Data Protection and Privacy Notice
For UNIS Hanoi Families
Introduction
This Student, Families & Households Privacy Notice (“Notice”) sets out how United Nations International School Hanoi (“UNIS Hanoi”, “The School”, “we”, “our”, “us”) collects and uses students’, families and their households’ personal data before, during and after their relationship with us.
This Notice applies to all students, their families and households at UNIS Hanoi.
Definitions
Applicant shall mean any person who has applied to study at UNIS Hanoi.
Student means any past, present or future student of UNIS Hanoi.
Family or Household member shall mean any individual who is either a family member of a UNIS Hanoi past, present or future student e.g. parents, legal guardian, relative through blood or legal relationship or an individual who serves the family under an agreement akin to employment e.g. maid, driver etc.
Student, Family or Household Personal Data means personal data pertaining to a prospective, current, or former student or a member of their family or household.
Personal Data means any information relating to an individual who can be identified from that information or from any other information we may hold. Personal Data can include names, identification numbers, addresses (including IP addresses), dates of birth, family details, financial or salary details, education background, job titles and images. It can also include an opinion about an individual, their actions or their behaviour as well as records pertaining to academics, disciplinary proceedings, references, exam scripts and exam marks. Personal Data may be held on paper, in a computer or any other media whether it is owned by the organisation or a personal device.
Special Categories of Personal Data are more sensitive, and include information revealing an individual's racial or ethnic origin, political opinions and religious or philosophical beliefs. It will also include exact or live location data and data concerning health (physical and/or mental health), data concerning a person’s sex life or sexual orientation, and genetic and biometric information where that data is used to uniquely identify a person. We will also treat data relating to criminal convictions or related proceedings in the same way as special categories of data.
Processing means any activity which is performed on Personal Data or Special Category Data. It includes the collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, restriction, erasure or destruction of data.
SOR means School Operating Regulations (generally known as policies)
SOP means School Operating Procedures (generally known as standard operating procedures)
General Policy
In accordance with our Data Privacy and Protection SOR, we commit to ensuring the correct and lawful treatment of personal data in accordance with all applicable data protection laws e.g. Europe’s GDPR, United States’ COPPA, HIPAA and specifically with Viet Nam’s Personal Data Protection Law (PDPL). We will only process personal data of students or members of their families and households if we have a lawful ground for processing such data.
We shall recognize and respect the personal data privacy rights of students, and members of their families or households and we shall protect the confidentiality and integrity of the personal data of students or members of their families and households that we obtain and maintain.
We shall utilise the Students, Families & Households Privacy Notice to inform our students, and members of their families or households whenever we process their personal data, except as required or permitted by law.
Personal data of students or members of their families and households shall be stored in accordance with our ‘Records and Information Management’ and ‘Records Retention’ SORs.
Notice and Consent
Except where otherwise permitted or required by law, we shall notify students, and members of their families or households before their personal data is collected through appropriate channels regarding the collection of such personal data. Such notice shall include the purposes for which we are collecting the personal data, how we use such personal data, and whom to contact in case a student, or member of their family or household has any concerns. Moreover such notices will also include information about the rights of students, and members of their families or households with respect to their personal data. This document serves as the said notice.
While we strive to provide students, and members of their families or households with notice and opportunity to object to the processing of their personal data prior to processing, in certain limited circumstances where permitted/required by law, we may process personal data of students or members of their families and households without providing notice. Such situations include where such processing would be in the vital interests of a student, or member of their family or household, safeguarding or where necessary to establish legal claims or defences.
Where a particular processing of personal data of students or members of their families and households is based on consent as the legal basis, students, and members of their families or households will be provided in the notice with the right to refuse such consent as well as information on how you can withdraw your consent at a later time. In such circumstances, if a student, or member of their family or household decides not to provide us with certain personal data that we have requested, we may not be able to perform contracts between us and that student, or member of their family or household (such as admission to school or campus), or we may be prevented from complying with our legal obligations.
What Student, Families & Households Personal Data is Collected
We collect the following personal data from students, and members of their families or households:
- Contact and personal details: name, address, email address, telephone number, date of birth, gender, pronouns, title, marital status, dependants, languages, hobbies and interests.
- Emergency contact information for next of kin (name, address and telephone numbers).
- Past academic record, exam transcripts, disciplinary records, qualifications, and references.
- Parents’ or guardians’ employment and employer information.
- Identity and Travel documentation including nationality, citizenship, birth certificates, identity card, passport and visa information.
- Documentation pertaining to legal custody.
- Household vehicle(s) identification details.
- CCTV images or other surveillance data.
