Data Protection Policy
Go Abroad Study Programs holds Personal Data about our users, employees, clients, suppliers and other individuals for a variety of business purposes.
This policy sets out how we seek to protect Personal Data and ensure that staff understand the rules governing their use of Personal Data to which they have access in the course of their work. In particular, this policy requires staff to ensure that the Data Protection Officer (DPO) be consulted before any significant new data processing activity is initiated to ensure that relevant compliance steps are addressed.
Go Abroad Study Programs operates in several jurisdictions, including Europe, the United Kingdom and Singapore. This policy describes principles and procedures which ensure Go Abroad Study Programs complies with the various regulations across all the regions in which we operate.
The procedures described in this policy must be followed at all times by Go Abroad Study Programs, its employees, agents, contractors, or other parties working on behalf of Go Abroad Study Programs.
Go Abroad Study Programs is committed not only to the letter of the law but also to the spirit of the law and places a high premium on the correct, lawful and fair handling of all Personal Data, respecting the legal rights, privacy and trust of all individuals with whom it deals.
Scope
This policy applies to all staff. You must be familiar with this policy and comply with its terms. This policy supplements our other policies relating to internet and email use. We may supplement or amend this policy by additional policies and guidelines from time to time. Any new or modified policy will be circulated to staff before being adopted.
Our Data Protection Officer has overall responsibility for the day-to-day implementation of this policy.
Training
All staff will receive training on this policy. New staff will receive training as part of the induction process. Further training will be provided at least every year or whenever there is a substantial change in the law or our policy and procedure.
Training is provided through in-house seminars and online training on an annual basis, and covers the applicable laws relating to data protection, and Go Abroad Study Programs’ data protection and related policies and procedures.
Completion of training is compulsory.
If you have any questions or concerns about anything in this policy, do not hesitate to contact the DPO.
Applicable legislative considerations
UK Data Protection Act 1998 (DPA)
Under the UK Data Protection Act 1998, Personal Data is defined as data which relates to a living individual who can be identified from that data, or from that data and other information which is in the possession of, or is likely to come into the possession of, the data controller, and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual.
The UK Data Protection Act 1998 also defines “sensitive Personal Data” as Personal Data relating to the racial or ethnic origin of the data subject; their political opinions; their religious (or similar) beliefs; trade union membership; their physical or mental health condition; their sexual life; the commission or alleged commission by them of any offence; or any proceedings for any offence committed or alleged to have been committed by them, the disposal of such proceedings or the sentence of any court in such proceedings.
Go Abroad Study Programs is registered with the Information Commissioner as a data controller under the register held by the Information Commissioner pursuant to Section 19 of the UK Data Protection Act 1998.
Singapore PDPA (PDPA)
Personal Data is defined in the PDPA as “data, whether true or not, about an individual who can be identified a) from that data; or b) from that data and other information to which the organisation has or is likely to have access.”
EU General Data Protection Regulation (EU) 2016/679 (GDPR)
The regulation applies if the data controller (the organization that collects data from EU residents), the processor (an organization that processes data on behalf of the data controller, e.g. cloud service providers) or the data subject (person) is based in the EU.
The regulation also applies to organizations based outside the European Union if they collect or process personal data of EU residents.
According to the European Commission, Personal Data is: “any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a home address, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address.”
Personal Data
Go Abroad Study Programs defines Personal Data as the broader of the definitions contained in the PDPA, DPA, and GDPR.
Go Abroad Study Programs defines Sensitive Personal Data as the broader of the definitions contained in the PDPA, DPA, and GDPR.
Any use of sensitive Personal Data is to be strictly controlled in accordance with this policy.
While some data will always relate to an individual, other data may not, on its own, relate to an individual. Such data would not constitute Personal Data unless it is associated with, or made to relate to, a particular individual.
For the purposes of the Singaporean PDPA, Go Abroad Study Programs is a Data Intermediary. From the Act:
“data intermediary” is an organisation which processes Personal Data on behalf of another organisation but does not include an employee of that other organisation.
Generic information that does not relate to a particular individual may also form part of an individual’s Personal Data when combined with Personal Data or other information to enable an individual to be identified.
Aggregated data is not Personal Data.
