Personal Data Protection Policy

Definitions

Data:

A set of facts in their raw or unorganized form such as numbers, characters, still images, video, audio recordings or emoticons.

Personal data:

Any information, regardless of source or form, that would lead to the identification of an individual, or make him or her identifiable, directly or indirectly, when gathered with other data.

Verification:

It refers to the verification of the identity of any user, process or device as an essential prerequisite; to allow access to technical resources.

Processing Personal-Data:

All operations performed on personal data by any manual or mechanical means including, but not limited to, data collecting, transmitting, archiving, storing, sharing, destroying, analyzing, patterning, inferring and linking them with other data.

Owner of personal data:

The natural person, or anyone on his behalf, a representative or legal guardian, to whom the personal data relate.

Control unit:

It refers to any administrative unit of the university that operates on personal data.

Leaking Personal Data:

It is the disclosing, obtaining or even enabling access to personal data without authorization or legal authority, whether intentionally or unintentionally.

Implicit consent:

It is a consent that is not expressly granted by the data owner, but is implicitly granted through his/her actions, events and circumstances of the situation, such as signing contracts or agreeing to terms and conditions.

Objective

The purpose of the personal data protection policy is to maintain the confidentiality of personal information in a way to first ensure that the rights of individuals are preserved, secondly to regulate, process, share and organize the personal data, and thirdly to maintain digital national sovereignty over it, as well as to comply with national data governance policies and basic legislation for the protection of the rights and privacy of individuals with respect to their personal data, which is subject to a system of personal data protection. Definitely, the policy aims to comply with the relevant data management and governance, legislative and regulatory requirements, which is a legislative requirement in the National Data Management and Governance specification (No.DG.1.2) and Personal Data Protection (Version No. 1.5) issued by the Office of National Data Management.

Scope

The conditions of this policy apply to all control units processing, whether wholly or partially, personal data, as well as external entities processing the UNI's staff personal data via the Internet or any other means. However, the personal data that have been collected with the absence of its owner or have been processed to serve a different purpose or disclosed or even transferred abroad without the approval of the owner, would be excluded from the scope of this policy, as in the following cases:
1- If collecting or processing personal data is required to meet systemic requirements in accordance with the effective laws, regulations and policies of the Kingdom or to meet judicial requirements or to even perform an obligation under an agreement in which the Kingdom is a party.
2- If collecting or dealing with personal data is necessary for the protection of public health, safety or individuals' vital interests.

Key Principles for the Protection of Personal Data

1st Principle: Responsibility

The University's privacy policies and procedures shall be defined and documented by the Data Management Office along with the approval of the UNI's Rector (or his/her representative). Then, it shall be disseminated to all concerned parties.

ا2nd Principle: Transparencyً

A notice of the University's privacy policies and procedures should be prepared stating the purposes for which the personal data were processed clearly and explicitly.

3rd Principle: Selection and Approval

All possible options would be identified to the owner of the personal data as well as his/her (implicit or explicit) consent that would be obtained regarding the collection, utilization or disclosure of his/her data.

4th Principle: Limiting Data Collection

The collection of personal data should be limited to the minimum amount of data as a procedure to guarantee achieving the purposes set out in the privacy notice.

5th Principle: Limiting the Utilization, Retention and Disposal of Data

The processing of personal data shall be restricted to the purposes specified in the privacy notice for which the data owner expressed his/her implied or explicit consent, and shall be retained as long as necessary to accomplish the specified purposes or as required by the effective laws, regulations and policies of the Kingdom, and to be destroyed in a safe manner that would prevent leakage, loss, embezzlement, misuse or unauthorized access to a system.

6th Principle: Access to Data

The means by which the data owner can access his/her personal data shall be identified and provided; to ease its review, correction and update.

7th Principle: Limiting Data Disclosure

Disclosure of personal data of external parties shall be restricted to the purposes specified in the privacy notice for which the data owner has given his/her implicit or explicit consent.

8th Principle: Data security

Personal data shall be protected against leakage, damage, loss, embezzlement, misuse, alteration or unauthorized access, and that is of course in accordance with the regulations of the National Cyber Security Authority and the competent authorities.

9th Principle: Data Quality

All of the personal data shall be preserved accurately and completely not to mention that the importance of being directly related to the purposes specified in the privacy notice.

10th Principle: Monitoring and Compliance

The compliance with privacy policies and procedures shall be monitored and all of the privacy inquiries, complaints and disputes shall be processed.