Statement of policy
The German Swiss International School Association Limited and The German Swiss International School Foundation Limited (collectively, “GSIS”) respect personal data and are committed to complying with the requirements of the Personal Data (Privacy) Ordinance (Cap. 486) (the “PDPO”). Students, student applicants, parents, guardians, alumni, staff, contractors, job applicants, board members, sub-committee members, members, and other individuals who come into contact with GSIS may be invited or requested to provide personal data to GSIS. GSIS will specify the collection purpose and intended usage of personal data when it invites or requests data subjects to provide such information. GSIS may also receive unsolicited personal data (for example, from job applicants for unadvertised positions). GSIS is committed to ensuring that all personal data collected, stored and processed is handled with the strictest standards of security and confidentiality. Personal data are kept for the fulfilment of the purpose or its directly related purpose for which the data are used.
Kinds of personal data held and main purposes of keeping personal data
There are five general categories of personal data held by GSIS:
Student information, which includes information supplied by students and parents, is collected in connection with student applications for admission, for registration, academic, administrative, alumni management, research, statistical and marketing purposes for GSIS. Student records are kept for purposes that include corresponding with, responding to and taking follow-up actions in respect of students, contacts and communications activities.
Personnel information, which includes personal particulars, job descriptions, details of compensation and benefits, performance appraisals, references and disciplinary matters relating to job applicants, employees and former employees of GSIS. Personnel records of employees are kept for human resource management purposes, relating to matters such as employees’ terms of employment, performance appraisal, providing references, professional development, discipline and termination.
Other records, which include administration and other files, contain personal data provided to GSIS by individuals for purposes other than those connected with students, contacts, communications or employment. Other records are kept to enable GSIS to carry out various functions and activities which vary according to the nature of the purpose for which such records are to be used, including the administration of GSIS functions and activities, seeking advice on operational matters, undertaking communications and training activities organised by, or on behalf of, GSIS, including the acquisition of services and handling of enquiries from members of the public.
GSIS will take photos and videos of students within the classroom and at school-related events. GSIS will use the visual material(s) – including any images, video, text, photographs, graphics or audio – to enable GSIS, the school community and members of the public to have a better understanding of how students are learning, and for the purpose of promoting GSIS activities. This may include placing visual material(s) in GSIS publications, on its website and in its promotional materials. In addition, GSIS may also place visual material(s) on third-party websites such as Flickr and Vimeo which allow for other third parties to display or embed visual material(s) from these websites on any other website. GSIS will only use these websites as a secured repository and will not display these files to the general public.
Records collected on webservers
Records collected on webservers include email addresses (which constitute personal data in the specific circumstances where the addresses can be used to identify an individual) collected for newsletter subscriptions. Records collected on webservers are kept for the purpose of sending newsletters to subscribers registered through the websites.
Personal Information Collection Statement
When GSIS collects personal data from individuals, it will provide them with a Personal Information Collection Statement ("PICS") on or before the collection in an appropriate format and manner (e.g. in the same paper form or web page that collects the personal data, or in a notice posted up at the reception area of GSIS for reference).
Where a data subject is below 18 years of age, their parents / legal guardian will be asked to indicate their consent to the collection, holding, use, processing and disclosure of their personal data by GSIS.
A copy of the above PICS in pdf format can be viewed via this link:
Disclosure of personal data
Data of GSIS’s staff members (for example names, pictures, email, experience and/or teaching qualifications) may be made available to relevant GSIS stakeholders at the discretion of GSIS’s Principal or HR Director (e.g., on the school website or announcements of appointments in newsletters or emails).
GSIS may disclose certain personal data to third parties (whether within or outside Hong Kong) for the purposes for which the data was collected, such as:
- members of management of GSIS, including the Board of Directors of GSIS;
- other members of the GSIS community;
- with the data subject’s consent, any persons seeking academic or employment references in respect of the data subject;
- any relevant agencies and government/regulatory authorities (including the Hong Kong government, Education Bureau and the Centre for Health Protection);
- educational institutions and examination authorities;
- any agents, contractors and service providers engaged by GSIS (including insurance providers, bankers, security/medical service providers, third party activity/expedition organisers, and any provider of administrative, payroll, support, telecommunications, computer or other services);
- with the data subject’s consent where required, any third parties for promotional or marketing purposes in relation to GSIS;
- professional advisers of GSIS (including legal advisers and auditors); and
- any third parties in connection with the administration and operation of GSIS.
In the case of service providers and contractors, it will be a condition of passing on such data that they in turn duly abide by the data protection, confidentiality and safeguarding policies of the school.
