This policy applies to personal data of individuals who have a relationship with the Foundation, currently or in the future. It encompasses personal data processed by the Foundation, its officers, contractual employees, divisions, working groups, teams or other forms as operated by the Foundation, and includes third parties who process personal data on behalf of the Foundation (hereinafter “personal data processor”) under the operations supervised by the Foundation.
Individuals who have a relationship with the Foundation in accordance with the provisions of the first paragraph, include
1) Information providers for research projects.
2) Academic service recipients in the field of research data analysis, training, seminars, academic conferences or other academic events organized by the Foundation.
3) Officers or operators and civil servants of the Office of International Health Policy Program.
4) Contracting parties who are regular persons.
5) Directors, attorneys, representatives, employees, or other persons who are related in the same manner as the juristic person in relationship with the Foundation.
6) Users of the Foundation's information.
7) Visitors or users of the websites www.ihppthaigov.net and www.ihppf.ihpp.thaigov.net, including systems, applications, devices or other communication channels that are supervised by the Foundation.
8) Other persons at the Foundation who collect personal information through job applicants, family of authorities, guarantors, insurance policy beneficiaries, etc.
Articles 1) to 8) are collectively referred to as “You”.
In addition to this policy, the Foundation may issue a privacy notice (“Notice”) as required for the Foundation's operations to inform the subject of the personal data being processed, purpose and legal grounds for processing of data, period of retention of personal data, and personal data rights that the subject should have to carry out any specific tasks.
In the event of a conflict between the terms of this policy and the notice, the notice for that specific operation will take precedence.
Foundation means International Health Policy Program Foundation
Personal Data means information about a natural person that could be used for their identification, directly or indirectly, but does not include information about deceased person(s)
Sensitive Personal Data means personal data as provided for in Section 26 of the Personal Data Protection Act B.E. 2562 (AD 2019), including ethnicity, race, political affiliations, religion, cult, or philosophy, sexual behaviors and preferences, criminal records, health information, disability status, trade union information, genetic data, biological data, or any other information which affects the data subject in a similar manner as specified in the notification of the Personal Data Protection Committee.
Processing of personal data means any processing of personal data such as collecting, recording, copying, organizing, retaining, updating, changing, using, recovering, disclosing, forwarding, disseminating, transferring, merging, deleting, destroying, etc.
Data subject means the owner of the personal data being collected, used, or disclosed by the Foundation.
Data controller means a person or a legal entity who has the authority to make decisions about the collection, use or disclosure of personal data.
Data processor means a person or juristic person who collects, uses, or discloses personal data on the order of or on behalf of the data controller.
The Foundation collects or obtains various types of personal data from the following sources:
1) Personal data at the Foundation collected directly from the data subject through various operational channels, such as research, surveys, registration for training workshops or seminars, job applications, signing of contracts or documents, etc.
2) Data at the Foundation collected from the data subjects accessing the Foundation website(s), such as through tracking user behavior on the website using cookies, etc.
3) Data at the Foundation collected from sources other than the data owner, provided that the sources have the authority, legitimate grounds, or consent from the data owner to disclose data to the Foundation, such as, obtaining personal data from entities for use in data analysis for the development of measures or policies, including instances where you are the provider of data for a third party, it is your responsibility to notify the data subject in accordance to this policy and obtain consent from them in cases where consent is required in order to disclose data to the Foundation.
If the data subject refuses to provide data that is necessary for the operation, contract, or other services, it may result in the Foundation being unable to perform operations, contracts or provide other services to the data subject in whole or in part.
The Foundation considers establishing a legal basis for collecting your personal data as appropriate and in conjunction with the services provided. The legal basis for collecting personal data that is used by the Foundation include:
For public interest, relating to research or statistics in which suitable measures to safeguard the data subject's rights and freedoms are put in place. For the foundation to be able to operate in public interest according to its mission, namely, conducting research on health policy and systems research for the development of Thai health systems.
For compliance with laws to which the Data Controller is subjected. For the Foundation to be able to comply with relevant laws such as collecting computer traffic data under the Computer Crimes Act B.E. 2560 (AD 2017) or the law on taxation, etc.
For legitimate interests of the Data Controller. For the legitimate interests of the Foundation and of other person(s), of which the interests are no less important than the fundamental rights of data subjects, such as for the security of premises, or the processing of personal data for internal affairs of the Foundation, etc.
For preventing or suppressing danger or harm to a person’s life, body, or health. For preventing or suppressing danger or harm to a person’s life, body, or health.
For the performance of a contract. For the Foundation to be able to perform duties under the contract or take actions that are necessary to enter into a contract with which you are a party with the Foundation, such as employment, outsourcing, memorandum of cooperation or other forms of contract, etc.
