Privacy Notice for Job Applicants and Employees

Announcement by the Health Intervention and Technology Assessment Program Foundation

on Privacy Notice for Job Applicants and Employees

1. Background

The Health Intervention and Technology Assessment Program Foundation (hereinafter referred to as “HITAP”, “we” or “us”) recognizes and places importance on the personal data of job applicants and employees, and HITAP strictly comply with and respect their right to privacy. This Privacy Notice (“Privacy Notice”) was made to notify you, as a job applicant or employee of us, of the purposes and means of collection, use and disclose (collectively referred to as “process/processing”) of your personal data as well as your rights under the Personal Data Protection Act B.E. 2562 (2019) (“Act”).

For the avoidance of doubt, HITAP will process your personal data under this Privacy Notice as the data controller, meaning that HITAP would be responsible for making decisions regarding collection, use and disclosure of your personal data.

2. Definition

• “HITAP” means Health Intervention and Technology Assessment Program Foundation.
• “Employee” means employee or staff working for / performing duties for HITAP in exchange of wages, salary, benefits, or remuneration paid by HITAP, such as Secretary General, Program Leader, head of unit, employee, intern, personnel or any other person having a similar relationship with HITAP. This shall extend to any person whose personal data appear in the documents relating to the job application process, such as family member, father, mother, spouse, children, emergency contact person, reference person, or beneficiary.
• “Job Applicants” means any person applying for job / internship opportunity or any other person who submits their personal profile to HITAP for the purpose of applying for a job / internship opportunity or securing a permanent or part-time employment. This shall extend to applicants who are under the employment of the outsource service providers, internship applicants, and person related to such applicants whose personal data appear in the application document, such as family member, reference person or emergency contact person.
• “Personal Data” means any information relating to a person which enables the identification of such person, either directly or indirectly, excluding information of deceased persons in particular.
• “Sensitive Personal Data” means personal data as stipulated in Section 26 of the Personal Data Protection Act B.E. 2562 (2019) which includes racial, ethnic origin, political opinions, cult, religious or philosophical beliefs, sexual behavior, criminal records, health data, disability, trade union information, genetic data, biometric data, or of any data which may affect the data subject in the same manner, as prescribed by the Personal Data Protection Committee.

In this regard, any terms which are not defined under this Privacy Notice shall refer to the terms as defined in the Act.

3. Types and Sources of Personal Data

Your personal data which are collected, used or disclosed by HITAP may vary according to the cases and necessity of each processing activities. The types of personal and the sources/means of collection includes but not limited to the following:

Source/Mean of Collection

1. Personal data collected from HITAP’s job application form or any other personal data that you directly submit to HITAP through social media channels

Name, surname, nickname, date of birth, age, gender, picture, nationality, address, mobile phone, ID card number, passport number, driving license, next of kin, enlistment status, academic background, work history, skills and qualifications.

2. Personal data collected by tracking or monitoring technologies on the website.

Cookies, data usage of mobile phone, computer, email, internet, Line or Facebook.

3. Personal data collected during the employment

Personal data of employee’s family member, provident fund data, wage, remuneration, bonus, position, benefit, tax, start date, termination date, assigned task, appraisal result, transfer, promotion, training history, leave record, employee behavior, fingerprint/ image identification data, religion, health data, benefit claiming record.

4. Personal data that HITAP receives from a third-party, person or organization, and HITAP, in good faith, believes that such third party is entitled to process and disclose your personal data to HITAP, such as recruiters, HITAP’s employees or recruitment website/platform.

Name, surname, nickname, date of birth, age, gender, picture, nationality, address, mobile phone, ID card number, passport number, academic background, or work history.

4. Sensitive Personal Data

HITAP may be required to collect, use or disclose your sensitive personal data, the types and means of processing are set out below:

• In case of necessity, HITAP may process your sensitive personal data with your explicit consent in accordance with the consent form. We will do our best to provide the appropriate security measures to protect your sensitive personal data. In this regard, we will process your sensitive personal data only to achieve the purposes as permitted by law or as prescribed by the Privacy Notice and consent as follows:
  • Health information, e.g., disability, congenital disease, color blindness, medical examination result, blood type, medical certificate, medical history for the purposes of labor protection, social security, employee medical welfare, competency assessment including any other purpose as required by law.
  • Biometric data, e.g., fingerprint/ image identification data for office access record, identity verification, office area security or crime prevention.
  • Other sensitive personal data for other legally permitted purposes, for example, it is for prevention or suppression of a danger to a person’s life, body or health in case you are incapable of giving consent by whatever reason, the information is disclosed to the public with your explicit consent, it is necessary for exercise of legal claims or it is necessary to achieve the objectives of labor protection, social security and employee benefits.
• If you would not like your sensitive personal data to be collected, used or disclosed, you may reject our processing of your sensitive personal data by completing the consent form each time of processing, or by contacting our Human Resource officer to withdraw your consent at any time.

