VERIFICATION SERVICES TERMS AND CONDITIONS OF USE

Office of the Data Protection Commissioner of The Bahamas. Data Protection (Privacy of Personal Information) Act, A Guide for Data Controllers

Louisiana State University System

For the purpose of this agreement the following words and phrases shall have the meanings detailed below:

Data protection compliance checklist

South East Asia: Data Protection Update

HIPAA BUSINESS ASSOCIATE AGREEMENT

Delaware State University Policy

Binding Corporate Rules ( BCR ) Summary of Third Party Rights

GUIDE TO THE ISLE OF MAN DATA PROTECTION ACT. CONTENTS PREFACE 1 1. Background 2 2. Data Protections Principles 3 3. Notification Requirements 4

This form may not be modified without prior approval from the Department of Justice.

Transcription:

Data Protection Consent Clause and Policy Background The Singapore Personal Data Protection Act - 2012 (PDPA) establishes a data protection law that comprises various rules governing the collection, use, disclosure and care of personal data. It recognises both the rights of individuals to protect their personal data, including rights of access and correction, and the needs of organisations to collect, use or disclose personal data for legitimate and reasonable purposes. The PDPA takes into account the following concepts: Consent Consent Organisations may collect, use or disclose personal data only with the individual's knowledge and consent (with some exceptions); Purpose Organisations may collect, use or disclose personal data in an appropriate manner for the circumstances, and only if they have informed the individual of purposes for the collection, use or disclosure; and Reasonableness Organisations may collect, use or disclose personal data only for purposes that would be considered appropriate to a reasonable person in the given circumstances. For the purposes of College students it is reasonable and accepted that parental consent is sufficient. In addition to parents, we will also need to get explicit permission from staff (any adult who we store data on) in order to use their data as an employer. Parental Consent Clause The College Data Protection Policy sets out how we collect and use personal data about you and your child, so that we can provide services necessary to your child s education and appropriate to your membership of our College community. The policy is written in accordance with the Singapore Personal Data Protection Act (2012). The Data Protection Policy is available on the College website and may be amended from time to time. I/we agree to the school using our and our child(ren) s data in accordance with the stated policy. Implied Consent Where a person has made a free decision to opt in to a process or situation where the collection or use of personal data can be reasonably expected, then implied permission can be assumed, but should still be highlighted.

Situations where implied consent should be highlighted Staff Online Applications (when applications are submitted) Student Online Applications (the admissions process prior to acceptance) CIE Course/Conference Sign-up Alumni Website Sign-up Events (either displayed at the entrance or on tickets to cover the taking and use of photos) Campus - CCTV Data Protection Policy The College collects and uses personal data about staff, students and families in accordance with the Singapore Personal Data Protection Act - 2012 (PDPA) and other relevant laws and requirements on private education institutions in Singapore. Data Collected and Purpose The College holds personal data on its students, including: contact details, assessment/examination results, attendance information, behaviour, characteristics such as ethnic group, special educational needs, any relevant medical information, and photographs. The College consists of the two entities UWCSEA - Dover and UWCSEA - East and shared administrative services. The data is used in order to support the education of the students, to monitor and report on their progress, to provide appropriate personal and social care, and to assess the performance of the College as a whole, together with any other uses normally associated with this provision in an independent school environment. The College may make use of limited personal data (such as contact details) relating to students, their parents or guardians to maintain relationships with students of the College and for fundraising, marketing or promotional purposes. Data is shared as necessary with third party companies to provide extended services, examples include transport, medical, catering, travel services and online services such as email. In particular, the College may: a. Make available information to any internal organisation or society set up for the purpose of maintaining contact with students or for administration, fundraising, marketing or promotional purposes relating to the College, e.g. Alumni. The College will remain as the data controller and this policy will govern data usage. b. Make use of photographs, videos or sound recordings of students in College publications, the College website and other official College communication channels, as well as in external media. c. Make personal data, including sensitive personal data, available to staff for planning activities and trips relating to all five elements of the UWCSEA Learning Programme, both in and outside of Singapore.