Other than those parties set out above, GSIS will not disclose any personal data to any external bodies or organisations unless:
- such disclosure is expressly provided for under the PICS under which the personal data was collected;
- the data subject has given permission for GSIS to disclose such personal data; or
- GSIS is required or permitted to do so by law.
GSIS’s internal IT systems are developed and maintained by in-house staff and third-party service providers. The third-party service providers do not have access to personal data stored in the IT system except when they are carrying out trouble-shooting on it at GSIS under the supervision of GSIS staff.
The GSIS websites are developed and maintained by in-house staff and third-party service providers. All GSIS service providers are bound by contractual duty to keep confidential any data they come into contact with against unauthorised access, use and retention.
Security and protection measures
GSIS takes appropriate steps to protect the personal data it holds against loss, unauthorised access, use, modification or disclosure.
GSIS has implemented physical, electronic and managerial measures to secure and safeguard personal data stored on GSIS databases and online portals. GSIS utilises the Secure Sockets Layer (SSL) protocol which is an industry standard for encryption of data over the Internet.
GSIS servers are protected by a firewall that operates 24 hours a day, 7 days per week. Antivirus software is installed on the servers and the software is updated regularly to combat newly identified security threats.
GSIS and its employees and agents may from time to time intercept, record and/or otherwise monitor all communications sent and received via its systems, including telephone calls, emails, instant messaging systems, use of the internet and faxes. While GSIS does not routinely monitor all of its systems, it has the technical capability to do so and reserves the right to do so.
All monitoring will be carried out in accordance with and to the extent permissible by Hong Kong law.
GSIS does not provide users with a guarantee or right to privacy or confidentiality in connection with the use of its systems and users should have no expectation of privacy. If an individual uses GSIS’s systems, this constitutes consent to GSIS monitoring, retrieving, copying, distributing, retaining or publishing any information contained in such systems.
GSIS maintains and executes retention policies of records containing personal data to ensure personal data is not kept longer than is necessary for the fulfilment of the purpose for which the data is collected. Different retention periods apply to the various kinds of personal data collected and held by GSIS.
GSIS will take all practicable steps to erase or anonymise personal data which is no longer required for such purpose, unless otherwise prohibited by law.
Data access and correction
Under the PDPO, data subjects have the right to request access to the personal data provided. Such requests should be made in the Data Access Request Form (OPS003) which can be accessed by clicking here.
The completed form can be emailed to the GSIS Data Protection Officer: firstname.lastname@example.org
Alternatively, the form can be printed, completed and submitted in person or mailed to GSIS’s postal address:
German Swiss International School
11 Guildford Road
Attention: Data Protection Officer
Data subjects also have a right under the PDPO to request a correction of the personal data provided. Such request may be made in writing to the Data Protection Officer of GSIS via email (email@example.com) or submitted in person or mailed to the above postal address.
When handling a data access or correction request, GSIS will check the identity of the requester to ensure that he/she is the person legally entitled to make the data access or correction request. A service fee may be payable to GSIS for complying with a data access request. A Data Protection Log Book is maintained as required under section 27 of the PDPO.
GSIS will not use a data subject’s personal data or provide such data to third parties for direct marketing purposes unless it has obtained the express consent of the individual (or their parent / legal guardian) and such consent has not been withdrawn.
Note however that the following types of materials or activities are considered an extension of curriculum and do not constitute direct marketing or sending of promotional materials:
- promotional activities related to the curriculum (for example, activities paid for via “Termly Costs”) including school trips, camps, etc.;
- school materials or activities that are mandatory, such as school uniforms, laptops etc.;
- materials related to extracurricular activities and clubs that are an extension of the curriculum, regardless of whether or not they are offered by staff or third-party agencies, provided the activities primarily take place on the school campus and the extracurricular activities are viewed as value-adding for students;
- school concerts and shows are considered an extension of the curriculum unless a fee is paid or a donation is sought; and
- materials related to students’ and school-wide academic results, such as IB scores, Abitur results and university placement results.
Definition of terms
Data: any representation of information (including an expression of opinion), whether in computerised form or otherwise, in any document (including written documents, audio recordings, video recordings, etc.).
Data subject: in relation to personal data, means the individual who is the subject of the data.
Data user: in relation to personal data, means a person who, either alone or jointly or in common with other persons, controls the collection, holding, processing or use of the data.
Personal data: any data directly or indirectly relating to a living individual from which it is practicable for the identity of the individual to be directly or indirectly ascertained and in a form in which access to or processing of the data is practicable.