Data Privacy and Protection Policy
UWCSEA Personal Data Protection Policy
- Policy Overview
- Policy Rationale
- Scope of Application
- Definitions and Clarifications
- The Policy
- Related Protocols
- References
- Contact Us
Policy Overview
Policy Rationale
UWCSEA is responsible for and must be able to demonstrate that Personal Data is being processed in accordance with the Singapore Personal Data Protection Act (PDPA) and other applicable laws, both domestic and international.
Further to these legal requirements, the Council of International Schools (CIS) accreditation process includes Data Protection requirements within its standards.
Finally, our accepted duty of care to members of our community extends to ensuring that we process their personal data lawfully, ethically and safely.
Scope of Application
This Data Privacy and Protection Policy applies in respect of all the Personal Data we process about our current, past and prospective students, their parents or guardians, staff members, suppliers and any third parties we interact with.
All our staff members, volunteers and third party suppliers we engage with are required to comply with this Policy when processing Personal Data as part of their role in connection to the College.
This policy is overseen by the College Data Protection Officer.
Definitions and Clarifications
For the purposes of this policy, the following terms apply:
The “College” consists of the three entities “UWCSEA”, “UWCSEA - East” and “The UWCSEA Foundation Limited” and their shared operational services.
Data Controller means the organisation which determines the purposes for processing Personal Data and the manner in which that processing will be carried out. In most cases, UWCSEA is the Data Controller of the Personal Data we collect and use as part of our activities.
Data Processor means any external organisation or person that processes Personal Data on our behalf and in accordance with our instructions, such as suppliers and contractors. Our staff members are typically not Data Processors.
Data Subjects are all living individuals about whom we hold and process Personal Data.
Personal Data means any information relating to a living individual who can be identified from that information or from any other information we may hold. Personal Data can include names, identification numbers, addresses (including IP addresses), dates of birth, financial or salary details, education background, job titles and images. It can also include an opinion about an individual, their actions or their behaviour. Personal Data may be held on paper, in a computer or any other media whether it is owned by the organisation or a personal device.
Special Categories of Personal Data are more sensitive, and include information revealing an individual's racial or ethnic origin, political opinions, religious or philosophical beliefs. It will also include data concerning health (physical and/or mental health), data concerning a person’s sex life or sexual orientation, and data concerning safeguarding or welfare concerns about a person or people related to that individual. It also includes genetic or biometric information where that data is used to uniquely identify a person. We will also treat data relating to criminal convictions or related proceedings in the same way as special categories of data.
Processing means any activity which is performed on any Personal Data or Special Category Data. It includes the collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, erasure or destruction of data.
Roles and responsibilities
The College will implement the following structure to support the implementation of this policy:
Data Protection Governors - Audit and Risk Board Sub-committee
Ultimate accountability for ensuring the College’s compliance with the PDPA.
Chief Operating Officer
The senior operational leader in the College responsible for Data Governance.
- Appointing and empowering the Data Protection Officer.
- Commissioning Data Protection Impact Assessments (DPIA).
Data Protection Officer (DPO)
Operational leader responsible for ensuring and managing compliance with this policy and with the College’s data protection obligations.
- Keeping up-to-date with data protection policies and procedures.
- Developing processes to manage data protection related queries and complaints from the public.
- Keeping senior management updated on data protection responsibilities, risks and issues.
The DPO shall carry out the appointed role by:
- Fostering the organisation’s personal data protection culture and communicating personal data protection policies to stakeholders.
- Handling access and correction requests relating to personal data.
- Managing personal data protection-related queries and complaints.
- Conducting risk assessment exercises to flag any potential data protection risks and putting in place data protection policies to mitigate those risks.
- Liaising with the Data Protection Authorities on personal data protection matters, if necessary.
- Keeping up to date with developments in the data protection space.
Data Governance Lead (Information Security Lead)
Responsible for coordinating and supporting the implementation of the Data Protection Policy on a day to day basis within the College.
- Mapping out the College’s Data Inventory.
Data Governance Working Group
A diverse and cross-functional team with responsibility for helping to oversee and advise on the implementation of the Data Protection Policy.
Data Governance Functional Area Leads
Individuals assigned to complete the data mapping process and ensure compliance within a functional area.
The following policies and protocols are relevant to the College in order to comply with Data Protection legislation in accordance with the College’s Data Protection Principles:
Data Privacy and Protection Policy
This policy covers all the data privacy requirements. This Policy spells out the principles, guidance and processes of how the College handles the personal data of Students, their Families, Employees, Applicants, Volunteers, Vendors and their staff and other community members. It covers the collection, use and disclosure of personal data in the College’s possession or under the College’s control.
All Employees are required to comply with this Policy. The DPO is responsible for reviewing and updating this Policy periodically or as and when there is any change to the requirements of the applicable Data Protection legislation.
