Data Protection Policy
In addition to the Cybersecurity Law of the People’s Republic of China (PRC), enacted on 1 June 2017, the American International School of Guangzhou (AISG) has developed its own standards of proprietary data protection of both the School’s and its students, families, and employees.
- Data Collected and purpose
- Data Security
- Data Retention and Removal
- Exemptions to Right of Access
- Sharing Data with Third Parties
- Appendix A: Terms and Conditions of Contracts with Third Parties
Data Collected and purpose
The School holds personal data on its students, including: contact details, assessment/examination results, attendance information, behavior, and characteristics such as ethnic group, special educational needs, any relevant medical information, photographs, and/or video footage.
The data is used in order to support the education of the students, to monitor and report on their progress, to provide appropriate personal and social care, and to assess the performance of the school as a whole, together with any other uses normally associated with this provision in an independent school environment.
The School may make use of limited personal data (such as contact details) relating to students, their parents, or guardians for fundraising, marketing, or promotional purposes and to maintain relationships with students of the School.
Data is shared as necessary with third party companies to provide extended services; examples include transport, medical, catering, travel services, and online services such as email.
In particular, the School may:
1. Make available information to any internal organization or society set up for the purpose of maintaining contact with students or for administration, fundraising, marketing, or promotional purposes relating to the school, e.g. alumni. The School will remain as the data controller and this policy will govern data usage;
2. Make use of photographs, videos, and/or sound recordings of students in School publications, the School website, school social media channels, and other official School communication channels. Photographs, videos, and/or sound recordings of students will not be used in publicity campaigns placed with external media outlets without the express permission of the relevant family;
3. Make personal data, including sensitive personal data, available to staff for planning activities and trips, both in and outside of the PRC;
4. Retain and use personal data after a student has graduated to provide references, educational history, and alumni services consistent with an independent School environment.
The School is committed to the following security measures:
1. Implementing appropriate security measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure, or access, in particular when the processing of data involves the transmission or storage on or within a network;
2. Notifying data subjects about any accidental or unauthorized access of their data that may lead to damage or harm.
Data Retention and Removal
Exemptions to Right of Access
Regarding access to personal data, the School retains the right to refuse access to:
- Opinion data kept for evaluative purposes;
- Examination papers or the results of examinations;
- Confidential references written to support a student’s application to other educational institutions or courses;
- Data or material that provides personal data about other individuals in violation of this policy.
Sharing Data with Third Parties
In a variety of instances, AISG may share personal data with third parties for the purposes of the third party providing a relevant service to the School. Examples of these services include, but are not limited to, transport, catering, travel services, accommodation, and medical.
The School will only share data for the purposes of eliciting a necessary service from these third-party organizations and not, or ever, for commercial gain.
Where the School signs explicit contracts with third party organizations, it will include clauses from Appendix A: Terms and Conditions of Contracts with Third Parties rules and guidelines to ensure that the organization is using the data purely for the intended purpose of providing the required service and that it is taking appropriate precautions to safeguard the data.
In some instances, for example, for online services provided by companies outside of the PRC, explicit signed contracts do not exist. In these instances, the School will ensure that the terms and conditions of the service include clauses that:
- The School remains the owner of any data;
- The service provider is not entitled to use any data held on its service for any purpose other than to provide the required service being contracted;
- The service provider is taking reasonable precautions to ensure the security of the data;
- And provides material proof of that security upon demand of the School;
4. Once the School terminates its agreement with the service provider, that any and all data held will be deleted and not used for any other purpose.
- This deletion is due no later than seven (7) working days after termination of the contract, unless mutually agreed upon.
Appendix A: Terms and Conditions of Contracts with Third Parties
When signing contracts with any third-party organizations that the School will share personal data with the contract should include the following clauses or entries to the same effect.
The School collects and uses personal data about staff, students, and families as a function of maintaining its quality data. Only School leaders may have access to personal data about the School’s employees, students (faculty exception), parents, and/or other contacts. They are bound to ensure that employees, agents, sub-contractors, and representatives will keep all such data secure and protected against improper disclosure or use as detailed in this agreement.
The School will incorporate the following Terms and Conditions into each signed contract undertaken:
1. ‘Personal data’ shall refer to data, whether true or not, about an individual who can be identified from that data; or from that data and other information to which the organization has, or is likely to have, access and all other data protected by the School;
2. ‘The School’ shall refer to the entity that transfers the data to be used, and is the ‘Client’ of the contract;
3. ‘The company’ shall mean the processor or third-party agency that agrees to accept the School’s personal data intended for processing and use in accordance with this agreement. The company also guarantees protection of said data.
Data Use Terms and Conditions Verbiage
The company agrees and warrants:
1. That any personal data shared by the School or collected by the company as a result of providing the services covered in this agreement will be used solely for the purposes of providing the service detailed in this agreement;
2. That no personal data collected or shared will be used to offer or solicit further services from the individuals concerned;
3. To process the personal data only on behalf of the School and in compliance with its instructions;
4. That the processing, including the transfer itself, of the personal data has been and will continue to be carried out in accordance with the relevant provisions of the applicable data protection law(s) of the nation where the company resides and does not violate any relevant laws of the nation in which the School resides;
5. That it shall promptly notify the School about any request for disclosure received directly from any authority or individual.
Data Security Terms and Conditions Verbiage
The company agrees and warrants:
1. To implement appropriate security measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure, or access, in particular when the processing of data involves the transmission or storage on or within a network;
2. That it shall promptly notify the School about any accidental or unauthorized access of the data, or any loss of the data whether leading to unauthorized access or not.
Data Retention - Obligations After the Termination of Contract or Services
The company agrees and warrants:
1. That on the termination of the contract or services that required data processing services, that the company shall at the request of the School transfer all the data transferred and copies thereof to the data exporter or shall destroy all the personal data and certify that he has done so, unless legislation imposed on the data importer prevents it from returning or destroying all or part of the data transferred;
2. In the case of legislation initiation, the company warrants that it will guarantee the confidentiality of the personal data and will not actively process any personal data processing. Once the legal requirement for retention has passed, the company warrants that it will destroy all data retained.
Data Correctness and Right of Correction
The company agrees and warrants:
1. To provide the School, upon request, all the personal details of individuals that have been collected as the result of this agreement and to amend or delete such data on request within the lifetime of the agreement within seven (7) working days.
All parties agree that if one party is held liable for a violation of the clauses committed by the other party in violation of agreed upon terms or the People’s Republic of China Cybersecurity law enacted on 1 June 2017, the offending party will, to the extent it is liable, indemnify the first party from any cost, charge, damages, expenses, or losses it has incurred.