Website Privacy Notice/Policy
Last update : 01/06/2022
At Harrow International School Bangkok we value the rights and freedoms of all people. This includes respecting your privacy and protecting your personal data. This privacy notice describes how we collect and use (or "process") your information. It also tells you how to contact us as well as outlining what rights you have with regard to your personal data.
Who are we?
Harrow International School Bangkok (“we”, “our”, “us”) is an independent school located in Bangkok and Thailand. We provide education to children between the ages of 18 months to 18 years. Harrow International School Bangkok is a licensed private school under the Private School Act, License No. Kor. Nor. 005/2541, with Licensee of Harrow Asia Limited, Registration No. 0105541052067, both having registered address at 45 Soi Kosumruamchai 14, Kosumruamchai Rd., Don Muang Sub-district, Don Muang District, Bangkok, 10210 Thailand.
What is the purpose of this website privacy notice?
The purpose of this privacy notice is to provide detailed information about how we process personal data.
Our privacy notice should be read in conjunction with our other policies and terms and conditions which make reference to personal data, including our Safeguarding Policy, Acceptable Use Policy and CCTV policy to name a few.
Please read this notice carefully and, if you have questions regarding your personal data or its use, please contact the Data Protection Officer at DPO@harrowschool.ac.th.
If you consider your personal data is not being used appropriately in accordance with this policy, you may contact us at DPO@harrowschool.ac.th. Additionally, you are entitled to lodge a complaint with the Personal Data Protection Committee of Thailand.
We will update this Privacy Notice from time to time. Any substantial changes that affect how we process your personal data will be notified on our website and to you directly, as far as practicable.
What is personal data?
The term ‘personal data’ refers to any information which identifies you or can be used to identify a data subject when used in conjunction with other information.
The term ‘data subject’ describes the person about whom the personal data is about.
What personal data do we collect about you?
We process personal data about visitors to our website; prospective, current and past: students and their parents; staff and contractors; donors and supporters; and other individuals connected with or visiting our school.
The personal data we process takes different forms.
- names, addresses, telephone numbers, e-mail addresses, emergency contact information;
- IP addresses, location data, and website statistics and analytics;
- website cookies (Cookie Wow);
- students' date of birth, nationality, family details;
- admissions, academic, disciplinary and other education related records, references, examination scripts and marks;
- parents’ employment data;
- images, audio and video recordings;
- financial information and identification documents (e.g. for bursary assessment or for fundraising);
- employee and former employee data including recruitment, training, performance management, payroll, and other HR information.
As a school, from time to time we also need to process personal data which is designated under Section 26 of the PDPA as “sensitive” or “special category personal data” in order to facilitate our school operations and activities. Such data includes personal data regarding a data subject concerning:
- special education needs;
- biometric data (e.g. fingerprints, face recognition)
- information relating to safeguarding and child protection/welfare
- counselling records
- race ethnicity;
- religion or
- criminal records
How do we obtain your information?
We collect most of the personal data we process directly from the data subject concerned (or often in the case of students, from their parents. In some cases, we collect data from third parties, such as referees/references, and previous schools or from publicly available resources.
We also collect data about you when:
- you have expressed an interest in having a student attend our school;
- you have registered to attend (or have attended) one of our events;
- you visit our website;
- You want to enroll as a parent or student
- you sign up to receive email our newsletter and/or prospectus;
- you have expressed an interest in working for, or with, us; or
- you are employed by us or an organisation with whom we have a business relationship.
How do we use your personal data?
Whenever we use (or “process”) any personal data (sensitive/special category or otherwise), we do so in accordance with applicable laws and regulations (including with respect to safeguarding or employment).
We take appropriate technical and organisational steps to ensure the security of personal data about individuals, including policies around use of technology and devices, and access to school systems.
In the course of school business, we share personal data (including personal data under Section 26 of the PDPA, or commonly referred to as “special category” or “sensitive” personal data, where appropriate) with third parties such as examination boards, the school’s Nurse/Doctor, the school’s professional advisors and relevant authorities. We may also be required to share your personal data with other organisations for legal or statutory purposes, or where we have your consent to do so.
We may also share data with the parent–teacher association in order to facilitate parental participation. Moreover, some of our systems are managed or operated by third parties (e.g. hosted databases, school website, school calendar, school post and my school portal or cloud storage providers).
Sharing data with these parties is always subject to contractual assurances that personal data will be kept securely and only in accordance with our specific directions. We do not transfer personal data you have provided unless we are satisfied that the personal data will be afforded an equivalent level of protection.
Additionally, the School will provide information to each pupil/parent (which can include relevant personal data of the respective child) as necessary to facilitate school operations.
Moreover, we may transfer data to other countries but in doing so will rely either on the existence of standard contractual clauses as part of agreements with data processors. For more information on how we transfer data to other countries is available upon request by contacting our Data Protection Officer at DPO@harrowschool.ac.th.
Purposes for which we process personal data
We process personal data to support our operation as an independent school. In particular, we use the data for:
- The selection and admission of students;
- The provision of education and enrichment to our students, including the administration of our curriculum; monitoring student academic progress and educational needs; reporting on the same internally and to parents; administration of students’ entries to public examinations, and providing references for students (including after a student has left);
- The provision of educational support and related services to students;
- The safeguarding of students’ welfare and provision of pastoral care, welfare, health care services and support.
- The provision of a safe and secure environment for students, staff, and visitors to the school.
