Privacy policy

International Health Policy Program Foundation
1. Introduction

International Health Policy Program Foundation (hereinafter “the Foundation”) recognizes the importance of your personal information and any other information relating to you (collectively referred to as “information”). To instill your confidence in the Foundation’s transparency and responsibility in the information collected, we use or disclose your information in accordance with the Personal Data Protection Act B.E. 2562 (AD 2019), Thailand (PDPA 2019) and other relevant laws (hereinafter collectively referred to as “privacy laws”). The privacy policy (hereinafter “Policy”) has been developed to inform you of the details of collection and use or disclosure (collectively referred to as “process”) of your personal information by the Foundation, including the responsible individuals and related persons acting on behalf of the Foundation. Details are as follows.

2. Scope of Policy Enforcement

This policy applies to personal data of individuals who have a relationship with the Foundation, currently or in the future. It encompasses personal data processed by the Foundation, its staffs, contractual employees, divisions, working groups, teams or other forms as operated by the Foundation, and includes third parties who process personal data on behalf of the Foundation (hereinafter “personal data processor”) under the operations supervised by the Foundation.

Individuals who have a relationship with the Foundation in accordance with the provisions of the first paragraph, include

  1. Information providers for research projects
  2. Academic service recipients in the field of research data analysis, trainings, seminars, academic conferences or other academic events organized by the Foundation
  3. Officers or operators and civil servants of the Office of International Health Policy Program
  4. Contracting parties who are regular persons
  5. Authorized persons, representatives, employees, or other persons who are related in the same manner as the legal entity in relationship with the Foundation.
  6. Users of the Foundation's information
  7. Visitors or users of the websites www.ihppthaigov.net and www.ihppf.ihpp.thaigov.net, including systems, applications, devices or other communication channels that are supervised by the Foundation.
  8. Other persons at the Foundation who collect personal information through job applicants, family of authorities, guarantors, insurance policy beneficiaries, etc.

Articles 1) to 8) are collectively referred to as “You”.
In addition to this policy, the Foundation may issue a privacy notice (“Notice”) as required for the Foundation's operations to inform the subject of the personal data being processed, purpose and legal grounds for processing of data, period of retention of personal data, and personal data rights that the subject should have to carry out any specific tasks. In the event of a conflict between the terms of this policy and the notice, the notice for that specific operation will take precedence.

3. Definitions
  • Foundation means International Health Policy Program Foundation
  • Personal Data means information about a regular person that could be used for their identification, directly or indirectly, but does not include information about deceased person(s)
  • Sensitive Personal Data means personal data as provided for in Section 26 of the PDPA 2019, including ethnicity, race, political affiliations, religion, cult, or philosophy, sexual behaviors and preferences, criminal records, health information, disability status, trade union information, genetic data, biological data, or any other information which affects the data subject in a similar manner as specified in the notification of the Personal Data Protection Committee.
  • Processing of personal data means any processing of personal data such as collecting, recording, copying, organizing, retaining, updating, changing, using, recovering, disclosing, forwarding, disseminating, transferring, merging, deleting, destroying, etc.
  • Data subject means the owner of the personal data being collected, used, or disclosed by the Foundation
  • Data controller means a person or a legal entity who has the authority to make decisions about the collection, use or disclosure of personal data
  • Data processor means a person or juristic person who collects, uses, or discloses personal data on the order of or on behalf of the data controller
4. Sources of personal data collected by the Foundation

The Foundation collects or obtains various types of personal data from the following sources:

  1. Personal data at the Foundation collected directly from the data subject through various operational channels, such as research, surveys, registration for training workshops or seminars, job applications, signing of contracts or documents, etc.
  2. Data at the Foundation collected from the data subjects accessing the Foundation website(s), such as through tracking user behavior on the website using cookies, etc.
  3. Data at the Foundation collected from sources other than the data owner, provided that the sources have the authority, legitimate grounds, or consent from the data owner to disclose data to the Foundation, such as, obtaining personal data from entities for use in data analysis for the development of measures or policies, including instances where you are the provider of data for a third party, it is your responsibility to notify the data subject in accordance to this policy and obtain consent from them in cases where consent is required in order to disclose data to the Foundation.