In case you would not like your sensitive personal data as shown in your identity card, house registration or other documents that you intend to provide to HITAP, such as racial, blood type and religious information, to be processed, and you deliver any document with the information of such kind to HITAP, whether in hard copy or any other formats, we recommend that you redact such sensitive personal data by crossing them out. However, if you do not redact the sensitive personal data by yourself, it is deemed to have HITAP authorized to redact the sensitive personal data for you; the document with redaction shall be valid and shall have a legal effect so that HITAP may process other personal data in the document according to the Personal Data Protection Act B.E. 2565 (2019). In case HITAP is not able to redact such sensitive personal data for you due to technical or other restrictions, HITAP will collect the personal data as necessary for the purpose of verifying your identity only.

5. Lawful Basis of Collection of Personal Data

HITAP determines the lawful basis for processing of your personal data as appropriate and according to the context of our activities. In this regard, the lawful basis that we rely upon for processing of your personal data include the following:

• It is necessary for performance of a task carried out in the public interest or for the exercising of official authority vested in HITAP.
• It is necessary for compliance with the laws.
• It is necessary for legitimate interest.
• It is necessary for preventing or suppressing a danger to a person’s life, body or health.
• It is necessary for performance of contract.
• It is for preparation of research and statistical documents for public interest.
• Your consent.

In case HITAP is required to collect your personal data for compliance with the laws or as necessary for entering into a contract, and if you deny providing your personal data or object to the processing of your personal data in accordance with the purpose of processing activities, HITAP would not be able to proceed or provide a service, whether in whole or in part, as requested by you. Moreover, it may have an impact on HITAP’s compliance with its legal obligations.

In some cases, HITAP may ask for your personal data for your convenience or to provide a better experience. In such cases, you may decide not to provide the personal data and as such, and it will not affect the core activities that you have with us.

6. Purposes of Processing

HITAP collects and processes your personal data for the purposes set out in this Privacy Notice as follows:

1. It is necessary for performance of contract or for entering into a contract between you and HITAP

• To support your employment agreement and other employment-related process, such as attendance record, performance appraisal, promotion, salary increase, and payment of remunerations.
• Management of wages, remunerations, overtime payments as well as provident fund and other employee benefits.
• Managing and proceeding with benefits and welfares of employee and related parties in accordance with the rules and regulations of HITAP, such as day off, leaves, group insurance, and other benefits.
• Employee appointment and registration, preparation of employee ID card, appliance, device, computer, email, and username / password for access to HITAP’s system.
• Employee training and proficiency test.
• Investigation, examination or inquiry of corruption or violation of law and HITAP’s work regulations to consider giving a warning, determining disciplinary punishment, or exercising any contractual rights.

2. For compliance with the law

• Complying with labour law, or any related act or ministerial regulations, such as managing employee tax or social security.
• Complying with the order of an officer exercising official authority, such as court orders.

3. For legitimate interest of HITAP or other third parties

• Ensuring security of HITAP’s building and area, employee, visitors, and other properties within HITAP’s responsibility, such as installing CCTV cameras to gather evidence and monitor HITAP’s area and vicinity for prevention of a danger to life, health and property.
• New employee, promotion, department transfer announcement.
• Collection of personal data prior to employment agreement for recruitment process of HITAP, whether by self-application, applicant search on any recruitment platforms, referral programs or internal recruitments.
• Interview process, consideration of academic and work background, related work experience and other qualifications of the applicants as specified by HITAP for each position.
• Verification of applicant’s work history from other sources as well as their conflict of interest with the business and service of HITAP
• Assessing the applicant’s job fit, comparing with other applicants and choosing the applicant that qualifies the criteria as determined by HITAP.
• Retaining the applicant’s profile for future positions in case of rejected applicants.
• Birthday announcement or condolence statement for employee’s loss of family member.
• Internal management or activities of HITAP, such as new year party, study trips, trainings, meetings, seminars, or other kinds of activities.

