Personal Data Protection
Kinabalu International School (KIS) is a not-for-profit international school based in Malaysia.
International Schools have the same obligations to safeguard private information as any
school within the EU, if they are processing data of EU nationals.
In view of the implementation of the Personal Data Protection Act 2010 (Act), Kinabalu
International School (KIS) recognises the need to process all personal data obtained in a lawful
and appropriate manner. KIS is committed to protecting the personal data supplied by a data
subject to ensure compliance with the legal and regulatory requirements in accordance with
The Personal Data Protection Policy explains the collection, processing and disclosure of your
Personal Data as per the Personal Data Protection Act 2010. KIS reserves the right to change,
amend and/or vary this policy at any time. You are advised to check this policy from our
website from time to time for amendments or updates.
Responsibility for Data
The Principal is responsible for Privacy and Data Protection within KIS. The School has
appointed the Office Manager as the Data Protection Supervisor. Any request for access
should be made in writing to:
Kinabalu International School
Off Jalan Khidmat, Bukit Padang
Kota Kinabalu, 88300
Or by e-mail to email@example.com
KIS requires all employees / volunteers (e.g. Board, PTASC etc.) to be vigilant and exercise
reasonable caution when asked to provide any personal data to a third party. In particular,
they must ensure that personal data is not disclosed either orally or in writing to any
unauthorised employees without express prior consent of the KIS Principal.
What is Personal Information?
Personal information is information that identifies you as an individual or relates to you either
by name or by school number. Under Privacy Data Protection Laws (PDPL), individuals are
referred to as Data Subjects. Specifically, it could be data, either manual or electronic, on a
student, alumnus, parent, member of staff, supplier or contractor. In some cases, data may
be held on donors, friends and supporters of KIS and other individuals connected to or visiting
KIS for School, AIMS, CIS or FOBISIA related activities.
Types of Personal Data We Hold / Process
The personal data we hold takes many different forms. It could be factual, expressions of
opinion, images or other recorded information. Examples include, but are not limited to:
Names, addresses, telephone numbers, e-mail addresses and other contact
details for students, parents / next of kin and staff
Dates of Birth
Admissions, academic, disciplinary and other education related records,
information about special educational needs, references, examination scripts
Education and employment data, including qualifications
Images, audio and video recordings
Courses, meetings or events attended
Religion / Ethnic group
Recruiting information including references & police background checks
How We Collect Data
Generally, the school receives personal data from the individual directly (including, in the case
of students, from their parents). This may be via a form, or simply in the ordinary course of
interaction or communication (such as email or written assessments). However, in some cases
personal data will be supplied by third parties (for example another school, or other
professionals or authorities working with that individual); or collected from publicly available
Handling and Sharing Personal Data
Personal data held by KIS is processed by appropriate members of staff for the purposes for
which the data was provided. We take all reasonable and appropriate technical and
organisational steps to ensure the security of personal data about individuals.
When physical files or any forms relating to a data subject are no longer required, they will be
shredded or destroyed securely, and the hard drives containing those records will be erased
by secure electronic deletion in accordance with the standard procedure of the IT Department.
No employee or volunteer of KIS will process any personal data belonging to any data
subject, whether in soft copy or hard copy, outside of the premises of KIS unless prior
approval is provided by the KIS Principal or any authorised person.
If personal data of a data subject is transferred outside of Malaysia through the use of
cloud computing services that may be necessary in the conduct of its business, and is stored
on servers including but not limited to cloud servers, KIS shall ensure that confidentiality
safeguards have been put in place so that the rights of a data subject to personal data
protection remain unaffected.
Dealing with Data Breaches
Although all reasonable steps are taken to ensure that data is handled in line with Data
protection and PDPL regulations, a data breach may occur for any of the following reasons:
Loss or theft of data or equipment on which data is stored
Inappropriate access controls allowing unauthorised use
Unforeseen circumstances such as a fire or flood
Phishing or social engineering offences where information is obtained by deceiving
the organisation that holds it
If a data protection breach is identified, the following steps will be taken:
Containment and Recovery
The Data Protection Supervisor will lead on investigating the breach. They will establish:
Who needs to be made aware of the breach and inform them of what they are expected to
do to assist in the containment exercise. This may include isolating or closing a compromised
section of the network, finding a lost piece of equipment and/or changing the access codes.
