This policy aims to meet the requirements of the National Data Management Office and to enhance the protection of data and privacy for users of Najran University systems, including how data is handled, stored, and disposed of, through:
- Protecting the privacy of personal data and the confidentiality of sensitive data and not sharing it with other parties without the consent of system users.
- Guaranteeing individual rights in dealing with personal data at Najran University.
- Enhancing transparency and solidifying governance through the distribution of roles and responsibilities.
- Supporting integrity and combating corruption.

This is based on the documents Data Management Controls, Governance and Personal Data Protection (Version 1.5 - January 2021) and the National Data Governance Policies (Version 2 dated 26/05/2021), issued by the National Data Management Office.
Scope of Work
This policy applies to all entities of Najran University and its branches to ensure the protection of personal data processed in whole or in part by them. It also applies to external entities that process the data of individuals residing in the Kingdom via the internet or any other means.
However, the following cases are excluded from the scope of this policy: collecting personal data without the knowledge of the subject, processing it for purposes other than those for which it was collected, disclosing it without consent, or transferring it outside the Kingdom, subject to the following conditions:
- If the controlling party is a government entity, personal data may be collected or processed if it is necessary to meet regulatory requirements in accordance with the systems, regulations, and policies approved in the Kingdom of Saudi Arabia, or to comply with judicial requirements, or to fulfill obligations arising from a contract in which the Kingdom of Saudi Arabia is a party.
- To protect public health and safety, or to ensure the vital interests of individuals.
Principle 1: Responsibility
Najran University is committed to establishing data privacy requirements and policies, documenting them, reviewing them annually, and having them approved by the University President or his designee. It also works to disseminate them to all concerned parties to ensure their effective implementation.
Second Principle: Transparency
A notice is being prepared to clarify the privacy policies and procedures regarding personal data at Najran University, clearly stating the purposes for which personal data is processed, in a specific and explicit manner.
Principle 3: Choice and Consent
All possible options must be provided to the data subject, and their consent must be obtained, whether explicit or implicit, regarding the collection, use, or disclosure of their data.
Principle Four: Data Minimization
Data collection is limited to the minimum necessary to achieve the specific purposes outlined in the privacy notice.
Fifth Principle: Limiting the use and retention of data
Data processing is restricted to the specific purposes outlined in the privacy notice agreed to by the data subject, whether explicitly or implicitly. Data is retained as long as it is necessary to achieve the specified purposes or as required by applicable systems, regulations, and policies in the Kingdom of Saudi Arabia, and is disposed of securely through methods that prevent leaks, loss, theft, or unauthorized access.
Principle Six: Data Access
Means are provided for the data subject to access their data for review, updating, and correction.
Principle Seven: Limiting Data Disclosure
The disclosure of personal data to third parties within or outside the Kingdom of Saudi Arabia is limited to the purposes specified in the privacy notice that the data subject has consented to, either expressly or implicitly.
Principle Eight: Data Security
Najran University provides full data protection against leakage, corruption, loss, theft, misuse, or unauthorized access, in accordance with the directives of the National Cyber Security Authority and relevant authorities.
Principle Nine: Data Quality
Personal data is stored accurately and completely, and relates directly to the purposes specified in the privacy notice.
Principle Ten: Monitoring and Compliance
Monitoring compliance with the privacy policies and procedures of Najran University, addressing inquiries, complaints, and disputes related to them.
Data Subject Rights
- First: The right to data, which includes the data subject's awareness of the systemic or actual need for collecting their personal data, the purpose of that collection, and that the data will not be processed later in a way that contradicts the purpose of its collection, for which they provided implicit or explicit consent.
- Secondly: The right to withdraw their consent to the processing of their personal data, at any time, unless there are legitimate grounds requiring it to continue.
- Third: The right to access their personal data at Najran University for the purpose of reviewing it, requesting corrections, or updating it.
Najran University Commitments
- Najran University is committed to preparing and implementing policies and procedures related to the protection of personal data, and the primary responsible party – or the one delegated to him – is responsible for approving and adopting them.
- The University commits to establishing a data governance unit linked to the Data Management Office and tasked with developing, documenting, and monitoring the implementation of policies and procedures approved by the highest authority, which will include the unit's tasks and responsibilities and appropriate standards for determining the sensitivity levels of personal data.
- The University commits to assessing the risks and potential impacts of processing personal data and presenting the results of the assessment to the University President, or his delegate, to determine the risk acceptance level and approve them.
- The University commits to reviewing and updating service and operating contracts and agreements to align with the privacy policies and procedures established by the Higher Administration of the Entity.
- The University prepares and documents the necessary procedures for managing and addressing privacy breaches, identifying the tasks and responsibilities of the specialized work team and the cases in which the regulatory authority and the Office are notified, according to the administrative sequence and based on impact severity measurement.
- The University prepares awareness programs for personnel to enhance the culture of privacy and raise awareness levels in accordance with the privacy policies and procedures adopted by the Supreme Authority of the relevant body.
