Personal Data Protection
Kinabalu International School (KIS) is a not for profit International School based in Malaysia. International Schools have the same obligations to safeguard private information as any school within the EU, if they are processing data of EU nationals.
In view of the implementation of the Personal Data Protection Act 2010 (Act), Kinabalu International School (KIS) recognises the need to process all personal data obtained in a lawful and appropriate manner. KIS is committed to protecting the personal data supplied by a data subject to ensure compliance with the legal and regulatory requirements in accordance with the Act.
The Personal Data Protection Policy explains the collection, processing and disclosure of your Personal Data as per the Personal Data Protection Act 2010. KIS reserves the right to change, amend and/or vary this policy at any time. You are advised to check this policy from our website from time to time for amendments or updates.
Responsibility for Data
The Principal is responsible for Privacy and Data Protection within KIS. The School has appointed the Office Manager as the Data Protection Supervisor. Any request for access should be made in writing to:
Kinabalu International School
Off Jalan Khidmat, Bukit Padang
Kota Kinabalu, 88300
Or by e-mail to firstname.lastname@example.org
KIS requires all employees / volunteers (e.g. Board, PTASC etc.) to be vigilant and exercise reasonable caution when asked to provide any personal data to a third party. In particular, they must ensure that personal data is not disclosed either orally or in writing to any unauthorised employees without express prior consent of the KIS Principal.
What is Personal Information?
Personal information is information that identifies you as an individual or relates to you either by name or by school number. Under Privacy Data Protection Laws (PDPL), individuals are referred to as Data Subjects. Specifically, it could be data, either manual or electronic, on a student, alumni, parent, and member of staff, supplier or contractor. In some cases, data may be held on donors, friends and supporters of KIS and other individuals connected to or visiting KIS for School, AIMS, CIS or FOBISIA related activities.
Types of Personal Data We Hold / Process
The personal data we hold takes many different forms. It could be factual, expressions of opinion, images or other recorded information. Examples include, but are not limited to:
- Names, addresses, telephone numbers, e-mail addresses and other contact details for students, parents / next of kin and staff
- Dates of Birth
- ID numbers
- Family details
- Admissions, academic, disciplinary and other education related records, information about special educational needs, references, examination scripts and marks
- Education and employment data, including qualifications
- Images, audio and video recordings
- Financial information
- Courses, meetings or events attended
- Medical details
- Behavioural records
- Religion / Ethnic group
- Recruiting information including references & police background checks
- Personal files
How We Collect Data
Generally, the school receives personal data from the individual directly (including, in the case of students, from their parents). This may be via a form, or simply in the ordinary course of interaction or communication (such as email or written assessments). However, in some cases personal data will be supplied by third parties (for example another school, or other professionals or authorities working with that individual); or collected from publicly available resources.
Handling and Sharing Personal Data
Personal data held by KIS is processed by appropriate members of staff for the purposes for which the data was provided. We take all reasonable and appropriate technical and organisational steps to ensure the security of personal data about individuals.
When physical files or any forms relating to data subject are no longer required, they will be shredded or destroyed securely, and the hard drives consisting of those records will be erased off via secure electronic deletion pursuant to such standard procedure by the IT Department.
Any employees or volunteers of KIS will not process any personal data belonging to any data subjects, whether in soft copy or hard copy, outside of the premises of KIS unless prior approval is provided by the KIS Principal or any authorised person.
If personal data of a data subject is transferred outside of Malaysia arising from the use ofcloud computing services that may be necessary in the conduct of its business to be stored on servers including but not limited to cloud servers, KIS shall ensure that confidentiality safeguards have been put in place to ensure that the rights of a data subject to personal dataprotection remain unaffected.
Dealing with Data Breaches
Although all reasonable steps are taken to ensure that data is handled in line with Data
protection and PDPL regulations, a data breach may occur for any of the following reasons:
- Loss or theft of data or equipment on which data is stored
- Inappropriate access controls allowing unauthorised use
- Equipment failure
- Human error
- Unforeseen circumstances such as a fire or flood
- Hacking attack
- Phishing or social engineering offences where information is obtained by deceiving the organisation who holds it.