d. Retain and use personal data after a student has graduated to provide references, educational history and alumni services consistent with an independent school environment. Data Security The College undertakes to: a. implement appropriate security measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular when the processing of data involves the transmission or storage on or within a network. b. notify data subjects about any accidental or unauthorised access of their data that may lead to damage or harm. Data Retention & Removal The College undertakes that it shall only keep the data collected as long as is necessary to provide the services outlined above. Right of Access and Correction Families have a right to see the data held about them (subject to the exemptions listed below) and to request for data to be corrected if it is incorrect. Families can access the majority of personal data held about them via the College s online Information Management System (CIMS) through the website portal. Much of this data is also editable by families in the same location. To request for data to be changed that you do not have edit rights to, please contact itsupport@uwcsea.edu.sg. To request access to other data please contact the Principal of the relevant school with details of the data that you would like to see and your reasons. The College will consider the request and respond within three working days. The response may be to decline the request with reasons or to provide a time scale in which the data will be supplied. Exemptions to Right of Access The PDPA does not provide the right of access to any and all information held by an organisation. Therefore the College retains the right to refuse access to: Opinion data kept for evaluative purposes Examination papers or the results of examinations

Confidential references written to support a student's application to other educational institutions or courses Data or material that provide personal data about other individuals in contravention of this policy or the PDPA. Sharing Data with Third Parties The College shares personal data with a variety of third parties for the purposes of the third party providing a relevant service to the institution. Examples of these services include transport, catering, travel services, accommodation, medical. The College will only share data for the purposes of eliciting a necessary service from these third party organisations and not for commercial gain. Where the College signs explicit contracts with these organisations it will include clauses from Appendix A - Contracts with Third Parties to ensure that the organisation is using the data purely for the intended purpose of providing the required service and that it is taking appropriate precautions to safeguard the data. In some instances, for example for online services provided by companies outside of Singapore, explicit signed contracts do not exist. In these instances the College will ensure that the terms & conditions of the service include clauses that: the College remains the owner of the data the service provider is not entitled to use any data held on its service for any purpose other than to provide the required service the service provider is taking reasonable precautions to ensure the security of the data once the College terminates its agreement with the service provider, that any and all data held will be deleted and not used for any other purpose

Appendix A - Contracts with Third Parties When signing contracts with any third party organisations that the College will share personal data with the contract should include the following clauses or entries to the same effect. Data Protection and UWCSEA UWCSEA and UWCSEA - East (henceforth the College ) collect and use personal data about staff, students and families in accordance with the Singapore Data Protection Act (2012) and other relevant laws and requirements on private education institutions in Singapore. As a result of the provision of your obligations under this agreement, you may have access to personal data about the College s employees, students, parents and/or other contacts. You must (and must ensure that your employees, agents, subcontractors and representatives will) keep all such data secure and protected against improper disclosure or use as detailed in this agreement. Definitions: a) Personal data shall refer to data, whether true or not, about an individual who can be identified from that data; or from that data and other information to which the organisation has or is likely to have access and all other data deemed protected under the Personal Data Protection Act 2012 b) PDPA shall mean the personal Data Protection Act (2012) c) the College shall mean the entity who transfers the data to be used d) the company shall mean the processor who agrees to accept the College s personal data intended for processing and use in accordance with this agreement 1. Data Use a. that any personal data shared by the College or collected by the company as a result of providing the services covered in this agreement will be used solely for the purposes of providing the service detailed in this agreement b. that no personal data collected or shared will be used to offer or solicit further services from the individuals concerned. c. to process the personal data only on behalf of the College and in compliance with its instructions.

d. that the processing, including the transfer itself, of the personal data has been and will continue to be carried out in accordance with the relevant provisions of the applicable data protection law and do not violate the relevant laws of the Republic of Singapore in which the College resides. e. that it shall promptly notify the College about any request for disclosure received directly from any authority or individual. 2. Data Security a. to implement appropriate security measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular when the processing of data involves the transmission or storage on or within a network. b. that it shall promptly notify the College about any accidental or unauthorised access of the data, or any loss of the data whether leading to unauthorised access or not. 3. Data Retention - obligations after the termination of contract or services a. that on the termination of the contract or services that required data processing services, that the company shall, at the request of the College transfer all the data transferred and copies thereof to the data exporter or shall destroy all the personal data and certify that he has done so, unless legislation imposed on the data importer proevents him from returning or destroying all or part of the data transferred. In that case the company warrants that he will guarantee the confidentiality of the personal data and will not actively process the personal data transferred anymore. Once the legal requirement for retention has passed the company warrants that it will destroy all data retained. 4. Data Correctness and Right of Correction a. to provide the College on request all the personal details of individuals that have been collected as the result of this agreement and to amend or delete such data on request within the lifetime of the agreement. 5. Liability a. The parties agree that if one party is held liable for a violation of the clauses committed by the other party in contravention of the PDPA, the latter will, to the extent he is liable, indemnify the first party from any cost, charge, damages, expenses or losses it has incurred.

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information