- Computer network and electronic device usage data, including visits to our website and online portals/platforms.
- Photographs and videos.
Furthermore, we may collect the following sensitive student or household personal data:
- Religious beliefs for the purpose of accommodating religious holidays;
- Race, ethnicity and gender for equal opportunities monitoring.
- Physical or mental health information, including details of health checks and accompanying physician statements, vaccination status.
- Health check results.
How is Student, Families & Households Personal Data Collected
We collect personal data of students, and members of their families through the admissions process, appointment bookings, social media and online platforms, surveys, school programme signups, Energise (school community’s use of gym, pool and other campus facilities) registration process, campus access and security registration process, or vehicle registration process, either directly from a student or from members of their families and households. We may sometimes collect additional information from third parties including previous schools attended by a student.
We may collect further personal data about students, and members of their families or households in the course of a student’s education at UNIS Hanoi.
How is Student, Families & Households Personal Data Used
We use personal data of students or members of their families and households for the following purposes:
- giving you access to our online platforms as well as to the campus.
- the selection and admission of students.
- comply with legal and regulatory requirements.
- provide education and enrichment to our students, including the administration and monitoring of our curriculum and other programmes.
- monitor student academic progress and educational needs.
- provide a safe and secure environment for students, staff, and visitors to the school including the use of CCTV.
- operational management including the compilation of student records; the administration of invoices, fees and accounts; the management of The School property; the management of security and safety arrangements.
- behaviour or other disciplinary procedures.
- facilitating parents’ and/or guardians’ participation in School Community Organisation (SCO).
- advancement including fundraising.
- the promotion of our school and its events through our website[s] and social media, other online platforms, our prospectus and other publications and communications.
- maintaining relationships with our alumni.
- compliance with health and safety requirements.
- to keep a record of historical and memorable events relevant to the maintenance of a historical record.
- for the arrangement and management of domestic and international school trips that a student joins.
- providing references.
- maintaining and monitoring our information systems and networks, in accordance with other SORs and SOPs.
- statistical and research purposes.
How is Sensitive Students, Families & Households Personal Data Used
We may process sensitive personal data of students or members of their families and households in the following limited circumstances, with your explicit written consent.
- where we need to carry out our legal obligations or exercise rights in connection with your application for admission to study at The School.
- when necessary to protect a student, or members of their families and households (or someone else’s) vital interests.
We will use your sensitive personal data for the following purposes:
- for making admissions and school programmes related decisions
- for appropriate access to our online platforms
- in relation to leaves of absence, which may include sickness absence or family-related leave, to comply with employment and other laws;
- in relation to your physical or mental health, or disability status, to ensure your health and safety at The School and to assess your fitness for education at The School.
- in relation to your race or national or ethnic origin, religious, philosophical or moral beliefs, or your sexual life or sexual orientation, to ensure meaningful student support services, and
- in the course of responding to legal claims.
Methods of Data Processing
We process your personal data using both automated and manual methods to ensure accuracy and efficiency. Automated processing involves the use of software and algorithms to handle data collection, storage, and analysis in the various information and communication technology systems that the school uses and onboards to fulfil or facilitate the business of the school, e.g. School Management Information System, Learning Management System and other administrative or academic systems. Manual processing may be conducted by our authorized personnel to verify data accuracy and handle specific requests. We may also process your data in batches or in real time. Some of our processing activities are carried out in the cloud. All processing activities are conducted in compliance with applicable laws and regulations, ensuring that your personal data is handled securely and confidentially. We implement robust technical and organizational measures to protect your data from unauthorized access, disclosure, alteration, or destruction (see Security section below).
Disclosures Of Students, Families & Households Personal Data
We may have to share personal data of students or members of their families and households with third parties where we have a legitimate interest in doing so.
Personal data of students or members of their families and households may only be disclosed to the following third parties or data processors:
- Government ministries to fulfill any compliance or legal obligations.
- Other schools, for student references.
- Agencies or companies working with/for UNIS Hanoi to provide services for students’ education, service learning or other educational activities.
- Travel and tour companies that provide travel, accommodation and other arrangements for school trips.
- Providers of the various information and communication technology systems that the school uses and onboards to fulfil or facilitate the business of the school.
- Health and safety providers such as occupational health services, health insurance providers, and medical professionals for workplace safety and employee wellbeing.
- Exam and assessment boards and companies, accreditation bodies, data analytics and dashboarding service providers.
- Online payment service providers such as Paypal, Onepay etc.
- Third party security services contractors that the school uses for campus safety and security.
- Bus service contractors that work with The School to provide transportation services.
