Personal Data Protection Privacy Policy
- Background
- Consent
- Parental Consent Clause
- Staff Consent Clause
- Implied Consent
- Data Protection Policy
- Data Collected and Purpose
- Data Security
- Data Retention and Removal
- Right of Access and Correction
- Exemptions to Right of Access
- Sharing Data with Third Parties
- Appendix A: Contracts with Third Parties
Background
The Singapore Personal Data Protection Act 2012 (PDPA) establishes a data protection law that comprises various rules governing the collection, use, disclosure, and care of personal data. It recognizes both the rights of individuals to protect their personal data, including rights of access and correction, and the needs of organizations to collect, use, or disclose personal data for legitimate and reasonable purposes.
The PDPA takes into account the following concepts:
- Consent – Organizations may collect, use, or disclose personal data only with the individual’s knowledge and consent (with some exceptions);
- Purpose – Organizations may collect, use, or disclose personal data in an appropriate manner for the circumstances, and only if they have informed the individual of purposes for the collection, use, or disclosure; and
- Reasonableness – Organizations may collect, use, or disclose personal data only for purposes that would be considered appropriate to a reasonable person in the given circumstances.
Consent
Parental Consent Clause
The school will collect and use personal data about you and your child in accordance with the Singapore Personal Data Protection Act (2012). You consent to us using such personal data as set out in the school’s ‘Data Protection Policy’ which is available on the school’s website and may be amended from time to time and where otherwise reasonably necessary for the school to provide appropriate services.
Staff Consent Clause
The school will collect and use personal data about you in accordance with the Singapore Personal Data Protection Act (2012). You consent to us using such personal data as set out in the school’s ‘Data Protection Policy’ which is available on the school’s website and may be amended from time to time and where otherwise reasonably necessary for the school to provide you employment. Staff who have children enrolled at the school must provide permission twice, once for themselves as an employee and once as a parent.
Implied Consent
Where a person has made a free decision to opt in to a process or situation where the collection or use of personal data can be reasonably expected, then implied permission can be assumed. This includes:
- Staff Online Applications (when applications are submitted)
- Student Online Applications (the admissions process prior to acceptance)
- Alumni Website Sign-up
- Events
- Campus - CCTV
Data Protection Policy
Data Collected and Purpose
The school holds personal data on its students, including: contact details, assessment/examination results, attendance information, behaviour, and characteristics such as ethnic group, special educational needs, any relevant medical information, photographs, and/or video footage.
The data is used in order to support the education of the students, to monitor and report on their progress, to provide appropriate personal and social care, and to assess the performance of the school as a whole, together with any other uses normally associated with this provision in an independent school environment.
The school may make use of limited personal data (such as contact details) relating to students, their parents, or guardians for fundraising, marketing, or promotional purposes and to maintain relationships with students of the school.
Data is shared as necessary with third party companies to provide extended services; examples include transport, medical, catering, travel services, and online services such as email.
In particular, the school may:
- Make available information to any internal organization or society set up for the purpose of maintaining contact with students or for administration, fundraising, marketing, or promotional purposes relating to the school, e.g. alumni. The school will remain as the data controller and this policy will govern data usage.
- Make use of photographs, videos, and/or sound recordings of students in school publications, the school website, school social media channels, and other official school communication channels.
- Make personal data, including sensitive personal data, available to staff for planning activities and trips, both in and outside of Singapore.
- Retain and use personal data after a student has graduated to provide references, educational history, and alumni services consistent with an independent school environment.
Photography and Videography
Singapore American School routinely captures photos and live or taped video of its students, employees and visitors to campus and uses these images on its website and social media channels and in the school magazine, fundraising materials, marketing materials (print, video, and digital ads), and student publications. SAS reserves the right to reproduce these images and files. Faculty members are encouraged to share the work happening within their classrooms through photos and videos on their own social media channels. By studying at, working at, or visiting SAS, an individual acknowledges this right of the school. We do not post, or permit constituents to post images that might be deemed inappropriate (vulgar, discriminatory, pornographic, explicit).
We will honor all requests by users who wish to have images of themselves removed from the website or social media sites. To make such a request, please contact communications@sas.edu.sg and your child’s teacher.
When external individuals or organizations request to use photographs of our campus or students, explicit permission must be sought from parents if students are identifiable. The communications office must be copied on permission requests and when permission is granted.
SAS has no control over materials once they are posted online, and these can be copied or sent without our knowledge or permission. All materials on this site are copyrighted by SAS unless otherwise indicated. SAS will not post copyrighted material without written permission from the appropriate parties. SAS provides links to other websites or resources. We do not control these sites and resources, do not endorse them, and are not responsible for their availability, content, or delivery of services. In particular, external sites are not bound by SAS’s privacy policy.