If a data protection breach is identified, the following steps will be taken:
Containment and Recovery
The Data Protection Supervisor will lead on investigating the breach. They will establish: Who needs to be made aware of the breach and inform them of what they are expected to do to assist in the containment exercise. This may include isolating or closing a compromised section of the network, finding a lost piece of equipment and/or changing the access codes. Whether there is anything that can be done to recover any losses and limit the damage the breach can cause. As well as the physical recovery of equipment, this could involve the use of backup hardware to restore lost or damaged data or ensuring that staff recognise when someone tries to use stolen data to access accounts.
Which authorities need to be informed.
Assessment of Ongoing Risk
The following points will be considered in assessing the ongoing risk of the data breach:
- What type of data is involved?
- How sensitive is it?
- If data has been lost or stolen, are there any protections in place such as encryption?
- What has happened to the data? If data has been stolen, it could be used for purposes which are harmful to the individuals to whom the data relates; if it has been damaged, this poses a different type and level of risk
- Regardless of what has happened to the data, what could the data tell a third party about the individual?
- How many individuals’ personal data are affected by the breach?
- Who are the individuals whose data has been breached?
- What harm can come to those individuals?
- Are there wider consequences to consider such as a loss of public confidence in an important service we provide
Notification of Breach
Notification will take place to enable individuals who may have been affected to take steps to protect themselves or to allow the appropriate regulatory bodies to perform their functions, provide advice and deal with complaints.
Evaluation and Response
Once a data breach has been resolved, a full investigation of the incident will take place. This will include:
- Reviewing what data is held and where and how it is stored
- Identifying where risks and weak points in security measures lie (for example, use of portable storage devices or access to public networks)
- Reviewing methods of data sharing and transmission
- Increasing staff awareness of data security and filling gaps through training or tailored advice
- Reviewing contingency plans
- Why Does KIS Collect/Process Data
Data is vital to the smooth running of the school. Ultimately data is collected to provide education to students including admissions, timetabling, monitoring progress and educational needs, reporting to parents, access to public examinations, reporting on and publishing results and providing references to students, including after they have left KIS. In addition, data allows us to provide support and related services to students and parents such as:
- Library services
- Sports and arts
- School trips
- Work experience
- Provision of school IT and communications
- Compliance with legislation and regulatory requirements, including preparing for and receiving inspections and accreditation
- Administration of school fees, invoices and accounts
- Security and safety arrangements such as CCTV recordings
- Management planning and research and statistical analysis
- Maintenance of historical archives
- Staff administration
- Promotion of KIS through its own website, social media, prospectus and other publications
We do not collect personally identifying information about you when you visit our website, unless you choose to provide such information to us. Providing such information is strictly voluntary. If you use our site to request admissions information then we will normally store your contact details on a database. This is to allow us to send you other related information in the future and we do not share this information with third parties.
Who Has Access to Data
For the most part, personal data collected by the school will remain within the school, and will be processed by appropriate individuals only in accordance with access protocols i.e. on a ‘need to know’ basis. Particularly strict rules of access apply in the context of:
- Staff Records. Held and accessed only by the Principal, Office Manager, HR Officer, Finance Executive and the Executive Secretary.
- Medical records. Held and accessed only by the Nurse and appropriate medical staff under his/her supervision, or otherwise in accordance with express consent
- Pastoral or safeguarding files. These are held by the DSL, Heads of School, or in particularly sensitive cases, the Principal
- Counselling records. Held and accessed only by the Counsellor
- Disciplinary issues. Held by Pastoral Heads, Heads of School, or in particularly sensitive cases, the Principal Occasionally, the schools will need to share personal information with third parties, such as:
- Government authorities
- Competent Authorities
- Appropriate regulatory bodies
- Examination boards
- Hosted databases such as websites, school portal. This is subject to contractual assurances that personal data will be kept secure and not passed on
A certain amount of any special educational needs data on a student will need to be shared with staff more widely in the context of providing the necessary care and education that the student requires.
