Data Privacy and Protection Policy

For the purposes of this policy, the following terms apply:-

The “College” consists of the three entities “UWCSEA” “UWCSEA - East” and “The UWCSEA Foundation Limited” and their shared operational services.

Data Controller means the organisation which determines the purposes for processing Personal Data and the manner in which that processing will be carried out. In most cases, UWCSEA is the Data Controller of the Personal Data we collect and use as part of our activities.

Data Processor means any external organisation or person that processes Personal Data on our behalf and in accordance with our instructions, such as suppliers and contractors. Our staff members are typically not Data Processors.

Data Subjects are all living individuals about whom we hold and process Personal Data.

Personal Data means any information relating to a living individual who can be identified from that information or from any other information we may hold. Personal Data can include names, identification numbers, addresses (including IP addresses), dates of birth, financial or salary details, education background, job titles and images. It can also include an opinion about an individual, their actions or their behaviour.  Personal Data may be held on paper, in a computer or any other media whether it is owned by the organisation or a personal device.

Special Categories of Personal Data are more sensitive, and include information revealing an individual's racial or ethnic origin, political opinions, religious or philosophical beliefs. It will also include data concerning health (physical and/or mental health), data concerning a person’s sex life or sexual orientation, data concerning safeguarding or welfare concerns about a person or people related to that individual. Genetic or biometric information where that data is used to uniquely identify a person. We will also treat data relating to criminal convictions or related proceedings in the same way as special categories of data

Processing means any activity which is performed on any Personal Data or Special Category Data. It includes the collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, erasure or destruction of data.

Roles and responsibilities

The College will implement the following structure to support the implementation of this policy:
Data Protection Governors - Audit and Risk Board Sub-committee
Ultimate accountability for ensuring compliance to the PDPA by the College. 

Chief Operating Officer
The senior operational leader in the College responsible for Data Governance.

Data Protection Officer
Operational leader responsible for ensuring and managing compliance with the policy.

Data Governance Lead (Information Security Lead)
Responsible for coordinating and supporting the implementation of the Data Protection Policy on a day to day basis within the College.

Data Governance Working Group
A diverse and cross-functional team with responsibility for helping to oversee and advise on the implementation of the Data Protection Policy.

Data Governance Functional Area Leads
Individuals assigned to complete the data mapping process and ensure compliance within a functional area.

In order to discharge our duty we will fulfill all the obligations under the PDPA (2020), these are as follows:

1. Consent Obligation
2. Purpose Limitation Obligation
3. Notification Obligation
4. Access and Correction Obligation
5. Accuracy Obligation
6. Protection Obligation
7. Retention Limitation Obligation
8. Transfer Limitation Obligation
9. Data Breach Notification Obligation
10. Accountability Obligation
     

In general we will only collect personal data when it has been voluntarily provided directly by an individual or a relevant family member. The main points at which consent is sought from data subjects are at the following times:

• When first applying to the College, either as a prospective family or for employment
• Upon acceptance of a place as a student or an offer of employment as a staff member

This policy and associated documents serve as the key information source for informed consent. Signing the College Terms and Conditions or an employment contract, which reference this policy, serves as the consent process in these cases. We do not normally seek further consent for collecting or processing personal data unless the reason for that collection or processing is not covered under this policy. 
 

 

Students and Families

For students and their family members, including applicants, we may collect data around some or all of the following categories:

• personal identifiers and contact information  (such as name, unique ID number, and address)
• passport, ID cards and residency passes, including NRIC numbers
• characteristics and culture (such as nationality, ethnicity and language(s))
• medical and administration (such as doctors information, child health, dental health, allergies, medication and dietary requirements)
• mental health and emotional wellbeing
• safeguarding information 
• attendance and participation across the learning programme (such as sessions attended, number of absences, absence reasons)
• assessment and attainment 
• behavioural information
• photographs and videos of participation in the learning programme or College events
• CCTV images or other surveillance data
• special educational needs 
• prior educational history, including references from previous schools
• employment and qualification details of adult family members
• bank account details and other financial details relevant to the payment of school fees and other attendant costs
• records of donations or other voluntary contributions to school life
• records of activity as alumni or parents of alumni
• records of Internet usage via the College network
• records of usage of school IT systems and devices

Employees, Prospective Employees, Volunteers or Third Party Contractors

For employees, prospective employees, volunteers or third party contractors we may collect data around some or all of the following categories:

• contact and person details info, including name, address, email address, telephone number, date of birth, marital status and dependants.emergency contact information for next of kin
• passport, ID card and residency passes, including NRIC numbers
• characteristics and culture (such as nationality, ethnicity and language(s))
• religious beliefs for the purpose of accommodating religious holidays
• qualifications, employment history, right to work documentation, references, background checks (including criminal background checks), CVs and other materials relevant to recruitment.
• employment particulars (e.g. personnel files job description, performance reviews, disciplinary or grievance records, attendance history, vacation dates, training records, professional memberships, conflict of interest declarations)
• payroll and financial data (e.g. salary, pensions, expenses, taxation paid, bank account information, benefits)
• health and medical data (sickness leave, maternity or paternity records, medical or mental health conditions, medical insurance claims)
• CCTV images or other surveillance data, including facilities access
• photographs and videos of participation in employment or engagement duties
• records of donations or other voluntary contributions to school life
• records of Internet usage via the College network
• records of school IT systems and devices usage

Visitors to Campus

For occasional visitors to one of our campuses or other College events, we may collect data around some or all of the following categories:

• contact and person details info, including name, email address and telephone number
• Photo ID details, including NRIC numbers
• Safeguarding declarations
• CCTV images or other surveillance data, including facilities access
• records of Internet usage via the College network
• records of usage of school IT systems and device

Generally, we collect Personal Data through the following processes:

• when prospective students or employees make an enquiry about joining us
• during admissions events
• during an application to become a student or employee
• upon acceptance of a place as a student or as an employee or volunteer
• via our College Information Management System (CIMS) in support of various aspects of the learning programme or employment duties
• through the normal operation and delivery of the College Learning Programme
• as part of the creation of a historical record of school life, including media records of trips, special events and sporting fixtures
• during sign-up for other events or activities run by the College
• running the CCTV system and other security and access systems
• the monitoring of the College IT network and IT devices
• in preparation for or during a campus visit

Students and Families

We collect and use personal data in order to support the education of the students, to monitor and report on their progress, to provide appropriate personal and social care, and to assess the performance of the College as a whole, together with any other uses normally associated with this provision in an independent school environment. The educational programme of the College is deliberately wide and varied and includes all aspects of the UWCSEA Learning Programme. In addition to the direct provision of the Learning Programme we also use personal data to support our Alumni and Advancement functions.

More specifically, we may collect personal data for any or all of the following reasons:

• to process an application to attend the College as a student
• to facilitate student learning and the provision of the complete learning programme
• to monitor and report on student progress
• to keep children safe (food allergies, or emergency contact details) 
• to provide support for the health, welfare and safeguarding of children
• to facilitate communication with families
• to meet the statutory duties placed upon us 
• to assess and improve the quality of our services
• the provision of alumni services
• to create an historical record of the life of the College
• the provision of the advancement function
• to provide an historical record of a students’ time at the College to facilitate ongoing support and / or deal with retrospective claims against the College
• to comply with our legal obligations, including reporting to government agencies as required 

Employees, Prospective Employees, Volunteers or Third Party Contractors

We collect and use personal data to support the employment of individuals, to monitor and report on their progress and to assess the performance of the College as a whole, together with any other uses normally associated with employment in an independent school environment. Volunteers and staff employed by our contractors may be treated similarly to employees for this purpose.

More specifically, we may collect personal data for any or all of the following reasons:

• to process an application to work at the College
• to support employment at the College, including monitoring performance and providing professional development opportunities
• the provision of employment benefits, including pay, leave and medical care
• to keep children safe
• maintaining and monitoring our information systems and networks
• to comply with our legal obligations, including reporting to government agencies as required

Visitors to Campus

We collect data on visitors to the campus for the express purpose of safeguarding the students in our care. For this purpose it is necessary for us to ensure that visitors are correctly and uniquely identified, that they are informed of their responsibilities to student care and their activities on campus are monitored to a reasonable degree.

More specifically, we may collect personal data for any or all of the following reasons:

• to accurately and uniquely identify an individual
• to ensure that visitors have received and completed our safeguarding declaration
• to ensure that visitors do not enter locations where they are not permitted or that they do not interact with students in inappropriate ways
• to ensure that College facilities, including IT systems, are not misused
   

In accordance with the Singapore PDPA the lawful basis we rely on for processing personal data are:

• explicit and informed consent
• performance of contracts
• legal obligation
• legitimate interest

Where we rely on legitimate interest as the basis of collection, we will complete a Legitimate Interest Assessment.
 