External Data Protection Notices/Statements
These Notices/Statements are targeted at a public audience. They fulfil the Openness Obligation by informing the general public about the College’s purposes of collecting, using and disclosing their personal data.
These Notices/Statements shall provide the business contact information of the College’s DPO. They shall also contain instructions on how a member of the public can make an inquiry, request or complaint to the College on data protection matters.
The Data Protection Notices/Statements are posted on the College’s website, other online platforms and around the campus, as relevant. The DPO is responsible for reviewing and updating these Notices/Statements periodically or as and when there is any change to the requirements of the Data Protection legislation.
Information Security Policy
This policy complements the Data Privacy and Protection Policy, as Security is a crucial component to enable privacy. The Information Security Policy spells out the preventive security measures to protect the personal data under the College’s possession or control against unauthorised access, collection, use, disclosure, copying, modification, disposal, or similar risks.
All Employees are required to comply with this Policy. The Information Security Policy shall be reviewed and updated periodically or as and when there is a need to modify existing security measures or implement new ones.
Information Security Incident Response Protocol
This protocol describes the steps that must be taken to manage a data breach and limit its impacts. It shall also define mandatory requirements to fulfil the Data Breach Notification obligation, and the templates required to log and report incidents.
Data Retention Schedule Protocol
This protocol specifies the retention period of various classes of personal data and types of documents maintained by the College and requires that data or documents are to be disposed of or destroyed once there is no longer any business or legal/statutory purpose for retaining them.
Departments that hold these data and documents are required to abide by the retention schedules. The Data Protection Officer is responsible for ensuring that the Retention Schedule is reviewed and updated periodically or as and when there is a change in applicable privacy legislation requirements.
Each Department is responsible for reviewing and updating their retention schedules, and for disposing/destroying their own personal data or documents (both in paper and electronic forms) that have reached the end of the retention periods.
Data Privacy & Protection Policy Management of Requests Protocol
This protocol sets out how the College Data Protection Officer, or their designates, will manage and respond to any requests related to the College Data Privacy and Protection Policy. Such requests may include requests to update or correct data, or withdrawals of consent to process data.
All the policies and protocols listed in this section shall be shared with all internal employees and with the wider community, where relevant. The policies are made available via the College intranet.
The Policy
- 1. Our Data Protection Obligations & Provisions
- 2. Consent
- 3. The Purpose for Collection
- 4. What Data We May Collect
- 5. Methods of Collection
- 6. The Legal Basis for Collection
- 7. Disclosure and Data Sharing
- 8. Data Security
- 9. Data Subject Rights
- 10. Data Retention and Disposal
- 11. Data Protection Processes and Mechanisms
1. Our Data Protection Obligations & Provisions
In order to discharge our duty we will fulfil all the obligations under the PDPA (2021), as follows:
1.1 Appropriate Purpose
The College shall ensure that personal data collected is necessary for the purpose.
- Purposes are appropriate and consistent with requirements under the applicable privacy legislation.
- The DPO shall conduct a review on an annual basis, or when there are significant changes in people, process and technology affecting personal data, to ensure that the purposes for which personal data is collected are still necessary and appropriate. The reviews shall take into consideration the types of personal data collected in relation to the purposes identified.
- Where collection involves sensitive data (e.g., data that may result in significant harm to an individual if breached), the College shall limit the collection of such data to the necessary purposes identified.
- The purposes of the personal data collected shall be documented in the Data Inventory Map.
1.2 Appropriate Notification
The College shall ensure that individuals are notified of the purposes for collecting their personal data on or before collecting their personal data.
- The College shall ensure information relating to how individuals may exercise choice in the collection, use or disclosure of their personal data is easily accessible and provided in a clear and concise manner, clearly worded and easy to understand.
- The College shall provide notification to individuals that indicates if collection of their personal data is obligatory (e.g., governed/required under applicable laws or required in order to provide the product/service) or voluntary.
- The College shall provide notifications to individuals that their personal information may be disclosed to third parties.
- The College shall clearly indicate, if applicable, the consequences of not providing the personal data necessary for a transaction or service.
- When there are new purposes for collection, use and disclosure of personal data, the College shall update the notification accordingly to reflect these new purposes, and notify individuals of the new purpose(s) of use or disclosure.
- The College shall ensure that the Data Privacy Notice clearly documents the date on which it was last updated.
1.3 Appropriate Consent
The College shall ensure that consent for purposes has been obtained on or before collecting the personal data.
- The College shall enable individuals to exercise choices in relation to the collection (and use or disclosure) of their personal data where appropriate to the circumstances.
- The College shall ensure that when there are new purposes for the collection, use and disclosure of personal data, fresh consent shall be obtained through the distribution of an updated privacy notice stating the updated purposes, or such other mechanisms that may be required under other legal requirements or statutes.
