Ministry of Industry and Mineral Resources

Abbreviations

Abbreviation	Description
MINISTRY OF INDUSTRY AND MINERAL RESOURCES	MINISTRY OF INDUSTRY AND MINERAL RESOURCES and all affiliated entities
PII	Personally Identifiable Information
NCA	National Cybersecurity Authority
IP	Internet Protoco
ID	Identity

1. Introduction

1.1 The privacy of Data Subjects' PII is a fundamental component of data protection at MINISTRY OF INDUSTRY AND MINERAL RESOURCES Saudi Arabia 2020 and all affiliated entities (hereinafter referred to as ‘MINISTRY OF INDUSTRY AND MINERAL RESOURCES’). It is intended to enable protective measures and controls to reduce the risk of data disclosure, data exfiltration, unauthorized access, alteration, tampering, corruption or falsification.

2. Key Terms

Term	Description
Data Subject	An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person (including MINISTRY OF INDUSTRY AND MINERAL RESOURCES’s employees and beneficiaries).
PII	Any information relating to an identified natural living person or to a natural living person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, ID number, location data, IP address or other online identifiers or to one or more other factors specific to the person’s identity.
Processing	Any operation or set of operations performed on PII or on sets of PII, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Controller	MINISTRY OF INDUSTRY AND MINERAL RESOURCES's department or employee that determines the purposes and means of the processing of PII.

3. Purpose

3.1 This policy directive describes the measures taken by MINISTRY OF INDUSTRY AND MINERAL RESOURCES to protect the privacy of its employees and beneficiaries' (data subject) Personally Identifiable Information (PII).

4. Scope

4.1 This policy is applicable to all MINISTRY OF INDUSTRY AND MINERAL RESOURCES's systems, equipment, staff, and third parties who are employed by MINISTRY OF INDUSTRY AND MINERAL RESOURCES whether directly or indirectly.

5. Policy

5.1 General Policy Statements

5.1.1 MINISTRY OF INDUSTRY AND MINERAL RESOURCES shall determine and documents applicable privacy laws and regulations. Also, MINISTRY OF INDUSTRY AND MINERAL RESOURCES shall monitor any changes or updates regarding the applicable privacy law and regulations to reflect it on its privacy policy, notice and practices.

5.1.2 Unless it is necessary for a valid reason in the Saudi Law, explicit consent shall be obtained from a data subject to collect and process their data.

5.1.3 PII shall be processed lawfully, fairly, and transparently concerning the data subject.

5.1.4 Data privacy controls and mechanisms shall be implemented and enforced including pseudonymization, encryption, masking and tokenization.

5.1.5 Data privacy control mechanism should be (including and not limited to); as the technical choice of protection will be assessed by MINISTRY OF INDUSTRY AND MINERAL RESOURCES data and cybersecurity department.

5.1.6 MINISTRY OF INDUSTRY AND MINERAL RESOURCES PII Sources:
5.1.6.1 Direct from data Subject with his/her consent
5.1.6.2 Indirect, and MINISTRY OF INDUSTRY AND MINERAL RESOURCES shall inform data subject withen one month.

5.1.7 Data Subjects’ PII shall be protected (during its identification, Transferring, processing and destroying).

5.1.8 MINISTRY OF INDUSTRY AND MINERAL RESOURCES shall determines, documents and approve PII inventory for which PII is collected, used, processed, and shared, (if there was no purpose there should not be any collection for PII) that Illustrate:
5.1.8.1 The category of needed PII
5.1.8.2 Business needs and the purpose(s) for each PII category
5.1.8.3 PII retention time
5.1.8.4 The recipients or categories of recipient to whom the personal data have been or will be disclosed
5.1.8.5 PII source details if PII were not collected from the data subject directly,

5.1.9 Data Subjects’ PII shall be stored, processed or transmitted in a manner that is accurate, adequate, relevant and limited to what is necessary and according to business needs and PII retention that was defined in data subject’s consent and privacy notice.

5.1.10 PII shall not be used for testing, training, and research Purposes.

5.1.11 Data Subjects’ PII shall be regularly reviewed and deleted based on business needs or PII retention that was defined in data subject’s consent and privacy notice.

5.1.12 Periodic data privacy assessments of PII shall be performed.

5.1.13 Data shall be hosted as per NCA regulations to be within Saudi Arabia. Within MINISTRY OF INDUSTRY AND MINERAL RESOURCES servers, or other government agency related to MINISTRY OF INDUSTRY AND MINERAL RESOURCES or in an authorized Cloud service provided.

