|MINISTRY OF INDUSTRY AND MINERAL RESOURCES||MINISTRY OF INDUSTRY AND MINERAL RESOURCES and all affiliated entities|
|PII||Personally Identifiable Information|
|NCA||National Cybersecurity Authority|
1.1 The privacy of Data Subjects' PII is a fundamental component of data protection at MINISTRY OF INDUSTRY AND MINERAL RESOURCES Saudi Arabia 2020 and all affiliated entities (hereinafter referred to as ‘MINISTRY OF INDUSTRY AND MINERAL RESOURCES’). It is intended to enable protective measures and controls to reduce the risk of data disclosure, data exfiltration, unauthorized access, alteration, tampering, corruption or falsification.
2. Key Terms
|Data Subject||An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person (including MINISTRY OF INDUSTRY AND MINERAL RESOURCES’s employees and beneficiaries).|
|PII||Any information relating to an identified natural living person or to a natural living person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, ID number, location data, IP address or other online identifiers or to one or more other factors specific to the person’s identity.|
|Processing||Any operation or set of operations performed on PII or on sets of PII, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.|
|Controller||MINISTRY OF INDUSTRY AND MINERAL RESOURCES's department or employee that determines the purposes and means of the processing of PII.|
3.1 This policy directive describes the measures taken by MINISTRY OF INDUSTRY AND MINERAL RESOURCES to protect the privacy of its employees and beneficiaries' (data subject) Personally Identifiable Information (PII).
4.1 This policy is applicable to all MINISTRY OF INDUSTRY AND MINERAL RESOURCES's systems, equipment, staff, and third parties who are employed by MINISTRY OF INDUSTRY AND MINERAL RESOURCES whether directly or indirectly.
5.1 General Policy Statements
5.1.2 Unless it is necessary for a valid reason in the Saudi Law, explicit consent shall be obtained from a data subject to collect and process their data.
5.1.3 PII shall be processed lawfully, fairly, and transparently concerning the data subject.
5.1.4 Data privacy controls and mechanisms shall be implemented and enforced including pseudonymization, encryption, masking and tokenization.
5.1.5 Data privacy control mechanism should be (including and not limited to); as the technical choice of protection will be assessed by MINISTRY OF INDUSTRY AND MINERAL RESOURCES data and cybersecurity department.
MINISTRY OF INDUSTRY AND MINERAL RESOURCES PII Sources:
188.8.131.52 Direct from data Subject with his/her consent
184.108.40.206 Indirect, and MINISTRY OF INDUSTRY AND MINERAL RESOURCES shall inform data subject withen one month.
5.1.7 Data Subjects’ PII shall be protected (during its identification, Transferring, processing and destroying).
MINISTRY OF INDUSTRY AND MINERAL RESOURCES shall determines,
documents and approve PII inventory for which PII is collected, used,
processed, and shared, (if there was no purpose there should not be any
collection for PII) that Illustrate:
220.127.116.11 The category of needed PII
18.104.22.168 Business needs and the purpose(s) for each PII category
22.214.171.124 PII retention time
126.96.36.199 The recipients or categories of recipient to whom the personal data have been or will be disclosed
188.8.131.52 PII source details if PII were not collected from the data subject directly,
5.1.9 Data Subjects’ PII shall be stored, processed or transmitted in a manner that is accurate, adequate, relevant and limited to what is necessary and according to business needs and PII retention that was defined in data subject’s consent and privacy notice.
5.1.10 PII shall not be used for testing, training, and research Purposes.
5.1.11 Data Subjects’ PII shall be regularly reviewed and deleted based on business needs or PII retention that was defined in data subject’s consent and privacy notice.
5.1.12 Periodic data privacy assessments of PII shall be performed.
5.1.13 Data shall be hosted as per NCA regulations to be within Saudi Arabia. Within MINISTRY OF INDUSTRY AND MINERAL RESOURCES servers, or other government agency related to MINISTRY OF INDUSTRY AND MINERAL RESOURCES or in an authorized Cloud service provided.
