Announcement by the Health Intervention and Technology Assessment Program Foundation
on Privacy Policy
1. Background
The Health Intervention and Technology Assessment Program Foundation (hereinafter referred to as “HITAP”, “we” or “us”) places importance on personal data and/or any other information related to the data subjects (collectively referred to as “you” or “data subject”). This is to assure the data subjects that HITAP collects, uses, and discloses the personal data in a transparent and accountable manner in accordance with the Personal Data Protection Act B.E. 2562 (2019) (“Act”) as well as other related laws and regulations. This Privacy Policy (“Policy”) was made to notify you of how your personal data are collected, used and disclosed (collectively referred to as “process/processing”) by HITAP including our staff and relevant personnel who acts on HITAP’s behalf, the details of which are as follows:
2. Scope of Application
This policy is applicable to personal data of an individual who has or will have a relationship of any kind with HITAP, and their personal data will be processed by HITAP, researchers, employees, staff or personnel, visitors, guests as well as contractors or third parties who acts on HITAP’s behalf (“Data Processor”).
In addition to this Policy, HITAP may issue a privacy notice (“Notice”) for our activities or services. It will inform the data subjects about the details of data processing activities, i.e., the types of personal data, purposes of processing, lawful basis for processing, retention period and the rights available for the data subjects relating to a particular activity or service.
In case of any major discrepancy between this Policy and other Notices, the Notice shall prevail.
3. Definition
– “HITAP” means Health Intervention and Technology Assessment Program Foundation.
– “Personal Data” means any information relating to a person which enables the identification of such person, either directly or indirectly, excluding information of deceased persons in particular.
– “Sensitive Personal Data” means personal data as stipulated in Section 26 of the Personal Data Protection Act B.E. 2562 (2019) which includes racial, ethnic origin, political opinions, cult, religious or philosophical beliefs, sexual behavior, criminal records, health data, disability, trade union information, genetic data, biometric data, or of any data which may affect the data subject in the same manner, as prescribed by the Personal Data Protection Committee.
– “Processing of Personal Data” means any operation which is performed on personal data such as collection, recording, copying, structuring, storage, adaptation, alteration, use, retrieval, disclose, transmission, dissemination, transfer, combination, erasure, or destruction.
– “Data Subject” means a natural person whose Personal Data are collected, used or disclosed by HITAP.
– “Data Controller” means a natural person or legal person having an authority to make decisions about the collection, use and disclose of personal data.
– “Data Processor” means a natural person or legal person who collects, uses, or discloses personal data under the instruction and on behalf of the Data Controller. Such natural or legal person is not the Data Controller.
– “Supervisory Authority” means Personal Data Protection Committee of Thailand or other supervisory authority under the data protection law of a foreign country, which concerns itself with HITAP’s processing of personal data.
– “Cookies” means a price of electronic files in connection with browsing history of a data subject that a web server places on a data subject’s computer device to help remember the information about the data subject’s website visits and activities. This definition shall extend to other similar tracking technologies.
In this regard, any terms which are not defined under this Policy shall refer to the terms as defined in the Act.
4. Types of Collected Personal Data
HITAP may collect or acquire the following personal data, including both general personal data and sensitive personal data, based on HITAP services or activities, the relationship between data subjects and HITAP, and other relevant considerations. The types of personal data as set out below is a non-exhaustive list, which merely exemplifies the scope of personal data generally collected by HITAP.
Types of Personal Data
– Personal details
The details as shown in the document identifying the identity of the data subjects, e.g. name title, name, middle name, surname, nickname, signature, date of birth, ID card number, copy of ID card, nationality, passport, house registration, professional license number (for each profession), license number, social security number.
– Information on individual status and characteristics
The details of data subject which includes gender, height, weight, age, marital status, enlistment status, picture, voice, dialect, behavior, preference, bankruptcy status, incompetent person status, quasi-incompetent person status.