- The College shall provide individuals with information on how to withdraw consent to use and disclosure of their personal data.
- The College may only collect, use, or process personal data without obtaining consent if pursuant to an exception under the applicable privacy legislation or as required/authorised under any other written law.
- Where consent is not obtained, the College shall ensure that the personal data collected is pursuant to an exception under the applicable privacy legislation or as required/authorised under any other written law.
Where the College obtains personal data via a third-party source, the College shall obtain reasonable assurance, through either contractual clauses or a review of the third party’s service agreements and privacy policy, that the third party source will obtain consent from individuals to collect, use or disclose their personal data for specified purposes.
1.3.1 Withdrawal of Consent
The two main purposes that the College collects personal data for are:
- providing an educational service
- employment.
In these two situations it is not possible for an individual to withdraw consent for the College to process their personal data whilst still remaining a student or an employee. Once a person has been a student, a family member of a student or an employee, the College will need to retain a level of personal data, even after they have left, in order to meet our full legal obligations in various areas.
For personal data collected for other purposes, such as an unsuccessful application, the College shall ensure provision for the withdrawal of consent for the collection, use or disclosure of an individual's personal data.
- The College shall make available information on how individuals may withdraw consent.
- The College shall ensure proper handling of withdrawal of consent requests.
- Depending on the nature and scope of the request, the College may not be in a position to continue providing services to the individual and the College shall, in such circumstances, notify the individual before completing the processing of the request.
- Upon receiving a withdrawal request, the DPO shall inform the Data Owner to review whether the data has been disclosed to any third parties. In consultation with the DPO, the Data Owner should instruct any third party to which the College disclosed the data to cease processing it.
Refer to the “Data Privacy & Protection Policy Management of Requests Protocol” for further details of this process.
1.4 Appropriate Use
The College shall ensure that use of personal data is restricted to purposes for which consent has been obtained.
- The College shall ensure use of personal data collected is consistent with the purposes for which the individual has given consent.
- Where consent is not obtained, the College shall only use personal data pursuant to an exception under the applicable privacy legislation or as required / authorised under any other written law.
1.5 Appropriate Disclosure
The College shall ensure that the disclosure of personal data is solely for purposes for which consent has been obtained or where an exception applies.
- The College shall ensure that disclosure of personal data collected (whether directly from the individual or through third parties acting on the College’s behalf) is consistent with the purposes for which the individual has given consent.
- Where consent is not obtained, the College shall only disclose personal data pursuant to an exception under the applicable privacy legislation or as required / authorised under any other written law.
- The College shall obtain reasonable assurance, through either contractual clauses or a review of the third party’s service agreements and privacy policy, that third parties to whom it discloses personal data for a specified purpose shall not use or disclose the personal data for other purposes, or otherwise than in accordance with applicable laws.
- The College may share Personal Data with government, regulatory or other public agencies / public authorities (including, but not limited to, courts, law enforcement, tax authorities and criminal investigation agencies); and third-party civil legal process participants and their accountants, auditors, lawyers and other advisors and representatives as we believe to be necessary or appropriate.
- Requests for the disclosure of personal data shall be managed in accordance with the College Data Privacy & Protection Policy Management of Requests Protocol (see below).
1.6 Compliant Overseas Transfer
The College shall ensure that personal data is only transferred to recipients outside of its jurisdiction that provide a comparable standard of data protection in accordance with the requirements under the privacy law of the local jurisdiction. The College shall keep track of personal data that is transferred overseas and of the recipients of the transferred data.
- The College shall obtain reasonable assurance, through either contractual clauses or a review of the third party’s service agreements and privacy policy, that the third party which will be receiving the data has policies, practices and measures in place and is compliant with the applicable privacy legislation requirements.
- As part of the above assessment process, the DPO and Legal department shall review and confirm the adequacy of the data transfer mechanisms, including but not limited to review of (where applicable):
- Contractual / service agreement template
- Confidentiality and Non-Disclosure Agreements
- Data Privacy Certifications / Assessment reports
- Security arrangements
1.7 Appropriate Protection
The College shall ensure that security policies and practices are implemented for the protection of personal data and shall follow the maintenance protocols below:
- The College shall perform a review of its security policies and practices on an annual basis or when there are significant changes in people, process, and technology affecting personal data.
- The College shall ensure that third parties that the College discloses personal data to, or which are engaged to process personal data on the College’s behalf, have reasonable security arrangements to protect personal data. Due diligence shall be performed on those third parties in accordance with the College’s Third Party Risk Management policy.
- The College shall test the effectiveness of security measures on an annual basis.
1.8 Appropriate Retention
The College shall ensure that personal data retention policies are implemented.
- The College shall set out specific retention periods for various sets or types of personal data in the Data Inventory map.
- The College shall provide information to individuals about the retention of their personal data.
