This policy outlines how the University handles personal data, including the collection, use, or disclosure of such data, in accordance with personal data protection principles. These principles aim to prevent violations of privacy rights that may cause inconvenience or harm to data subjects, while allowing for the necessary use of personal data in line with the purposes for which it is collected.
Respect for Privacy Rights
Clause 1
The University respects and values the privacy rights and protection of personal data. The University recognizes that individuals engaging in its educational services—including the promotion, application, and development of academic and professional expertise; research and technology transfer; public academic services; and the preservation of arts and culture—expect that their personal data will be protected and that their use of University services will be secure.
Clause 2
Personal data collected by the University, such as name, age, address, telephone number, national ID number, and financial information that can identify a data subject, shall be used solely for the University’s operational purposes. The University will apply strict security measures to protect such data and prevent misuse.
Clause 3
The University will collect personal data only as necessary for its operations, as authorized by law or under Section 24 of the Official Information Act B.E. 2540 (1997). If the University intends to use the data for any other purpose, it will notify the data subject and seek their consent, unless otherwise permitted by law.
Clause 4
The University will collect and store personal data lawfully and fairly, and only as necessary for its operations or the provision of electronic services under the University’s objectives.
Clause 5
The University shall seek consent from data subjects prior to data collection, except where:
The data is collected for historical or archival purposes;
The data is used for research or statistics in line with ethical standards;
The data is required to prevent harm to life, body, or health;
The data is needed for contractual purposes, such as hiring, student admissions, or academic operations;
The data is used for compliance with applicable laws.
Clause 6
The University will not collect sensitive personal data (e.g., race, political opinions, religious beliefs, sexual behavior, criminal records, health or genetic data) unless:
Consent is obtained;
Required by law;
It benefits the data subject and obtaining consent is impractical;
It protects life, health, or safety;
It is for academic, research, or statistical purposes.
Clause 7
The University may combine personal data with data from other sources only when necessary and with the subject’s consent or with consent from the source organization.
Purpose of Personal Data Collection
Clause 8
The University collects personal data for operational, educational, research, or statistical purposes, and to improve the quality and efficiency of services—whether delivered traditionally or electronically.
Clause 9
If the purposes of data collection change, the University will notify and obtain renewed consent from the data subjects.
Clause 10
If personal data is used for purposes beyond those initially stated, data subjects retain the right to choose whether to allow the collection, storage, use, or disclosure of their data.
Clause 11
To analyze and monitor electronic services, website usage, or system problems—and to comply with the Computer Crime Act and Cybersecurity Act—the University automatically records at least the following data:
IP Address;
Browser type.
External service providers may also collect such data in accordance with legal requirements.
Clause 12
For security and the protection of life, health, and property, the University may collect identifiable data through means such as CCTV and audiovisual processing. Such data will be used strictly for the intended purposes or as required by law.
Clause 13
The University will not use personal data beyond its stated purposes unless:
The new purpose has been disclosed and consent obtained;
Required by law.
Limited Use of Personal Data
Clause 14
The University will use or disclose personal data strictly in line with its operational objectives.
Clause 15
University personnel are prohibited from disclosing personal data beyond its stated purpose or to third parties unless:
Required by law;
Consent is obtained;
Necessary for the health, safety, or life of the data subject or others;
Needed for legal investigations or court proceedings;
For academic, research, or statistical purposes.
Clause 16
In certain cases, the University may grant limited access to personal data to other individuals or entities, strictly as necessary and in line with its objectives and legal authority.
Data Security
Clause 17
The University prioritizes the security of personal data and enforces appropriate safeguards to prevent unauthorized access, loss, alteration, or disclosure in compliance with its IT security policy.
Participation of Data Subjects
Clause 18
Data subjects may request access to their data under University procedures. Upon receiving a request, the University will respond within a reasonable period.
Clause 19
If data is found to be inaccurate, data subjects may request corrections, and the University will log any objections as formal records.
Clause 20
Data subjects have the right to:
Request copies or certified copies of their personal data;
Request corrections or updates;
Suspend use or disclosure;
Request deletion or destruction;
Inquire about data acquisition if no consent was provided.
However, these rights may be limited by law or if data has been anonymized.
Data Sharing with Third Parties
Clause 21
When sharing personal data with others, the University will notify the data subject and seek consent. At minimum, such notice will include:
Identity of the individual or organization receiving the data;
Purpose of data sharing;
Method of sharing;
Types of data shared.
Clause 22
The University will clearly identify data controllers involved in sharing and keep records of the data linkage.
Clause 23
If any changes occur in data sharing, the University will notify and request consent from the data subject beforehand.
Changes to the Policy
Clause 24
This policy may be revised to reflect service or operational changes. The University will clearly announce any updates or send direct notifications before implementation.
Clause 25
For further information, please refer to this policy or contact:
Office of Legal Affairs, Khon Kaen University
123 Mittraphap Road, Nai Mueang Subdistrict, Mueang Khon Kaen District, Khon Kaen 40002, Thailand
Phone: +66-43-009700
Website: https://www.kku.ac.th/
University Data Protection Officer (DPO)
Asst. Prof. Dr. Denpong Soodphakdee
Vice President for Digital Affairs
Email: dpo@kku.ac.th
Phone: +66-43-202005