- Food, hospitality and entertainment services providers such as school canteen, restaurants, hotels, to provide food and beverage or school functions services on and occasionally off campus.
Data Subject Rights
Primarily under Viet Nam’s Personal Data Protection Law (PDPL) and generally under applicable sections of other legal frameworks around the world concerning data privacy and protection e.g. in Europe's GDPR, students or members of their families and households have a number of rights regarding their personal data that we hold.
These rights are:
- To be informed: Data subjects have the right to be informed of the method, scope, location, and purposes of the collection, processing, and use of their personal information. Even in circumstances where personal data can be processed without the data subject's consent, the data subject still has the right to be informed.
- Request access to your personal information (commonly known as a “data subject access request”). This enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it.
- Request correction of the personal information that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected.
- Request erasure of your personal information. This enables you to ask us to delete or remove personal information where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal information where you have exercised your right to object to processing (see #5 below).
- Right to object to processing of your personal information where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground. You also have the right to object where we are processing your personal information for direct marketing purposes.
- The right to give or withdraw consent to the processing of your personal data. Personal data processing activities, which happen before consent is withdrawn, are legal and valid. Upon receiving a request to withdraw consent UNIS Hanoi shall notify you of any potential consequences and damage if you withdraw your consent.
- Request the restriction of processing of your personal information. This enables you to ask us to suspend the processing of personal information about you, for example if you want us to establish its accuracy or the reason for processing it.
- Request the transfer of your personal information to another party.
To invoke any of these rights, contact our Data Protection Officer at dpo@unishanoi.org. As permitted by law, we may refuse to comply with the request in certain circumstances.
Security
We employ reasonable and appropriate measures and controls to ensure that the employee personal data we maintain is secured against unauthorised access or disclosure, in line with The School’s Data Privacy and Protection SOR and applicable laws and regulations.
In general, we protect employee personal data by, among other things:
- Access Management policies on our information and communication technology systems including privileged access management applications, passwords, passkeys, MFA (Multi-Factor Authentication) and maintenance of access and permission matrices.
- Encryption standards and protocols for network connectivity, data collection, transmission, storage and processing.
- Firewall and endpoint protection on our network and school owned IT devices.
- Lock and key management for access to storage locations on campus where personal and sensitive data is stored in hard copies.
- Deploying electronic data destruction and sanitising equipment as well as paper shredders to dispose of electronic storage equipment and paperwork.
In accordance with our Data Breach SOR, we have procedures in place to respond to any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.
Potential Risks and Consequences
While we are committed to safeguarding your personal data through robust security measures, it is important to inform you of potential risks and undesirable consequences that may arise from data processing activities. These may include unauthorized access, data breaches, or misuse of your personal information, which could result in identity theft, financial loss, or harm to your reputation. We take these risks seriously and have implemented comprehensive measures to mitigate them. However, we encourage you to remain vigilant and report any suspicious activities to us immediately by emailing dpo@unishanoi.org. Should any significant changes to our data processing practices occur, we will notify you promptly and provide detailed information on the potential impact on your personal data.
For UNIS Hanoi Faculty & Staff
Introduction
This Employee Privacy Notice (“Notice”) sets out how United Nations International School Hanoi (“UNIS Hanoi”, “The School”, “we”, “our”, “us”) collects and uses employees’ and contractors’ personal data before, during and after their working relationship with us.
This Notice applies to all employees and contractors at UNIS Hanoi.
Definitions
Applicant shall mean any person who has applied for employment at UNIS Hanoi.
Contractor means any individual other than an employee who is paid by the school to deliver services.
Employee shall mean any individual who is currently employed by UNIS Hanoi or any former employee of UNIS Hanoi.
Employee Personal Data means personal data pertaining to a prospective, current, or former employee, contractor or volunteer.
Personal Data means any information relating to an individual who can be identified from that information or from any other information we may hold. Personal Data can include names, identification numbers, addresses (including IP addresses), dates of birth, financial or salary details, education background, job titles and images. It can also include an opinion about an individual, their actions or their behaviour. Personal Data may be held on paper, in a computer or any other media whether it is owned by the organisation or a personal device.
Special Categories of Personal Data are more sensitive, and include information revealing an individual's racial or ethnic origin, political opinions and religious or philosophical beliefs. It will also include exact or live location data and data concerning health (physical and/or mental health), data concerning a person’s sex life or sexual orientation, and genetic and biometric information where that data is used to uniquely identify a person. We will also treat data relating to criminal convictions or related proceedings in the same way as special categories of data.
Processing means any activity which is performed on Personal Data or Special Category Data. It includes the collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, restriction, erasure or destruction of data.
