Privacy and Data Protection Policy

1 Purpose

The purpose of this document is to describe RABET's data protection and privacy controls and to ensure compliance with data protection and privacy laws and regulations, including but not limited to those of the National Data Management Office (NDMO). This policy governs the collection, use and disclosure of Personally Identifiable Information (PII) during use of the Service and informs users of their privacy rights and how the law protects their data.

1.1 Audience

The document is intended for RABET users.

2 Introduction

In its everyday business operations, RABET makes use of a variety of data about identifiable individuals, including data about:

In collecting and using this data, the organization is subject to a variety of legislation controlling how such activities may be carried out and the safeguards that must be put in place to protect it.

The purpose of this policy is to set out the relevant legislation and to describe the steps RABET is taking to ensure that it complies with it.

This control applies to all systems, people and processes that constitute the organization’s information systems, including board members, directors, employees, suppliers and other third parties who have access to RABET systems.

The following policies and procedures are relevant to this document:

3 Privacy and Personal Data Protection Policy

3.1 The National Data Management Office (NDMO)

The National Data Management Office (NDMO), as the national regulator of data in the Kingdom, has developed the framework for national data governance to set the policies and regulations required for data classification, data sharing, data privacy, Freedom of Information, open data, and others in anticipation of necessary legislation. NDMO regulation is one of the most significant pieces of legislation affecting the way that RABET carries out its information processing activities. It is RABET’s policy to ensure that our compliance with the NDMO and other relevant legislation is clear and demonstrable at all times.

3.2 Definitions

There are many definitions listed within the NDMO and it is not appropriate to reproduce them all here. However, the most fundamental definitions with respect to this policy are as follows:

3.2.1 RABET Definitions

3.3 Principles Relating to Processing of Personal Data

There are several fundamental principles upon which the NDMO regulations are based. These dictate that personal data shall be:

In addition, the Controller shall be responsible for, and be able to demonstrate compliance with, Principle 1: Accountability.

RABET must ensure that it complies with all these principles both in the processing it currently carries out and as part of the introduction of new methods of processing such as new IT systems. It does so through the operation of an information security management system (ISMS) and the implementation of cybersecurity and data security controls that conform to the SAMA Cybersecurity Framework (SAMA CSF) and the National Cybersecurity Authority Essential Cybersecurity Controls (NCA ECC).

3.4 Rights of the individual

The Data Subject also has rights under the NDMO regulations. These consist of:

Each of these rights must be supported by appropriate procedures within RABET that allow the required action to be taken within the timescales stated in the NDMO regulations.

These timescales are shown in Table 1:


The right to be informed: When data is collected (if supplied by data subject) or within one month (if not supplied by data subject)
The right of access: One month
The right to rectification: One month
The right to erasure: Without undue delay
The right to restrict processing: Without undue delay
The right to data portability: One month
The right to object: On receipt of objection
Rights in relation to automated decision making and profiling: Not specified

Table 1: Timescales for data subject requests

3.5 Consent

Unless it is necessary for a reason allowable in the NDMO regulation, explicit consent must be obtained from a data subject to collect and process their data.

Transparent information about RABET’s usage of personal data must be provided to Data Subjects at the time that consent is obtained and their rights regarding their data explained, such as the right to withdraw consent. This information must be provided in an accessible form, written in clear language and free of charge.

If the personal data are not obtained directly from the Data Subject, then this information must be provided within a reasonable period after the data are obtained and within one month.

3.6 Privacy by design

RABET has adopted the principle of privacy by design and will ensure that the definition and planning of all new or significantly changed systems that collect or process Personal Data will be subject to due consideration of privacy issues, including the completion of one or more privacy impact assessments.

The impact assessment process shall be initiated with the mindset of the ‘Open by Default’ principle unless its nature or sensitivity requires a higher level of classification or protection.

The impact assessment process of the potential damages that could arise from:

The privacy impact assessment will include:

Use of techniques such as data minimization and pseudonymization will be considered where applicable and appropriate.

3.7 Open Data and Information Access Officer (ODIAO)

A defined role of Open Data and Information Access Officer (ODIAO) is required under NDMO regulation. The ODIAO is the operational lead for open data within the entity. Responsibilities include:

3.8 Breach notification

It is RABET’s policy to be fair and proportionate when considering the actions to be taken to inform affected parties regarding breaches of Personal Data. In line with NDMO regulation, where a breach is known to have occurred which is likely to result in a risk to the rights and freedoms of individuals, the relevant supervisory authority will be informed within seventy-two (72) hours. This will be managed in accordance with our Information Security Incident Response Procedure which sets out the overall process of handling information security incidents.

3.9 Addressing compliance to the NDMO

The following actions are undertaken to ensure that RABET always complies with the accountability principle of the NDMO regulation:

These actions will be reviewed on a regular basis as part of the management review process of the information security management system.

4 Data Security and Protection Controls and Guidelines

Control: Control Description

Information Security Governance: RABET shall establish a plan to employ the tools, personnel, and business processes to ensure security is carried out sufficiently to meet the Entity's needs for data protection.

Information Security Architecture: RABET shall adopt a defense-in-depth security architecture to provide the purpose, context, and guidance for making security design decisions.

Information Systems Design, Development and Testing: Information security and security controls shall be included as components of a system during its development, testing and implementation.

Identity and Access Management: RABET shall identify users and information systems requesting access to RABET's information assets.

Third Party Supplier Security: RABET shall ensure Information Security requirements are reflected in RABET's engagement of third-party suppliers.

Information Security Training, Awareness and Communication: RABET shall implement a comprehensive Information Security training program designed to introduce personnel to RABET's security expectations and obligations.