- The College shall cease retention, use or disclosure of personal data which it did not solicit or in the event that it is unable to determine if such data can be lawfully collected.
- The College shall review the retention periods of the personal data as part of the Data Inventory Map review.
- The College shall delete all unwanted copies of unsolicited data. Unsolicited data shall not be used, disclosed, or retained.
Specifically, the DPO shall perform a regular review, at least annually, to ensure that personal data is deleted once its defined retention period has ended.
1.9 Appropriate Disposal
The College shall ensure the appropriate implementation of processes and methods for the disposal, destruction or anonymisation of personal data when there is no longer a legal or business purpose to retain it:
- The College shall determine appropriate data disposal, destruction, or anonymisation methods. The College shall ensure that disposed or destroyed data cannot be recovered, and anonymised data cannot be re-identified.
- Any physical documents containing personal data must be disposed of via a paper shredder.
1.10 Accurate and Complete Records
The College shall ensure that personal data under its possession or control is accurate and complete for the intended purposes of use or disclosure. This includes personal data that may be disclosed to a third-party organisation.
- Where there are reasonable grounds for believing that personal data to be used to make a decision affecting the individual is inaccurate, incomplete or outdated, the College shall ensure that the inaccurate, incomplete or outdated personal data is corrected before using it to make the decision.
- The College collects job applicant and employee data. In order to ensure accuracy and completeness of the personal data:
- Data Owners (HR) rely on employees to provide accurate and complete information. In the event that there are reasons to believe personal data is inaccurate or incomplete, Data Owners (HR) shall contact the employees via email or phone to verify the personal data. After the employee provides the correct information via email or phone, the Data Owner (HR) shall keep the revised version in the HR online storage platform.
- Job applicants have to go through screening procedures, where HR and hiring managers shall verify their education and work experience through interviews. HR may also contact external references for validation.
- The College shall, where applicable, communicate the corrections to third parties to whom the personal data was disclosed.
The College shall ensure that appropriate measures have been implemented to provide for individuals to request and obtain access to, or to request corrections to, any copies of their personal data that are in the College’s control.
2. Consent
In general the College only collects personal data when it has been voluntarily provided directly by an individual or a relevant family member. The main points at which consent is sought from data subjects are at the following times:
- When first applying to the College, either as a prospective family or for employment
- Upon acceptance of a place as a student or an offer of employment as a staff member
This policy and associated documents serve as the key information source for informed consent during these processes. Signing the College Terms and Conditions or an employment contract, which reference this policy, serves as the consent process in these cases. We do not normally seek further consent for collecting or processing personal data unless the reason for that collection or processing is not covered under this policy.
3. The Purpose for Collection
3.1 The Purposes for Collecting Data on Students and Families
We collect and use personal data in order to support the education of the students, to monitor and report on their progress, to provide appropriate personal and social care, and to assess the performance of the College as a whole, together with any other uses normally associated with this provision in an independent school environment. The educational programme of the College is deliberately wide and varied and includes all aspects of the UWCSEA Learning Programme. In addition to the direct provision of the Learning Programme we also use personal data to support our Alumni and Advancement functions.
More specifically, we may collect personal data for any or all of the following reasons:
- to process an application to attend the College as a student
- to facilitate student learning and the provision of the complete learning programme
- to monitor and report on student progress
- to keep children safe (food allergies, or emergency contact details)
- to provide support for the health, welfare and safeguarding of children
- to facilitate communication with families
- to meet the statutory duties placed upon us
- to assess and improve the quality of our services
- the provision of alumni services
- to create an historical record of the life of the College
- the provision of the advancement function
- to provide an historical record of a student’s time at the College to facilitate ongoing support and / or deal with retrospective claims against the College
- to comply with our legal obligations, including reporting to government agencies as required
3.2 The Purposes for Collecting Data on Employees, Prospective Employees, Volunteers or Third Party Contractors
We collect and use personal data to support the employment of individuals, to monitor and report on their progress and to assess the performance of the College as a whole, together with any other uses normally associated with employment in an independent school environment. Volunteers and staff employed by our contractors may be treated similarly to employees for this purpose.
More specifically, we may collect personal data for any or all of the following reasons:
- to process an application to work at the College
- to support employment at the College, including monitoring performance and providing professional development opportunities
- the provision of employment benefits, including pay, leave and medical care
- to keep children safe
- maintaining and monitoring our information systems and networks
- to comply with our legal obligations, including reporting to government agencies as required
3.3 The Purposes for Collecting Data on Visitors to Campus
We collect data on visitors to the campus for the express purpose of safeguarding the students in our care. For this purpose it is necessary for us to ensure that visitors are correctly and uniquely identified, that they are informed of their responsibilities to student care and their activities on campus are monitored to a reasonable degree.