Volunteer shall mean any individual who has executed a volunteer agreement with the school.
SOR means School Operating Regulations (generally known as policies)
SOP means School Operating Procedures (generally known as standard operating procedures)
General Policy
In accordance with our Data Privacy and Protection SOR, we commit to ensuring the correct and lawful treatment of personal data in accordance with all applicable data protection laws e.g. Europe’s GDPR and specifically with Viet Nam’s Personal Data Protection Decree (PDPD). We will only process employee personal data if we have a lawful ground for processing such data.
We shall recognize and respect the employee personal data privacy rights and we shall protect the confidentiality and integrity of employee personal data we obtain and maintain.
We shall utilise the Employee Privacy Notice to inform our employees whenever we process their personal data, except as required or permitted by law.
Employee personal data shall be stored in accordance with our ‘Records and Information Management’ and ‘Records Retention’ SORs.
Notice and Consent
Except where otherwise permitted or required by law, we shall notify employees before employee personal data is collected through appropriate channels regarding the collection of such personal data. Such notice shall include the purposes for which we are collecting your personal data, how we use such personal data and whom to contact in case an employee has any concerns. Moreover such notices will also include information about an employee’s rights with respect to the employee personal data.
While we strive to provide employees with notice and opportunity to object to the processing of their employee personal data prior to processing, in certain limited circumstances where permitted/required by law, we may process employee personal data without providing notice. Such situations include where such processing would be in the vital interests of the employee, safeguarding or where necessary to establish legal claims or defences.
Where a particular processing of employee personal data is based on consent as the legal basis, employees will be provided in the notice with the right to refuse such consent as well as information on how you can withdraw your consent at a later time. In such circumstances, if an employee decides not to provide us with certain personal data that we have requested, we may not be able to perform contracts between us and that employee (such as paying the employee or providing a benefit), or we may be prevented from complying with our legal obligations.
What Employee Personal Data is Collected
We collect the following personal data from employees:
- Contact and personal details: name, address, email address, telephone number, date of birth, marital status and dependants.
- Emergency contact information for next of kin (name, address and telephone numbers).
- Qualifications, employment history, references, background checks (including criminal background checks), CVs and other materials relevant to recruitment.
- Right-to-work and travel documentation including passport and visa information.
- Criminal Record Certificate (Police Check) for the employee and any adult dependents of expat employees.
- Employment particulars (e.g. personnel files, job description, performance reviews, disciplinary or grievance records, attendance history, vacation dates, training records, professional memberships).
- Payroll and financial data (e.g. salary, pensions, expenses, taxation paid, bank account information, benefits).
- CCTV images or other surveillance data.
- Computer network and electronic device usage data.
- Photographs and videos.
Furthermore, we may collect the following sensitive employee personal data:
- Information concerning the commission or alleged commission of a criminal offence;
- Religious beliefs for the purpose of accommodating religious holidays;
- Race, ethnicity and gender for equal opportunities monitoring.
- Physical or mental health information, including details of health checks and accompanying physician statements, vaccination status, sickness leave, maternity or paternity records.
- Health check results for expat employees and their adult dependents.
How is Employee Personal Data Collected
We collect personal data about employees through the recruitment process, either directly from you or sometimes from an employment agency or background check provider. We may sometimes collect additional information from third parties including former employers, credit reference agencies or other background check agencies.
When you start your employment with us, you will directly provide us with certain personal data such as your bank account details and next of kin information.
We may collect further personal data about you in the course of your employment e.g. salaries, performance reviews, computer network and electronic device usage, CCTV images, pictures and videos etc.
How is Employee Personal Data Used
We use employee personal data for the following purposes:
- giving you access to our online platforms as well as to the campus.
- the recruitment and verification of employees.
- to support the employee’s role and function in the operation of UNIS Hanoi to provide education and enrichment to our students. This includes the administration of our curriculum, monitoring student academic progress and educational needs.
- for the arrangement and management of domestic and international school trips that the employee joins.
- employee management and administration including payroll, social insurance, health insurance, unemployment insurance, trade union memberships, compliance with labour and immigration laws, administering benefits and pensions.
- review and appraisal of staff performance; conduct of any grievance, capability or disciplinary procedures.
- the maintenance of appropriate human resources records for current and former staff.
- providing references.
- facilitating parents’ and/or guardians’ participation in the School Community Organisation (SCO).
- operational management including the compilation of employee records, the management of school property, the management of security and safety arrangements.
- to provide a safe and secure environment for students, staff, and visitors to the school, including use of CCTV.