If the data subject refuses to provide data that is necessary for the operation, contract, or other services, it may result in the Foundation being unable to perform operations, contracts or provide other services to the data subject in whole or in part.

5. Legal basis for obtaining personal data

The Foundation considers establishing a legal basis for collecting your personal data as appropriate and in conjunction with the services provided. The legal basis for collecting personal data that is used by the Foundation include:

Legal basis for data collection (according to Section 24 of the PDPA 2019) Details
For public interest, relating to research or statistics in which suitable measures to safeguard the data subject’s rights and freedoms are put in place For the foundation to be able to operate in public interest according to its mission, namely, conducting research on health policy and systems research for the development of Thai health systems
For compliance with laws to which the Data Controller is subjected For the Foundation to be able to comply with relevant laws such as collecting computer traffic data under the Computer Crimes Act B.E. 2560 (AD 2017), Thailand or the law on taxation, etc.
For legitimate interests of the Data Controller For the legitimate interests of the Foundation and of other person(s), of which the interests are no less important than the fundamental rights of data subjects, such as for the security of premises, or the processing of personal data for internal affairs of the Foundation, etc.
For preventing or suppressing danger or harm to a person’s life, body, or health For preventing or suppressing danger or harm to a person’s life, body, or health
For the performance of a contract For the Foundation to be able to perform duties under the contract or take actions that are necessary to enter into a contract with which you are a party with the Foundation, such as employment, outsourcing, memorandum of cooperation or other forms of contract, etc.
For the preparation of historical documents, research or important statistics For the Foundation to prepare or support the preparation of historical documents, research or statistics assigned to the Foundation, such as list of the Directors or the Board members, etc.
To obtain consent from the data subject For collection, use or disclosure of personal data in the event that the Foundation requires your consent. The purpose of collecting, using or disclosing personal data has been notified prior to requesting consent, such as collecting sensitive personal data for purposes that do not comply with the exemptions of Article 24 or 26 of the PDPA 2019, etc.

In the event that the foundation deems it necessary to collect your personal data for the performance of the contract, entering into a contract, or performance of duties under the law, refusal to provide personal data or objecting to data processing may result in the foundation inability to perform all or part of your requested service.

6. Types of personal data collected by the Foundation

The Foundation may collect or obtain the following data and may include your personal data. The types of data listed below are just the Foundation's general personal data collection framework

Type of personal data Detail(s) and example(s)
Specific personal data Information from official documents that identifies you personally, such as your first name, last name, middle name, nickname, signature, identification card number, nationality, driver's license number, passport number, house registration information, occupational license number, insurance identification number, social security number, etc.
Characteristic data of a person Detailed information about you such as date of birth, gender, height, weight, age, marital status, military enlistment status, photographs, spoken language, behavioral data, preferences, etc.
Contact information Contact information such as your home phone number, mobile phone number, fax number, e-mail address, home mailing address, username in social networks (e.g. Line ID), etc.
Data about work and education Employment and educational background such as type of employment, occupation, rank, position, responsibilities, expertise, work permit status, reference information, tax identification number, tenure history, work history, salary information, start and leave date, assessment results, benefits, items in the possession of the worker, nature of work, bank account number(s), educational institutions, educational qualifications, educational results, graduation date, etc.
Data on insurance policies Details about work insurance policies such as the insurer, assured beneficiaries, policy number, policy type, protection limit, claims, etc.
Data on social relationships Information about your social relationships, such as political status, political affiliations and offices, directorship, relationship with the Foundation's practitioners, information on being a contractor with the Foundation, being a stakeholder in business with the Foundation, etc.
Data on website usage Details about the use of the websites www.ihppthaigov.net and www.ihppf.ihpp.thaigov.net such as user account name, password, computer traffic information, geolocation, usage behavior data, browsing history data, cookies or similar technologies, etc.
Sensitive personal data Your sensitive personal data such as race, religion, disability information, biometrics data (face photo data), health information, etc.
7. Cookies

The Foundation collects and uses cookies and other similar technologies on its websites, www.ihppthaigov.net and www.ihppf.ihpp.thaigov.net, for the purpose of safety in use and for convenience and improved experience for the user in using the websites. This information will be used to improve the Foundation's website and to meet your needs more. You can manually set or delete the use of cookies from the settings in your web browser.