– Contact information
Information for contacting the data subject which includes home phone number, mobile phone number, fax, email address, postal address, social media user name (e.g. Line ID, MS Teams), home location map.
– Work and academic information
The details of employment as well as work and academic history which includes types of employment, occupation, ranking, position, responsibility, expertise, work permit status, reference person, position record, work record, salary, start date, termination date, appraisal result, benefits and welfares, work materials in possession, accomplishments, academic institute, academic degree, graduation date.
– Financial information
The details relating to payment or reimbursement, such as account number, bank details, relevant transactions with HITAP, bill/invoice, payment confirmation document, receipt, tax ID number, tax invoice, other tax document.
– Insurance policy information
The details of insurance policy of staff, such as the insurer, the insured, the beneficiary, policy number, policy type, coverage, insurance claim information.
– Information on social status
The information on the data subject’s social status, such as political status, political office, director office, academic ranks, relationship with HITAP’s staff, information on contractual relationship with HITAP, conflict of interest information in relation to the business with HITAP.
– Sensitive personal data
The information that are genuinely private and sensitive, and that could potentially be used against the data subject for unlawful discrimination, such as racial, ethnic origin, religious belief, disability, political opinions, genetic data, biometric data (e.g. fingerprint/ image recognition data), health information, health-related behaviors and expenses.
– Technical information
The technical details of the device or equipment or the information acquired by HITAP through the device or equipment or from the use of HITAP’s online platform, such as user account, password, logfile, relevant records for investigation, location information, picture, video, voice record, browsing behaviors (the website in HITAP’s responsibility e.g. www.hitap.net), searching history, cookies or similar technologies, device ID, device type, connection detail, browser information, language preference, operation system, other technical information derived from the use of platform and operation system.
– Security information
Information for maintaining security of HITAP and other persons, such as picture or video from CCTV, appearance of individuals, suspicious behavior or activity.
– Information relating to research and events
Information which are obtained from individuals who volunteer to join HITAP’s research or participate in HITAP’s training, seminar, interview, meeting, or which HITAP acquires through the research or activities/events as such, which covers the general and sensitive personal data as stated above.
5. Types of Data Subject
HITAP processes your personal data in accordance with each Privacy Notice, which will divide into certain group of data subjects and related processing activities as follows:
Types of Data Subject
– HITAP employees includes employee or staff working for / performing duties for HITAP in exchange of wages, salary, benefits, or remuneration paid by HITAP, and HITAP can exercise supervision, e.g., conducting annual appraisal, issuing internal rules and regulations and ensuring compliance with the rules and regulations, over such employees or staffs. This includes Secretary General, Program Leader, head of unit, employee, personnel or any other person having a similar relationship with HITAP. This group shall extend to any person whose personal data appear in the documents relating to the job application process, such as family member, father, mother, spouse, children, emergency contact person, reference person, or beneficiary.
Please see our Privacy Notice for Job Applicants and Employees.
– Service providers or contractors includes a natural person or representative of a legal person, such as directors, authorized persons, attorney in fact, sub agents, personnel, staff and employees of the legal person which entered / is entering into any transaction with HITAP. This group shall extend to any person whose personal data appear in the related documents or any person who joins the bidding for selling goods and/or services to HITAP, such as service providers, advisor, specialist, scholar, speaker, contractor, or any other person having a similar relationship with HITAP.
Please see our Privacy Notice for Service Providers or Contractors.
– Job applicants includes any person applying for job / internship opportunity or any other person who submits personal profile to HITAP for the purpose of applying for a job / internship opportunity or securing a permanent or part-time employment. This group shall extend to applicants who are under the employment of the outsource service providers, internship applicants, and person related to such applicants whose personal data appear in the application document, such as family member, reference person or emergency contact person.
Please see our Privacy Notice for Job Applicants and Employees.