5.1.14 PII relating to criminal convictions and offences or related security measures shall be processed only under the control of official authority.
5.1.15 Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation shall be prohibited.
5.1.16 MINISTRY OF INDUSTRY AND MINERAL RESOURCES shall store and process PII only inside Kingdom of Saudi Arabia and enforce that in third parties contracts or related documents, and when MINISTRY OF INDUSTRY AND MINERAL RESOURCES need to share PII with another entity outside the kingdom it shall seek National Data Managment office approval .
5.2 Protection of PII
5.2.1 MINISTRY OF INDUSTRY AND MINERAL RESOURCES shall ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services.
5.2.2 MINISTRY OF INDUSTRY AND MINERAL RESOURCES shall ensure ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident.
5.2.3 MINISTRY OF INDUSTRY AND MINERAL RESOURCES shall regularly test, assess and evaluat the effectiveness of technical and organisational measures for ensuring the security of the processing.
5.2.4 PII shall be collected for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes. Further processing for archiving, public interest, scientific or historical research, or statistical purposes shall be consistent with the initial purposes.
5.2.5 PII shall be adequate, relevant, and limited to what is necessary for the purposes for which it is processed.
5.2.6 PII shall be accurate, appropriate, and kept up to date. Reasonable steps shall be taken to ensure that inaccurate PII concerning the purposes is erased or rectified without delay.
5.2.7 PII shall be kept in a form which permits the identification of data subjects for the time necessary for the purposes of processing PII.
5.2.8 Appropriate security controls shall be implemented to protect PII against unauthorized or unlawful processing and accidental loss, destruction or damage, using appropriate technical or organizational measures.
5.2.9 If PII is obtained from sources other than the data subject, the data subject shall be informed and MINISTRY OF INDUSTRY AND MINERAL RESOURCES Privacy notice should be sent to him/her too.
5.3 Data Subject Rights
Where a data subject exercises a right under applicable privacy law,
MINISTRY OF INDUSTRY AND MINERAL RESOURCES shall respond by
taking any action required by the relevant privacy law, unless the request is
obviously unfounded or excessive. MINISTRY OF INDUSTRY AND MINERAL
RESOURCES shall take the relevant action within one month of receipt,
unless a different time period is set by applicable privacy law. This applies to:
MINISTRY OF INDUSTRY AND MINERAL RESOURCES shall adopt the
principle of privacy by design and shall ensure that privacy requirements are
satisfied on current, new, or significantly changed systems that collect or
MINISTRY OF INDUSTRY AND MINERAL RESOURCES shall regularly
conduct a privacy impact assessment on all systems that collect or process
PII. This assessment shall include the following:
5.4.3 MINISTRY OF INDUSTRY AND MINERAL RESOURCES shall apply suitable data pseudonymization/anonymization techniques and encryption to protect PII.
MINISTRY OF INDUSTRY AND MINERAL RESOURCES shall satisfy the
following documentation requirements and make accessable by data
subjects regarding its processing activities on PII:
- Purposes of PII processing
- Processing activities conducted on PII
- Categories of PII processed
- Agreements and mechanisms for the transfer of PII from and to other organizations after getting data subject consent or request
- PII retention schedules
- Security controls in place to protect PII
5.4.5 MINISTRY OF INDUSTRY AND MINERAL RESOURCES's employees shall be made aware of this policy and their role to protect PII.
5.5 Privacy by Default
5.5.1 MINISTRY OF INDUSTRY AND MINERAL RESOURCES shall put in place appropriate technical and organizational measures for ensuring that, by default, PII is not processed unnecessarily. This applies to the amount of PII collected, the extent to which it is processed, how long it is stored and who can access it. In particular, MINISTRY OF INDUSTRY AND MINERAL RESOURCES shall ensure that, by default, PII is not made available to an indefinite number of people without some action by the data subject.
