Data Privacy and Protection Policy

This policy applies to all personal data we process for our current, past, and prospective students, their parents or guardians, staff members, volunteers, suppliers, and any third parties we interact with.

We collect personal data that is necessary to run the educational and operational programmes of the College.

For Students and Families

We collect data to support student education, monitor progress, provide personal and social care, and ensure student safety and welfare.

Examples of data collected:

• Personal identifiers and contact information (name, ID number, address) 
• Passport, ID cards, and residency passes
• Medical, health, and safeguarding information
• Attendance, assessment, and behavioural records
• Photographs, videos, and CCTV images
• Prior educational history, including references from previous schools
• Family employment and financial details for fee payment

For Employees, Prospective Employees, Volunteers

We collect data to support employment, manage performance, provide benefits, and comply with legal obligations:

Examples of data collected:

• Contact details, date of birth, and marital status
• Passport, ID cards, and right-to-work documentation
• Qualifications, employment particulars, employment history, and references
• Payroll, bank, and pension information
• Health and medical data (e.g., sickness leave, medical conditions)
• CCTV images and IT usage records
• Photographs and videos of participation in employment or engagement duties
• Records of correspondence, should you contact us

For Visitors to Campus

We collect data on visitors for the express purpose of safeguarding the students in our care. This includes ensuring visitors are correctly identified and have completed our safeguarding declaration.

Examples of data collected:

• Contact details and Photo ID details (including NRIC)
• Safeguarding declarations
• CCTV images and IT network usage records
   

How We Collect Data

The College generally collects personal data directly from individuals or a relevant family member, when they:

• Make an enquiry or apply to the College
• Accept a place as a student or an offer of employment
• Use our College Information Management System (CIMS)
• Visit our campus or attend an event
• Through the normal operation of College IT systems, CCTV, and security systems
• Creation of a historical record of school life, including media records of trips, special events and sporting fixtures

Our Legal Basis for Processing

The College relies on the following lawful bases for processing data under the Singapore PDPA:

• Explicit and informed consent
• Performance of contracts
• Legal obligation
• Legitimate interest

Consent is primarily sought when individuals apply to the College, accept the offer of a student place or employment or attend an event at the College.  Signing the College Terms and Conditions or an employment contract serves as the primary consent process, or voluntarily entering the College campus.
 

Data Sharing and Disclosure

The College shares data as necessary to deliver our educational programme and operational services.

• Internal Sharing: Data is shared internally as needed, for example, with the Alumni Department or Parents Association, or to make staff aware of data for planning trips.
• Third Parties: Data is shared as necessary with third-party companies that provide services, such as:
  • Email, document storage, and learning management systems
  • Transport, medical, and catering services
  • Travel providers for trips and expeditions
  • External educational organisations like examination boards or accrediting agencies
• International Transfers: The College may transfer your data outside of Singapore for storage or processing by third parties. We ensure this is done in line with PDPA requirements and that recipients provide a comparable standard of data protection.
• Legal Obligations: The College may share data with external agencies, such as law enforcement or government departments, to meet our legal obligations.
   

Security

The College has a separate Information Security Policy. Our security measures include:

• Keeping physical records in lockable storage
• Maintaining up-to-date firewalls and IT security measures
• Training staff on cybersecurity and data protection
• Regularly auditing our governance and security processes
• Data anonymisation
• Minimised collection of personal data
• Usage of multi-factor authentication (MFA) to secure access
• Keeping digital Personal Data in line with our agreed policies

Retention

We do not retain personal data longer than necessary for its required purpose.

However, the College is required to keep certain records of all staff, students, and parents in perpetuity for purposes such as:

• Historical claims against the College
• Recording our history as an educational institution
• Providing alumni and advancement services
• Supporting our advancement function consistent with an independent school context
• We will erase data not required for these purposes within a reasonable timeframe.
   

Individuals have several rights regarding our use of your personal data.

• Right to Access: You can ask for information about the personal data we hold about you and request a copy. The College retains the right to refuse access to certain information, such as opinion data kept for evaluative purposes or confidential references.
• Right to Rectification: You can ask for inaccurate factual personal data to be corrected or incomplete data to be completed. 
• Right to Erasure: You can ask for your personal data to be erased under certain circumstances. This is not an absolute right, as the College has legal and legitimate reasons to retain certain data.
• Right to Object/Opt-Out: You have the right to ask us not to use your personal data in certain cases, such as for direct marketing not related to the educational programme. 
• Right to Withdraw Consent: For data collected for purposes other than education or employment (which are our two main purposes), you may withdraw your consent. Information on how to do this is available from our DPO.
• Right to Data Portability: We will make our best efforts to support requests to port your data to another educational institution in Singapore.

To make an inquiry, request, or complaint about data protection matters, please contact our Data Protection Officer (DPO).

• Email: dataprotection@uwcsea.edu.sg

For specific routine requests:

• Families: You can access and update much of your data via our online portal, CIMS.
  • For access requests not on CIMS, please contact your child's Principal.
  • For correction requests you cannot make on CIMS, please raise a ticket on the College Support Portal: support.uwcsea.edu.sg.
• Employees: Please contact HR for data access or rectification requests.

The College may take up to 30 working days to process a data access request.