- Compliance with legal and regulatory requirements;
- Operational management including the compilation of student records; the administration of invoices, fees and accounts; the management of school property; the management of security and safety arrangements (including the use of CCTV in accordance with our CCTV Policy and monitoring of the school’s IT and communications systems in accordance with our Acceptable Use Policy; the administration and implementation of our school’s rules and policies for students and staff; and the maintenance of historic archives;
- Staff administration including the recruitment of staff/engagement of contractors; administration of payroll, pensions and sick leave; review and appraisal of staff performance; conduct of any grievance, capability or disciplinary procedures; and the maintenance of appropriate human resources records for current and former staff; and providing references;
- Advancement including fundraising;
- Analyzing website traffic, demographics and behaviour through the use of analytical tools and cookies;
- The promotion of our school through our website[s], our prospectus and other publications and communications (including through our social media accounts);
- Maintaining relationships with our alumni and former employees.
- For keeping a record of historical and memorable events relevant to the maintenance of a historical record.
What is our legal basis for processing your personal data?
We may process your personal data for the above purposes based one or more of the following legal bases:
- we have an individual’s consent to do so (or their parent’s, if appropriate). You can withdraw your consent at any time by emailing DPO@harrowschool.ac.th.
- it is necessary for the performance of a contract (e.g. an employment contract with a member of staff);
- it is necessary for our compliance with our legal obligations. In this respect, we may use personal data to exercise or perform any right or obligation conferred or imposed by law in connection with employment; and/or for the prevention and detection of crime, and in order to assist with investigations (including criminal investigations) carried out by the police and other competent authorities;
- it is necessary for our or a third party’s legitimate interests. These “legitimate interests” include our interests in providing high quality education, fostering relationships with those in the school community, and our interests in managing and operating the school to the best of our abilities.
- it is necessary to protect an individual’s vital interests (in certain limited circumstances, for example where a student has a life-threatening accident or illness while at school and we have to process that student’s personal data in order to ensure the student receives prompt and appropriate medical attention);
- it is necessary for the establishment, exercise or defence of legal claims;
- it is necessary for reasons of substantial public interest, including safeguarding purposes;
- it is necessary for medical purposes, including medical diagnosis and the provision of health care or treatment for students, managing related health care systems, and/or for assessing the working capacity of staff;
- it is necessary for archiving, research or statistical purposes;
Under the Personal Data Protection Act B.E. 2562 (2019) of Thailand (“PDPA”), the rights belong to the individual to whom the data relates (i.e. the data subject). However, where consent is required as the lawful basis for processing personal data relating to students we will often rely on parental consent unless, given the nature of the processing in question, and the student’s age and understanding, it is more appropriate to rely on the student’s consent.
Parents should be aware that in such situations they may not be consulted, depending on the interests of the child, the parents’ rights at law or under their contract, and taking into account all the relevant circumstances.
In general, we will assume that students’ consent is not required (and that other lawful bases are more appropriate, as described above) for ordinary disclosure of their personal data to their parents, e.g. for the purposes of keeping parents informed about the student’s activities, progress and behaviour, and in the interests of the student’s welfare, unless, in the school’s opinion, there is a good reason to do otherwise.
However, where a student seeks to raise concerns confidentially with a member of staff and expressly withholds their agreement to their personal data being disclosed to their parents, we may be under an obligation to maintain confidentiality unless, in our opinion, there is a good reason to do otherwise; for example where the school believes disclosure will be in the best interests of the student or other students, or is required by law.
What are our responsibilities for looking after your personal data?
In every case, when we are collecting or using personal data, we will comply with the requirements of the Personal Data Protection Act B.E. 2562 (2019) of Thailand (“PDPA”) and other relevant laws and/or regulations should that be applicable.
What rights do you have over your personal data?
Under data protection laws, you have the right to:
- obtain access to, and copies of, the personal data that we hold about you (subject to legal exceptions);
- correct the personal data we hold about you if it is incorrect;
- require us to erase your personal data in certain circumstances;
- require us to restrict our data processing activities in certain circumstances;
- receive from us the personal data we hold about you which you have provided to us, in a reasonable format specified by you, including for the purpose of your transmitting that personal data to another data controller;
- object, on grounds relating to your particular situation, to any of our particular processing activities where you feel this has a disproportionate impact on your rights (including a right to object to receiving fundraising or communications, and to object to our profiling you for the purposes of fundraising or keeping in touch);
- where our processing is based on your consent, you may withdraw that consent, without affecting the lawfulness of our processing based on consent before its withdrawal.
If you would like to exercise any of your rights under data protection law for which we are the data controller, please make your request by emailing us at DPO@harrowschool.ac.th.
Please note that these rights are not absolute, and we may be entitled or required to refuse requests where exceptions or exemptions apply.
We will respond to any such written requests as soon as is reasonably practicable and in any event within statutory time limits.
We try to ensure that all personal data held in relation to an individual is as up to date and accurate as possible. Please notify DPO@harrowschool.ac.th of any significant changes to important information, such as contact details, held about you.
If you have any questions or concerns about how we are using your personal data or if you would like to exercise any of your information rights, please contact us at DPO@harrowschool.ac.th.
How do we retain and store your personal data?
All personal data is securely stored in accordance with legal requirements. We retain personal data only for legitimate purposes, relying on one or more of the lawful bases as set out above, and only for so long as necessary for those purposes, or as required by law.
If you have questions, requests or issues, please let us know how we can help. Our Data Protection Officer can be reached at DPO@harrowschool.ac.th.
The Data Protection Officer
Harrow International School Bangkok
45 Soi Kosumruamchai 14,
Don Mueang, Don Mueang
Bangkok 10210, Thailand