4. Compliance with the consent of data subjects

• Collection of biometric data for attendance record.
• Collection of religion data and health information for employee benefits.
• Advertisement or public relations with an employee as part of the campaign.

7. Disclosure of Personal Data

HITAP may disclose your personal data, for the specified purposes and as permitted by law, to the following individuals and/or organizations:

• Service providers and data processors assigned or hired by HITAP to manage or process personal data for HITAP to provide its services, including a person acting on HITAP’s behalf or jointly working with HITAP to achieve the purposes as set out in this Privacy Notice, and your personal data being required by such person to complete their task.
• Insurance companies and/or hospitals for employee health benefits and welfares.
• Government officers or authorities lawfully requesting the disclosure of personal data, such as employee report as required by law, disclosure of personal data in accordance with the court’s order.
• Contractors, partners, or other organizations relating to HITAP’s activities, such as academic institutes, training centers, non-profit organizations, private contractors, hotels, temples, foundations and other related organizations.
• Consultants or specialists giving advice on HITAP’s undertakings, whether an individual or organization, such as legal counsels, accounting consultants as well as other consultant with a specific profession.
• Entities or organizations which are the channels for HITAP’s public relations, including social media platforms.

HITAP will oblige the receiving individuals/organizations to set up appropriate safeguards for your personal data and process such personal data as necessary. HITAP will have agreements with them to prevent your personal data from being used or disclosed without authorization or in violation of data protection law or other relevant law, and it will proceed with the disclosure of your personal data under the purposes as specified in this Privacy Notice or other purposes as permitted by law. If a consent is required, HITAP will obtain your consent prior to the disclosure.

8. Cross-border Transfer of Personal Data

In some cases, HITAP may send or transfer your personal data outside Thailand for the purposes of HITAP’s services and activities. This includes transferring personal data to a cloud server in a foreign country.

However, HITAP will only send or transfer your personal data to a third country with adequate level of data protection, otherwise, HITAP will ensure that appropriate safeguards as required by law are established for your personal data, as well as an agreement being made with the relevant third party to guarantee their compliance with data protection measures as determined by HITAP.

9. Retention period of Personal Data

HITAP will keep your personal data for as long as it is necessary for achieving the purposes of processing in this Privacy Notice. The retention periods are as set out below:

• In terms of rejected applicants, HITAP will retain the personal data for 1 year from the date of receipt of personal data; or
• In terms of employee, HITAP will retain the personal data throughout the employment, and for another 5 years after termination of employment.

After expiration of the retention period, HITAP will erase, destroy, or take any other actions as required by personal data protection law, to ensure that such data will not be able to identify a data subject.

However, in case of any dispute / legal claim / legal proceedings relating to your job application or employment, HITAP reserves the right to retain the personal data until the final order or judgment has been rendered.

10. Security of Personal Data

HITAP sets up security measures, comprising of both technical and organizational measures for handling your personal data, such as implementing access control measure to allow only staff or individual that are authorized or assigned to use your personal data according to the Privacy Notice. Such people with authorization will have to strictly adhere to and comply with HITAP’s data protection measures, and they will also have an obligation to keep confidentiality of the personal data they became known in the performance of their duties.

Moreover, if HITAP requires your personal data to be sent or transferred to any third party, whether for the purposes of HITAP’s mission, contract, or other form of agreements, HITAP will determine the level of security and confidentiality measures as appropriate and as required by law to ensure your personal data with HITAP is always safe and secure.

11. Data Subject Right According to the Personal Data Protection Act B.E. 2562 (2019)

The Personal Data Protection Act B.E. 2662 (2019) stipulates various rights of data subjects. A data subject or an authorized person, such as a parent or a guardian, is entitled to submit a request to exercise the rights through the channel as set out in Clause 14. The details of the available data subject rights are as follows:

1. Right to be informed: The data subject is entitled to be informed of the purposes and details of collection, use, and disclosure of their personal data through a privacy policy or privacy notice (as the case may be), including any changes to the existing purposes.