5.1.14 PII relating to criminal convictions and offences or related security measures shall be processed only under the control of official authority.

5.1.15 Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation shall be prohibited.

5.1.16 MINISTRY OF INDUSTRY AND MINERAL RESOURCES shall store and process PII only inside Kingdom of Saudi Arabia and enforce that in third parties contracts or related documents, and when MINISTRY OF INDUSTRY AND MINERAL RESOURCES need to share PII with another entity outside the kingdom it shall seek National Data Managment office approval .

5.2 Protection of PII

5.2.1 MINISTRY OF INDUSTRY AND MINERAL RESOURCES shall ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services.

5.2.2 MINISTRY OF INDUSTRY AND MINERAL RESOURCES shall ensure ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident.

5.2.3 MINISTRY OF INDUSTRY AND MINERAL RESOURCES shall regularly test, assess and evaluat the effectiveness of technical and organisational measures for ensuring the security of the processing.

5.2.4 PII shall be collected for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes. Further processing for archiving, public interest, scientific or historical research, or statistical purposes shall be consistent with the initial purposes.

5.2.5 PII shall be adequate, relevant, and limited to what is necessary for the purposes for which it is processed.

5.2.6 PII shall be accurate, appropriate, and kept up to date. Reasonable steps shall be taken to ensure that inaccurate PII concerning the purposes is erased or rectified without delay.

5.2.7 PII shall be kept in a form which permits the identification of data subjects for the time necessary for the purposes of processing PII.

5.2.8 Appropriate security controls shall be implemented to protect PII against unauthorized or unlawful processing and accidental loss, destruction or damage, using appropriate technical or organizational measures.

5.2.9 If PII is obtained from sources other than the data subject, the data subject shall be informed and MINISTRY OF INDUSTRY AND MINERAL RESOURCES Privacy notice should be sent to him/her too.

5.3 Data Subject Rights

5.3.1 Where a data subject exercises a right under applicable privacy law, MINISTRY OF INDUSTRY AND MINERAL RESOURCES shall respond by taking any action required by the relevant privacy law, unless the request is obviously unfounded or excessive. MINISTRY OF INDUSTRY AND MINERAL RESOURCES shall take the relevant action within one month of receipt, unless a different time period is set by applicable privacy law. This applies to:

Right to get his/her authorization for collection, use, maintaining, and sharing of (PII) prior to its collection; OR prior to any new uses or disclosure of previously collected PII.
Right to understand the consequences of decisions to approve or decline the authorization of the collection, use, dissemination, and retention of PII.
Right to withdraw his or her consent at any time
Right to Access or get a copy of PII
Right to Rectification
Right to Erasure (Right to be forgotten)
Right to Restrict Data Processing
Right to be Notified
Right to Data Portability
Right to Object
Right to respond to his/her complaints, concerns, or questions.
Right to lodge a complaint with a supervisory authority.
Right to access MINISTRY OF INDUSTRY AND MINERAL RESOURCES Privacy notice.
Right to access all information in PII inventory.

5.4.1 MINISTRY OF INDUSTRY AND MINERAL RESOURCES shall adopt the principle of privacy by design and shall ensure that privacy requirements are satisfied on current, new, or significantly changed systems that collect or process PII. 5.4.2 MINISTRY OF INDUSTRY AND MINERAL RESOURCES shall regularly conduct a privacy impact assessment on all systems that collect or process PII. This assessment shall include the following:

Applying PII Protection Principles
Fulfilling controller responsibilities
Implementing security controls to protect PII
Ensuring the legal basis for the processing of PII is clear and unambiguous
Ensuring that all staff involved in handling PII understand their responsibilities
Ensuring that PII are collected, used, processed, stored or shared for the authorized purpose(s) that identified in the privacy notices
Ensuring that MINISTRY OF INDUSTRY AND MINERAL RESOURCES provides effective notice to the public and to data subjects regarding any changes in its activities that impact privacy, including its collection, use, sharing, safeguarding, maintenance, and disposal of PII
Following the rules regarding the consent
Performing regular reviews of procedures involving PII
Adopting privacy by design for all new or changed systems and processes

5.4.3 MINISTRY OF INDUSTRY AND MINERAL RESOURCES shall apply suitable data pseudonymization/anonymization techniques and encryption to protect PII.