Family Data

The College recognises that whilst we hold personal data about individuals it is normal for schools to interact with families as a whole and not as separate individuals. So we will share data between family members as a matter of routine and allow relevant family members, i.e. parents, to update each other's information without further permission. 

The “family” in this case will be defined as a group of individuals identified to us as a single family during the application process and normally related as wife/husband, mother/father, brother/sister or any similar step relationship or legal guardianship. Any changes to these relationships and desired attendant changes to data sharing should be notified to the College in writing.

Internal Data Sharing 

Data is shared as necessary internally within the College to deliver the full range of services consistent with a private independent school educational programme. 

In particular, the College may: 

• make information available to any internal organisation or society set up for the purpose of maintaining contact with students and families including administration, fundraising, marketing or promotional purposes relating to the College, e.g. The Alumni Department or the Parents Association. 
• make use of photographs, videos or sound recordings of students in College publications, the College website and other official College communication channels, as well as in external media.
• make personal data, including sensitive personal data, available to staff for planning activities and trips relating to all five elements of the UWCSEA Learning Programme, both in and outside of Singapore.
• retain and use personal data after a student has graduated to provide references, educational history and alumni services

In all cases the College will remain as the data controller and this policy will govern data usage.

Third Parties

Data is shared as necessary with third party companies to provide extended services, examples include transport, medical, catering, travel services and online services such as email and office productivity tools, communication platforms, alumni and advancement services and a range of educational support tools.

In particular, the College may share data with the following: 

• External SaaS providers for the provision of:
  • email and document storage
  • admissions management
  • learning management systems
  • library management
  • specific educational tools
  • finance and procurement services
  • visitor management
  • network monitoring and security solutions
  • data backup
  • mass communication platforms
  • alumni services
  • advancement services
• External educational organisations, such as:
  • Examination boards
  • Accrediting agencies
  • Other schools or universities
• Third-party contractors for the provision of campus support services, such as:
  • Medical care
  • Catering
  • Transport
  • Security
• Third party contractors for the provision of off-campus activities or trips, such as:
  • Sports activities
  • Other activities
  • Local trips and expeditions
  • Overseas trips and expeditions

We will only transfer Personal Data to a Data Processor where they have provided us with sufficient guarantees that they will protect the data in compliance with data protection legislation and in line with our expectations. We will also ensure that these requirements are governed by contract or other legally binding agreement.

We will also enter into Data Sharing Agreements with other Data Controllers, where this is considered appropriate.

We may transfer your data outside of Singapore for storage or processing by third-party data processors. In all cases we will only share personal data with data processors or other data controllers where this is necessary to deliver the College educational programme and the supporting operational requirements. Where this occurs it will be in line with the requirements of the PDPA and this policy.  

Legal Obligations

We will, where necessary, share data with external agencies as required under the PDPA in order to meet our legal obligations. This may include, for example, complying with requests from appropriate law enforcement agencies or other Singapore government departments.
 

The separate College Information Security Policy provides the details of the measures that the College undertakes to protect Personal Data against unlawful or unauthorised processing, and accidental loss or destruction. 

In summary, our security measures include:

• Keeping Personal Data on paper records or on removable devices in lockable rooms, desks or cupboards and disposing of these records securely when required by our retention schedule
• Keeping digital Personal Data in line with our agreed policies
• Ensuring staff members only share Personal Data they use in the course of their work with authorised personnel
• Maintaining up to date firewalls and other IT security measures, with regular audits of our IT systems
• Training staff on the importance of cybersecurity and data protection to ensure compliance with our policies and processes
• Regularly auditing our governance and information management processes, including cybersecurity and data protection practices.
   

We recognise that Data Subjects have a number of rights regarding our use of their Personal Data, some of which are subject to conditions. All requests will be dealt with by our Data Protection Officer or our Data Protection Lead in accordance with this policy and associated protocols.

Right to be informed
This policy serves as notice to data subjects as to the reasons that the College collects, uses and discloses personal data.

Right to access (commonly referred to as a subject access request)
This gives individuals the right to ask us about the Personal Data we use about them. This can include what we use it for, who we share it with, how long we store it and where we have obtained it from. Individuals can also ask for a copy of the personal data that we hold about them.