8. Personal Information of minors, incompetent and quasi-incompetent persons

In case the Foundation needs to obtain data that requires consent for personal data collection of a minor, incompetent or quasi-incompetent person, the Foundation will not collect such personal information until obtaining consent from a parent or guardian authorized to act on behalf of the minor, incompetent or quasi-incompetent person, in accordance with the conditions prescribed by law.

In case the Foundation case unknowingly collected data of a minor, incompetent or quasi-incompetent person and finds out later that personal data was collected without obtaining the necessary consent, the Foundation will proceed to delete and destroy that personal data as soon as possible as there are no legitimate grounds other than consent for collection, use or disclosing of such information.

9. Purpose of collecting personal data

The Foundation collects your personal information for the following objectives as a general framework for the Foundation's use of personal data. Only the purposes for which your data is related or associated with will apply.

  1. For public interest or relating to research studies or statistics with appropriate safeguards in accordance with the mission of the Foundation
  2. To provide services and manage the services of the Foundation, both services under contract or according to the mission of the Foundation
  3. For Foundation transactions
  4. To supervise, operate, monitor, examine and manage to facilitate and comply with your needs
  5. To maintain and update information about you, including documents referring to you
  6. To record the processing of personal data as required by law
  7. To analyze data including to solve problems related to the services of the Foundation
  8. To carry out the necessary actions for the internal management of the Foundation including job applications, nomination of directors or persons holding various positions, and assessment of qualifications
  9. To prevent, detect, avoid and examine fraud and security breaches or prohibited or illegal actions that may cause damage to the entire Foundation and data subject
  10. For identity and information verification when you contact the Foundation or use legal rights
  11. To improve or change service quality to be up-to-date
  12. For risk assessment and management
  13. To send notifications, order confirmations, and communicate with you
  14. To prepare and deliver relevant and necessary documents or information
  15. To verify your identity and prevent spam and unauthorized or illegal actions
  16. To take necessary actions to perform the duties that the Foundation has towards tax authorities, law enforcement or other legal obligations of the Foundation
  17. To take necessary actions for the legitimate interests of the Foundation or of another person or legal entities related to the operations of the Foundation
  18. To prevent or stop harm to life, body or health of persons including epidemic surveillance
  19. To prepare historical documents for public interest or researching or producing statistics that the Foundation has been entrusted with
  20. For compliance with applicable laws, notices, ordinances or proceedings relating to litigation, processing information under subpoenas including the exercise of rights relating to your information
10. Types of persons at the Foundation to whom your information may be disclosed

Subject to the purposes set out in Article 9 above, the Foundation may disclose your personal data to the following persons in general and is disclosure is only in effect for persons related to the operations of the Foundation.

Type of person(s) Details
Government agency or authority at the Foundation to whom data must be disclosed for legal or other important purposes (such as operating in public interest). Law enforcement agencies or entities that have the power to control and supervise or have other important objectives such as the Department of Provincial Administration, Social Security Office, Department of Labor Protection and Welfare, Revenue Department, Police Office, Court, Public Prosecutor's Office, Department of Disease Control, Ministry of Digital Economy and Society, Office of the Permanent Secretary of the Prime Minister Office, Department of Consular Affairs, Student Loan Fund, etc.
Various committees involved in the legal proceedings of the Foundation The Foundation may disclose your data to individuals holding committee positions in various faculties, such as the Nomination Subcommittee, Board Committee of the Foundation, etc.
Parties involved in the welfare of Foundation employees Third-party entities involved in welfare operations such as insurance companies, hospitals, payroll providers, banks, telephone operators, etc.
Service providers The Foundation may assign third parties to be service providers on its behalf or support the actions of the Foundation, such as storage providers (e.g. cloud, document warehouses), system developers, software , applications, and websites developers, couriers, payment service providers, internet service providers, telephone operators, Digital ID service providers, social media service providers, risk management service providers, external consultants, transport service providers, etc.
Other persons receiving your data The Foundation may disclose your data to other recipients such as Foundation contacts, family members, other non-profit foundations, temples, hospitals, educational institutions, or other agencies, etc., for the Foundation's operations such as training, receiving awards, making merit, donating, etc.
11. International transfer or sending of personal data

In some cases the Foundation may deem it necessary to send or transfer your personal data to foreign countries in order to perform operations you are involved in, for example, to send personal data to the cloud with a platform or server located abroad (e.g. Singapore or the United States, etc.) to support information technology systems located outside Thailand, depending on the needs of the Foundation.