Go Abroad Study Programs gathers Personal Data for two purposes: for student enrollment, and for internal operations.
Personal Data for student enrollment relates to identifiable individual users and may include:
- user profile information such as Full name, Photograph, Address, Date of Birth, Mobile telephone number, and Personal email address;
- travel-related data such as passport number, ID number and flight ticket data
- study-related data such as enrolment documents and reference letters
Personal Data we gather for internal operational purposes relates to identifiable individuals such as job applicants, current and former employees, contract and other staff, clients, suppliers, and marketing contacts, and the data gathered may include individuals' contact details, educational background, financial and pay details, details of certificates and diplomas, education and skills, marital status, nationality, job title, and CV.
Principles
Go Abroad Study Programs collects and processes Personal Data in compliance with the following data protection principles:
Consent - The user (data subject) must give their explicit, active consent to the collection and processing of their Personal Data. This consent can be revoked at any time.
Notification - Go Abroad Study Programs notifies all users about the intended purpose of any collected data prior to collection.
Purpose Limitation - Personal Data can be used only for the purposes explained to the user, and for which they have explicitly given consent. The data collected must be necessary for the performance of the purpose, and not excessive with respect to the purposes for which it was collected.
Right to Access and Correction - Users should be able to access their personal, wearable, and messaging data, and to correct said data where applicable.
Accuracy - Go Abroad Study Programs should take all reasonable steps to ensure users’ data is accurate and up to date.
Protection - Go Abroad Study Programs should take all reasonable steps to ensure user data is secured and protected against unauthorised or unlawful processing, accidental loss, destruction, or damage.
Retention Limitation - Go Abroad Study Programs should not keep personal user data for any longer than necessary to fulfil the purposes for which the user gave their consent.
Openness - Go Abroad Study Programs publicly publishes our Data Protection Policy and the direct contact details of our Data Protection Officer.
Data Portability - Upon request, a user should have the right to receive a copy of their data in a structured format. These requests should be processed within one month, provided there is no undue burden and it does not compromise the privacy of other individuals.
Right to be Forgotten - A data subject may request that any information held on them is deleted or removed, and any third parties who process or use that data must also comply with the request. An erasure request can only be refused if an exemption applies.
Privacy by Design and Default - Privacy by Design is an approach to projects that promotes privacy and data protection compliance from the start. The DPO will be responsible for conducting Privacy Impact Assessments and ensuring that all IT projects commence with a privacy plan. When relevant, and when it does not have a negative impact on the data subject, privacy settings will be set to the most private by default.
Data Audit and Register - Go Abroad Study Programs will keep a register of annual data audits & their outcomes to manage and mitigate risks. The register will detail what data is held, where it is stored, how it is used, who is responsible and any further regulations or retention timescales that may be relevant.
Purposes
The purposes for which Personal Data may be used by us include:
- Providing a personalised study information and enrollment service to our users
- Research and Development of AI and chat technology in support of our information service
- Compliance with our legal, regulatory, and corporate governance obligations and good practice
- Gathering information as part of investigations by regulatory bodies or in connection with legal proceedings or requests
- Ensuring business policies are adhered to (such as policies covering email and internet use)
- Operational reasons, such as recording transactions, training and quality control, ensuring the confidentiality of commercially sensitive information, and security vetting
- Investigating complaints
- Checking references, ensuring safe working practices, monitoring and managing staff access to systems and facilities and staff absences, administration, and assessments
- Monitoring staff conduct & disciplinary matters
- Marketing our business
- Improving our services
- Risk modelling for our partners
Responsibilities
The Data Protection Officer’s responsibilities include:
- Overseeing the implementation of, and compliance with this Policy, working in conjunction with the relevant employees, managers and/or department heads, agents, contractors and other parties working on behalf of Go Abroad Study Programs;
- Keeping the board updated about data protection responsibilities, risks, and issues
- Reviewing all data protection procedures and policies on an annual basis
- Arranging data protection training and advice for all staff members and those included in this policy
- Answering data protection queries or complaints from users, clients, staff, board members, and other stakeholders
- Responding to individuals such as clients and employees who wish to know which data is being held on them by Go Abroad Study Programs
- Checking and approving with third parties that handle Go Abroad Study Programs’s data any contracts or agreements regarding data processing
The Engineering Manager’s responsibilities include:
- Ensuring all systems, services, software, and equipment meet acceptable security standards;
- Researching and reviewing third-party services Go Abroad Study Programs uses to store or process data (such as cloud computing services) on a regular basis; and
- Managing authentication and authorisation for engineering staff to access Go Abroad Study Programs’ infrastructure, including cloud services, databases, and application servers.