- maintaining and monitoring our information systems and networks, in accordance with other SORs and SOPs.
- the promotion of our school through our website, our prospectus and other publications and communications (including through our social media accounts).
- advancement including fundraising.
- maintaining relationships and communication with our alumni and former employees.
- statistical and research purposes.
- to keep a record of historical and memorable events relevant to the maintenance of a historical record.
- to comply with legal obligations.
How is Sensitive Employee Personal Data Used
We may process sensitive employee personal data in the following limited circumstances, with your explicit written consent.
- where we need to carry out our legal obligations or exercise rights in connection with employment.
- where it is needed in the public interest, such as for equal opportunities monitoring, and
- when necessary to protect the employee’s (or someone else’s) vital interests.
We will use your sensitive personal data for the following purposes:
- in relation to leaves of absence, which may include sickness absence or family-related leave, to comply with employment and other laws.
- in relation to your physical or mental health, or disability status, to ensure your health and safety in the workplace and to assess your fitness to work, to provide appropriate workplace adjustments, to monitor and manage sickness absence and to administer benefits.
- in relation to your race or national or ethnic origin, religious, philosophical or moral beliefs, or your sexual life or sexual orientation, to ensure meaningful equal opportunity monitoring and reporting, and
- in relation to compliance with any employment law obligations concerning protected employees.
- in the course of responding to legal claims.
Methods of Data Processing
We process your personal data using both automated and manual methods to ensure accuracy and efficiency. Automated processing involves the use of software and algorithms to handle data collection, storage, and analysis in the various information and communication technology systems that the school uses and onboards to fulfil or facilitate the business of the school, e.g. Human Resource Management software, School Management Information System. Manual processing may be conducted by our authorized personnel to verify data accuracy and handle specific requests. We may also process your data in batches or in real time. Some of our processing activities are carried out in the cloud. All processing activities are conducted in compliance with applicable laws and regulations, ensuring that your personal data is handled securely and confidentially. We implement robust technical and organizational measures to protect your data from unauthorized access, disclosure, alteration, or destruction (see Security section below).
Disclosures Of Employee Personal Data
We may have to share employee personal data with third parties where we have a legitimate interest in doing so.
Employee personal data may only be disclosed to the following third parties or data processors:
- Government ministries to fulfill visa, labour law, taxation and employment contract requirements, as well as to comply with legal obligations, audits, or investigations.
- Other schools or workplaces that may request employment references.
- Agencies or companies working with/for UNIS Hanoi to provide legalisations of documents and/or police and background checks.
- Payroll and benefits providers including banks and insurance companies for salary payments and employee benefits.
- Health and safety providers such as occupational health services, health insurance providers, and medical professionals for workplace safety and employee wellbeing.
- On campus and cloud hosting and technology systems service providers for various operational, administrative and educational technology systems that are deployed to provide services to The School community.
- Exam and assessment boards and companies, accreditation bodies, data analytics and dashboarding service providers.
- Online payment service providers such as Paypal, Onepay.
- Third party security services contractors that the school uses for campus safety and security.
- Bus service contractors that work with The School to provide transportation services.
- Food, hospitality and entertainment services providers such as school canteen, restaurants, hotels, to provide food and beverage or school functions services on and occasionally off campus.
- Pension providers and trade unions where and when applicable.
- Travel and relocation service providers assisting with work permit application, customs clearance, relocation, and travel arrangements for employees.
Data Subject Rights
Primarily under Viet Nam’s Personal Data Protection Decree (PDPD) and generally under applicable sections of other legal frameworks around the world concerning data privacy and protection e.g. Europe's GDPR, employees have a number of rights regarding employee personal data that we hold.
These rights are:
- To be informed: Data subjects have the right to be informed of the method, scope, location, and purposes of the collection, processing, and use of their personal information. Even in circumstances where personal data can be processed without the data subject's consent, the data subject still has the right to be informed.
- Request access to your personal information (commonly known as a “data subject access request”). This enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it.
- Request correction of the personal information that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected.
- Request erasure of your personal information. This enables you to ask us to delete or remove personal information where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal information where you have exercised your right to object to processing (see #5 below).
- Right to object to processing of your personal information where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground. You also have the right to object where we are processing your personal information for direct marketing purposes.
- The right to give or withdraw consent to the processing of your personal data. Personal data processing activities, which happen before consent is withdrawn, are legal and valid. Upon receiving a request to withdraw consent UNIS Hanoi shall notify you of any potential consequences and damage if you withdraw your consent.
- Request the restriction of processing of your personal information. This enables you to ask us to suspend the processing of personal information about you, for example if you want us to establish its accuracy or the reason for processing it.