For the preparation of historical documents, research or important statistics. For the Foundation to prepare or support the preparation of historical documents, research or statistics assigned to the Foundation, such as preparing the Director's office or the Board of Directors, etc.
To obtain consent from the data subject. For collection, use or disclosure of personal data in the event that the Foundation requires your consent. The purpose of collecting, using or disclosing personal data has been notified prior to requesting consent, such as collecting sensitive personal data for purposes that do not comply with the exemptions of Article 24 or 26 of the PDPA 2019, etc.
In the event that the foundation deems it necessary to collect your personal data for the performance of the contract, entering into a contract, or performance of duties under the law, refusal to provide personal data or objecting to data processing may result in the foundation inability to perform all or part of your requested service.
The Foundation may collect or obtain the following data and may include your personal data. The types of data listed below are just the Foundation's general personal data collection framework
Specific personal data. Information from official documents that identifies you personally, such as your first name, last name, middle name, nickname, signature, identification card number, nationality, driver's license number, passport number, house registration information, occupational license number, insurance identification number, social security number, etc.
Characteristic data of a person. Detailed information about you such as date of birth, gender, height, weight, age, marital status, military enlistment status, photographs, spoken language, behavioral data, preferences, etc.
Contact information. Contact information such as your home phone number, mobile phone number, fax number, e-mail address, home mailing address, username in social networks (e.g. Line ID), etc.
Data about work and education. Employment and educational background such as type of employment, occupation, rank, position, responsibilities, expertise, work permit status, reference information, tax identification number, tenure history, work history, salary information, start and leave date, assessment results, benefits, items in the possession of the worker, nature of work, bank account number(s), educational institutions, educational qualifications, educational results, graduation date, etc.
Data on insurance policies. Details about work insurance policies such as the insurer, assured beneficiaries, policy number, policy type, protection limit, claims, etc.
Data on social relationships. Information about your social relationships, such as political status, political affiliations and offices, directorship, relationship with the Foundation's practitioners, information on being a contractor with the Foundation, being a stakeholder in business with the Foundation, etc.
Data on website usage. Details about the use of the websites www.ihppthaigov.net and www.ihppf.ihpp.thaigov.net such as user account name, password, computer traffic information, geolocation, usage behavior data, browsing history data, cookies or similar technologies, etc.
Sensitive personal data. Your sensitive personal data such as race, religion, disability information, biometrics data (face photo data), health information, etc.
In case the Foundation needs to obtain data that requires consent for personal data collection of a minor, incompetent or quasi-incompetent person, the Foundation will not collect such personal information until obtaining consent from a parent or guardian authorized to act on behalf of the minor, incompetent or quasi-incompetent person, in accordance with the conditions prescribed by law.
In case the Foundation case unknowingly collected data of a minor, incompetent or quasi-incompetent person and finds out later that personal data was collected without obtaining the necessary consent, the Foundation will proceed to delete and destroy that personal data as soon as possible as there are no legitimate grounds other than consent for collection, use or disclosing of such information.
The Foundation collects your personal information for the following objectives as a general framework for the Foundation's use of personal data. Only the purposes for which your data is related or associated with will apply.
1) For public interest or relating to research studies or statistics with appropriate safeguards in accordance with the mission of the Foundation.
2) To provide services and manage the services of the Foundation, both services under contract or according to the mission of the Foundation.
3) For Foundation transactions.
4) To supervise, operate, monitor, examine and manage to facilitate and comply with your needs.
5) To maintain and update information about you, including documents referring to you.
6) To record the processing of personal data as required by law.
7) To analyze data including to solve problems related to the services of the Foundation.
8) To carry out the necessary actions for the internal management of the Foundation including job applications, nomination of directors or persons holding various positions, and assessment of qualifications.
9) To prevent, detect, avoid and examine fraud and security breaches or prohibited or illegal actions that may cause damage to the entire Foundation and data subject.
10) For identity and information verification when you contact the Foundation or use legal rights.
11) To improve or change service quality to be up-to-date.
12) For risk assessment and management.
13) To send notifications, order confirmations, and communicate with you.
14) To prepare and deliver relevant and necessary documents or information.
15) To verify your identity and prevent spam and unauthorized or illegal actions.
16) To take necessary actions to perform the duties that the Foundation has towards tax authorities, law enforcement or other legal obligations of the Foundation.
17) To take necessary actions for the legitimate interests of the Foundation or of another person or legal entities related to the operations of the Foundation.
18) To prevent or stop harm to life, body or health of persons including epidemic surveillance.
19) To prepare historical documents for public interest or researching or producing statistics that the Foundation has been entrusted with.