5.4.4 MINISTRY OF INDUSTRY AND MINERAL RESOURCES shall satisfy the following documentation requirements and make accessable by data subjects regarding its processing activities on PII:

Purposes of PII processing
Processing activities conducted on PII
Categories of PII processed
Agreements and mechanisms for the transfer of PII from and to other organizations after getting data subject consent or request
PII retention schedules
Security controls in place to protect PII

5.4.5 MINISTRY OF INDUSTRY AND MINERAL RESOURCES's employees shall be made aware of this policy and their role to protect PII.

5.5 Privacy by Default

5.5.1 MINISTRY OF INDUSTRY AND MINERAL RESOURCES shall put in place appropriate technical and organizational measures for ensuring that, by default, PII is not processed unnecessarily. This applies to the amount of PII collected, the extent to which it is processed, how long it is stored and who can access it. In particular, MINISTRY OF INDUSTRY AND MINERAL RESOURCES shall ensure that, by default, PII is not made available to an indefinite number of people without some action by the data subject.

5.6 Transfer of PII

5.6.1 Any transfer of PII should be based on data subject consent or request.

5.6.2 Before the transfer of PII outside MINISTRY OF INDUSTRY AND MINERAL RESOURCES, privacy impacy analysis should be implemented.

5.6.3 A proper notice should be sent to data subject including recipients to whom the PII will be transfered including: Date, nature, and purpose of each disclosure of a record; and Name and address of the recipients to which the disclosure was made

5.6.4 The adequacy of the protection of PII at the receiving end shall be confirmed; this includes:

Receiving organization name and relevant details
Purposes of PII processing
Categories of individuals and PII processed
Categories of PII recipients
Agreements and mechanisms for transfers of PII
PII retention schedules
Relevant technical and organizational controls in place

5.7 Requirements for Third Parties

5.7.1 MINISTRY OF INDUSTRY AND MINERAL RESOURCES shall establish, document, and approve privacy requirements (collection, use, processing, and sharing) for contractors, processors and service providers; and include it in contracts and other related documents.

5.7.2 Where MINISTRY OF INDUSTRY AND MINERAL RESOURCES and another controllers jointly determine the purposes and means of processing, they shall be joint controllers. They shall in a transparent manner determine their respective responsibilities for compliance with the obligations under applicable privacy laws and regulations.

5.7.3 Where processing is to be carried out on behalf of MINISTRY OF INDUSTRY AND MINERAL RESOURCES, MINISTRY OF INDUSTRY AND MINERAL RESOURCES shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of applicaple privacy laws and regulations and ensure the protection of the rights of the data subject.

5.8 Processing records and moitoring

5.8.1 MINISTRY OF INDUSTRY AND MINERAL RESOURCES shall record the processing activities. That record shall contain but not limited to the following information:
5.8.1.1 The name and contact details of the controller and processer
5.8.1.2 The purposes of the processing
5.8.1.3 A description of the categories of data subjects and of the categories of personal data

5.8.2 MINISTRY OF INDUSTRY AND MINERAL RESOURCES shall make the record available to the organization auditor and supervisory authority on request.

5.8.3 MINISTRY OF INDUSTRY AND MINERAL RESOURCES shall regularly review PII inventory to ensure that only PII identified in the notice is collected and retained, and that the PII continues to be necessary to accomplish the legally authorized purpose.

5.9 Training and Awareness

5.9.1 MINISTRY OF INDUSTRY AND MINERAL RESOURCES shall develops, document, approve, and implements, and updates Regularly a comprehensive training and awareness program aimed at ensuring that personnel understand privacy responsibilities and procedures, such as administers basic privacy training and targeted, role-based privacy training for personnel having responsibility for PII or for activities that involve PII.

5.10 Privacy Notice

5.10.1 MINISTRY OF INDUSTRY AND MINERAL RESOURCES shall determines, document, approve, and implement requirements to provides effective notice to the public and data subjects regarding:
5.10.1.1 Its activities that impact privacy, including its collection, use, sharing, safeguarding, maintenance, and disposal of PII
5.10.1.2 Authority for collecting PII
5.10.1.3 The choices, if any, individuals may have regarding how the organization uses PII and the consequences of exercising or not exercising those choices
5.10.1.4 The right to access and have PII amended or corrected if necessary
5.10.1.5 The PII the organization collects and the purpose(s) for which it collects that information
5.10.1.6 How the organization uses PII
5.10.1.7 Whether the organization shares PII with external entities, the categories of those entities, and the purposes for such sharing
5.10.1.8 Whether individuals have the ability to consent to specific uses or sharing of PII and how to exercise any such consent;
5.10.1.9 How individuals may obtain access or get PII;
5.10.1.10 How the PII will be protected;
5.10.1.11 The period for which the PII will be stored
5.10.1.12 The existence of the right to request from the controller access to and rectification or erasure of personal data or restriction of processing concerning the data subject or to object to processing as well as the right to data portability;
5.10.1.13 The existence of the right to withdraw consent at any time,
5.10.1.14 The right to lodge a complaint, concerns, or questions to MINISTRY OF INDUSTRY AND MINERAL RESOURCES and to lodge a complaint with a supervisory authority
5.10.1.15 Whether the provision of personal data is legaly required, or a requirement necessary to enter into a contract, as well as whether the data subject is obliged to provide the personal data and of the possible consequences of failure to provide such data
5.10.1.16 The changes in practices or policies that affect PII or changes in its activities that impact privacy, before or as soon as practicable after the change