For specific purposes personal data, including contact details and specific medical details, maybe taken from the school for the purposes of a school trip. This will be stored in a ‘trip folder’ which would include ‘hard copies’. For specific trips, particularly overseas and
organised by a third party, organisers will obtain specific consent to this data being shared as appropriate with travel agents, for example to enable the trip and for essential contact/medical information to be taken / shared.
How Long We Keep Data
Data is retained only for as long as necessary. No current act or code of conduct places a specific time on retention of data. All student files are kept for future use at present. The School will not retain more information than is necessary. Irrelevant information will be
destroyed. Student files may be destroyed once the student has attained 25 years of age.
Employees’ personal data will be destroyed when it is no longer required. However this must be read in line with other statutory obligations to retain data which may be imposed on employers (e.g. the Employment Act requires information registers of employees to be kept for at least 6 years).
All employees and volunteers of KIS are required to contact the Designated Data Protection Supervisor (email@example.com) should the need to dispose of any personal data arises by completing the pertinent Disposal Form. Appropriate measures will be taken by KIS to ensure that the data destroyed are not reconstructed or processed by third parties.
Individuals can ask to access their data for the purposes of understanding what is held, in some cases ask for it to be erased or amended or for it to cease being processed, but this is subject to certain exemptions and limitations.
Right of access. Access to records must be made in writing to the Principal. The School will endeavour to respond within 30 days during term time, longer if the request is received outside of term time. An administration fee of RM 250 per request for access will be applied.
Requests that cannot be fulfilled. Certain information is exempt from right of access. This can include, but not limited to, data that identifies other individuals, information that the School reasonably believes is likely to cause damage or distress, examination scripts, confidential references and information that is subject to legal privilege.
Schools can also apply exemptions for data relating to any reference given by the School for the purpose of the education, training or employment, or prospective education, training or employment of any student or member of staff. References from other schools on the
individual can only be released with the express permission of the originator.
Right to withdraw consent. Students and staff have the right to withdraw consent, where given, to receiving generic communication. The School retains the right to keep data for historical or contractual reasons.
How We Use Data
KIS may make use of personal data relating to students, their parents or guardians, or members of staff. Parents do have the opportunity to opt out of certain uses of their children’s images. Uses may include:
- Use of photographic images of students in School publications and on the School website. If the student is named, only the first name will be used
- Fundraising, marketing or promotional purposes
- Maintaining relationships with students, parents or members of staff (past or present) of the School, including transferring information to any association, society or club set up for the purpose of establishing or maintaining contact or for fundraising, marketingor promotional purposes. This specifically includes the provision of parents’ names and addresses to the School’s Parents’ Associations.
- Examinations. The school may publish results. If so it will be in alphabetical order or at times anonymously
Individuals have the right to know if the School is holding data on them, what the information is, the source of the information, how the school uses it and who it has been disclosed to. Ultimately the right to data belongs to the individual to whom the data refers. For those under 18 parental consent is required. This is stipulated in the admission process and is taken as informed consent. There are exemptions. Parents should be aware that they may not be consulted, depending on the interest of the child and their request for confidentiality. These decisions will be made in consultation with the appropriate Head and the Principal. Students retain the right to raise concerns confidentially with a member of staff and expressly withhold their consent. Only when required by law or in exceptional circumstances will this be overturned.
For full time students, parents or nominated next of kin they have the right of access to ordinary data for the purposes of keeping parents informed about the student’s activities, progress and behaviour and in the interests of the student’s welfare, unless, in the school’s opinion, there is a good reason to do otherwise.
Once an individual is over 18 and no longer in full time education at KIS, access to data has to be with the express consent of the individual and not the parent or next of kin. Individuals have the right to formally ask that their personal data not to be used for direct marketing purposes. This application must be made in writing. Individuals have a legal right to ask for incorrect Personal Data to be corrected or annotated.
This policy may be reviewed and amended from time to time. You are advised to visit the KIS website on a regular basis to check for any updates and changes.