20) For compliance with applicable laws, notices, ordinances or proceedings relating to litigation, processing information under subpoenas including the exercise of rights relating to your information.
Subject to the purposes set out in Article 9 above, the Foundation may disclose your personal data to the following persons in general and is disclosure is only in effect for persons related to the operations of the Foundation.
Government agency or authority at the Foundation to whom data must be disclosed for legal or other important purposes (such as operating in public interest). Law enforcement agencies or entities that have the power to control and supervise or have other important objectives such as the Department of Provincial Administration, Social Security Office, Department of Labor Protection and Welfare, Revenue Department, Police Office, Court, Public Prosecutor's Office, Department of Disease Control, Ministry of Digital Economy and Society, Office of the Permanent Secretary, Office of the Prime Minister, Department of Consular Affairs, Student Loan Fund, etc.
Various committees involved in the legal proceedings of the Foundation. The Foundation may disclose your data to individuals holding committee positions in various faculties, such as the Nomination Subcommittee, Committee of the Foundation, etc.
Parties involved in the welfare of Foundation employees. Third-party entities involved in welfare operations such as insurance companies, hospitals, payroll providers, banks, telephone operators, etc.
Service providers. The Foundation may assign third parties to be service providers on its behalf or support the actions of the Foundation, such as storage providers (e.g. cloud, document warehouses), system developers, software , applications, and websites developers, couriers, payment service providers, internet service providers, telephone operators, Digital ID service providers, social media service providers, risk management service providers, external consultants, transport service providers, etc.
Other persons receiving your data. The Foundation may disclose your data to other recipients such as Foundation contacts, family members, other non-profit foundations, temples, hospitals, educational institutions, or other agencies, etc., for the Foundation's operations such as training, receiving awards, making merit, donating, etc.
In some cases the Foundation may deem it necessary to send or transfer your personal data to foreign countries in order to perform operations you are involved in, for example, to send personal data to the cloud with a platform or server located abroad (e.g. Singapore or the United States, etc.) to support information technology systems located outside Thailand, depending on the needs of the Foundation.
However, while drafting this policy the Personal Data Protection Committee has not yet announced a list of recipient countries with adequate personal data protection standards. As such, when the Foundation needs to transfer your personal data to a recipient country, the Foundation will take steps to ensure that the personal data is transferred under adequate personal data protection measures in accordance with international standards or take action in accordance with the law, including:
1) It is in compliance with the law that the Foundation must send or transfer personal information abroad.
2) Notifying you and obtaining your consent in the event that the recipient country has inadequate standards for personal data protection in accordance with the list of countries to be announced by the Personal Data Protection Committee.
3) For necessity in fulfilling the contract that you have with the Foundation or as per your request before entering said contract.
4) To act in accordance with contracts that the Foundation has with other persons or juristic entities for your benefit.
5) To prevent or suppress danger to your life, body, or health or that of another person when you are unable to give consent at that time.
6) When it is necessary to carry out missions for public interest.
The Foundation will retain your personal data only for as long as it is necessary for the purpose for which it was collected. as detailed in the policy announcements or in accordance with relevant laws. However, after the expiration of the retention period and your personal data is no longer necessary for said purpose, the Foundation will delete and destroy your personal data or make your personal data unidentifiable in accordance with the forms and standards for the destruction of personal data that the committee or law will announce or in accordance with international standards. In exercising rights or litigation in connection with your personal data, the Foundation reserves the right to retain that information until the dispute receives a final order or judgment.
The Foundation may assign or procure third parties (data processors) to process personal data on behalf of the Foundation. Such third parties may offer services in various ways, such as hosting, outsourcing, or cloud computing or other outsourceable jobs.
When assigning a third party to process data, the Foundation will provide an agreement specifying the rights and obligations of the Foundation as the data controller and the third party entrusted as a data processor. This includes defining in detail the types of personal data the Foundation provides for processing, purpose, scope of processing and other related agreements. The data processor is obliged to process personal data to the extent specified in the agreement and order of the Foundation and not for any other purpose.
In the event that a data processor is assigned a sub-processor, the Foundation will require the data processor to provide a documentary agreement between the data processor and the sub-processor in the same form and standard of agreement between the Foundation and the data processor.
Measures to protect personal data include limiting the right of access to personal data to be accessible only by specific officers or authorized or designated persons who have the need to use such data for the purposes for which the data subject has been notified. Such persons must adhere to and comply with the Foundation's personal data protection measures strictly and have a duty to maintain the confidentiality of personal data they have obtained for the performance of their duties. The Foundation has measures to secure data, both organizational and technical, according to international standards announcements of the personal data protection committee.
