Policy for ensuring the protection of sensitive personal information.
Scope: applies to all systems of the university.
1. Personal information is defined as: "any information about a person. This includes information that can be used to identify an individual, such as a name; information used to reach or contact them, such as a postal address and phone numbers; and any information that can be linked to the individual, such as medical reports."
2. The university administration is responsible for ensuring the implementation of this policy and its related documents, for monitoring its practical application, and for taking appropriate action in cases of non-compliance.
3. Information security management reviews this policy, assesses the extent of compliance with it, and issues a report on this at least once a year.
4. This policy must be published as soon as it is approved by the university administration so that all users at Saudi Electronic University can find it. Information security management and the Deanship of Information Technology must ensure that all users can access it by all available means, and must alert users whenever any document of the policy is changed, published, or supplemented.
5. All users are fully bound by the terms of this policy and all its supplementary documents.
6. Notifying users, or parties dealing with the university from inside or outside it, of the availability of this policy constitutes confirmed notification that they have read all of its items and agreed to abide by them.
Types of personal information: personal information, as defined in item 1, is classified as follows.
Identifying information: information that can distinguish a specific individual, such as:
Full name, or any part of the name that in a given context could indicate a particular person.
National identification number.
Bank account number.
Contact information of individuals:
Information that can be used to reach a particular person, such as:
Personal e-mail addresses.
Personal phone numbers and everything related to them.
User names (handles) on social media.
Linked information: information which cannot identify anyone by itself, but which can be linked to a particular individual, such as:
7. Saudi Electronic University, represented by the Deanship of Information Technology, undertakes to make every effort and to provide all necessary techniques and resources to protect personal information from deletion, damage or loss, leakage, modification, or any other unauthorized use.
8. Information security management maintains a register of personal information, called the "personal information guide", and designates one member of the information security team as the personal information protection officer.
9. The personal information protection officer is responsible for managing the guide.
10. The personal information protection officer is responsible for continuously verifying the accuracy of the information entered in the "personal information guide", and for all audits that ensure that all systems and users comply with the procedures and instructions in the guide.
11. The Deanship of Information Technology must provide the techniques and sponsor the procedures for inventorying the locations of all forms of personal information on all IT systems owned by the university. These locations are documented in the "personal information guide".
12. After personal information is collected, it must be documented in the "personal information guide", which records:
The type of information.
The sensitivity of the information: all personal information at the university must be classified by sensitivity into one of three categories:
Low sensitivity information.
Medium sensitivity information.
High sensitivity information.
A detailed definition of the uses of this information.
A definition of all users authorized to access this information or any part of it.
13. The "personal information guide" must contain detailed information about all procedures for collecting personal information. This includes:
The reason for collecting the information.
The method of collecting the information.
Details and classification of the collected information.
The systems that will store the collected information. It is preferable to maintain a single master copy of each type of personal information on one unified system, from which full or partial copies are made to other systems when needed.
The designated owner of the information on the business side of the university ("Information Business Owner").
The designated owner of the information on the IT side ("Information IT Owner").
All formats the information may take, such as:
- Oracle database.
- Excel file.
- Word file.
- CSV file.
The life cycle of the information.
The persons entitled to access the information or part of it, and the form that access takes.
The persons entitled to authorize access to the information, the authorization procedures, and the means of documenting, controlling and auditing those procedures.
14. After the personal information has been inventoried and all information and its procedures documented in the "personal information guide", the Deanship of Information Technology must redefine and restructure the procedures for obtaining information.
15. Procedures for accessing personal information: the procedure is defined through an electronic form that achieves the following:
The request must state the form of use of the personal information, whether temporary or permanent, and specify when the use ends.
The form must include detailed information on the information required.
The form must include the method of access to the information: either access through the system, or obtaining a copy of it.
The form must include an obligation to delete the information once the reason for obtaining it has ended.
If a copy of the information is obtained, the form must specify how that copy will be accessed.
If the request is for personal information on behalf of a third party, the form must contain detailed information about that party.
If information is shared with one or more third parties, whether inside or outside the university, the following is required of every requesting party:
Completing the form for obtaining personal information.
Written acceptance of this policy if the requesting party is from outside the university. Acceptance may be given by an e-mail sent from the requesting party; personal e-mail addresses are not accepted.
The form must include a pledge by the requesting party to comply with this policy and its procedures.
The form must include the approval of the personal information protection officer and the Dean of Information Technology.
16. The university has the right to extract demographic data from personal information and use it for statistical processing for the purposes of scientific research and administrative planning, without referring back to the users, provided that any data that could lead to discrimination against or tracking of persons is deleted.
17. To use demographic data, the following steps must be followed:
The requesting party must fill out a form to obtain the information.
The use is recorded in the "personal information guide".
The personal information protection officer reviews the requested data to make sure it is free of data that could discriminate against or track persons.
The personal information protection officer and the Dean of IT approve the request.
To publish or share any personal information, explicit approval from the information owner must be obtained before the personal information is published.
18. All users shall be able to access and review their personal information to ensure it is correct, and shall have a clear way to correct this information, either directly or through university staff.
19. The personal information protection officer is responsible for periodically checking the information to ensure its accuracy and consistency where it exists in more than one system.
20. The use of personal data in testing and development must be minimized; the IT teams and the rest of the organization's teams should, as far as possible, use fake data for fake users in the various testing processes they carry out.
21. To use personal information for testing and development purposes, a dedicated form for obtaining personal information must also be completed.
22. IT staff must be trained to handle users' personal data exclusively and with care, and must explicitly agree in writing to the personal data policy. This applies to all university employees who, by the nature of their work, require direct or indirect access to this information.
23. Training on handling personal data must include training employees to raise an alert in the event of any breach of privacy procedures.
24. Clear procedures must be defined for handling privacy breaches, according to the classification of the information suspected to have leaked. These procedures include:
Date and time of the breach.
Categories of affected users.
Assessment of the extent of damage and the risk that might result.
Reporting the breach to the information owner.
Escalation procedures that must be followed.
25. Personal data may be shared with other government agencies in Saudi Arabia through an official letter.
26. The Deanship of IT is responsible for defining a non-disclosure pledge form that explicitly covers personal information, and for obtaining the written agreement of companies and individual contractors to this form.
27. The university websites may record information about users through cookies without obtaining explicit consent from the user; any use of the university's websites constitutes implicit acceptance of this policy and of the use of this technique.
All employees must comply with these policies; violations will be dealt with according to legal procedures.
Responsibility: all employees and the managers of the Deanship of Information Technology and Educational Technology, in particular the manager of information security management and the dean of the deanship.