5.10.2 MINISTRY OF INDUSTRY AND MINERAL RESOURCES shall ensures that its privacy practices are publicly available through organizational websites

5.10.3 MINISTRY OF INDUSTRY AND MINERAL RESOURCES shall inform data subject before the restriction of processing is lifted, if processing was restricted by data subject, personal data shall, with the exception of storage, only be processed with the data subject's consent.

5.10.4 MINISTRY OF INDUSTRY AND MINERAL RESOURCES shall communicate any rectification or erasure of personal data or restriction of processing to each recipient to whom the personal data have been disclosed. The controller shall inform the data subject about those recipients if the data subject requests it.

5.10.5 MINISTRY OF INDUSTRY AND MINERAL RESOURCES shall inform data subject of the appropriate safeguards of transferring where personal data are transferred to a third country or to an international organization.

5.10.6 MINISTRY OF INDUSTRY AND MINERAL RESOURCES shall ensures that the public has access to information about the identity and the contact details of the the organization.

5.10.7 MINISTRY OF INDUSTRY AND MINERAL RESOURCES shall ensures that the public has access to information about its privacy activities and is able to communicate with its Privacy Officer.

5.10.8 MINISTRY OF INDUSTRY AND MINERAL RESOURCES shall ensures that its privacy practices are publicly available through organizational websites.

5.11 Privacy Breach

5.11.1 MINISTRY OF INDUSTRY AND MINERAL RESOURCES shall develops, document and approve a Privacy Incident Response Plan and implement it when needed.

5.11.2 If a breach has occurred with a probability to result in a risk to the privacy or protection of PII, then MINISTRY OF INDUSTRY AND MINERAL RESOURCES following Privacy Incident Response Plan Procedures shall inform the DCS department.

5.11.3 MINISTRY OF INDUSTRY AND MINERAL RESOURCES shall develops, document, approve, and implement a procedure to communicate the PII breach to the data subject without delay

6. Roles and Responsibilities

6.1 Data and Cybersecurity Executive Director shall:

6.1.1 The policy and support its implementation.

6.1.2 Oversee policy compliance, violations, exceptions, and dispute resolution.

6.1.3 Ensure alignment between this policy, MINISTRY OF INDUSTRY AND MINERAL RESOURCES’s business, and strategy.

6.1.4 Manage policy exceptions and violations.

6.2 Legal department shall:

6.2.1 Define applicable privacy laws and regulations on MINISTRY OF INDUSTRY AND MINERAL RESOURCES.

6.2.2 Execute their part in privacy impact analysis

6.2.3 Define privacy requirements in third parties’ contracts or related documents.

6.3 Data Owners/ head of departments shall:

6.3.1 Apply the requirements in this policy on the PII in their possession and demonstrate compliance.

6.4 MINISTRY OF INDUSTRY AND MINERAL RESOURCES’s users shall adhere to this policy and report any security incident or non-adherence to this policy to the Data and Cybersecurity Executive Director/ Data Asset Owners/Head of department.

7. Related Policies

7.1 Asset Management Policy

7.2 Access Control Policy

7.3 Cryptography Policy

7.4 Data and Cybersecurity Compliance Policy

7.5 Data Classification Policy

7.6 Data Protection Policy

7.7 Data and Cybersecurity Policy

8. Policy Relation with NCA-ECC, ISO 27001, GDPR, NDMO-NDGP and NIST

Section Name	NCA-ECC	ISO 27001	GDPR	NDMO-NDGP	NIST
Data and Information Privacy	2-7-3-3	A.18.1.4	Article 5 to 46	Section 5	Appendix J

Ministry of Industry and Mineral Resources

About Ministry

Institutional Strategy

Initiatives

All Services

All News

Quick links

Open Data

Laws and Regulations

FAQs

Download E-branch App

Use and evacuation of responsibility

Terms and conditions