Global data privacy has taken centre stage today. While the discussions mostly centre around how companies and governments can adhere to data protection & privacy regulations, this is an essential consideration for academic institutions.
Asian international schools must be careful when handling their students’ data, specifically alumni data. Many students from Asian international schools study in prestigious universities and then work at global organizations, where they are entrusted with key tasks or company data. This data is often shared when former students register for the school’s alumni program.
While alumni data is typically used to send school newsletters, major announcements, and fundraising requests, there is always a risk that alumni’s information may be misused if proper safeguards aren’t in place. Compromising alumni information can jeopardize former students jobs and also affect the goodwill built by the school.
Here, we discuss how Asian international schools – particularly those located in Thailand – can adhere to the Thailand PDPA and EUGDPR global data privacy laws.
What is EU GDPR?
The General Data Protection Regulation (GDPR) is a regulation passed by the European Union (EU) to protect the data privacy of EU residents. According to the GDPR, any organization or academic institution offering services to any person who is a registered resident/citizen of an EU nation must comply with the GDPR requirements when handling their personal data.
What is Thailand PDPA?
The Personal Data Protection Act B.E.2652 (Thailand PDPA) is a rigorous data privacy & protection regulation implemented by the Kingdom of Thailand to safeguard its citizens’ data privacy. The PDPA offers guidelines that companies and academic institutions serving Thailand citizens must follow when seeking to collect and process their data.
Similarities between EUGDPA and Thailand PDPA
- Definition of personal data
Both regulations consider any information – whether individual or combined with other data types – that identifies a person’s personal data. This includes text, audio, video & photos for both, with social media posts and email IDs covered under GDPR as an addition.
- Geographical coverage
Both the PDPA and GDPR have global coverage. It doesn’t matter where your school is located in Asia. If you have/had Thailand or EU students enrolled as students in the current academic year and former students in your alumni program, then you will need to adhere to these regulations when processing their data.
- Appointment of Data Processing Officer
All Asian international schools must hire a DPO, who will be in charge of ensuring that your school meets all the data protection regulations’ requirements. The DPO will also have to submit reports to the regulatory body (when asked) showing the framework they followed to adhere to the GDPR or PDPA.
- Customer rights & consent
Under both regulations, EU nationals and Thailand citizens have the right to decide whether they want their personal data to be accessed and processed by the school/university. You must seek consent before using your alumni data for school marketing & operations.
If there has been a misuse of the data (i.e., you’ve used their data for something they have not expressly consented to), you must inform them of the issue within three days of the breach. Additionally, your alumni must have a seamless way to request the deletion of their personal data from your records, which you must comply with.
Key differences between EUGDPA and Thailand PDPA
| Criteria | Thailand PDPA | GDPR |
| Regulatory coverage of deceased individual | PDPA does not cover a person who passed away 10+ years ago but covers the individual until the 10th death anniversary. | GDPR applies only to identifiable, living people and stops applying to an individual at the moment of their death. |
| Method of data processing | Does not identify the difference between automated and non-automated data processing. | Has stringent rules regarding the type of data processing used (and devices used in certain circumstances). |
| Data anonymity | It covers data that has been anonymized. | It does not include data anonymization, and anonymous alumni data does not fall under GDPR. |
| Bodies exempted from the regulation. | Any law-making body, Governmental establishment and committees or credit bureaus hired by law-making bodies.
Additionally, according to the PDPA, Data Controllers from certain businesses – including education institutions – are exempted from PDPA Chapters 2, 3, 5, 6 & 7 and Section 95 until 31 May 2021 to prepare for the regulation.
| GDPR does not specifically state any exclusions from the regulations. |
| Nature of consent | Consent can be obtained either expressly in writing or be deemed consent, and it covers all data about the individual.
| Consent for one activity will not cover others. Schools must seek consent for each data processing activity individually. |
| What data cannot be collected, used or disclosed? | There is no explicit mention of what sensitive data international schools and companies cannot collect/use/disclose. | Schools cannot collect/use/disclose data regarding alumni’s religious & ethical leanings, political ideology, biometric data, medical information & union membership. |
| At what age should students’ consent be received? | Parental consent is necessary for students under 10 years. 10+ -20 years if data processing falls outside of the contract with the parent-student, both parental and student consent should be gained unless the student can comprehend the consent being sought and can make a balanced decision | 13 or 16 years (depending on certain legal conditions). Parental consent is mandatory. |
| Penalties for non-compliance | Up to 5mTHB for administrative fines Criminal penalties of up to 1m THB, up to one year in jail or both. Punitive damages awarded to data subjects where the controller has caused harm up to 2 x the harm suffered. | €10 million to €20 million or 2%-4% of overall school’s annual revenue, whichever is greater. |
Tips to collecting GDPA and PDPA compliant alumni data
Now that we know how the EUGDPR and Thailand PDPA apply to international schools in Asia (and particularly Thailand), let’s understand how your school can remain compliant with both:
- Create an inventory of all the alumni data you have
Identify what sources you use to collect alumni data, such as email, social media, telephone, school portal, etc. and collate the data you have. You should know where your data comes from and how much of it you have.
- Hire a Data Protection Officer to vet this data for regulatory compliance
A well-versed DPO in both the Thailand PDPA and EU GDPR can help your international school remain compliant with these regulations. If you don’t have a DPO, hire one today.
- Seek express consent from alumni before you use their data for any alumni events
If you plan to collect, use, or dispose of alumni information, be sure to send a detailed email about it. Explain in simple and non-deceptive terms what data you’re referring to, how it will be collected, used and disposed of and when you will be doing this. Explain the role of any third parties you will be working with for this. Then implement ways to gain express consent from your alumni. This is achieved within your published privacy policy.
Any data collected from your alumni before 1st June 2021 can still be processed as long as it for the same purpose originally consented to. Always provide a clear unsubscribe provision and include a section in your privacy policy explaining the continued collection.
- Share GDPR and PDPA privacy rules to all departments of the school.
This is really important to ensure that every branch of your international school is adhering to the same set of data privacy regulations.
- Implement data privacy techniques to correct any potential non-compliance
If you find that you haven’t put adequate GDPR and PDPA compliant measures in place, do so immediately. Past breaches can also make your school vulnerable to penalties.
- Audit each step for potential regulatory checks
Although you may not be asked to submit any report to the authorities to prove your compliance, it’s best to be ready. So, audit your compliance regularly and create detailed reports. This can help you show your adherence to regulators.
- Keep track of updates in the regulations.
Read up on any amendments or updates in the EU GDPR and Thailand PDPA to ensure you remain compliant always. Cross-check between both regulations to see if you have implemented what is needed in one but is missing in the other.