However, while drafting this policy the Personal Data Protection Committee has not yet announced a list of recipient countries with adequate personal data protection standards. As such, when the Foundation needs to transfer your personal data to a recipient country, the Foundation will take steps to ensure that the personal data is transferred under adequate personal data protection measures in accordance with international standards or take action in accordance with the law, including:

  1. It is in compliance with the law that the Foundation must send or transfer personal information abroad
  2. Notifying you and obtaining your consent in the event that the recipient country has inadequate standards for personal data protection in accordance with the list of countries to be announced by the Personal Data Protection Committee
  3. For necessity in fulfilling the contract that you have with the Foundation or as per your request before entering said contract
  4. To act in accordance with contracts that the Foundation has with other persons or juristic entities for your benefit
  5. To prevent or suppress danger to your life, body, or health or that of another person when you are unable to give consent at that time
  6. When it is necessary to carry out missions for public interest
12. Duration in collecting personal data

The Foundation will retain your personal data only for as long as it is necessary for the purpose for which it was collected. as detailed in the policy announcements or in accordance with relevant laws. However, after the expiration of the retention period and your personal data is no longer necessary for said purpose, the Foundation will delete and destroy your personal data or make your personal data unidentifiable in accordance with the forms and standards for the destruction of personal data that the committee or law will announce or in accordance with international standards. In exercising rights or litigation in connection with your personal data, the Foundation reserves the right to retain that information until the dispute receives a final order or judgment.

13. Services provided by third parties or sub-processors

The Foundation may assign or procure third parties (data processors) to process personal data on behalf of the Foundation. Such third parties may offer services in various ways, such as hosting, outsourcing, or cloud computing or other outsourceable jobs.

When assigning a third party to process data, the Foundation will provide an agreement specifying the rights and obligations of the Foundation as the data controller and the third party entrusted as a data processor. This includes defining in detail the types of personal data the Foundation provides for processing, purpose, scope of processing and other related agreements. The data processor is obliged to process personal data to the extent specified in the agreement and order of the Foundation and not for any other purpose.

In the event that a data processor is assigned a sub-processor, the Foundation will require the data processor to provide a documentary agreement between the data processor and the sub-processor in the same form and standard of agreement between the Foundation and the data processor.

14. Security of personal data

Measures to protect personal data include limiting the right of access to personal data to be accessible only by specific officers or authorized or designated persons who have the need to use such data for the purposes for which the data subject has been notified. Such persons must adhere to and comply with the Foundation's personal data protection measures strictly and have a duty to maintain the confidentiality of personal data they have obtained for the performance of their duties. The Foundation has measures to secure data, both organizational and technical, according to international standards announcements of the personal data protection committee.

In addition, when the Foundation sends, transfers or discloses personal data to third parties whether for the provision of mission-based services, contractual, or other forms of agreement, the Foundation will determine personal data security and confidentiality measures that are appropriate and required by law to ensure that the personal data collected by the Foundation is always secure.

15. Connecting to websites or external services

In instances where the Foundation has a link to a third-party website or service, said website or service will have posted a personal data protection policy that differs from the content of this policy. The Foundation recommends that you consult the privacy policy of that website or service in detail before use. The Foundation is not associated and has no control over the privacy protection measures of such websites or services and cannot be held responsible for the content, policies, damages or actions caused by third party websites or services.

16. Data Protection Officer (DPO)

The Foundation has appointed a Data Protection Officer to perform audits, supervise and advise on the collection, use or disclosure of personal data, including coordinating and cooperating with the Office of the Personal Data Protection Commission In order to comply with the PDPA 2019 and your rights under the PDPA 2019.