2. Right to Access: The data subject is entitled to have access, obtain a copy, or request the disclosure of their personal data collected by HITAP unless HITAP has a justified reason to reject the request as permitted by the law or court order, or in case the exercise of this right may have an adverse effect to the rights and freedom of other individual.

3. Right to Rectification: In the event that the data subject finds that their personal data are not accurate, complete or up-to-date, they are eligible to have their personal data rectified to ensure they are accurate, up-to-date, complete and not misleading, to the extent permitted by relevant law.

4. Right to Erasure: The data subject is entitled to have their personal data erased, destroyed, or anonymized, to the extent allowed by relevant law.

5. Right to Restriction of Processing: The data subject is entitled to restrict their personal data from being processed in the following cases:

• when the request to rectify your personal data for accuracy, completeness and being up-to-date (Right to Rectification) is under review by HITAP;
• when HITAP unlawfully processes your personal data;
• when their personal data is no longer necessary for HITAP, but the data subject requests HITAP to keep their personal data in support of their legal claim, such as establishment or defense of a legal claim; and
• when HITAP is in the process of verifying your objection request (Right to Object).

6. Right to Object: The data subject is entitled to object to the collection, use or disclosure of personal data relating to them in case HITAP relies upon legitimate interest, or processes their personal data for the scientific or historical research, or statistical purposes, unless HITAP has a legally justified reason to reject the request (such as HITAP is able to demonstrate that there is a compelling, legitimate ground for the collection, use and disclosure, or it is necessary for establishment, compliance or exercise of legal claims or it is for the public interest).

7. Right to Withdraw Consent: In case where the data subject gives consent to HITAP for collection, use or disclosure of personal data (whether such consent has been given before or after the effective date of the Personal Data Protection Act B.E. 2562 (2019)), the data subject is entitled to withdraw their consent at any time throughout the period where their personal data is being kept by HITAP unless there is any restriction by law that permits HITAP to continue retaining the personal data, or there is a contract between the data subject and HITAP. The withdrawal of consent will not affect the lawfulness of the collection, use, or disclosure of your personal data based on your consent before it was withdrawn.

8. Right to Data Portability: The data subject is entitled to receive their personal data being processed by HITAP in a readable and commonly used, by automated devices or equipment, and can be used or disclosed by automated means. Moreover, the data subject may request their personal data in such format be sent to other data controller, subject to the conditions in the law.

9. Right to File a Complaint: The data subject is entitled to make a complaint to HITAP for investigation, clarification, or resolution of their concerns, including filing a complaint to the Personal Data Protection Commission if the processing of personal data by HITAP is in violation of the personal data protection law.

In case the data subject submits the request to exercise their rights under the Act, upon the receipt of the request, HITAP will proceed with the request within 30 days. HITAP reserves its right to reject or refuse to comply with the request and its right to extend the request respond timeline, including charging a fee if permitted by law.

12. Use of Personal Data for the Original Purposes

HITAP is entitled to collect and use the personal data given by the data subjects before the effective date of the personal data protection law for its original purposes. If the data subject no longer wishes HITAP to continue collecting and using such personal data, the data subject may withdraw their consent.

13. Amendment to the Privacy Notice

HITAP may consider updating, amending, or making changes to the Privacy Notice from time to time to be in line with its internal practice and the data protection law. HITAP will notify you of the changes via the HITAP website.

By submitting your application document, you hereby acknowledge the terms under this Privacy Notice. We recommend that you refrain from submitting the document or contact our Human Resource officer in case you do not agree with any terms of this Privacy Notice, otherwise you are deemed to have acknowledge this Privacy Notice.

14. Contact Details for Enquiry or Exercise of Rights

If there is any enquiry, suggestion, or concern regarding HITAP’s collection, use and disclosure of personal data, or if you would like to contact the data protection officer or exercise your rights under the personal data protection law, please contact us at:

Health Intervention and Technology Assessment Program

6th Floor, 6th Building, Department of Health, Ministry of Public Health,

Tiwanon Rd., Muang, Nonthaburi 11000

Tel.: 02-590-4549, 02-590-4374-5 or email: [email protected]

You can download the Data Subject Right Request Form here

Effective on 1^st June 2022

——

Related Privacy Notice(s) and document(s)

Privacy Policy

Privacy Notice for Service Providers or Contractors

Privacy Notice for CCTV

Privacy Notice for Events

Cookie Policy

Privacy Notice for Website Users

Data Subject Right Request Form