Clause 1 This notification is called the “Notification of Thai Red Cross Society Re: Thai Red Cross Society’s Personal Data Security Measures, B.E. 2565 (2022)”.
Clause 2 This notification shall come into force from the date of its announcement onward.
Clause 3 Besides the definitions of specific terms provided in this notification, the definitions of the relevant terms in the Regulations of Thai Red Cross Society on Personal Data Protection, B.E. 2564 (2021) shall also apply.
“Personnel of Thai Red Cross Society” means all personnel of Thai Red Cross Society according to the Regulations of Thai Red Cross Society on Personnel Management, and shall also mean advisors and committee members of Thai Red Cross Society.
“Security” means the maintenance of the confidentiality, integrity, and availability of personal data for the purpose of preventing loss of, or unauthorized or unlawful access to, use, alteration, correction, or disclosure of, personal data.
Clause 4 Personnel of Thai Red Cross Society must recognize the importance of personal data protection and comply with the Regulations of Thai Red Cross Society on Personal Data Protection, B.E. 2564 (2021). They shall also strictly observe the provisions of the Personal Data Protection Act, B.E. 2562 (2019) and this notification in their collection, use, and disclosure of personal data.
Clause 5 Thai Red Cross Society has formulated personal data security measures which can be divided into administrative, technical, and physical safeguards for access control. These security measures shall apply to the following operations:
- Control of access to personal data and to personal data storage and processing devices, taking their functionality and security into consideration.
- Determination of access authorization or rights of access to personal data.
- Adopting user access management to control access to personal data and restrict access to authorized persons only, based on the levels of user rights to import, alter, correct, disclose, erase, and destroy personal data.
- Determination of user responsibilities to prevent unauthorized access to, disclosure, acquisition, or illicit copying of personal data, including theft of personal data storage or processing devices.
- Providing appropriate review of audit trails for the methods and means of personal data collection, use, or disclosure.
Clause 6 Thai Red Cross Society has formulated personal data security measures which can be divided into suitable organizational and technical measures, and necessary physical measures, according to their risk levels, the nature and purposes of personal data collection, use, and disclosure, and the probability of occurrence and impact of personal data breaches.
Clause 7 Thai Red Cross Society has prepared details of these security measures and of their implementation with consideration to its security operations, ranging from identifying key risks to its crucial information assets, to prevention of key potential risks, inspection and monitoring of personal data threats and breaches, handling of detected personal data threats and breaches, and remedy of and recovery from damage caused by such threats and breaches. These security measures should be implemented when it is deemed necessary, appropriate, and possible in terms of risk levels.
Clause 8 Thai Red Cross Society stipulates that any operation implemented under the security measures specified in this notification must take into consideration the ability to maintain the confidentiality, integrity, and availability of personal data for its risk levels, technologies, contexts, circumstances, and acceptable standards for the same or similar operations, the nature and purposes of personal data collection, use, and disclosure, as well as the required resources and operational feasibility.
Clause 9 Thai Red Cross Society stipulates that the collection, use, and disclosure of electronic personal data must comply with the security measures specified in this notification and cover the various parts of the information system for the collection, use, and disclosure of personal data, such as the personal data retention system and devices, servers, client computers, network systems, software, and applications, as appropriate for their risk levels. These operations must take into consideration the principle of defense in depth, which comprises multiple layers of security controls so that risk is still mitigated in the event that a particular security measure is limited in a particular situation.
Clause 10 Thai Red Cross Society stipulates that access to, use, alteration, correction, erasure, or disclosure of personal data must at least consist of the following operations that are appropriate for their risk levels. Such operations must take into consideration the need for appropriate personal data access and usage for the nature and purposes of their collection, use, and disclosure as well as suitable maintenance of security for their risk levels, required resources, and operational feasibility. This should be implemented in combination with:
(a) Appropriate access control, identity proofing, authentication and authorization on the need-to-know basis and the principle of least privilege.