More specifically, we may collect personal data for any or all of the following reasons:
- to accurately and uniquely identify an individual
- to ensure that visitors have received and completed our safeguarding declaration
- to ensure that visitors do not enter locations where they are not permitted or that they do not interact with students in inappropriate ways
- to ensure that College facilities, including IT systems, are not misused
4. What Data We May Collect
4.1 About Students and Families
For students and their family members, including applicants, we may collect data around some or all of the following categories:
- personal identifiers and contact information (such as name, unique ID number, and address)
- passport, ID cards and residency passes, including NRIC numbers
- characteristics and culture (such as nationality, ethnicity and language(s))
- medical and administration (such as doctors information, child health, dental health, allergies, medication and dietary requirements)
- mental health and emotional wellbeing
- safeguarding information
- attendance and participation across the learning programme (such as sessions attended, number of absences, absence reasons)
- assessment and attainment
- behavioural and disciplinary information
- photographs and videos of participation in the learning programme or College events
- CCTV images or other surveillance data
- special educational needs
- prior educational history, including references from previous schools
- employment and qualification details of adult family members
- bank account details and other financial details relevant to the payment of school fees and other attendant costs
- records of donations or other voluntary contributions to school life
- records of activity as alumni or parents of alumni
- records of Internet usage via the College network
- records of usage of school IT systems and devices
4.2 About Employees, Prospective Employees, Volunteers or Third Party Contractors
For employees, prospective employees, volunteers or third party contractors we may collect data around some or all of the following categories:
- contact and personal details, including name, address, email address, telephone number, date of birth, marital status and dependants
- emergency contact information for next of kin
- passport, ID card and residency passes, including NRIC numbers
- characteristics and culture (such as nationality, ethnicity and language(s))
- religious beliefs for the purpose of accommodating religious holidays
- qualifications, employment history, right to work documentation, references, background checks (including criminal background checks), CVs and other materials relevant to recruitment
- employment particulars (e.g. personnel files, job description, performance reviews, disciplinary or grievance records, attendance history, vacation dates, training records, professional memberships, conflict of interest declarations)
- payroll and financial data (e.g. salary, pensions, expenses, taxation paid, bank account information, benefits)
- health and medical data (sickness leave, maternity or paternity records, medical or mental health conditions, medical insurance claims)
- CCTV images or other surveillance data, including facilities access
- photographs and videos of participation in employment or engagement duties
- records of donations or other voluntary contributions to school life
- records of Internet usage via the College network
- records of usage of school IT systems and devices
4.3 About Visitors to Campus
For occasional visitors to one of our campuses or other College events, we may collect data around some or all of the following categories:
- contact and personal details, including name, email address and telephone number
- Photo ID details, including NRIC numbers
- Safeguarding declarations
- CCTV images or other surveillance data, including facilities access
- records of Internet usage via the College network
- records of usage of school IT systems and devices
5. Methods of Collection
Generally, we collect Personal Data through the following processes:
- when prospective students or employees make an enquiry about joining us
- during admissions events
- during an application to become a student or employee
- upon acceptance of a place as a student or as an employee or volunteer
- via our College Information Management System (CIMS) in support of various aspects of the learning programme or employment duties
- through the normal operation and delivery of the College Learning Programme
- as part of the creation of a historical record of school life, including media records of trips, special events and sporting fixtures
- during sign-up for other events or activities run by the College
- running the CCTV system and other security and access systems
- the monitoring of the College IT network and IT devices
- in preparation for or during a campus visit
6. The Legal Basis for Collection
In accordance with the Singapore PDPA, the lawful bases we rely on for processing personal data are:
- explicit and informed consent
- performance of contracts
- legal obligation
- legitimate interest
Where we rely on legitimate interest as the basis of collection, we will complete a Legitimate Interest Assessment.
7. Disclosure and Data Sharing
7.1 Family Data
The College recognises that whilst we hold personal data about individuals it is normal for schools to interact with families as a whole and not as separate individuals. So we will share data between family members as a matter of routine and allow relevant family members, i.e. parents, to update each other's information without further permission.
The “family” in this case will be defined as a group of individuals identified to us as a single family during the application process and normally related as wife/husband, mother/father, brother/sister or any similar step relationship or legal guardianship. Any changes to these relationships and desired attendant changes to data sharing should be notified to the College in writing.
7.2 Internal Data Sharing
Data is shared as necessary internally within the College to deliver the full range of services consistent with a private independent school educational programme.
In particular, the College may:
- make information available to any internal organisation or society set up for the purpose of maintaining contact with students and families including administration, fundraising, marketing or promotional purposes relating to the College, e.g. The Alumni Department or the Parents Association.
- make use of photographs, videos or sound recordings of students in College publications, the College website and other official College communication channels, as well as in external media.
- make personal data, including sensitive personal data, available to staff for planning activities and trips relating to all five elements of the UWCSEA Learning Programme, both in and outside of Singapore.