The PDPA 2019 provides several rights for data subjects. These rights will come into effect when the law is enforced. The details of various rights are as follows:

  1. Right to request access to personal data have the right to request access, receive a copy and request to disclose the origin of personal data collected by the Foundation without your consent unless the Foundation has the right to refuse your request on legal grounds, court order or if the exercise of your rights may cause damage to the rights and freedoms of others.
  2. Right to request correction of personal data to be correct complete and current If you find that your personal information is inaccurate, incomplete or not up to date, you have the right to request amendments to make them accurate, current, complete and not misleading.
  3. Right to delete or destroy personal data You have the right to ask the Foundation delete or destroy your personal data or make your personal data non- identifiable to the data subject. However, the exercise of the right to delete or destroy this personal data must be under the conditions prescribed by law.
  4. The right to request the suspension of the use of personal data You have the right to request the suspension of the use of your personal data in the following cases.
    1. During the time that the Foundation is verifying personal data to be correct, complete, and up to date at the request of the data subject
    2. The personal data of the data subject is being used or disclosed unlawfully
    3. When the personal data of the data subject no longer needs to be retained for the purposes for which the Foundation notified the data subject during collection, but the data subject may wish for the Foundation to keep that data for exercising legal rights.
    4. When the Foundation is in the process of proving legitimate grounds for personal data collection or investigating the need for collecting, using, or disclosing personal data for public interest as a result of the data subject exercising their right to suspend the collection, use, or disclosure of their data
  5. Right to object to the processing of personal data You have the right to object to the collection, use or disclosure of your personal data unless the Foundation has a legitimate reason (for example, the Foundation can demonstrate that the collection, use, or disclosure of your personal data is more legitimate or for the establishment of legal claims, compliance, or exercise of legal claims, or for the public interest of the Foundation)
  6. Right to withdraw consent In the event that you have given consent to the Foundation to collect, use or disclose personal data (whether that consent was given before or after the PDPA 2019), you have the right to withdraw consent at any point that your personal data is with the Foundation, unless there are legal constrains that make it necessary to keep the data or there is still a contract between you and the Foundation that benefits you
  7. Right to claim, send or transfer personal data You have the right to obtain your personal information from the Foundation. in a form that is readable or generally usable with a tool or device that works automatically and that personal data can be used or disclosed by automated means; including requesting the Foundation to send or transfer data in such form to another data controller subject to the conditions prescribed by law.
17. Penalty for non-compliance with the Privacy Policy

Failure to comply with the policy may result in an offense and disciplinary action in accordance with the Foundation's rules (for staff or employees of the Foundation) or the Personal Data Processing Agreement (for data processors). However, depending on the case and the relationship you have with the Foundation, you may be subject to penalties as stipulated by the PDPA 2019, including secondary laws, rules, regulations and relevant orders.

18. Complaints to supervisory authorities

In case you find that the Foundation failed to comply with personal data protection laws, you have the right to complain to the Personal Data Protection Committee. or a supervisory authority appointed by the Personal Data Protection Committee or by law. Before making a complaint, the Foundation requests that you contact the Foundation so the Foundation has an opportunity get to know the facts and clarify various issues and address your concerns at first instance.

19. Updates to the Privacy Policy

The Foundation may consider improving, amending, or changing this policy at its discretion and will notify you through the website www.ihppthaigov.net and www.ihppf.ihpp.thaigov.net. The effective date of each revised version will be indicated. However, the Foundation encourages you to check the applications or specific channels regularly for activities carried out by the Foundation, especially before you disclose personal data to the Foundation.

Access to the services of the Foundation after the enforcement of the new policy will constitute your acknowledgment of the terms of the new policy. Stop accessing the services immediately if you do not agree with the details in the policy and contact the Foundation for further clarification.

20. Inquiries or exercise of rights

If you have any questions, suggestions or concerns about the Foundation's collection, use and disclosure of personal data or about this policy or you want to exercise your rights under the personal data protection laws, you can inquire at

  1. Data controller
    - Name: International Health Policy Program Foundation
    - Contact address: 88/20 Satharanasuk 6 Alley, Tambon Bang Khen, Mueang Nonthaburi District, Nonthaburi 11000
    - Email: ihpp_thailand@ihpp.thaigov.net
  2. Data protection officer (DPO) - Name: Mr. Putthipanya Rueangsom
    - Contact address: 88/20 Satharanasuk 6 Alley, Tambon Bang Khen, Mueang Nonthaburi District, Nonthaburi 11000
    - Email: putthipanya@ihpp.thaigov.net