- Request the transfer of your personal information to another party.
To invoke any of these rights, contact our Data Protection Officer at dpo@unishanoi.org. As permitted by law, we may refuse to comply with the request in certain circumstances.
Security
We employ reasonable and appropriate measures and controls to ensure that the employee personal data we maintain is secured against unauthorised access or disclosure, in line with The School’s Data Privacy and Protection SOR and applicable laws and regulations.
In general, we protect employee personal data by, among other things:
- regular and annually mandated training for all employees on data protection and cyber security.
- deploying Access Management policies on our information and communication technology systems including privileged access management applications, passwords, passkeys, MFAs (Multi Factor Authentication) and maintenance of access and permission matrices.
- deploying the principle of least privilege (PoLP) based on job roles, for access to data stored in our systems.
- logging, monitoring and regular auditing of access for all HR records.
- implementing industry standards and protocols for encryption of data at points of collection, storage, transition and processing.
- implementing and maintaining a firewall and endpoint protection service as well as event management logs collection, aggregation, monitoring and alerts on our network and school owned IT devices.
- implementing Data Loss Prevention (DLP) technology from Google to monitor, alert and prevent unauthorised and unintended sharing or loss of personally identifiable information (PII).
- using Google’s monitoring and alert mechanisms for abnormal email or files downloads.
- having lock and key management for access to storage locations on campus where personal and sensitive data is stored in hard copies.
- deploying electronic data destruction and sanitising equipment as well as paper shredders to dispose of electronic data storage equipment and paperwork.
In accordance with our ‘Data Breach Management’ SOR, we have procedures in place to respond to any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.
Potential Risks and Consequences
While we are committed to safeguarding your personal data through robust security measures, it is important to inform you of potential risks and undesirable consequences that may arise from data processing activities. These may include unauthorized access, data breaches, or misuse of your personal information, which could result in identity theft, financial loss, or harm to your reputation. We take these risks seriously and have implemented comprehensive measures to mitigate them. However, we encourage you to remain vigilant and report any suspicious activities to us immediately by emailing dpo@unishanoi.org. Should any significant changes to our data processing practices occur, we will notify you promptly and provide detailed information on the potential impact on your personal data.
For Visitors
Introduction
This Visitor Privacy Notice (“Notice”) sets out how United Nations International School Hanoi (“UNIS Hanoi”, “The School”, “we”, “our”, “us”) collects, uses, and protects personal data belonging to visitors to our campus and our website.
This Notice applies to all visitors to the campus and websites of UNIS Hanoi.
Definitions
Visitor: Any individual who is not a current student or employee but who accesses the School campus (e.g., guest speakers, contractors, prospective parents, alumni, delivery personnel) or interacts with the School’s official website.
Personal Data means any information relating to an individual who can be identified from that information or from any other information we may hold. Personal Data can include names, identification numbers, addresses (including IP addresses), dates of birth, financial or salary details, education background, job titles and images. It can also include an opinion about an individual, their actions or their behaviour. Personal Data may be held on paper, in a computer or any other media whether it is owned by the organisation or a personal device.
Special Categories of Personal Data are more sensitive, and include information revealing an individual's racial or ethnic origin, political opinions and religious or philosophical beliefs. It will also include exact or live location data, login names, passwords, IP addresses, location data and data concerning health (physical and/or mental health), data concerning a person’s sex life or sexual orientation, and genetic and biometric information where that data is used to uniquely identify a person. We will also treat data relating to criminal convictions or related proceedings in the same way as special categories of data.
Processing means any activity which is performed on Personal Data or Special Category Data. It includes the collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, restriction, erasure or destruction of data.
SOR means School Operating Regulations (generally known as policies)
SOP means School Operating Procedures (generally known as standard operating procedures)
General Policy
In accordance with our Data Privacy and Protection SOR, we commit to ensuring the correct and lawful treatment of personal data in accordance with all applicable data protection laws e.g. Europe’s GDPR, United States’ COPPA, HIPAA and specifically with Viet Nam’s Personal Data Protection Law (PDPL). We will only process personal data of visitors if we have a lawful ground for processing such data.
We shall recognize and respect the personal data privacy rights of visitors and we shall protect the confidentiality and integrity of the personal data of visitors that we obtain and maintain.
We shall utilise the Visitors Privacy Notice to inform our visitors whenever we process their personal data, except as required or permitted by law.
Personal data of visitors shall be stored in accordance with our ‘Records and Information Management’ and ‘Records Retention’ SORs.