The Marketing Manager’s responsibilities include:
- Approving data protection statements attached to emails and other marketing copy; and
- Coordinating with the DPO to ensure all marketing initiatives adhere to data protection laws and Go Abroad Study Programs’s Data Protection Policy.
The Staff Manager is responsible for:
- Ensuring all Staff complete training in Go Abroad Study Programs’ policies and procedures, including the Data Protection Policy;
- Managing the authentication & authorisation of Go Abroad Study Programs’ staff.
Organisational measures
Go Abroad Study Programs shall ensure that the following measures are taken with respect to the collection, holding, and processing of personal data:
- All employees, agents, contractors, or other parties working on behalf of Go Abroad Study Programs are made fully aware of both their individual responsibilities and Go Abroad Study Programs’s responsibilities under this Policy, and shall be provided with a copy of this Policy;
- Only employees, agents, sub-contractors, or other parties working on behalf of Go Abroad Study Programs that need access to and use of personal data in order to carry out their assigned duties correctly shall have access to personal data held by Go Abroad Study Programs;
- All employees, agents, contractors, or other parties working on behalf of Go Abroad Study Programs handling personal data will be appropriately trained to do so;
- All employees, agents, contractors, or other parties working on behalf of Go Abroad Study Programs handling personal data will be appropriately supervised;
- Methods of collecting, holding and processing personal data shall be regularly evaluated and reviewed;
- The performance of those employees, agents, contractors, or other parties working on behalf of Go Abroad Study Programs handling personal data shall be regularly evaluated and reviewed;
- All employees, agents, contractors, or other parties working on behalf of Go Abroad Study Programs handling personal data will be bound to do so in accordance with the principles of this Policy by contract;
- All agents, contractors, or other parties working on behalf of Go Abroad Study Programs handling personal data must ensure that any and all of their employees who are involved in the processing of personal data are held to the same conditions as those relevant employees of Go Abroad Study Programs arising out of this Policy;
- Where any agent, contractor or other party working on behalf of Go Abroad Study Programs handling personal data fails in their obligations under this Policy that party shall indemnify and hold harmless Go Abroad Study Programs against any costs, liability, damages, loss, claims or proceedings which may arise out of that failure.
Our procedures
Consent - Go Abroad Study Programs ensures consent is given by making informed, explicit, active consent a requirement of the mobile app’s registration process, including a clear identification of what the relevant data is, why it is being processed, and to whom it will be disclosed.
Notification - Go Abroad Study Programs ensures Consent is informed by notifying users in plain language about the intended Purpose of any data prior to collection, and by requiring users to give their consent to that Purpose as part of the mobile app registration process.
Fair and lawful processing
We must process Personal Data fairly and lawfully in accordance with individuals’ rights. This generally means that we should not process Personal Data unless the individual whose details we are processing has consented to this happening.
The processing of all data must be:
- Necessary to deliver our services
- In our legitimate interests and not unduly prejudice the individual's privacy
In most cases this provision will apply to routine business data processing activities.
Purpose Limitation
Go Abroad Study Programs staff must not use Personal Data for any Purpose other than that consented to by the user. In the general case, this means that it must be for the purpose of study-related and enrollment services and/or supporting activities.
Go Abroad Study Programs staff should not access Personal Data except where required to do so in the course of their work.
Right to Access, Correction, and Accuracy
Users can use the Go Abroad Study Programs apps to access their personal, wearable, and messaging data, and to correct their profile data at any time.
Go Abroad Study Programs should take all reasonable steps to ensure users’ data is accurate and up to date.
Go Abroad Study Programs assumes that Personal Data collected directly from the user will be accurate and complete.