5.6 Transfer of PII
5.6.1 Any transfer of PII should be based on data subject consent or request.
5.6.2 Before the transfer of PII outside MINISTRY OF INDUSTRY AND MINERAL RESOURCES, privacy impacy analysis should be implemented.
5.6.3 A proper notice should be sent to data subject including recipients to whom the PII will be transfered including: Date, nature, and purpose of each disclosure of a record; and Name and address of the recipients to which the disclosure was made
The adequacy of the protection of PII at the receiving end shall be
confirmed; this includes:
5.7 Requirements for Third Parties
5.7.1 MINISTRY OF INDUSTRY AND MINERAL RESOURCES shall establish, document, and approve privacy requirements (collection, use, processing, and sharing) for contractors, processors and service providers; and include it in contracts and other related documents.
5.7.2 Where MINISTRY OF INDUSTRY AND MINERAL RESOURCES and another controllers jointly determine the purposes and means of processing, they shall be joint controllers. They shall in a transparent manner determine their respective responsibilities for compliance with the obligations under applicable privacy laws and regulations.
5.7.3 Where processing is to be carried out on behalf of MINISTRY OF INDUSTRY AND MINERAL RESOURCES, MINISTRY OF INDUSTRY AND MINERAL RESOURCES shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of applicaple privacy laws and regulations and ensure the protection of the rights of the data subject.
5.8 Processing records and moitoring
MINISTRY OF INDUSTRY AND MINERAL RESOURCES shall record the
processing activities. That record shall contain but not limited to the
184.108.40.206 The name and contact details of the controller and processer
220.127.116.11 The purposes of the processing
18.104.22.168 A description of the categories of data subjects and of the categories of personal data
5.8.2 MINISTRY OF INDUSTRY AND MINERAL RESOURCES shall make the record available to the organization auditor and supervisory authority on request.
5.8.3 MINISTRY OF INDUSTRY AND MINERAL RESOURCES shall regularly review PII inventory to ensure that only PII identified in the notice is collected and retained, and that the PII continues to be necessary to accomplish the legally authorized purpose.
5.9 Training and Awareness
5.9.1 MINISTRY OF INDUSTRY AND MINERAL RESOURCES shall develops, document, approve, and implements, and updates Regularly a comprehensive training and awareness program aimed at ensuring that personnel understand privacy responsibilities and procedures, such as administers basic privacy training and targeted, role-based privacy training for personnel having responsibility for PII or for activities that involve PII.
5.10 Privacy Notice
MINISTRY OF INDUSTRY AND MINERAL RESOURCES shall determines,
document, approve, and implement requirements to provides effective
notice to the public and data subjects regarding:
22.214.171.124 Its activities that impact privacy, including its collection, use, sharing, safeguarding, maintenance, and disposal of PII
126.96.36.199 Authority for collecting PII
188.8.131.52 The choices, if any, individuals may have regarding how the organization uses PII and the consequences of exercising or not exercising those choices
184.108.40.206 The right to access and have PII amended or corrected if necessary
220.127.116.11 The PII the organization collects and the purpose(s) for which it collects that information
18.104.22.168 How the organization uses PII
22.214.171.124 Whether the organization shares PII with external entities, the categories of those entities, and the purposes for such sharing
126.96.36.199 Whether individuals have the ability to consent to specific uses or sharing of PII and how to exercise any such consent;
188.8.131.52 How individuals may obtain access or get PII;
184.108.40.206 How the PII will be protected;
220.127.116.11 The period for which the PII will be stored
18.104.22.168 The existence of the right to request from the controller access to and rectification or erasure of personal data or restriction of processing concerning the data subject or to object to processing as well as the right to data portability;
22.214.171.124 The existence of the right to withdraw consent at any time,
126.96.36.199 The right to lodge a complaint, concerns, or questions to MINISTRY OF INDUSTRY AND MINERAL RESOURCES and to lodge a complaint with a supervisory authority
188.8.131.52 Whether the provision of personal data is legaly required, or a requirement necessary to enter into a contract, as well as whether the data subject is obliged to provide the personal data and of the possible consequences of failure to provide such data
184.108.40.206 The changes in practices or policies that affect PII or changes in its activities that impact privacy, before or as soon as practicable after the change
5.10.2 MINISTRY OF INDUSTRY AND MINERAL RESOURCES shall ensures that its privacy practices are publicly available through organizational websites
5.10.3 MINISTRY OF INDUSTRY AND MINERAL RESOURCES shall inform data subject before the restriction of processing is lifted, if processing was restricted by data subject, personal data shall, with the exception of storage, only be processed with the data subject's consent.