(b) Appropriate user access management which may include user registration and de-registration, user access provisioning, management of privileged access rights, management of secret authentication information of users, review of user access right, and removal or adjustment of access rights.
(c) Determination of user responsibilities to prevent unauthorized or unlawful access to, use, alteration, correction, erasure, or disclosure of personal data, including cases of users acting beyond their assigned roles and duties, unauthorized or unlawful copying of personal data, and theft of personal data storage or processing devices.
(d) Appropriate review of audit trails for the methods and means of personal data collection, use, or disclosure.
Clause 11 Thai Red Cross Society stipulates the promotion of privacy and security awareness, and the appropriate dissemination of its personal data protection policies, practices, and security measures to its personnel, users, or persons relating to the access to, collection, use, alteration, correction, erasure, or disclosure of personal data, for their acknowledgment and compliance. They will also be informed of any amendment to the policies, practices, and measures prescribed in this notification, as appropriate for the nature and purposes of personal data collection, use, and disclosure as well as their risk levels, required resources, and operational feasibility.
Clause 12 Thai Red Cross Society sets up an inspection system for the erasure or destruction of personal data whose retention period has expired or which is no longer relevant to or necessary for the purpose of collection, or personal data for which the data subjects have withdrawn their consent. Such erasure or destruction shall apply unless the personal data must be kept for the exercise of the right to freedom of opinion and expression, or for the purposes specified in Section 24 (1) or (4) or Section 26 (5) (a) or (b) of the Personal Data Protection Act, B.E. 2562 (2019), or for the use of such personal data for the establishment, compliance with, exercise, or defense of legal claims. The provision of Section 33 paragraph Five shall apply mutatis mutandis to the erasure or destruction of personal data. The following actions shall be implemented:
- Periodic follow-ups to determine which personal data or sets of data in Thai Red Cross Society’s care (in its capacity as a data controller) have passed their retention period (as notified to the data subjects in its Privacy Notice or in the request for the data subject’s consent). This practice is necessary for the erasure or destruction of such personal data, or its conversion into personally unidentifiable information, as the case may be.
- In the event that the data subjects have exercised their right to have personal data that was collected on the basis of their consent erased or destroyed (or have withdrawn that consent) by requesting the data controller to do so, the data controller must erase or destroy the personal data or convert it into personally unidentifiable information, as the case may be.
- Erasure and destruction of personal data, or its conversion into personally unidentifiable information, may be exempted when the data controller has a reasonable or necessary cause to retain the personal data that overrides the data subject’s rights, such as:
- For the preparation of historical documents or archives for the public interest, or for research or statistical purposes.
- For the performance of a task carried out in the public interest as part of the duties of the data controller.
- For the assessment of the working capacity of employees, medical diagnosis, the provision of health or social care services, medical treatment, or the management of health or social care systems and services.
- For protection of public health against dangerous communicable diseases or cross-border epidemics, or for control of the standards or quality of medicines, medicinal products, or medical devices.
Clause 13 Thai Red Cross Society will review the security measures specified in this notification when necessary or in case of changes in technology, to ensure that the security measures remain efficient and suitable. This will be carried out with consideration to the levels of risk arising from such factors as technology, contexts, the environment, acceptable standards for an agency or operation of the same or similar nature, the nature and purposes of personal data collection, use, and disclosure, as well as the required resources and operational feasibility. In case of a personal data breach, the data controller must review the security measures under paragraph One unless such breach presents no risk to the rights and liberties of any person.
Clause 14 Thai Red Cross Society, in its capacity as the data controller, shall enter into an agreement with the personal data processor requiring the data processor to provide suitable security measures to prevent loss of, or unauthorized or unlawful access to, use, alteration, correction, or disclosure of, personal data. The personal data processor is required to inform Thai Red Cross Society of any personal data breach incident.
Clause 15 Thai Red Cross Society may issue guidelines prescribing details of compliance with the security measures specified in this notification.
Issued on 6 January 2023.