Data Security
The school undertakes to:
- Implement appropriate security measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure, or access, in particular when the processing of data involves the transmission or storage on or within a network.
- That it shall notify data subjects about any accidental or unauthorized access of their data that may lead to damage or harm.
Data Retention and Removal
Right of Access and Correction
Families have a right to see the data held about them (subject to the exemptions listed below) and to request for data to be corrected if it is incorrect.
Families can access the majority of personal data held about them via the school’s online Information Management System.
To request data or for data to be changed that you do not have edit rights to, please contact data@sas.edu.sg. The school will consider the request and respond within three working days. The response may be to decline the request with reasons or to provide a time scale in which the data will be supplied.
Exemptions to Right of Access
The PDPA does not provide the right of access to any and all information held by an organization. Therefore the school retains the right to refuse access to:
- Opinion data kept for evaluative purposes
- Examination papers or the results of examinations
- Confidential references written to support a student’s application to other educational institutions or courses
- Data or material that provides personal data about other individuals in contravention of this policy or the PDPA
Sharing Data with Third Parties
The school shares personal data with a variety of third parties for the purposes of the third party providing a relevant service to the institution. Examples of these services include transport, catering, travel services, accommodation, and medical.
The school will only share data for the purposes of eliciting a necessary service from these third party organizations and not for commercial gain.
Where the school signs explicit contracts with these organizations it will include clauses from Appendix A: Contracts with Third Parties to ensure that the organization is using the data purely for the intended purpose of providing the required service and that it is taking appropriate precautions to safeguard the data.
In some instances, for example for online services provided by companies outside of Singapore, explicit signed contracts do not exist. In these instances the school will ensure that the terms and conditions of the service include clauses that:
- The school remains the owner of the data.
- The service provider is not entitled to use any data held on its service for any purpose other than to provide the required service.
- The service provider is taking reasonable precautions to ensure the security of the data.
- Once the school terminates its agreement with the service provider, that any and all data held will be deleted and not used for any other purpose.
Appendix A: Contracts with Third Parties
When signing contracts with any third party organizations that the school will share personal data with the contractshould include the following clauses or entries to the same effect.
The school collects and uses personal data about staff, students, and families in accordance with the Singapore Data Protection Act (2012) and other relevant laws and requirements on private education institutions in Singapore.
As a result of the provision of your obligations under this agreement, you may have access to personal data about the school’s employees, students, parents, and/or other contacts. You must (and must ensure that your employees, agents, sub-contractors, and representatives will) keep all such data secure and protected against improper disclosure or use as detailed in this agreement.
Definitions:
- ‘Personal data’ shall refer to data, whether true or not, about an individual who can be identified from that data; or from that data and other information to which the organization has or is likely to have access and all other data deemed protected under the Personal Data Protection Act 2012
- ‘PDPA’ shall mean the personal Data Protection Act (2012)
- ‘The school’ shall mean the entity who transfers the data to be used
- ‘The company’ shall mean the processor who agrees to accept the school’s personal data intended for processing and use in accordance with this agreement
Data Use
The company agrees and warrants:
- That any personal data shared by the school or collected by the company as a result of providing the services covered in this agreement will be used solely for the purposes of providing the service detailed in this agreement
- That no personal data collected or shared will be used to offer or solicit further services from the individuals concerned
- To process the personal data only on behalf of the school and in compliance with its instructions
- That the processing, including the transfer itself, of the personal data has been and will continue to be carried out in accordance with the relevant provisions of the applicable data protection law and do not violate the relevant laws of the Republic of Singapore in which the school resides
- That it shall promptly notify the school about any request for disclosure received directly from any authority or individual.
Data Security
The company agrees and warrants:
- To implement appropriate security measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure, or access, in particular when the processing of data involves the transmission or storage on or within a network
- That it shall promptly notify the school about any accidental or unauthorised access of the data, or any loss of the data whether leading to unauthorised access or not.
Data Retention – Obligations After the Termination of Contract or Services
The company agrees and warrants:
- That on the termination of the contract or services that required data processing services, that the company shall at the request of the school transfer all the data transferred and copies thereof to the data exporter or shall destroy all the personal data and certify that he has done so, unless legislation imposed on the data importer prevents him from returning or destroying all or part of the data transferred. In that case the company warrants that he will guarantee the confidentiality of the personal data and will not actively process the personal data transferred anymore. Once the legal requirement for retention has passed the company warrants that it will destroy all data retained.
Data Correctness and Right of Correction
The company agrees and warrants:
- To provide the school on request all the personal details of individuals that have been collected as the result of this agreement and to amend or delete such data on request within the lifetime of the agreement.
Liability
- The parties agree that if one party is held liable for a violation of the clauses committed by the other party in contravention of the PDPA, the latter will, to the extent he is liable, indemnify the first party from any cost, charge, damages, expenses, or losses it has incurred.