Notice and Consent
Except where otherwise permitted or required by law, we shall notify visitors before their personal data is collected through appropriate channels regarding the collection of such personal data. Such notice shall include the purposes for which we are collecting the personal data, how we use such personal data, and whom to contact in case a visitor has any concerns. Moreover, such notices will also include information about the rights of visitors with respect to their personal data. This document serves as the said notice.
While we strive to provide visitors with notice and opportunity to object to the processing of their personal data prior to processing, in certain limited circumstances where permitted/required by law, we may process personal data of visitors without providing notice. Such situations include where such processing would be in the vital interests of a visitor, safeguarding or where necessary to establish legal claims or defences.
Where a particular processing of personal data of visitors is based on consent as the legal basis, visitors will be provided in the notice with the right to refuse such consent as well as information on how you can withdraw your consent at a later time. In such circumstances, if a visitor decides not to provide us with certain personal data that we have requested, we may not be able to perform contracts between us and those visitors (such as admission to school or campus), or we may be prevented from complying with our legal obligations.
We may, in specific circumstances, collect, use, and process the Personal Data of children for the stated Purpose. When we do so, please ensure that:
- You must be legally authorised under prevailing laws to provide the Personal Data of children. If you lack this legal authority, you must not provide such Personal Data to us.
- If you have provided a child's Personal Data without the required legal authorisation, you must notify us immediately via email.
Any processing of Personal Data of a child aged seven (7) years or older for the purpose of publishing or disclosing information requires the consent of both the child and their legal representative, in accordance with applicable laws of Vietnam. If the information you provide relates to a child aged seven (7) years or older, please ensure that you submit the child's consent along with any other legally required consent.
What Visitor Personal Data is Collected
We may collect the following personal data from visitors:
- Identification Data: Full name, ID/Passport number, phone number, and organization/company.
- Visual Data: A photograph taken at the security gate for your visitor badge and footage captured by our Closed-Circuit Television (CCTV) system throughout the campus.
- Vehicle Data: License plate numbers for visitors entering with a vehicle.
- Technical Data: Information about your computer and about your visits to and use of our websites, such as your IP address, geographical location, device, internet browser and operating system, how you got to the site, time, day and length of visit.
- Usage Data: Information about how you use our websites (via cookies), such as pages viewed and links clicked.
- Contact Data: Information provided through contact forms (Name, Email, Subject of inquiry etc.).
Furthermore, we may collect the following sensitive data:
- Health Data: Temperature checks or health declarations if required by local health authorities.
How is Visitor Personal Data Collected
We collect personal data of visitors through the campus access and security registration process, visits to our websites, registration for school events or community programmes, or the vehicle registration process.
Cookies
We use cookies on our websites. A cookie is a small text file that a web server sends to a web browser and the browser stores. This file is then sent back to the server each time the browser requests a page, which allows the web server to identify and track the web browser.
We may send a cookie that your browser may store on your computer's hard drive. The information we obtain from this cookie is used for several purposes: to administer the website you visit, to enhance its usability, and for marketing activities. We also use this information to recognise your computer when you visit and to personalise our website for you.
You have the right to choose to disable, block, or deactivate cookies. However, please be aware that if you refuse our cookies, you might not be able to use all elements of the website. You can manage your preferences by adjusting your internet browser settings to disable, block, or deactivate cookies, delete your browsing history, or clear your internet browser's cache.
We may utilise Google Analytics to analyse how our website is used. Google Analytics uses cookies, stored on users' computers, to generate statistical and other data about website usage. The information created regarding our website helps us generate reports on its use. Google stores this information, and their privacy policy is available for your review at: https://www.google.com/privacypolicy.html.
How is Visitor Personal Data Used
We use personal data of visitors for the following purposes:
- giving you access to our online platforms as well as to the campus.
- comply with legal and regulatory requirements.
- provide education and enrichment to our community members, including the administration and monitoring of our community programmes.
- provide a safe and secure environment for students, staff, and visitors to the school including the use of CCTV.
- operational management including the compilation of visitor records; the administration of invoices, fees and accounts; the management of The School property; the management of security and safety arrangements.
- behaviour or other disciplinary procedures.
- advancement including fundraising.
- the promotion of our school and its events through our website[s] and social media, other online platforms, our prospectus and other publications and communications.
- compliance with health and safety requirements.
- to keep a record of historical and memorable events relevant to the maintenance of a historical record.
- maintaining and monitoring our information systems and networks, in accordance with other SORs and SOPs.
- statistical and research purposes.
How is Visitor Sensitive Personal Data Used
We may process sensitive personal data of visitors in the following limited circumstances.