– Individuals captured in CCTV means individuals walking past the CCTV camera or entering HITAP’s area, including those who are in the area where a CCTV of HITAP is in operation.
Please see our Privacy Notice for CCTV.
– Event participants includes any person participates in HITAP’s activities or projects, registrant, training or seminar participant, interviewee as well as other similar parties.
Please see our Privacy Notice for Events.
– Visitors or online users: HITAP may deploy automated technologies to collect your personal data while browsing our website or social media through computer or mobile device, such as IP address, browser in use, operation system, website visits and the origin website redirecting you to our website. The technologies include cookies or other similar technologies.
Please see our Cookie Policy and Privacy Notice for Website Users.
6. Sources of Collected Personal Data
HITAP will collect or acquire various types of personal data from the following sources:
- Personal data that HITAP directly collect from the data subjects from various channels, such as research process, information provided in application forms, contracts / documents signing, survey /interview, cookie technology or other provided channels in HITAP’s control including HITAP’s office or other communication channels which are used by the data subjects to contact HITAP.
- Personal data that HITAP collects from the data subjects when they access our website or other services, such as behavior tracking based on website browsing, activities or HITAP’s service usage through cookies or device software of the data subjects.
- Personal data that HITAP collects from third-party sources other than the data subjects. To disclose your personal data to HITAP, such third-party sources would rely on a lawfully justified reason or the consent of the data subjects, such as integration of HITAP’s service to other entities for the interest of the data subjects, receipt of the data subject’s personal data from HITAP’s respective government authority or other government agencies with the authority to support HITAP’s operations as defined by its missions, pushing or pulling personal data from government public sources (e.g. academic institutes or other organizations), and exchanging of personal data with the contractor entity as necessary for the research purpose or performance of contractual obligations.
In addition, a third-party source shall extend to the case where a data subject provides the personal data of other individuals to HITAP. In such case, the data subject is responsible for notifying the individuals of the details set out in this Policy as well as obtaining their consent for the disclosure to HITAP, such as providing the name of reference person in case of job application with HITAP.
7. Lawful Basis for Processing of Personal Data
HITAP determines the lawful basis for processing of your personal data as appropriate and according to the context of our activities. In this regard, the lawful basis that we rely upon for processing of your personal data include the following:
- It is necessary for performance of a task carried out in the public interest or for the exercising of official authority vested in HITAP.
- It is necessary for compliance with the laws.
- It is necessary for legitimate interest.
- It is necessary for preventing or suppressing a danger to a person’s life, body or health.
- It is necessary for performance of contract.
- It is for preparation of research and statistical documents for public interest.
- Your consent.
In case HITAP is required to collect your personal data for compliance with the laws or as necessary for entering into a contract, and if you deny providing your personal data or object to the processing of your personal data in accordance with the purpose of processing activities, HITAP would not be able to proceed or provide a service, whether in whole or in part, as requested by you. Moreover, it may have an impact on HITAP’s compliance with its legal obligations.
In some cases, HITAP may ask for your personal data for your convenience or to provide a better experience. In such cases, you may decide not to provide the personal data and as such, and it will not affect the core activities that you have with us.
8. Purpose of Processing
HITAP collects your personal data for various purposes, significantly based on the types of services or activities along with the relationship with HITAP or other considerations in each context. Some or all of the purposes as set out below may apply to your case, hence please consider the applicable purposes, on a case-by-case basis, taking into account the relationship with HITAP.
In this regard, HITAP collects and processes your personal data for the purposes set out in this Policy as follows:
- For performance of contract or at the data subject’s request prior to entering into a contract
- Processing of transactions or contracts between the data subject and HITAP.
- Retention and improvement of personal data of the data subject who has a transaction or contract with HITAP.
- The use, control, utilization, tracking, investigation and management of services or activities to accommodate and align with the needs of the data subject.
- Job application, evaluation of applicant qualifications to secure a position, employment contract process, providing benefits and reimbursement process.
