1) General Principles for the Secure Use and Protection of Personal Data
Protection of Personal Data: Personal data must be handled in accordance with the Personal Data Protection Law and its implementing regulations. The confidentiality, integrity, and availability of data must be ensured in line with applicable regulations.
Classification of Information: Information must be classified according to the Data Classification Policy and the Personal Data Protection Policy of the University of Hail.
Use of Personal Data: The use of personal data is limited to specific and clearly defined purposes and must be processed in accordance with applicable laws and regulations.
Protection of Systems and Information: Installing any unauthorized software or making any modifications to university systems without official approval is prohibited.
Professional Use: Using university systems and assets for personal gain or any purpose unrelated to the university's activities and operations is prohibited.
Prohibition of Account Sharing: Sharing accounts or passwords among individuals is prohibited.
Reporting Risks: Any suspicious activity that may affect the security of systems and data must be reported.
Safe Use of Email: Using university email for non-work-related purposes is prohibited.
Non-Disclosure of Data: Disclosing any sensitive university information to any unauthorized party is prohibited.
Review and Update: This policy is reviewed periodically to ensure compliance with regulatory and security requirements.
Access Controls: Access to systems and data is restricted to authorized personnel only, with permissions limited to what their job functions require.
Security Incident Management: Any security incident must be reported immediately to the Cybersecurity Department to ensure a rapid response and mitigation of potential impacts.
Incident Investigation: The Cybersecurity Department reserves the right to investigate any policy violations and take appropriate action in accordance with regulations.
2) Protecting Computer Hardware and Technical Systems
The use of external storage devices is prohibited without prior authorization.
The device must be secured before leaving the office by using a screen lock or logging out (SIGN OUT or LOCK).
The installation of external tools on the computer is prohibited without prior authorization.
The Cybersecurity Department must be notified of any suspected activity that could harm university computers.
External storage devices must be stored in secure locations and never left unattended.
Connecting personal devices to the university network without prior authorization is prohibited.
3) Use the Internet and Software Safely
Internet use must comply with the university's communications and information technology system and best security practices.
Downloading or installing any unlicensed or unapproved software is prohibited.
Using proxy or firewall technologies is prohibited.
The Cybersecurity Department must be notified of any suspicious websites that should be blocked.
Registering university email addresses on any website unrelated to work is prohibited.
Using file-sharing websites without prior authorization is prohibited.
Using the internet for illegal or unprofessional purposes is prohibited.
The university network must not be used to access unsecured websites that may pose a cybersecurity threat.
4) Rights of Personal Data Subjects
Content of Personal Data to be Collected
Personal data collected includes: name, address, contact information, academic information, employment records, health data (if applicable), and any other data related to university services.
Method of Collection
Personal data is collected through electronic forms, paper applications, registration in digital systems, official correspondence, and questionnaires, while ensuring compliance with relevant laws and regulations.
Purpose of Collection
Personal data is collected for academic, administrative, and legal purposes, and to improve services provided to students and university staff. Data is also used in research and studies in accordance with applicable regulations.
Method of Storage
Personal data is stored within the university's secure systems using encryption protocols and approved cybersecurity procedures to ensure data protection against any breach or unauthorized access.
How to Destroy Data
When personal data is no longer needed, it is destroyed securely using one of the following methods:
Permanent deletion from digital databases with no possibility of recovery.
Destruction of paper documents using security shredding techniques.
Removal of any sensitive data from storage media in accordance with approved security standards.
Data Subject Rights
Right to Information: Data subjects have the right to know the purposes for which their personal data is collected, how it is used, and who has access to it, through the university's policies and published privacy notices.
Right to Access Personal Data: Data subjects can request a copy of their personal data stored by the university and know who has disclosed their data, in accordance with official procedures.
Right to Update or Correct Personal Data: Data subjects can update their data and correct errors through the official channels designated for this purpose.
Right to Object to Data Processing: Data subjects have the right to object to the processing of their data if there is no legal or operational need for it.
Right to Destruction of Personal Data: Data subjects have the right to request the destruction of their personal data if there is no longer a legal or operational need to retain it.
5) Compliance and Penalties
All employees of the University of Hail must comply with this policy.
Any violation of this policy may subject the offender to disciplinary action in accordance with university regulations.
In the event of a violation of personal data protection regulations, the offender may be subject to legal action under the regulations.