- to comply with requirements of local health authorities
- for appropriate access to our online platforms.
- in relation to your physical or mental health, or disability status, to ensure your health and safety at The School.
- in the course of responding to legal claims.
Methods of Data Processing
We process your personal data using both automated and manual methods to ensure accuracy and efficiency. Automated processing involves the use of software and algorithms to handle data collection, storage, and analysis in the various information and communication technology systems that The School uses and onboards to fulfil or facilitate the business of The School, e.g. the School Management Information System, Learning Management System, Visitor Management System and other administrative or academic systems. Manual processing may be conducted by our authorized personnel to verify data accuracy and handle specific requests. We may also process your data in batches, in real-time. Some of our processing activities are carried out in the cloud. All processing activities are conducted in compliance with applicable laws and regulations, ensuring that your personal data is handled securely and confidentially. We implement robust technical and organizational measures to protect your data from unauthorized access, disclosure, alteration, or destruction (see Security section below).
Disclosures Of Visitor Personal Data
We may have to share personal data of visitors with third parties where we have a legitimate interest in doing so.
Personal data of visitors may only be disclosed to the following third parties or data processors:
- Government ministries to fulfill any compliance or legal obligations.
- Agencies or companies working with/for UNIS Hanoi to provide services for school events, community programmes or other activities.
- In various information and communication technology systems that The School uses and onboards to fulfil or facilitate the business of The School.
- Health and safety providers such as occupational health services, health insurance providers, and medical professionals for workplace safety.
- Third party security services contractors that The School uses for campus safety and security.
- Bus service contractors that work with The School to provide transportation services.
- Food, hospitality and entertainment services providers such as school canteen, restaurants, hotels, to provide food and beverage or school functions services on and occasionally off campus.
Data Subject Rights
Primarily under Viet Nam’s Personal Data Protection Law (PDPL) and generally under applicable sections of other legal frameworks around the world concerning data privacy and protection e.g. Europe's GDPR, visitors have a number of rights regarding their personal data that we hold.
These rights are:
- To be informed: Data subjects have the right to be informed of the method, scope, location, and purposes of the collection, processing, and use of their personal information. Even in circumstances where personal data can be processed without the data subject's consent, the data subject still has the right to be informed.
- Request access to your personal information (commonly known as a “data subject access request”). This enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it.
- Request correction of the personal information that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected.
- Request erasure of your personal information. This enables you to ask us to delete or remove personal information where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal information where you have exercised your right to object to processing (see #5 below).
- Right to object to processing of your personal information where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground. You also have the right to object where we are processing your personal information for direct marketing purposes.
- The right to give or withdraw consent to the processing of your personal data. Personal data processing activities, which happen before consent is withdrawn, are legal and valid. Upon receiving a request to withdraw consent UNIS Hanoi shall notify you of any potential consequences and damage if you withdraw your consent.
- Request the restriction of processing of your personal information. This enables you to ask us to suspend the processing of personal information about you, for example if you want us to establish its accuracy or the reason for processing it.
- Request the transfer of your personal information to another party.
To invoke any of these rights, contact our Data Protection Officer at dpo@unishanoi.org. As permitted by law, we may refuse to comply with the request in certain circumstances.
Security
We employ reasonable and appropriate measures and controls to ensure that the employee personal data we maintain is secured against unauthorised access or disclosure, in line with The School’s Data Privacy and Protection SOR and applicable laws and regulations.
In general, we protect employee personal data by, among other things:
- Access Management policies on our information and communication technology systems including privileged access management applications, passwords, passkeys, MFAs (Multi Factor Authentication) and maintenance of access and permission matrices.
- Encryption standards and protocols for network connectivity, data collection, transmission, storage and processing.
- Firewall and endpoint protection on our network and school owned IT devices.
- Lock and key management for access to storage locations on campus where personal and sensitive data is stored in hard copies.
- Deploying electronic data destruction and sanitising equipment as well as paper shredders to dispose of electronic storage equipment and paperwork.
In accordance with our Data Breach SOR, we have procedures in place to respond to any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.
Potential Risks and Consequences
While we are committed to safeguarding your personal data through robust security measures, it is important to inform you of potential risks and undesirable consequences that may arise from data processing activities. These may include unauthorized access, data breaches, or misuse of your personal information, which could result in identity theft, financial loss, or harm to your reputation. We take these risks seriously and have implemented comprehensive measures to mitigate them. However, we encourage you to remain vigilant and report any suspicious activities to us immediately by emailing dpo@unishanoi.org. Should any significant changes to our data processing practices occur, we will notify you promptly and provide detailed information on the potential impact on your personal data.