We will ensure that any Personal Data we process is accurate, adequate, relevant, and not excessive, given the purpose for which it was obtained. We will not process Personal Data obtained for one purpose for any unconnected purpose unless the individual concerned has agreed to this or would otherwise reasonably expect this.
Individuals may ask that we correct inaccurate Personal Data relating to them. If you believe that information is inaccurate you should record the fact that the accuracy of the information is disputed and inform the DPO.
Protection
Go Abroad Study Programs should take all reasonable steps to ensure user data is secured and protected against unauthorised or unlawful processing, accidental loss, destruction, or damage.
In cases when data is stored on printed paper, it should be kept in a secure place where unauthorised personnel cannot access it. Printed data should be shredded when it is no longer needed.
Sensitive Personal Data should never be saved directly to local devices such as workstations, laptops, or smartphones – it should be kept secured on remote storage provided by Go Abroad Study Programs’ selected cloud storage provider.
All digital services used by Go Abroad Study Programs should be protected on a per-user basis, by strong passwords, with role-based permissions.
We encourage all staff to use a password manager to create and store their passwords.
Personal Data should not be stored on local storage media such as CDs, DVDs, or memory sticks.
The DPO and Engineering Manager must approve any cloud service used to store data.
Data should be regularly backed up in line with Go Abroad Study Programs’s backup procedures.
All servers or services containing sensitive data must be protected by security software and firewalls.
All data should be transmitted over secure networks only. Transmission over unsecured networks is not permitted in any circumstances, including via email.
No personal data may be shared informally. If an employee, agent, sub-contractor, or other party working on behalf of Go Abroad Study Programs requires access to any personal data that they do not already have access to, such access should be formally requested from their relevant manager.
If Personal Data is being viewed on a computer screen and the computer in question is to be left unattended for any period of time, the user must lock the computer and screen before leaving it.
Under no circumstances should any personal passwords be written down or shared between any employees, agents, contractors, or other parties working on behalf of Go Abroad Study Programs, irrespective of seniority or department.
Retention Limitation
Go Abroad Study Programs should not keep personal user data for any longer than necessary to fulfil the purposes for which the user gave their consent.
Go Abroad Study Programs keeps personal user data for a maximum period of 12 months after the user’s most recent access, unless the user requests that their account be deleted.
Go Abroad Study Programs will (soft) delete the user’s account within 5 working days of confirmation of the request by the user.
Deleting a user account has the following effects:
- The user is immediately disconnected from our service
- User’s name is deleted from their profile
- User’s messaging history is anonymised by redacting the user’s name wherever it appears
- User’s email address & mobile phone number are deleted
- User account is soft deleted
- Messaging history is retained
Openness
Go Abroad Study Programs publicly publishes our Data Protection Policy and the direct contact details of our Data Protection Officer.
Data Portability - Upon request, a user should have the right to receive a copy of their data in a structured format. These requests should be processed within one month, provided there is no undue burden and it does not compromise the privacy of other individuals.
Go Abroad Study Programs achieves this by enabling the user to instantly download a copy of their data.
Right to be Forgotten / Erasure - A user may request that any information held on them is deleted, and any third parties who process or use that data must also comply with the request. An erasure request can only be refused if an exemption applies.
Go Abroad Study Programs allows users to request that their account be deleted by direct email to the DPO.
Privacy by Design and Default - Privacy by Design is an approach to projects that promotes privacy and data protection compliance from the start. The DPO will be responsible for conducting Privacy Impact Assessments and ensuring that all IT projects commence with a privacy plan.
When relevant, and when it does not have a negative impact on the data subject, privacy settings will be set to the most private by default.
Transferring Data Internationally
No data may be transferred outside of the Go Abroad Study Programs data centres without prior approval from the DPO.
Specific consent from the user must be obtained prior to transferring their data outside their source region.
You must not transfer Personal Data to another geographic region unless 1) Go Abroad Study Programs can ensure an adequate level of protection of the rights and freedoms of users in relation to the processing of their Personal Data within the destination region, and 2) you have been given permission to do so by the DPO.
Data Audit and Register
The DPO will conduct regular data audits to manage and mitigate risks, and record the data held by Go Abroad Study Programs in a Data Register.
The Data Register contains information on what data is held, where it is stored, how it is used, who is responsible and any further regulations or retention timescales that may be relevant.