- Taking actions as necessary for the performance of HITAP’s contractual obligations.
- For compliance with the law and the order of an officer exercising official authority
- Providing or processing data in accordance with the order of the courts or the justice officers.
- Retention of personal data as required by law.
- Maintaining the record of data processing activities as required by law.
- Taking any action to comply with HITAP’s obligations as required by law.
- For legitimate interest of HITAP or other third parties
- Prevention, detection, avoidance and investigation of security breach or prohibitive / unlawful action and any action which may cause damages to HITAP and the data subject.
- Identity verification / authentication and other information verification when the data subject applies for HITAP’s services or contacts HITAP for the services.
- HITAP’s public relations with an opt-out option for the data subject.
- Risk evaluation and management as well as anti-corruption.
- Spam prevention or prevention of unauthorized / unlawful actions.
- Necessary administrative activities within HITAP.
- Legal proceeding management.
- Analysis and solving of problems relating to HITAP’s services.
- Processing of data as necessary for the public interests, or preparation of documents relating to research or statistics for public interest in relation to the assessment of health technologies and programs according to HITAP’s missions and objectives, such as conducting research, learning and teaching, preparing a policy, and preventing/monitoring of epidemics.
- For preventing or suppressing a danger to life, body or health of individuals, such as an emergency contact
- For performance of a task carried out in the public interest regarding health intervention and technology assessment by HITAP, or it is necessary for the exercising of official authority vested in HITAP to comply with its missions, law, regulations, rules or related orders.
- Compliance with the data subject’s consent
- In necessary case of collection of general personal data and sensitive personal data, such as racial, ethnic origin, religious belief, health-related behaviors, health information, disability, genetic data, biometric data (e.g. facial recognition data) or health-related expenses.
- Collection and use of cookies including similar technologies.
- Passing or transferring personal data to a destination country with inadequate level of data protection standard.
9. Personal Data of Minors, Incompetent or Quasi-incompetent Persons
In case HITAP becomes aware that the consent of the legally incapacitated data subject, i.e., a minor, incompetent or quasi-incompetent person, is required for the processing, HITAP will not collect their personal data unless the consent as such has already been given by their parent, guardian or curator (as the case may be) and to the extent as permitted by law.
In case HITAP is not aware that the data subject is a minor, incompetent or quasi-incompetent person and that HITAP discover the processing without the consent of their parent, guardian or curator (as the case may be) at a subsequent time, HITAP will erase or destroy their personal data in due course if HITAP does not rely on any other lawful basis of processing than the consent.
10. Collection of Personal Data through recording devices
- When you enter HITAP’s area, HITAP may record the footage of you via CCTV devices. HITAP will notify you of CCTV in operation within the area of HITAP.
- When you enter the event/meeting/seminar or other activity area, HITAP may capture your image or video as well as audio for the purpose of such activity or public relations of HITAP. HITAP will notify you of the recordings within such area.
11. Disclosure of Personal Data
HITAP may share or disclose your personal data to other persons or organizations in accordance with the purposes as provided in this Policy, including but not limited to the followings:
- Government authorities or other persons as required by law
- Service providers and other entities supporting HITAP’s operation (please refer to Clause 14)
- Advisors or specialists who provide consultation services to HITAP
- Attorney in fact or other lawful representatives
- Any person assigned or appointed to enter into transactions on behalf of HITAP
- Social media service providers
- Any organization or person in cooperation with HITAP for a project or activity
- Any person whom you have a contractual or transactional relationship with
- The public
HITAP will oblige the receiving individuals/organizations to set up appropriate safeguards for your personal data and process such personal data as necessary. HITAP will have agreements with them to prevent your personal data from being used or disclosed without authorization or in violation of data protection law or other relevant law, and it will proceed with the disclosure of your personal data under the purposes as specified in this Policy or other purposes as permitted by law. If a consent is required, HITAP will obtain your consent prior to the disclosure.
