Data Protection Policy

Introduction

This policy lays out how the School/College manages its responsibilities for protecting the data it holds regarding staff and students. The School/College obtains, uses, stores and processes personal data relating to potential staff and students, current staff and students, former staff and students, current and former workers, and others, referred to in this policy as ‘data subjects’.

When processing or otherwise handling personal data, the School/College fulfills individuals’ reasonable expectations of privacy by complying with relevant data protection legislation in Pakistan (data protection law).

This policy applies to all personal data we have access to and process. All staff and others processing personal data on the School’s/College’s behalf must read and comply with this policy.

Aims of this Policy

This policy ensures that:

  • Everybody in school/college is clear about how personal data must be processed and the School’s/College’s expectations for all those who process personal data on its behalf
  • We ensure compliance with the data protection law in Pakistan
  • We protect the School’s/College’s reputation by ensuring the personal data entrusted to us is processed in accordance with people’s rights according to the law
  • We protect the School/College from risks of personal data breaches and other breaches of data protection law

Data Protection Principles

The processing of personal data by the school/college is guided by the following principles:

  1. All data must be processed lawfully, fairly and in a transparent manner
  2. Data can only be collected for specified and legitimate purposes
  3. The data collected must be adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed
  4. Data must be accurate and kept up to date (currency)
  5. Data is not kept in a form which permits easy access and identification of data subjects
  6. Data must always be processed in a manner that ensures its security, using appropriate technical and organisational measures to protect against unauthorised or unlawful processing and against accidental loss, destruction or damage

Data Subjects’ Rights

We handle data subjects’ personal data in the full recognition that they have Rights regarding how we use the data. These include the following Rights:

  1. To withdraw the consent for holding and using personal data at any time
  2. To ask for access to the personal data that we hold
  3. Not to use subject data for direct marketing purposes
  4. To ask us to erase personal data without delay
  5. To ask us to correct any inaccurate data
  6. To prevent processing of data that is likely to cause damage or distress to the data subject
  7. In limited circumstances, receive or ask for personal data to be transferred to a third party (e.g. another school/college to which a student is transferring)

The identity of an individual requesting data under any of the rights listed above MUST be verified.

Responsibilities

  i. School/College responsibilities

The school/college is responsible for establishing policies and procedures in order to comply with data protection law in Pakistan.

  ii. The Principal is responsible for:
  • advising all staff of their obligations under data protection law and school/college standard operating procedures
  • monitoring compliance with this policy and monitoring training and audit activities related to data protection compliance
  • having due regard to the risk associated with processing operations, taking into account the nature, scope, context and purposes of data processing

  iii. Staff responsibilities

All staff members with responsibility for handling personal data (of students, teachers, staff members, parents etc.) must comply with the requirements of this policy. Staff members must ensure that:

  • all personal data is secure and privacy is not breached
  • no personal data is disclosed (either verbally or in writing, accidentally or deliberately) to any unauthorised person
  • any data protection breaches are brought immediately to the attention of the
  • The following records of a data breach must be kept, indicating:
      • how the breach occurred
      • its effects/impact
      • the remedial action that is taken
  • where there is uncertainty around a data protection matter advice must be sought from the relevant department in Ziauddin University

NB: Staff who are unsure about who are the authorised third parties to whom they can legitimately disclose personal data should seek advice from the Principal.

  iv. Student responsibilities

Students are responsible for ensuring that their personal data provided to the school/college is accurate and up to date.

Data Subject Requests for Access

Data subjects have the right to receive a copy of their personal data held by the school/college. In addition, an individual is entitled to receive information about the school’s/college’s processing of their personal data as follows:

  1. The purposes for which the data will be used
  2. The categories of personal data being processed
  3. The recipients of the data

Retention Periods

Personal data is retained by the school/college for no longer than is necessary for the purpose or purposes for which it is obtained.

This requirement places a responsibility on each school/college, as a data controller, to be clear about the length of time for which data will be kept and the reason why the information is being retained.

It is a key requirement of data protection legislation that personal data collected for one purpose cannot be retained once that initial purpose has ceased.