As more and more academic institutions are moving their teaching almost entirely online, the need to protect data has gotten even more important.
This article is the first part of a series of three and gives an overview of Thailand’s Personal Data Protection Act (PDPA) as it affects international schools and universities. It also discusses the Data Protection Officer’s (DPO) role, as well as the data mapping and training required to help schools comply with the regulations.
PDPA overview as it affects international schools
If you’ve heard of GDPR – a term nearly every business is familiar with – then you are probably aware of why the PDPA exists: to protect data owners (data subjects) in Thailand in the event their personal data is collected, used, disclosed or collected in an unlawful way.
It’s important to understand in what context this applies to international schools operating in Thailand. So, in this case, schools collecting personal data on their students would be the data user, while the students who are giving out their personal data for the sake of registration and studying online, would be the data subject.
The PDPA also applies to international schools operating outside Thailand that are extending their services to Thai residents. In fact, the law is expected to have a sizable impact on online service providers (including academic institutions) outside Thailand that hope to serve the Thai market.
As data used within an international school system, you should understand a few things about PDPA laws:
- Thailand’s PDPA laws borrow quite a few requirements from GDPR. For example, it establishes a set of principles that schools and universities must use as a base to process data subjects’ information.
- Much like the GDPR, these bases include a legal obligation, consent, legitimate interest and public interest. Furthermore, individual rights under the PDPA look a lot like those found in GDPR – including the right to access, object, delete and modify/rectify data.
Much like the GDPR’s data protection authorities commonly referred to as DPAs, Thailand has also established its own Personal Data Protection Committee, which shall enforce the law to its full effect and publish guidance in order to help international academic institutions remain compliant.
Appointment of a DPO
The appointment of a DPO or Data Protection Officer is mandatory for every international school operating within Thailand or outside Thailand while catering to Thai students. An appointed DPO can perform the DPO role for a group of schools.
A DPO is required if all conditions under the PDA or any future sub-regulations have been satisfied. For instance, a DPO’s appointment is deemed necessary if the core responsibility of the personal data processor/controller with the school is collecting, using or disclosing sensitive personal data – which nearly all schools do.
Data controllers/processors within an international school system who handle large volumes of data must appoint a DPO to monitor and verify that all compliance with PDPA laws is in order. Furthermore, during the course of regular compliance audits and inspections, the DPO will collaborate with the designated regulator should any issues arise.
Data Mapping
Online schools and universities must be familiar with data mapping in order to understand how they should collect, process, transmit and store students’ personal data – this also includes identifying the legal reasoning for collecting and using such data.
Data is the lifeline of any organization and not just international schools. Unless you know how it should flow, you cannot protect it in accordance with PDPA laws. It is, in fact, a very critical step in protecting your school’s critical data assets.
Therefore, schools must understand how they should be collecting, processing, transmitting and storing personal data on their students – in addition to how it’s used within the school system and who is authorized to use it. This forms the foundation of a solid data privacy program and is the key to remaining compliant with Thailand PDPA laws.
Training for schools to comply with PDPA
Much like GDPR and other similar privacy laws, PDPA also requires a highly proactive and risk-based approach. Therefore, in order to train your staff to remain compliant, you must put all the necessary preventive measures in place to protect your school from non-compliance.
If the designated staff within your academic institution responsible for handling, storing and processing students’ personal data does not have the proper training around PDPA compliance, then you could face up to one-year imprisonment and fines as high as 5 million baht.
For starters, you need to have a PDPA-compliant Privacy Policy and that you have every student who visits or registers on your website for enrolling in online courses. Furthermore, your website also needs to be PDPA-compliant according to the laws set out by the Thai government for international schools operating within Thailand or those catering to Thai students from overseas.
Our data privacy consultants at FormitiPDPA make dealing with Thailand’s PDPA regulations a breeze and you’ll never have to worry about compliance issues or facing penalties due to non-compliance. From data mapping to appointing a DPO and much more, we’ll help you achieve and maintain maximum regulatory compliance.
In part 2, you’ll find some of the challenges schools face when it comes to data processing.