12. Cross-border Transfer of Personal Data
In some cases, HITAP may send or transfer your personal data outside Thailand for the purposes of HITAP’s services and activities. This includes transferring personal data to a cloud server in a foreign country or sending personal data to foreign organization for research purposes.
However, HITAP will only send or transfer your personal data to a third country with adequate level of data protection, otherwise, HITAP will ensure that appropriate safeguards as required by law are established for your personal data, as well as an agreement being made with the relevant third party to guarantee their compliance with data protection measures as determined by HITAP.
13. Retention period of Personal Data
HITAP will keep your personal data for as long as it is necessary for achieving the purposes of processing in this Policy. After the retention period expires and the specified purposes are achieved, HITAP will erase, destroy, anonymize the personal data according to the standard and format as required by the Personal Data Protection Committee, the personal data protection law or international standard.
HITAP may retain certain personal data as required by relevant prescription periods or other relevant law, such as accounting, tax, labour or other law for HITAP’s compliance.
However, in case of any dispute / legal claim / legal proceedings relating to personal data, HITAP reserves the right to retain the personal data until the final order or judgment has been rendered.
14. Third-party Service Providers or Sub-service Providers
HITAP may assign or hire a third party (Data Processor) to process the personal data on HITAP’s behalf. The third party may offer an outsourcing service or other types of services to HITAP.
HITAP will provide an agreement for the assignment of third party to process the personal data, where the rights and responsibilities of HITAP, as the Data Controller, and the third party, as the Data Processor would be stipulated, including the types of personal data, the purposes / scopes of processing and other relevant terms. The Data Processor shall be responsible for complying with the stipulated terms and instructions of HITAP. Processing of personal data beyond the agreement is prohibited.
In case the Data Processor assign another sub-service provider (Sub-processor) to process the personal data on their behalf, HITAP will oblige the Data Processor to enter into an agreement with the Sub-processor with the terms and standard not less stringent that those set out under the agreement between HITAP and the Data Processor.
15. Security of Personal Data
HITAP sets up security measures, comprising of both technical and organizational measures for handling your personal data, such as implementing access control measure to allow only staff or individual that are authorized or assigned to use your personal data according to the Policy. Such people with authorization will have to strictly adhere to and comply with HITAP’s data protection measures, and they will also have an obligation to keep confidentiality of the personal data they became known in the performance of their duties.
Moreover, if HITAP requires your personal data to be sent or transferred to any third party, whether for the purposes of HITAP’s mission, contract, or other form of agreements, HITAP will determine the level of security and confidentiality measures as appropriate and as required by law to ensure your personal data with HITAP is always safe and secure.
16. Data Subject Right According to the Personal Data Protection Act B.E. 2562 (2019)
The Personal Data Protection Act B.E. 2662 (2019) stipulates various rights of data subjects. A data subject or an authorized person, such as a parent or a guardian, is entitled to submit a request to exercise the rights through the channel as set out in Clause 20. The details of the available data subject rights are as follows:
1. Right to be informed: The data subject is entitled to be informed of the purposes and details of collection, use, and disclosure of their personal data through a privacy policy or privacy notice (as the case may be), including any changes to the existing purposes.
2. Right to Access: The data subject is entitled to have access, obtain a copy, or request the disclosure of their personal data collected by HITAP unless HITAP has a justified reason to reject the request as permitted by the law or court order, or in case the exercise of this right may have an adverse effect to the rights and freedom of other individual.
3. Right to Rectification: In the event that the data subject finds that their personal data are not accurate, complete or up-to-date, they are eligible to have their personal data rectified to ensure they are accurate, up-to-date, complete and not misleading, to the extent permitted by relevant law.
4. Right to Erasure: The data subject is entitled to have their personal data erased, destroyed, or anonymized, to the extent allowed by relevant law.