- The data subject is notified, by an appropriate method and at the time of data collection, of the purpose and the legal/actual basis for collecting and processing personal data, the means and methods used for data collection, processing, and sharing, and the security measures that ensure the protection of privacy, in accordance with the systems, regulations, and policies in effect throughout the Kingdom.
- The data owner is notified of other sources used if additional data is collected indirectly (from other agencies).
- Data subjects are notified of the privacy notice and consent to the processing of their personal data based on the nature and methods of data collection.
- The consent of the data subject is obtained for the processing of personal data after determining the type of consent (explicit or implicit) based on the nature of the data and the methods of collection.
- The purpose of data collection is consistent with the systems, regulations, and policies in effect within the Kingdom and directly related to the entity's activity.
- The content of the data is limited to the minimum necessary to achieve the purpose of its collection.
- Data collection is restricted to content previously defined (as explained in Rule 12) and conducted fairly (directly, clearly, safely, and without deception or misleading methods).
- Use of the data is restricted to the purpose for which it was collected.
- The University prepares and documents policies and procedures for record retention in accordance with specified purposes, systems, and related laws and regulations.
- The University stores and processes personal data within the geographical boundaries of the Kingdom of Saudi Arabia to preserve digital sovereignty over this data. It is not permissible to process it outside the Kingdom of Saudi Arabia unless the University obtains written approval from the regulatory authority, after coordination by the authority with the Office.
- The University prepares and documents a policy and procedures for the disposal of data by securely destroying it to prevent loss, misuse, or unauthorized access (including operational, archived, and backup data), in accordance with what is issued by the National Cybersecurity Authority.
- The University incorporates the provisions of the data retention and disposal policies in contracts when assigning these tasks to other processing entities.
- The University determines and provides the means by which a holder of personal data can access, review, and update their data.
- The University verifies the identity of individuals before granting them access to their personal data, in accordance with the standards adopted by the National Cybersecurity Authority and relevant authorities.
- It is prohibited to share personal data with other parties except in accordance with the specific purposes determined after obtaining the data owner's consent and in accordance with the systems, regulations, and policies, providing the other parties with the privacy policies and procedures followed and including them in contracts and agreements.
- The University notifies data owners and obtains their approval when sharing data with other parties for uses other than those specified.
- The University obtains approval from the Office, after coordinating with the regulatory authority, before sharing personal data with external parties outside the country.
- The University prepares, documents, and applies the necessary measures to ensure the accuracy, completeness, currency, and linkage of personal data to the purpose for which it was collected.
- Administrative controls and technical procedures approved in the authority's information security policies are applied to ensure the protection of personal data, including, but not limited to:
- Granting access rights to data according to the tasks of employees and their responsibilities in a way that prevents interference in jurisdiction and avoids fragmentation of responsibilities.
- Implementing administrative procedures and technical regulations that document the stages of data processing and make it possible to identify the user responsible for each stage (usage logs).
- Having personnel who undertake data processing sign a commitment to maintain the data and protect its confidentiality, disclosing it only in accordance with policies, procedures, systems, and legislation.
- Selecting personnel for data processing operations who are characterized by integrity and responsibility, in accordance with the nature and sensitivity of the data and the access policy adopted by the entity.
- Using appropriate security measures, such as encryption and isolating the development and testing environments from the production environment, to protect personal data in a manner consistent with its nature and sensitivity and with the media used to transmit and store it, in accordance with what is issued by the National Cyber Security Authority and the relevant authorities.
- Najran University is responsible for monitoring compliance with privacy policies and procedures on a regular basis and presenting this to the Head of the Authority, or his delegate, as well as defining and documenting the corrective measures to be taken in the event of non-compliance and notifying the regulatory authority and the Office according to the organizational sequence.
- First: Regulatory authorities coordinate the provisions of this policy with their regulatory documents and implement them across all entities subordinate to them or related to them, as long as it achieves integration and ensures the achievement of the intended goal of preparing this policy.
- Secondly: Regulatory bodies periodically monitor compliance with this policy.
- Third: The University must comply with this policy and document compliance according to the mechanisms and procedures specified by regulatory authorities.
- Fourth: The University must immediately and without delay notify the regulatory authorities upon the occurrence or discovery of any personal data breach, within 72 hours, in accordance with the mechanisms and procedures established by the regulatory authorities.
- Fifth: The University, upon contracting with processing entities, must periodically verify their compliance with this policy according to the mechanisms and procedures defined by regulatory bodies, including any subsequent contracts undertaken by these entities.
- Sixth: The Data Office exercises the roles and tasks of regulatory agencies over non-regulatory agencies' offices.
- Seventh: Regulatory bodies may establish additional rules for processing specific types of personal data in accordance with the nature and sensitivity of such data, following coordination with the Office.
- Eighth: Regulatory bodies coordinate with the Office to prepare the mechanisms and procedures that regulate complaint processing according to a specific timeframe and the University's organizational sequence.
- Ninth: The University Data Office establishes the necessary standards to help the University determine whether designating a Data Protection Officer is a mandatory or optional requirement.