5.10.4 MINISTRY OF INDUSTRY AND MINERAL RESOURCES shall communicate any rectification or erasure of personal data or restriction of processing to each recipient to whom the personal data have been disclosed. The controller shall inform the data subject about those recipients if the data subject requests it.
5.10.5 MINISTRY OF INDUSTRY AND MINERAL RESOURCES shall inform data subject of the appropriate safeguards of transferring where personal data are transferred to a third country or to an international organization.
5.10.6 MINISTRY OF INDUSTRY AND MINERAL RESOURCES shall ensures that the public has access to information about the identity and the contact details of the the organization.
5.10.7 MINISTRY OF INDUSTRY AND MINERAL RESOURCES shall ensures that the public has access to information about its privacy activities and is able to communicate with its Privacy Officer.
5.10.8 MINISTRY OF INDUSTRY AND MINERAL RESOURCES shall ensures that its privacy practices are publicly available through organizational websites.
5.11 Privacy Breach
5.11.1 MINISTRY OF INDUSTRY AND MINERAL RESOURCES shall develops, document and approve a Privacy Incident Response Plan and implement it when needed.
5.11.2 If a breach has occurred with a probability to result in a risk to the privacy or protection of PII, then MINISTRY OF INDUSTRY AND MINERAL RESOURCES following Privacy Incident Response Plan Procedures shall inform the DCS department.
5.11.3 MINISTRY OF INDUSTRY AND MINERAL RESOURCES shall develops, document, approve, and implement a procedure to communicate the PII breach to the data subject without delay
6. Roles and Responsibilities
6.1 Data and Cybersecurity Executive Director shall:
6.1.1 The policy and support its implementation.
6.1.2 Oversee policy compliance, violations, exceptions, and dispute resolution.
6.1.3 Ensure alignment between this policy, MINISTRY OF INDUSTRY AND MINERAL RESOURCES’s business, and strategy.
6.1.4 Manage policy exceptions and violations.
6.2 Legal department shall:
6.2.1 Define applicable privacy laws and regulations on MINISTRY OF INDUSTRY AND MINERAL RESOURCES.
6.2.2 Execute their part in privacy impact analysis
6.2.3 Define privacy requirements in third parties’ contracts or related documents.
6.3 Data Owners/ head of departments shall:
6.3.1 Apply the requirements in this policy on the PII in their possession and demonstrate compliance.
6.4 MINISTRY OF INDUSTRY AND MINERAL RESOURCES’s users shall adhere to this policy and report any security incident or non-adherence to this policy to the Data and Cybersecurity Executive Director/ Data Asset Owners/Head of department.
7. Related Policies
7.1 Asset Management Policy
7.2 Access Control Policy
7.3 Cryptography Policy
7.4 Data and Cybersecurity Compliance Policy
7.5 Data Classification Policy
7.6 Data Protection Policy
7.7 Data and Cybersecurity Policy
8. Policy Relation with NCA-ECC, ISO 27001, GDPR, NDMO-NDGP and NIST
|Section Name||NCA-ECC||ISO 27001||GDPR||NDMO-NDGP||NIST|
|Data and Information Privacy||2-7-3-3||A.18.1.4||Article 5 to 46||Section 5||Appendix J|