- retain and use personal data after a student has graduated to provide references, educational history and alumni services.
In all cases the College will remain as the data controller and this policy will govern data usage.
7.3 Third Parties
Data is shared as necessary with third-party companies to provide extended services. Examples include transport, medical, catering, travel services and online services such as email and office productivity tools, communication platforms, alumni and advancement services and a range of educational tools to support learning.
In particular, the College may share data with the following:
- External SaaS providers for the provision of:
  - email and document storage
  - admissions management
  - learning management systems
  - library management
  - specific educational tools used to support the delivery of the learning programme and learning
  - finance and procurement services
  - visitor management
  - network monitoring and security solutions
  - data backup
  - mass communication platforms
  - alumni services
  - advancement services
  - screening services
- Third-party service providers for the provision of activities, on or off campus, and trips, such as:
  - Sports activities
  - Other activities
  - Local trips and expeditions
  - Overseas trips and expeditions
- External educational organisations, such as:
  - Examination boards
  - Accrediting agencies
  - Other schools or universities
- Third-party service providers for the provision of campus support services, such as:
  - Medical care
  - Catering
  - Transport
  - Security
- Third-party service providers for the provision of consultancy and other support services for the operation of the College, such as:
  - Auditors or other external inspectors
  - Professional certification bodies
We will only transfer Personal Data to a Data Processor where they have provided us with sufficient guarantees that they will protect the data in compliance with data protection legislation and in line with our expectations. We will also ensure that these requirements are governed by contract or other legally binding agreement.
We will also enter into Data Sharing Agreements with other Data Controllers, where this is considered appropriate.
We may transfer your data outside of Singapore for storage or processing by third-party data processors. In all cases we will only share personal data with data processors or other data controllers where this is necessary to deliver the College educational programme and the supporting operational requirements. Where this occurs it will be in line with the requirements of the PDPA and this policy.
7.4 Legal Obligations
We will, where necessary, share data with external agencies as required under the PDPA in order to meet our legal obligations. This may include, for example, complying with requests from appropriate law enforcement agencies or other Singapore government departments.
8. Data Security
The separate College Information Security Policy provides the details of the measures that the College undertakes to protect Personal Data against unlawful or unauthorised processing, and accidental loss or destruction.
In summary, our security measures include:
- Keeping Personal Data on paper records or on removable devices in lockable rooms, desks or cupboards and disposing of these records securely when required by our retention schedule
- Keeping digital Personal Data in line with our agreed policies
- Ensuring staff members only share Personal Data they use in the course of their work with authorised personnel
- Maintaining up to date firewalls and other IT security measures, with regular audits of our IT systems
- Training staff on the importance of cybersecurity and data protection to ensure compliance with our policies and processes
- Regularly auditing our governance and information management processes, including cybersecurity and data protection practices.
9. Data Subject Rights
We recognise that Data Subjects have a number of rights regarding our use of their Personal Data, some of which are subject to conditions. All requests will be dealt with by our Data Protection Officer or our Data Protection Lead in accordance with this policy and associated protocols.
9.1 Right to be informed
This policy serves as notice to data subjects as to the reasons that the College collects, uses and discloses personal data.
9.2 Right to access (commonly referred to as a subject access request)
This gives individuals the right to ask us about the Personal Data we use about them. This can include what we use it for, who we share it with, how long we store it and where we have obtained it from. Individuals can also ask for a copy of the personal data that we hold about them.
However, the PDPA does not provide the right of access to any and all information held by an organisation. Therefore the College retains the right to refuse access to:
- opinion data kept for evaluative purposes or as professional judgements
- examination papers or the results of examinations
- confidential references written to support a student’s application to other educational institutions or courses
- data or material that would reveal personal data about other individuals in contravention of this policy or the PDPA
This may result in a complete request being denied or in redacted or partial information being disclosed.
Any access request can only relate to data already held at the time of the request.
Families can access and see a significant amount of the personal data we hold about them via our online college information management system, CIMS. In the event that the data in question cannot be seen here then please contact the Principal of the school in which your child is a student to request access to further data.
Employees should contact HR.
Alternatively you may contact the College Data Protection Officer using dataprotection@uwcsea.edu.sg.
The College may take up to 30 working days to process any data access request and may levy a relevant administrative fee depending on the scale of the request.
9.3 Right to rectification
This gives individuals the right to ask for inaccurate Personal Data to be corrected or for incomplete Personal Data to be completed. This right applies to factual data, but not to opinions or professional judgements that may be recorded for specific purposes from time to time.
Families can update a significant amount of their own personal data via our online college information management system, CIMS. In the event that the data in question cannot be updated in this way, then please contact itsupport@uwcsea.edu.sg with the relevant details to request an update. You can typically expect a response in 3 working days.
Employees should contact HR.
