Common Data Protection Principles Schools in Asia Can Follow to Ensure Compliance
By Mark Orchison - January 11, 2022
Over the course of 2021, we wrote about a variety of upcoming privacy laws around the world. However, we can see that countries in Asia are likely to encounter a wave of new and updated privacy laws over the next few years. Last year we saw either new or updated provisions implemented with Singapore’s PDPA and China’s PIPL. Within the next couple of years we could see even more provisions surrounding data protection in Thailand, Japan, and possibly Indonesia, Hong Kong and Vietnam. Cynthia J. Rich from Morrison Foerster wrote an article on the transformation of the privacy landscape in Asia. Within the article, she highlights some key aspects of what we can expect to see in the near future for these countries’ privacy laws. It is important to look at the common principles that lie within data privacy laws, as they form a standard on which many future privacy laws will likely be built.
It’s not unusual to see similar characteristics within jurisdictions in the same region. We even see laws such as the GDPR spreading over the majority of a continent. However, even then we see slight differences in data protection laws, such as Germany’s TTDSG. This can be said for Asia too, and it is understandable, seeing as countries are likely to be sharing data with their neighbours. No matter the differences, we still see a number of common principles throughout.
Rich notes some common requirements that appear within the privacy laws of countries in Asia. These are useful for understanding some of the laws you may need to follow in the future:
Cross-border transfers - Countries with whom you share student data should protect data in a similar way to your country or enable supplementary tools to do so.
Breach notification - Some countries require breaches to be reported to authorities and data subjects correspondingly within a specific time frame.
Legal bases for processing - You must have a valid, legal reason to process a data subject’s personal/sensitive information (this varies from country to country).
Individual Rights - Within privacy law, data subjects have rights and freedoms that they can exercise. This gives them a general sense of control over what happens to their data.
Data Protection Officer (DPO) - Japan, Kazakhstan, Korea, New Zealand, Philippines, Singapore, and Thailand require a DPO. A Data Protection Officer is a job role within the school whose responsibility is to ensure the advancement and progression of the data protection compliance programme.
Although understanding these requirements is important, and some of them do exhibit the common principles that we see throughout data laws globally, we don’t gain an extensive understanding of the principles that these laws are based upon. These principles include: lawful and fair processing, purpose limitation, data minimisation, accuracy, storage limitation, and integrity & confidentiality. There is a seventh principle that is included within the GDPR and other new privacy laws, and that is accountability, ensuring that these laws are upheld and evidenced. In countries that promote accountability, there are administrative fines, and sometimes prison sentences to uphold the law.
Here at 9ine, we have found 64 overarching practices that adhere to the common data privacy principles. From these principles, we have created a framework which simplifies everything that your school should implement to become compliant with your local laws. These are education-specific components which will ensure your school can meet compliance requirements. The framework consists of nine major modules:
Leadership & Governance encourages accountability within compliance: laying out clear lines of accountability and evidencing them through documentation. Managing roles and responsibilities with a DPO, and taking a strategic, risk-based approach to compliance, will advance your data protection programme.
Record of Processing & Data Mapping means knowing how data is processed within your school, and outside of it. Documenting the bases of the processing, consistently reviewing them, and having cross-departmental participation will ensure that your school knows exactly where data is shared and where it is stored.
Incident & Breach Management consists of establishing procedures to identify, assess and manage personal data incidents and breaches. You should also have processes in place to ensure that the affected individuals are notified, with templated letters of notification that are regularly reviewed.
Information Rights & Data Ethics includes the likes of allowing data subjects to opt out of processing. Handling the rights of your data subjects means handling complaints and queries, and allowing them to exercise their rights through subject access requests and more. Maintaining a record of consent, including consent withdrawn by your data subjects, gives you confidence in your compliance programme too.
Training & Awareness creates a good data privacy culture within your school. If everyone understands what they should be looking out for in a phishing email or a potential data breach, and who they should contact, alert systems are stronger within the school community.
Data Sharing & Contracts means documenting who you share your data with, and ensuring that they adequately protect it. Ensuring that disclosures and data sharing decisions for audit, monitoring and investigations are documented and periodically reviewed is also important.
Information Security & Operations essentially means ensuring that privacy is incorporated into any IT audits or operations that are carried out. This includes performing vendor assessments to provide privacy and security when sharing data with external vendors that provide edtech services.
Risk Management & Controls means not just identifying risks, but managing and mitigating them. The use of data protection impact assessments (DPIAs) presents the risks that are posed within specific processes. Self-assessments can also ensure that your compliance programme meets legal obligations.
Policies & Notices is about ensuring that processes are lawful and fair, informing your data subjects of exactly how their data will be used and the operations involved in protecting it. Policies and notices should be easily accessible and easily understandable.
In adhering to this framework, schools in Asia will be well equipped to comply with any new or updated privacy laws. Although privacy requirements can sometimes seem like a list of rules, they are mainly principle-based, and following a framework is the most effective way to ensure compliance. Authorities will often release a framework that organisations can follow; however, the 9ine Data Privacy Framework is designed and adapted specifically for schools, creating comprehensive guidelines that adhere to the ways in which schools operate.
The 9ine Privacy Management App has been built on the foundations of this framework. By following a question-based approach, with subscription options that provide assistance from our global privacy consultants, your school will be able to meet compliance requirements should you encounter new provisions in your country. With the rapid development of privacy laws in Asia, even a general understanding of how compliance works within a school will prepare you to implement a sufficient privacy programme and culture within your school.
Talk to one of the team to see how 9ine could help your school prepare for data privacy compliance.