Whether there is anything that can be done to recover any losses and limit the damage the
breach can cause. As well as the physical recovery of equipment, this could involve the use of
backup hardware to restore lost or damaged data or ensuring that staff recognise when
someone tries to use stolen data to access accounts.
Which authorities need to be informed.
Assessment of Ongoing Risk
The following points will be considered in assessing the ongoing risk of the data breach:
What type of data is involved?
How sensitive is it?
If data has been lost or stolen, are there any protections in place such as encryption?
What has happened to the data? If data has been stolen, it could be used for purposes
which are harmful to the individuals to whom the data relates; if it has been damaged,
this poses a different type and level of risk
Regardless of what has happened to the data, what could the data tell a third party
about the individual?
How many individuals’ personal data are affected by the breach?
Who are the individuals whose data has been breached?
What harm can come to those individuals?
Are there wider consequences to consider such as a loss of public confidence in an
important service we provide?
Notification of Breach
Notification will take place to enable individuals who may have been affected to take steps to
protect themselves or to allow the appropriate regulatory bodies to perform their functions,
provide advice and deal with complaints.
Evaluation and Response
Once a data breach has been resolved, a full investigation of the incident will take place. This
Reviewing what data is held and where and how it is stored
Identifying where risks and weak points in security measures lie (for example, use of
portable storage devices or access to public networks)
Reviewing methods of data sharing and transmission
Increasing staff awareness of data security and filling gaps through training or tailored
Reviewing contingency plans
Why Does KIS Collect/Process Data
Data is vital to the smooth running of the school. Ultimately data is collected to provide
education to students including admissions, timetabling, monitoring progress and
educational needs, reporting to parents, access to public examinations, reporting on and
publishing results and providing references to students, including after they have left KIS.
In addition, data allows us to provide support and related services to students and parents
Sports and arts
Provision of school IT and communications
Compliance with legislation and regulatory requirements, including preparing for and
receiving inspections and accreditation
Administration of school fees, invoices and accounts
Security and safety arrangements such as CCTV recordings
Management planning and research and statistical analysis
Maintenance of historical archives
Promotion of KIS through its own website, social media, prospectus and other
We do not collect personally identifying information about you when you visit our website,
unless you choose to provide such information to us. Providing such information is strictly
voluntary. If you use our site to request admissions information then we will normally store
your contact details on a database. This is to allow us to send you other related information
in the future and we do not share this information with third parties.
We automatically collect some data about our users’ browser actions and patterns through
to allow you to access restricted areas and to monitor usage by tracking which URLs are
accessed and the sequence in which they are accessed. The data does not identify any
individual, but instead aids in improving our understanding of our users and their preferences.
It also helps us to review the usage of our website.
We use Google Analytics to analyse the use of our website. The information collected does
not include any information which identifies you. You can set up your browser to reject
cookies, although some functionality of the website may be impaired if you do this. By
accessing the Kinabalu International School website you consent to us collecting the data
Who Has Access to Data
For the most part, personal data collected by the school will remain within the school, and
will be processed by appropriate individuals only in accordance with access protocols i.e. on
a ‘need to know’ basis. Particularly strict rules of access apply in the context of:
Staff Records. Held and accessed only by the Principal, Office Manager, HR Officer,
Finance Executive and the Executive Secretary.
Medical records. Held and accessed only by the Nurse and appropriate medical staff
under his/her supervision, or otherwise in accordance with express consent
Pastoral or safeguarding files. These are held by the DSL, Heads of School, or in
particularly sensitive cases, the Principal
Counselling records. Held and accessed only by the Counsellor
Disciplinary issues. Held by Pastoral Heads, Heads of School, or in particularly sensitive
cases, the Principal
Occasionally, the school will need to share personal information with third parties, such as:
Appropriate regulatory bodies
Hosted databases such as websites, school portal. This is subject to contractual
assurances that personal data will be kept secure and not passed on
A certain amount of any special educational needs data on a student will need to be shared
with staff more widely in the context of providing the necessary care and education that the
For specific purposes, personal data, including contact details and specific medical details,
may be taken from the school for the purposes of a school trip. This will be stored in a ‘trip
folder’ which would include ‘hard copies’. For specific trips, particularly overseas and
organised by a third party, organisers will obtain specific consent to this data being shared as
appropriate with travel agents, for example to enable the trip and for essential
contact/medical information to be taken / shared.