5. Right to Restriction of Processing: The data subject is entitled to restrict their personal data from being processed in the following cases:
- when the request to rectify your personal data for accuracy, completeness and being up-to-date (Right to Rectification) is under review by HITAP;
- when HITAP unlawfully processes your personal data;
- when their personal data is no longer necessary for HITAP, but the data subject requests HITAP to keep their personal data in support of their legal claim, such as establishment or defense of a legal claim; and
- when HITAP is in the process of verifying your objection request (Right to Object).
6. Right to Object: The data subject is entitled to object to the collection, use or disclosure of personal data relating to them in case HITAP relies upon legitimate interest, or processes their personal data for the scientific or historical research, or statistical purposes, unless HITAP has a legally justified reason to reject the request (such as HITAP is able to demonstrate that there is a compelling, legitimate ground for the collection, use and disclosure, or it is necessary for establishment, compliance or exercise of legal claims or it is for the public interest).
7. Right to Withdraw Consent: In case where the data subject gives consent to HITAP for collection, use or disclosure of personal data (whether such consent has been given before or after the effective date of the Personal Data Protection Act B.E. 2562 (2019)), the data subject is entitled to withdraw their consent at any time throughout the period where their personal data is being kept by HITAP unless there is any restriction by law that permits HITAP to continue retaining the personal data, or there is a contract between the data subject and HITAP. The withdrawal of consent will not affect the lawfulness of the collection, use, or disclosure of your personal data based on your consent before it was withdrawn.
8. Right to Data Portability: The data subject is entitled to receive their personal data being processed by HITAP in a readable and commonly used, by automated devices or equipment, and can be used or disclosed by automated means. Moreover, the data subject may request their personal data in such format be sent to other data controller, subject to the conditions in the law.
9. Right to File a Complaint: The data subject is entitled to make a complaint to HITAP for investigation, clarification, or resolution of their concerns, including filing a complaint to the Personal Data Protection Commission if the processing of personal data by HITAP is in violation of the personal data protection law.
In case the data subject submits the request to exercise their rights under the Act, upon the receipt of the request, HITAP will proceed with the request within 30 days. HITAP reserves its right to reject or refuse to comply with the request and its right to extend the request respond timeline, including charging a fee if permitted by law.
17. Cookies
HITAP will collect and use cookies including other similar technologies on the website in HITAP’s responsibility e.g. www.hitap.net or on any other devices of you, depending on their subscribed services, to ensure the security of HITAP’s service and to accommodate you or provide better experience to you. The personal data will also be used for improvement of HITAP’s website to match the data subject’s interest. However, you may block HITAP’s cookies through our cookie banner.
You may learn more about this from our “Cookie Policy”
18. Use of Personal Data for the Original Purposes
HITAP is entitled to collect and use the personal data given by the data subjects before the effective date of the personal data protection law for its original purposes. If the data subject no longer wishes HITAP to continue collecting and using such personal data, the data subject may withdraw their consent.
19. Amendment to the Privacy Notice
HITAP may consider updating, amending, or making changes to the Policy from time to time to be in line with its internal practice and the data protection law. HITAP will notify you of the changes via the HITAP website.
20. Contact Details for Enquiry or Exercise of Rights
If there is any enquiry, suggestion, or concern regarding HITAP’s collection, use and disclosure of personal data, or if you would like to contact the data protection officer or exercise your rights under the personal data protection law, please contact us at:
Health Intervention and Technology Assessment Program Foundation
6th Floor, 6th Building, Department of Health, Ministry of Public Health,
Tiwanon Rd., Muang, Nonthaburi 11000
Tel.: 02-590-4549, 02-590-4374-5 or email: hitap@hitap.net
You can download the Data Subject Right Request Form here
Effective on 1st June 2022
——
Related Privacy Notice(s) and document(s)
Privacy Notice for Job Applicants and Employees
Privacy Notice for Service Providers or Contractors
Privacy Notice for Website Users
Data Subject Right Request Form