In addition, when the Foundation sends, transfers or discloses personal data to third parties whether for the provision of mission-based services, contractual, or other forms of agreement, the Foundation will determine personal data security and confidentiality measures that are appropriate and required by law to ensure that the personal data collected by the Foundation is always secure.
The Foundation has appointed a Personal Data Protection Officer to perform audits, supervise and advise on the collection, use or disclosure of personal data, including coordinating and cooperating with the Office of the Personal Data Protection Commission In order to comply with the PDPA AD 2019 and your rights under the PDPA AD 2019.
The PDPA AD 2019 provides several rights for data subjects. These rights will come into effect when the law is enforced. The details of various rights are as follows:
1) Right to request access to personal data You have the right to request access, receive a copy and request to disclose the origin of personal data collected by the Foundation without your consent unless the Foundation has the right to refuse your request on legal grounds, court order or if the exercise of your rights may cause damage to the rights and freedoms of others.
2) Right to request correction of personal data to be correct complete and current if you find that your personal information is inaccurate, incomplete or not up to date, you have the right to request amendments to make them accurate, current, complete and not misleading.
3) Right to delete or destroy personal data You have the right to ask the Foundation delete or destroy your personal data or make your personal data non-identifiable to the data subject. However, the exercise of the right to delete or destroy this personal data must be under the conditions prescribed by law.
4) The right to request the suspension of the use of personal data You have the right to request the suspension of the use of your personal data in the following cases.
a) During the time that the Foundation is verifying personal data to be correct, complete, and up to date at the request of the data subject.
b) The personal data of the data subject is being used or disclosed unlawfully.
c) When the personal data of the data subject no longer needs to be retained for the purposes for which the Foundation notified the data subject during collection, but the data subject may wish for the Foundation to keep that data for exercising legal rights.
d) When the Foundation is in the process of proving legitimate grounds for personal data collection or investigating the need for collecting, using, or disclosing personal data for public interest as a result of the data subject exercising their right to suspend the collection, use, or disclosure of their data.
5) Right to object to the processing of personal data You have the right to object to the collection, use or disclosure of your personal data unless the Foundation has a legitimate reason (for example, the Foundation can demonstrate that the collection, use, or disclosure of your personal data is more legitimate or for the establishment of legal claims, compliance, or exercise of legal claims, or for the public interest of the Foundation)
6) Right to withdraw consent In the event that you have given consent to the Foundation to collect, use or disclose personal data (whether that consent was given before or after the PDPA AD 2019), you have the right to withdraw consent at any point that your personal data is with the Foundation, unless there are legal constrains that make it necessary to keep the data or there is still a contract between you and the Foundation that benefits you
7) Right to claim, send or transfer personal data You have the right to obtain your personal information from the Foundation. in a form that is readable or generally usable with a tool or device that works automatically and that personal data can be used or disclosed by automated means; including requesting the Foundation to send or transfer data in such form to another data controller subject to the conditions prescribed by law.
Failure to comply with the policy may result in an offense and disciplinary action in accordance with the Foundation's rules (for staff or employees of the Foundation) or the Personal Data Processing Agreement (for data processors). However, depending on the case and the relationship you have with the Foundation, you may be subject to penalties as stipulated by the PDPA AD 2019, including secondary laws, rules, regulations and relevant orders.
In case you find that the Foundation failed to comply with personal data protection laws, you have the right to complain to the Personal Data Protection Committee. or a supervisory authority appointed by the Personal Data Protection Committee or by law. Before making a complaint, the Foundation requests that you contact the Foundation so the Foundation has an opportunity get to know the facts and clarify various issues and address your concerns at first instance.
The Foundation may consider improving, amending, or changing this policy at its discretion and will notify you through the website www.ihppthaigov.net. The effective date of each revised version will be indicated. However, the Foundation encourages you to check the applications or specific channels regularly for activities carried out by the Foundation, especially before you disclose personal data to the Foundation.
Access to the services of the Foundation after the enforcement of the new policy will constitute your acknowledgment of the terms of the new policy. Stop accessing the services immediately if you do not agree with the details in the policy and contact the Foundation for further clarification.
If you have any questions, suggestions or concerns about the Foundation's collection, use and disclosure of personal data or about this policy or you want to exercise your rights under the personal data protection laws, you can inquire at
1) Data controller
Name: International Health Policy Program Foundation
Contact address: 88/20 Satharanasuk 6 Alley, Tambon Bang Khen, Mueang Nonthaburi District, Nonthaburi 11000
2) Data protection officer (DPO)
Name: Mr. Putthipanya Rueangsom
Contact address: 88/20 Satharanasuk 6 Alley, Tambon Bang Khen, Mueang Nonthaburi District, Nonthaburi 11000