User Access Requests
Individuals are entitled, subject to certain exceptions, to request access to information held about them.
If you receive a subject access request, you should refer that request immediately to the DPO. We may ask you to help us comply with those requests.
Please contact the Data Protection Officer if you would like to correct or request information that we hold about you. There are also restrictions on the information to which you are entitled under applicable law.
Processing data in accordance with the individual's rights
Do not send direct marketing material to someone electronically (e.g. via email) unless you have an existing business relationship with them in relation to the services being marketed.
Please contact the DPO for advice on direct marketing before starting any new direct marketing activity.
PDPA & GDPR Provisions for users
Privacy Notice - Transparency of Data Protection
Being transparent and providing accessible information to individuals about how we will use their Personal Data is important for our organisation.
The following are details on how we collect data and what we will do with it:
What information is being collected?
- Go Abroad Study Programs collects Personal Data about users including, but not limited to:
- Full name
- Photograph
- Mobile telephone number
- Personal email address
- Travel-related information such as passport number and ID number
- Study-related data such as enrollment documents, certificates and recommendation letters
How is it collected?
- Go Abroad Study Programs collects data using the Go Abroad Study Programs websites and apps.
- Go Abroad Study Programs specifically asks the individual for permission to collect their data for the purpose of study and enrolment related services & obtains the user’s consent as part of the registration process. Users cannot access the Go Abroad Study Programs service if they withhold their consent.
- Go Abroad Study Programs also requires explicit consent to collect Personal Data for any additional purposes required by our clients.
- Go Abroad Study Programs only collects data from third parties once the user has provided their permission. (User permission is explicitly required to enable the retrieval of any data from third parties.)
- All of Go Abroad Study Programs’ third-party wearable providers explicitly ask the user’s consent before collecting their data.
Why is it being collected?
- Go Abroad Study Programs collects Personal Data for the purpose of providing study and enrollment related services.
- If Go Abroad Study Programs’ clients intend to use Personal Data for any purpose other than for study and enrollment related service, then Go Abroad Study Programs will explicitly request permission from the user to collect, store, and process their data for that purpose.
- Go Abroad Study Programs requires its clients to disclose any and all ways they use the Personal Data collected by Go Abroad Study Programs.
How will it be used?
- The data is used by Go Abroad Study Programs strictly to provide study and enrolment related services, and all supporting activities necessary to provide and improve that service.
- Personal Data is accessible only to authenticated and authorized Go Abroad Study Programs administrative, managerial, content, research, technical, engineering, compliance, support, and coaching staff for the purposes of:
- Providing study and enrollment services
- Monitoring and improving the quality of services
- Monitoring and improving the in-app experience and user engagement
- Research & Development of Artificial Intelligence agents to provide study and enrolment related services
- Administering the technology platform and sub-systems
- Personal Data is accessed by Go Abroad Study Programs staff only where necessary to perform the tasks of their job (e.g. Coaches and Researchers do not have access to the users’ email addresses or mobile numbers).
- All user data is stored remotely in databases secured & hosted in data centres.
- Go Abroad Study Programs users do not extract, copy, or use local copies of user data unless it has been anonymised or aggregated.
- Database access by Go Abroad Study Programs staff is authorized on an IP-whitelisted, per-user basis according to the requirements of their job, and authenticated using strong passwords.
- Go Abroad Study Programs does not print or save to local storage any Personal Data.
- Go Abroad Study Programs does not transfer Personal Data to any third parties excepting our clients on whose behalf we are the data intermediary.
- Go Abroad Study Programs transmits Personal Data only:
- Between servers on our platform,
- To and from a user’s authenticated installation of the Go Abroad Study Programs apps, and
- To our clients, on whose behalf we are the data intermediary.
The Personal Data is disclosed to the following:
- Go Abroad Study Programs AI agents
- to generate suggested responses to user messages
- Go Abroad Study Programs coaching staff
- to provide QA over AI responses, and to respond to user requests where the AI cannot
- Go Abroad Study Programs research and service staff
- to improve the study and enrollment service
- Go Abroad Study Programs management staff (for QA & service management)
- to ensure the service conversations meet the standard of quality required by Go Abroad Study Programs
- Our client, on whose behalf Go Abroad Study Programs is acting as a data intermediary
- for their own purposes, as negotiated on a per-contract basis.
