Home > Policies > Policy & Procedure
Data Protection policy
Name of Policy
Data Protection policy
Policy Number
XII. 8
Original Policy Date
Last Revised Date
Other Related Regulatory Rules Laws & Policies Next Scheduled review Date
Associated Procedures & Forms (Attachments)
Cycle of Reviews


This policy sets out the responsibilities of the University, its staff and faculty to comply fully with data protection. It provides information and guidance on different aspects of data protection. This policy forms the framework which everybody processing sensitive and confidential data* should follow to ensure compliance with data protection legislation.


1.      Prince Mohammad University (PMU) is committed to data protection by default and by design and supports the data protection rights of all those with whom it works, including, but not limited to, potential staff, faculty, and students (applicants), current staff, faculty, and students, former staff, faculty, and students, current and former workers, contractors, website users and contacts, collectively referred to in this policy as data subjects. When processing sensitive or confidential data, the university is obliged to fulfill individuals’ reasonable expectations of privacy by complying with the data protection legislation.

* The legal definition of confidential or sensitive data describes it as information that must be protected against unauthorized disclosure, including personal Information, business Information, and classified information.

2.       This policy therefore designed to ensure that the institution's affiliated individuals:

2.1         are clear about how sensitive and confidential data must be processed and the university’s expectations for all those who process sensitive or confidential data on its behalf;

2.2         Comply with the data protection law and with good practice;

2.3         Protect the university’s reputation by ensuring the personal and sensitive data entrusted to us is processed in accordance with data subjects’ rights;

2.4         Protect the university from risks of sensitive, confidential, and personal data breaches and other breaches of data protection law.

3.       The scope of this policy is to all confidential and sensitive data regardless of the location where that confidential and sensitive data is stored (e.g. on an employee’s own device) and regardless of the data subject. All staff, faculty, and others processing personal data on the university’s behalf must comply with it. A failure to comply with this policy may result in disciplinary action.

All heads of colleges and directors of departments are responsible for ensuring that all university faculty and staff within their area of responsibility comply with this policy and should implement appropriate practices, processes, controls and training to ensure that compliance.

4.       Confidential and sensitive data protection principles:

When staff and faculty process personal, confidential, and sensitive data, you should be guided by the following principles, that require confidential and sensitive data to be:

4.1         Processed lawfully, fairly and in a transparent manner;

4.2         Collected only for specified, explicit and legitimate purposes and not further processed in a manner incompatible with those purposes;

4.3         Adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed;

4.4         Accurate and where necessary kept up to date;

4.5         Not kept in a form which permits identification of data subjects for longer than is necessary for the purposes for which the personal data is processed;

4.6         Processed in a manner that ensures its security, using appropriate technical and organizational measures to protect against unauthorized or unlawful processing and against accidental loss, destruction or damage.

5.       Responsibilities

5.1         University Responsibilities

As the data controller, the university is responsible for establishing policies and procedures in order to comply with data protection law.

5.2         Staff and Faculty Responsibilities

Staff and faculty members who process sensitive, confidential, and personal data about students, staff, faculty, applicants, alumni or any other individual must comply with the requirements of this policy. Staff and faculty members must ensure that:

5.2.1         All confidential and sensitive data is kept securely;
5.2.2         No confidential and sensitive data is disclosed either verbally or in writing, accidentally or otherwise, to any unauthorized third party;
5.2.3         Confidential and sensitive data is kept in accordance with the University’s retention schedule;
5.2.4         Any confidential and sensitive data protection breaches are swiftly brought to the university that they support in resolving breaches;
5.2.5         Where there is uncertainty around a data protection matter advice is sought from the university or the director in the department.

Where members of staff and faculty are responsible for supervising students doing work, which involves the processing of personal information (for example in research projects), they must ensure that those students are aware of the data protection principles.

Staff and faculty who are unsure about who are the authorized third parties to whom they can legitimately disclose personal data should seek advice from the university.

5.3         Third-Party Data Processors

Where external companies are used to process personal data on behalf of the University, responsibility for the security and appropriate use of that data remains with the University. Where a third-party data processor is used:


5.3.1         A data processor must be chosen which provides sufficient guarantees about its security measures to protect the processing of personal data;

5.3.2         Reasonable steps must be taken that such security measures are in place;

5.3.3         A written contract establishing what personal data will be processed and for what purpose must be set out;

5.3.4         A data processing agreement must be signed by both parties.

5.4         Contractors, Short-Term, Trainee, and Volunteers

The University is responsible for the use made of confidential and sensitive data by anyone working on its behalf. Departments/colleges who employ contractors, short-Term, trainee, and volunteers must ensure that they are appropriately vetted for the data they will be processing. In addition, Departments/colleges should ensure that:

5.4.1         Any confidential and sensitive data collected or processed in the course of work undertaken for the university is kept securely and confidentially;

5.4.2         All confidential and sensitive data is returned to the university on completion of the work, including any copies that may have been made. Alternatively, that the data is securely destroyed and the university receives notification in this regard from the contractor, short-Term, trainee, or volunteers;

5.4.3         The university receives prior notification of any disclosure of personal data to any other organization or any person who is not a direct employee of the contractor;

5.4.4         Any confidential and sensitive data made available by the university, or collected in the course of the work, is neither stored nor processed outside the university unless written consent to do so has been received from the University;

5.4.5         All practical and reasonable steps are taken to ensure that contractor, short-Term, trainee, or volunteers do not have access to any confidential and sensitive data beyond what is essential for the work to be carried out properly.

5.5         Student Responsibilities

Students are responsible for:

5.5.1         Familiarizing themselves with the Privacy Notice provided when they register with the university;

5.5.2         Ensuring that their personal data provided to the university is accurate and up to date.