Alternatively you may contact the College Data Protection Officer using dataprotection@uwcsea.edu.sg.
9.4 Right to erasure
This gives individuals the right to ask for aspects of the Personal Data held about them to be erased under certain circumstances. This does not mean that data subjects can ask for the entirety of their data to be erased.
The College is required to keep certain records of all staff, students and parents in perpetuity for:
- due diligence in the event of a historical claim against the College
- recording and celebrating our history as an educational institution
- providing alumni services consistent with an independent school context
- supporting our advancement services consistent with an independent school context
We will erase any data not required for these purposes within a reasonable timeframe once a data subject has ceased to be a student, parents no longer have any current students or a person has left our employ. Our data retention schedule, which details the specific types of information we handle and the appropriate periods for retention, is documented as part of our data mapping process.
9.5 Right to Object/Opt-out
This gives individuals the right to ask us not to use their Personal Data in certain cases. This will include the use of their data for direct marketing not related to the delivery of the educational programme, or where decisions have been made about them using purely automated means.
9.6 Right to Data Portability
In the event of a request to port a data subject's personal data to another educational institution in Singapore, the College will make its best efforts to support the process based on the capabilities and compatibility of the receiving institution's systems.
10. Data Retention and Disposal
We do not retain Personal Data for any longer than is necessary for its required purpose and we will ensure that all Personal and Special Category Data is disposed of in a way that protects the privacy of Data Subjects.
The College is required to keep certain records of all staff, students and parents in perpetuity for:
- due diligence in the event of a historical claim against the College
- recording and celebrating our history as an educational institution
- providing alumni services consistent with an independent school context
- supporting our advancement function consistent with an independent school context
We will erase any data not required for these purposes within a reasonable timeframe once a data subject has ceased to be a student, parents or legal guardians no longer have any students enrolled or a person has left our employ. Our data retention schedule, which details the specific types of information we handle and the appropriate periods for retention, is set out in our Data Retention Schedule Protocol.
11. Data Protection Processes and Mechanisms
11.1 Data Inventory Map
The College shall clearly identify and document the types of personal data (including sensitive data where applicable) collected from individuals (e.g., customers, employees, contractors, etc.) in the form of a data inventory.
The personal data inventory shall be developed from the bottom up by various departments to provide a holistic view of the data items that are collected, used, disclosed and maintained by each Department, how they flow within the College, and with third parties outside of the College.
The data inventory map shall include information on the business purposes for collection, use and disclosure of personal data, the individuals and third parties who handle personal data under the College’s possession or control, as well as a classification of the data, to manage user access. It shall also document when and how the organisation should dispose of personal data or anonymise data for long term archival.
The Data Inventory Map shall be reviewed on an annual basis, or when there are significant changes in people, process, and technology affecting personal data.
11.2 Data Protection Impact Assessment
The College shall conduct a DPIA to address data protection risks when introducing significant new systems or processes that may present a risk to the processing of personal data, since addressing these risks after the design of a process or system has been finalised or implemented would be likely to require greater cost and effort.
This process is designed to identify if risks exist and their nature if present, so that mitigating actions can be taken to reduce or eliminate the same. The DPIA documentation shall be reviewed by the DPO on an annual basis to consider the relevance of the assessment.
The College shall be able to demonstrate and document that the security arrangements implemented are reasonable and appropriate under the circumstances, supported by a relevant risk assessment or based on legal requirements.
We have a process in place for our staff members to follow which includes guidance about when a Data Protection Impact Assessment is required.
The DPIA shall take into consideration:
- The nature of the personal data and possible harm that might result from a security breach
- How the personal data has been collected (i.e., physical or electronic) and the possible impact to the individual if an unauthorised person obtained, modified or disposed of the personal data. For example, in the employment context, it would be reasonable to expect a greater level of security for highly confidential employee appraisals as compared to more general information about the projects an employee has worked on.
- When assessing whether information security arrangements are adequate, the organisation shall consider the following factors:
  - Nature of the personal data held by the organisation and the possible harm that might result from a security breach.
  - Size of the organisation and the amount and type of personal data it holds.
  - Who within the organisation has access to the personal data.
  - Whether the personal data is or shall be held or used by a third party on behalf of the organisation.
In addition, an annual audit / risk assessment shall be initiated by the DPO on all the College’s Departments and their data owners to ensure that all the College’s policies, practices and processes pertaining to personal data protection and information security are effectively implemented. The findings of the onsite audits and the corrective or remedial measures taken must be logged and tracked by the DPO until closure.
11.3 Training and Awareness Programme
All Employees must be kept abreast of the most current data protection policies and practices of the College, through continual training and awareness sessions.
The DPO, together with the HR Department, is responsible for maintaining and updating the training and awareness materials.