- Go Abroad Study Programs requires its clients to handle any Personal Data (transferred to them via Go Abroad Study Programs) to the standard required by PDPA.
- Go Abroad Study Programs does not provide Personal Data to third parties excepting the clients on whose behalf we are the intermediary.
How can it be accessed or corrected?
- Users can access and update their own Personal Data using the Go Abroad Study Programs apps or websites.
- Go Abroad Study Programs assumes that Personal Data collected directly from the user will be accurate and complete.
(As per Guidelines for Life Insurers c.43.)
How can Consent be Withdrawn?
- The Go Abroad Study Programs app provides a single step process for users to retrieve data from third party providers.
- Users can use the Go Abroad Study Programs apps to submit a request for their account to be deleted (via chat with the service staff).
Details of transfers to third countries and safeguards
- Go Abroad Study Programs stores data on hosting platforms in data centres in Europe.
- Go Abroad Study Programs keeps all data secured in accordance with the standards required by relevant UK, EU, and Singaporean legislation.
- Go Abroad Study Programs keeps all data encrypted both in transmission and at rest.
Identity and contact details of any data controllers?
- Go Abroad Study Programs’ designated Data Protection Officer is: dpo@goabroadstudyprograms.com
Retention periods
- Go Abroad Study Programs keeps personal user data for a maximum period of 12 months after the user’s most recent access of the app, unless the user requests that their account be deleted.
- Go Abroad Study Programs will delete the user’s account within 5 working days of confirmation of the request by the user.
- Deleting a user account has the following effects:
- The user’s wearables (if any) are immediately disconnected from our service
- User’s name is deleted from their profile
- User’s messaging history is anonymised by redacting the user’s name wherever it appears
- User’s email address & mobile phone number are deleted
- User account is soft deleted
- Wearable data is retained to train our AI
- Messaging history is retained to train our AI
Conditions for processing
- We will ensure any use of Personal Data is justified using at least one of the conditions for processing and this will be specifically documented. All staff who are responsible for processing Personal Data will be aware of the conditions for processing. The conditions for processing will be available to data subjects in the form of a privacy notice.
Reporting breaches
All members of staff have an obligation to report actual or potential data protection compliance failures. This allows us to:
- Investigate the failure and take remedial steps if necessary
- Maintain a register of compliance failures
- Notify the Supervisory Authority of any compliance failures that are material either in their own right or as part of a pattern of failures
- Under the GDPR, the DPO is legally obliged to notify the Supervisory Authority within 72 hours of the data breach (Article 33). Individuals have to be notified if adverse impact is determined (Article 34). In addition, Go Abroad Study Programs must notify any affected clients without undue delay after becoming aware of a personal data breach (Article 33).
- However, Go Abroad Study Programs does not have to notify the data subjects if anonymized data is breached. Specifically, the notice to data subjects is not required if the data controller has implemented pseudonymisation techniques like encryption along with adequate technical and organizational protection measures to the personal data affected by the data breach (Article 34).
Monitoring
Everyone must observe this policy.
- The DPO has overall responsibility for this policy.
- The DPO will monitor this policy regularly to make sure it is being adhered to.
Data protection complaints
Data Protection Complaints can be received via:
- Go Abroad Study Programs website
- Email or Phone Call to Data Protection Officer
The Complaint Process is:
- Within 1 working day: DPO will respond to the complaint to notify the complainant that the complaint is being investigated
- DPO to conduct investigation, escalating to client / board as required
- DPO to investigate & resolve complaints within 5 working days where possible
- DPO to regularly update complainant at least weekly on progress of investigation & expected time to resolution
- Upon completion of investigation, DPO to provide written report to complainant containing the investigation findings and steps to resolution
- DPO to carry out steps to resolution
- DPO to confirm with user that complaint has been satisfactorily resolved
Consequences of failing to comply
We take compliance with this policy very seriously. Failure to comply puts both you and the organisation at risk.
The importance of this policy means that failure to comply with any requirement may lead to disciplinary action under our procedures which may result in dismissal.