However, the PDPA does not provide the right of access to any and all information held by an organisation. Therefore the College retains the right to refuse access to:

• opinion data kept for evaluative purposes or as professional judgements
• examination papers or the results of examinations
• confidential references written to support a student’s application to other educational institutions or courses
• data or material that would reveal personal data about other individuals in contravention of this policy or the PDPA

This may result in a complete request being denied or in redacted or partial information being disclosed.

Any access request can only relate to data already held at the time of the request.

Families can access and see a significant amount of the personal data we hold about them via our online college information management system, CIMS. In the event that the data in question cannot be seen here then please contact the Principal of the school in which your child is a student to request access to further data. 

Employees should contact HR. 

Alternatively you may contact the College Data Protection Officer using dataprotection@uwcsea.edu.sg.

The College may take up to 28 working days to process any data access request and may levy a relevant administrative fee depending on the scale of the request.

Right to rectification
This gives individuals the right to ask for inaccurate Personal Data to be corrected or for  incomplete Personal Data to be completed. This right applies to factual data, but not to opinions or professional judgements that may be recorded for specific purposes from time to time.

Families can update a significant amount of their own personal data via our online college information management system, CIMS. In the event that the data in question cannot be updated in this way, then please contact itsupport@uwcsea.edu.sg with the relevant details to request an update. You can typically expect a response in 3 working days. 

Employees should contact HR. 

Alternatively you may contact the College Data Protection Officer using dataprotection@uwcsea.edu.sg. 

Right to erasure 
This gives individuals the right to ask for aspects of the Personal Data held about them to be erased under certain circumstances. This does not mean that data subjects can ask for the entirety of their data to be erased. 

The College is required to keep certain records of all staff, students and parents in perpetuity for:

• due diligence in the event of a historical claim against the College
• for the purposes of recording and celebrating our history as an educational institution
• for providing alumni services consistent with an independent school context
• for supporting our advancement services consistent with an independent school context

We will erase any data not required for these purposes within a reasonable timeframe once a data subject has ceased to be a student, parents no longer have any current students or a person has left our employ. Our data retention schedule, that details the specific types of information we handle and the appropriate periods for retention, is documented as part of our data mapping process.

Right to Object/Opt-out
This gives individuals the right to ask us not to use their Personal Data in certain cases. This will include the use of their data for direct marketing not related to the delivery of the educational programme, or where decisions have been made about them using purely automated means.

Right to Data Portability
In the event of a request to port a data subject's personal data to another educational institution in Singapore, the College will make its best efforts to support the process based on the capabilities and compatibility of the receiving institutions systems.
 

We do not retain Personal Data for any longer than is necessary for its required purpose and we will ensure that all Personal and Special Category Data is disposed of in a way that protects the privacy of Data Subjects.

The College is required to keep certain records of all staff, students and parents in perpetuity for:

• due diligence in the event of a historical claim against the College
• for the purposes of recording and celebrating our history as an educational institution
• for providing alumni services consistent with an independent school context
• for supporting our advancement function consistent with an independent school context

We will erase any data not required for these purposes within a reasonable timeframe once a data subject has ceased to be a student, parents or legal guardians no longer have any students enrolled or a person has left our employ. Our data retention schedule, that details the specific types of information we handle and the appropriate periods for retention, is detailed in our Data Retention Schedule Protocol. 
 

We will manage data protection incidents in accordance with the process set out in our Incident Management Policy. As part of this process, we require all our staff members to follow specific guidelines on reporting data incidents, including completing a data incident form which we will investigate and log.
 

We will carry out a Data Protection Impact Assessment when introducing significant new systems or processes that may result in a risk around the processing of personal data. This process is designed to identify if risks exist and their nature if present, so that mitigating actions can be taken to reduce or eliminate the same.

We have a process in place for our staff members to follow which includes guidance about when a Data Protection Impact Assessment is required. 
 

Related Protocols

This policy sets out the principles about how we will process Personal Data. The following notices and protocols provide the specific details on how this policy is implemented and should be read in conjunction with the policy.

• Information Security Incident Response Protocol
• Google Workspace Communication Records Access Protocol
• Data Retention Schedule Protocol

Associated Policies and Protocols

These are separate policies that cover areas closely related to this one:

• Information Security Policy
• Communications Policy
• Security Policy
• Remote Working Policy

References

Singapore PDPA Act (Updated 2020)