The HR Department is responsible for consulting with the Legal Department to maintain and update the Employee’s Standard Contract of Employment. This contract includes ethics, personal conduct, confidentiality and disclosure agreements. The HR department shall also ensure that each new hire is aware of the Employee Privacy Notice, Privacy training slides and acceptable use policy.
The DPO shall ensure that all existing staff complete an annual refresher Data Privacy training.
The DPO shall also adopt regular communication of Data Protection practices, primarily via email memo, or through other appropriate mediums.
11.4 Third-Party and Data Intermediary Management
The College shall perform a third-party risk assessment on its third parties and service providers. This shall be performed in accordance with the Third Party Risk Management Policy.
The College shall also obtain reasonable assurance that all third parties to which it discloses personal data, or from which it obtains personal data, comply with applicable privacy legislation. This can be performed either through contractual clauses or a review of the third party’s service agreements and privacy policy. The DPO shall ensure that the review of third-party compliance is documented and reviewed on an annual basis.
11.5 Handling of Individual’s Requests
Requests related to any aspect of personal data shall be managed in accordance with the College Data Privacy & Protection Policy Management of Requests Protocol (see below).
11.6 Data Breach Management
We will manage data protection incidents in accordance with the process set out in our Incident Management Policy. As part of this process, we require all our staff members to follow specific guidelines on reporting data incidents, including completing a data incident form which we will investigate and log.
The DPO should be alerted immediately if the incident involves a personal data breach or loss. Depending on the severity of the data breach or data loss, the DPO may decide to notify the Personal Data Protection Commission (PDPC), or the Data Subjects affected.
Criteria for Data Breach Notification (DBN)
- Significant harm to affected individuals - Significant harm could include physical, psychological, emotional, economic and financial harm, as well as harm to reputation and other forms of harm that a reasonable person would identify as a possible outcome of a data breach.
- Significant scale - Breaches of significant scale are those that involve the personal data of 500 or more individuals.
Timeframes for notification
Upon determining that a data breach is notifiable, the College will notify:
- PDPC as soon as practicable, but in any case, no later than three (3) calendar days; and
- where required, affected individuals as soon as practicable, at the same time or after notifying PDPC.
- These timeframes for notifying the Commission and/or the affected individuals commence from the time the College determines that the data breach is notifiable. Where the College is required to notify affected individuals of a data breach, it will notify the affected individuals at the same time as, or as soon as practically possible after, it notifies the Commission.
- The Data Breach Management Plan will follow the Information Security Incident Response Protocol, refer to “ITPRO-013(POL-069) Information Security Incident Response Protocol” for details.
Exceptions from the requirement to notify affected individuals
The PDPA provides for exceptions to the requirement to notify affected individuals of a notifiable data breach in certain circumstances. Where appropriate technological measures were applied to the personal data before the data breach that render the personal data inaccessible or unintelligible to an unauthorised party, the exception for technological protection applies. In such cases, we do not need to notify the affected individuals of the data breach. Any decision not to notify under this exception must be approved by the CLT.
Prohibition and waiver of the requirement to notify affected individuals
The College is prohibited from notifying the affected individuals if a prescribed law enforcement agency instructs it not to do so. This caters for situations where the breach is the subject of an ongoing or potential investigation by a law enforcement agency and notifying the affected individuals would compromise investigations or prejudice enforcement efforts under the law. The College is likewise prohibited from notifying the affected individuals if the PDPC so directs.
Information to be provided in notification of data breach
The College will adopt the Cyber Incident Response Checklist from Annex – C (Report) of the Singapore Personal Data Protection Commission (PDPC) Guide on Managing and Notifying Data Breaches when determining the information to disclose.
Arrangements for Data Intermediaries on DBN compliance
The College will obtain reasonable assurance that any third party that the College discloses personal data to will comply with the Data Breach Notification Obligation. This will be enforced through contractual agreements as far as possible.
Where this is not practicable, due diligence will be performed to ensure that the third party has a Data Breach Plan in place to notify the College of any breach of personal data.
Communication of Data Breach Management Plan
The DPO will handle complaints of staff if there are any personal data breaches and report to Senior Management to resolve and rectify such complaints. The DPO will also liaise with the Information Security Officer to ensure that testing of the Information Security Incident Response Protocol will be performed on an annual basis. This will ensure that all relevant internal and external stakeholders are aware of their roles in the Data Breach Management Plan.
Related Protocols
This policy sets out the principles about how we will process Personal Data. The following notices and protocols provide the specific details on how this policy is implemented and should be read in conjunction with the policy.
- Information Security Incident Response Protocol
- Google Workspace Communication Records Access Protocol
- Data Retention Schedule Protocol
- Data Privacy & Protection Policy Management of Requests Protocol
References
Contact Us
If you have questions, requests or complaints regarding data privacy or data protection, please let us know how we can help. Contact our Data Protection Officer at dataprotection@uwcsea.edu.sg; they will respond within three working days.