Personnal Data Protection Policy
Purpose of this policy
The purpose of this document is to inform of Lycée Français de Singapour policies on data collection, usage, disclosure, processing and protection, which are subject to the Singapore Personal Data Protection Act 2012 (“PDPA”) and to General Data Protection Regulation (UE) 2016/679 (GDPR).
Lycée Français de Singapour is collecting the following data
Forms and interactivity
Personal data is collected through forms, namely:
- Application registration form
- School registration, re-enrolment, deregistration forms
- Other personalizes forms
Log files and cookies
Lycée Français de Singapour collect certain information through log files and cookies. This mainly concerns the following information: IP address at registration, pages visited in Parents' Portal and requests, connection time and day. The use of such files allow Lycée Français de Singapour to improve and personalize the service and to establish anonymous statistics.
Purpose of personal data collection
Lycée Français de Singapour is collecting personal data for the following purposes (list below not exhaustive):
- Regulatory Compliance (i.e. Compliance with the Singapore Ministry of Education, Agence pour l’Enseignement du Français à l’Etranger (AEFE), Immigration and Check point Authority (ICA), filing and other statutory filing, and Taxation etc.),
- Scheduling of courses and publishing students’ results,
- General Administration / Operations (i.e. Project management, Work-related/teaching-related communication, school reports),
- Educational Background (i.e. Awards / recognition, certifications received, Educational attainment, and Schools attended),
- Student Registration (New enrolment, withdrawal / cancellation),
- Communication with parents and guardians (teacher’s emails, University guidance Department and crisis communication),
- School trips (i.e. Planning & logistics, Medical requirements, Dietary requirements, Registration),
- Registration for Extra-curriculum activities (ECA and AS),
- Medical needs (i.e. allergies),
- Registration for Transit Link,
- Insurance coverage,
- Alumini services,
- Disclosure to requesting third parties schools for evaluative purposes in dealing with admission suitability,
- Medical needs, in case of emergency (i.e. to contact relatives in case of accident and major risks)
- Fundraising for School purposes
- Billing and fee payment processus (i.e. Billing of school fees, ECA and canteen, Final settlement and payment history, fee payment processing),
- Use of log files and cookies as explained above.
Subject to express consent in the “Legal Authorisations” form, Lycée may:
- Give parent’s email address to the Parents Committee and Parent Representatives
- Use student’s personal data (name, picture(s), film etc..) exclusively for non-commercial purposes, including:
- Internal uses: school’s picture, poster, yearbook, pedagogical projects etc…;
- External uses: AEFE's website and social media, School’s website and social media, documents presenting the School etc…
For the purpose of school students in grades up to and including “Terminale”, parental consent is sufficient.
Lycée Français de Singapour will collect and use personal data a in accordance with Personal Data Protection Act (2012) and GDPR. Consent to the School using such data as set out above can be given in the Student Contract, Legal Authorisation Form and Parents' Portal.
Management and Care of Personal Data
Protection of Personal Data
Lycée Français de Singapour undertakes to:
- Implement appropriate security measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular when the processing of data involves the transmission or storage on or within a network. Lycée Français de Singapour use the following technical measures:
- Access to platform via secure connection (HTTPS) on a DMZ network,
- Only authorized personnel are able to access the data,
- Network monitoring, intrusion detection and virus defense software,
- Encrypted computer backups that can only be restored on the original platform,
- Connection to Parents' Portal is protected by a login / password combination,
- The server hosting the plaform is protected by a hardware firewall and a software firewall.
- Notify data subjects about any accidental or unauthorised access of their data that may lead to damage or harm.
Right of Access, Correction and restriction
Partents have a right to see the personal data (subject to the exemptions listed below) and to request for data to be corrected if it is incorrect. Parents will be provided access to data held about their children whilst they are students at the School within the limitations of this policy.
Thanks to Parents’ Portal, parents have unlimited access to their data. Correction or withdrawal is possible at any time if needed.
The Legal Authorisation Form is submitted to parents on a yearly basis via Parents’ Portal. It is always possible to change the answers provided to this form.
Exemptions to Right of Access
Lycée Français de Singapour retains the right to refuse access to:
- Opinion data kept for evaluative purposes
- Examination papers or the results of examinations
- Confidential references written to support a student's application to other educational institutions or courses
- Data or material that would provide personal data about other individuals in contravention of this policy or of the law.
Right to restriction of processing
Under certain circumstances, GDPR provides the right for Parents to obtain from Lycée Français de Singapour restriction of processing of the Data. To exercise this right, please contact the Lycée Français de Singapour Data Protection Officer: firstname.lastname@example.org
Right to Portability
Parents have the right to receive the personal data in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller. To exercise this right, please contact the Lycée Français de Singapour Data Protection Officer: email@example.com
Data Retention & Removal
Lycée Français de Singapour shall take reasonable effort to destroy or anonymize documents containing Personal Data as soon as it is reasonable to assume that:
- The purpose for which the Data was collected is no longer being served by retention of the Data; and
- Retention is no longer necessary for legal or business purposes.
Right to be forgotten
Pursuant to GDPR, Parents will have the right to obtain erasure of the personal data under certain circumstances. To exercise this right, please contact the Lycée Français de Singapour Data Protection Officer: firstname.lastname@example.org
Sharing Data with Third Parties
Personal Data may be disclosed by Lycée Français de Singapour to its third party service providers or agents in Singapore (such as travel agents, insurance companies and data hosting companies) for one or more of the Purposes. Personal Data may also be disclosed to some schools outside of Singapore or to the French Ministry of Education, the AEFE or any other institution under its responsibility which may be located outside of Singapore, for one or more of the Purposes.
Lycée Français de Singapour will only share data for the purposes of eliciting a necessary service from these third party organisations and not for commercial gain.
Lycée Français de Singapour signs contracts to ensure that the organisation is using the data purely for the intended purpose of providing the required service and that it is taking appropriate precautions to safeguard the data. In some instances, for example for online services, explicit signed contracts do not exist.
In these instances the School will ensure that the terms & conditions of the service include clauses that:
- Lycée Français de Singapour remains the owner of the data,
- The service provider is not entitled to use any data held on its service for any purpose other than to provide the required service,
- The service provider is taking reasonable precautions to ensure the security of the data,
- Once the School terminates its agreement with the service provider, that any and all data held will be deleted and not used for any other purpose,
- The service provider is compliant with PDPA and GDPR.