How Long We Keep Data
Data is retained only for as long as necessary. No current act or code of conduct places a
specific time on retention of data. All student files are kept for future use at present. The
School will not retain more information than is necessary. Irrelevant information will be
destroyed. Student files may be destroyed once the student has attained 25 years of age.
Employees’ personal data will be destroyed when it is no longer required. However this must
be read in line with other statutory obligations to retain data which may be imposed on
employers (e.g. the Employment Act requires information registers of employees to be kept
for at least 6 years).
All employees and volunteers of KIS are required to contact the Designated Data Protection
Supervisor (firstname.lastname@example.org), by completing the pertinent Disposal Form, should
the need to dispose of any personal data arise. Appropriate measures will be taken by KIS
to ensure that the data destroyed is not reconstructed or processed by third parties.
Individuals can ask to access their data for the purposes of understanding what is held, in
some cases ask for it to be erased or amended or for it to cease being processed, but this is
subject to certain exemptions and limitations.
Right of access. Access to records must be made in writing to the Principal. The School will
endeavour to respond within 30 days during term time, longer if the request is received
outside of term time. An administration fee of RM 250 per request for access will be applied.
Requests that cannot be fulfilled. Certain information is exempt from right of access. This can
include, but is not limited to, data that identifies other individuals, information that the School
reasonably believes is likely to cause damage or distress, examination scripts, confidential
references and information that is subject to legal privilege.
Schools can also apply exemptions for data relating to any reference given by the School for
the purpose of the education, training or employment, or prospective education, training or
employment of any student or member of staff. References from other schools on the
individual can only be released with the express permission of the originator.
Right to withdraw consent. Students and staff have the right to withdraw consent, where
given, to receiving generic communication. The School retains the right to keep data for
historical or contractual reasons.
How We Use Data
KIS may make use of personal data relating to students, their parents or guardians, or
members of staff. Parents do have the opportunity to opt out of certain uses of their children’s
images. Uses may include:
Use of photographic images of students in School publications and on the School
website. If the student is named, only the first name will be used
Fundraising, marketing or promotional purposes
Maintaining relationships with students, parents or members of staff (past or present)
of the School, including transferring information to any association, society or club set
up for the purpose of establishing or maintaining contact or for fundraising, marketing
or promotional purposes. This specifically includes the provision of parents’ names
and addresses to the School’s Parents’ Associations.
Examinations. The school may publish results. If so it will be in alphabetical order or
at times anonymously
Individuals have the right to know if the School is holding data on them, what the information
is, the source of the information, how the school uses it and who it has been disclosed to.
Ultimately the right to data belongs to the individual to whom the data refers. For those under
18 parental consent is required. This is stipulated in the admission process and is taken as
informed consent. There are exemptions. Parents should be aware that they may not be
consulted, depending on the interest of the child and their request for confidentiality. These
decisions will be made in consultation with the appropriate Head and the Principal. Students
retain the right to raise concerns confidentially with a member of staff and expressly withhold
their consent. Only when required by law or in exceptional circumstances will this be
For full-time students, parents or nominated next of kin have the right of access to
ordinary data for the purposes of keeping parents informed about the student’s activities,
progress and behaviour and in the interests of the student’s welfare, unless, in the school’s
opinion, there is a good reason to do otherwise.
Once an individual is over 18 and no longer in full time education at KIS, access to data has to
be with the express consent of the individual and not the parent or next of kin. Individuals
have the right to formally ask that their personal data not be used for direct marketing
purposes. This application must be made in writing. Individuals have a legal right to ask for
incorrect Personal Data to be corrected or annotated.
This policy may be reviewed and amended from time to time. You are advised to visit the KIS
website on a regular basis to check for any updates and changes.