Data Privacy Policy

1. Purpose

The purpose of this policy is to set a path to implement and manage controls for the protection of personal information related to ADAFSA employees and customers.

ADAFSA shall not collect any personal information about any individuals or customers while they access the ADAFSA website unless they specifically and willingly choose to provide such information to us.

  • Declare & communicate ADAFSA's commitment to protecting the privacy of information collected.
  • Maintenance of confidentiality of information
  • Availability of information
  • Adherence to regulatory and legislative requirements
  • Information security awareness training to ADAFSA personnel
  • Protection of sensitive and classified information
  • Responsibilities regarding the protection of Personal Identifiable Information (PII)
  • Define mechanisms for protecting the Privacy & security of data collected through ADAFSA's digital platforms
  • Establish the Data Privacy Policy of ADAFSA to the public as relevant and in compliance with the Information Security policy, Data Security and Privacy Standards

2. Scope

The scope of the data privacy policy includes private information of ADAFSA employees and ADAFSA Customers and will apply across ADAFSA employees, contractors, sub-contractors, interns, trainees and volunteers.

3. Abbreviations, Terms and Definitions

| Term | Definition |
| --- | --- |
| Abu Dhabi Government Entity (ADGE) | Local departments and every legal person reporting to the Government and having full legal capacity to act and manage a public facility or aiming to provide a public service. |
| ADAFSA | Abu Dhabi Agriculture and Food Safety Authority |
| Data | A set of values that have no particular meaning. When additional attributes (i.e., metadata) are added, the data is given context, which gives it meaning and value. This makes it useful and as such, it becomes information. |
| Data Management | Refers to the disciplines and techniques to manage data as an asset. |
| Emirate | The Emirate of Abu Dhabi. |
| Open Data | Data publicly available in a way that enables it to be fully discoverable and usable by end users |
| Raw Data | Data that has not been processed or manipulated for usage purposes |
| Information | Data that is processed, organized, structured, or presented in a given context so as to make it useful |
| Metadata | Set of data that clarifies and describes other data and can be Business, Operational or Technical |
| Dataset | A discrete set of data, comprising multiple records. An information system may contain, use or maintain one or more datasets. A dataset may be published outside the information system that created it |
| Machine Readable Format | Data in a specific format that can be automatically processed by a computer and is structured data |
| Personally Identifiable Information (PII) | Any information that, by means of use or correlation with other information, can be used to uniquely identify a person |
| PII principal | The person to whom the PII refers |
| Personal Data | Information relating to natural persons who can be identified or who are identifiable, directly from the information in question; or who can be indirectly identified from that information in combination with other information |
| Dataset Inventory | Fully described record of data assets maintained that includes basic information such as name, content, update frequency, owner, source etc. |
| Stakeholders | DGE, ADGEs, ADAFSA Data Management Committee, ADAFSA business owners, internal and external customers, and general public |

4. Roles and Responsibilities

Executive Management

  • Approve the Data Privacy Policy and ensure alignment with organizational goals and regulatory requirements.
  • Allocate necessary resources for the implementation and maintenance of privacy controls.
  • Review data privacy risks and ensure mitigation strategies are in place.
  • Ensure that data privacy measures are integrated into strategic decision-making processes.

Chief Information Security Officer (CISO)

  • Oversee the overall implementation and enforcement of the Data Privacy Policy.
  • Review and approve any exceptions to the policy.
  • Ensure compliance with applicable data privacy laws, including the UAE Law No 45 of 2021 UAE Federal Data Protection Law.
  • Coordinate with the legal advisors and data controller when disclosing PII to law enforcement agencies.

Data Privacy Officer (CISO)

  • Serve as the primary point of contact for all data privacy-related matters within the organization.
  • Ensure that employees, contractors, and vendors are informed and trained about their responsibilities regarding data privacy.
  • Oversee the compliance monitoring with the Data Privacy Policy and conduct regular audits.
  • Investigate any breaches of personal data and ensure proper reporting and corrective actions.
  • Liaise with regulatory bodies and ensure that the organization adheres to the latest privacy laws and standards.

Human Resources (HR) Division

  • Ensure that all employees, including contractors and volunteers, sign formal confidentiality agreements as part of their onboarding process.
  • Conduct privacy and information security awareness training sessions at least once a year.
  • Manage employee personal information securely, ensuring that access is restricted to authorized personnel only.
  • Implement disciplinary actions for violations of the Data Privacy Policy in line with HR policies and procedures.

Partnership & Investment Office

  • Include Data Privacy and Information Security requirements in the Memorandums of Understanding and agreements.

Information Technology Division

  • Implement technical controls to protect personal data from unauthorized access, modification, or disclosure.
  • Respond to and mitigate any incidents involving the leakage or breach of personal data.

Cybersecurity Section

  • Oversee the implementation of technical controls to protect personal data from unauthorized access, modification, or disclosure
  • Conduct security assessments to identify vulnerabilities in systems that store or process personal data.
  • Monitor and review incident reports involving the leakage or breach of personal data.

Division Directors and Section Managers

  • Ensure that their respective teams comply with the Data Privacy Policy.
  • Promote a culture of privacy and security within their divisions.
  • Report any suspected data privacy incidents to the DPO or CISO immediately.
  • Ensure that personal data collected for business purposes is handled in accordance with the policy guidelines.

Employees, Contractors, Interns and Volunteers

  • Adhere to the Data Privacy Policy and related procedures when handling personal data.
  • Report any data breaches or suspicious activities related to personal data to their immediate supervisor, the DPO, or the CISO.
  • Participate in privacy and security awareness training as required.
  • Maintain the confidentiality of personal data, both during and after their working period with the organization.

5. Policy

5.1 General Requirements

  1. All employees, contractors, vendors, consultants, trainees, and volunteers are required to sign a formal undertaking concerning the need to protect the confidentiality of information, both during and after contractual relations with ADAFSA.
  2. Information regarding ADAFSA's customers or other people dealing with ADAFSA shall be labeled secret and sensitive at all times. Handling of secret and sensitive information shall be done as mentioned in the ADAFSA's Data Classification Policy.
  3. HR Division and Cybersecurity Section shall ensure that all employees are fully aware of their legal and corporate duties and responsibilities concerning the inappropriate sharing and releasing of information, both internally within ADAFSA and to external parties. This awareness shall be done through introduction programs and ongoing security awareness training.
  4. ADAFSA shall ensure the following to safeguard the privacy of the employees:
    • Contractual agreements and non-disclosure agreements shall be signed between employee and ADAFSA.
    • Awareness sessions shall be conducted at least once a year on the importance of the privacy of customers and employees.
    • In the event of any ADAFSA private information and personal data leakage, ADAFSA shall set accountability for the same in line with the Human Resource Security Policy.

5.2 Employee Personal Information

  • All personal information of employees, outsourced employees, contractors, sub-contractors, trainees and volunteers held by ADAFSA (such as salary details, medical information, personal and family information, passport and visa details etc.) shall be protected from unauthorized access, modification and disclosure.
  • Personal information of employees such as contact numbers, addresses, email addresses and other information stored by any ADAFSA division shall not be shared with external parties. It shall be shared only if required, and only with the consent of the employee concerned.
  • Employee Medical records and background verification checks conducted at the time of the employee joining shall be stored securely. This shall be maintained as sensitive and secret information and shall not be shared unless there is a specific requirement from the government and approved by the ADAFSA management.
  • Personal information shall not be disclosed to anybody without written consent from the individual, except when required to be disclosed in a court of law or to comply with any other UAE governmental regulation.

5.3 Type of Private Information

ADAFSA may collect personal and private information for the purpose of operating its core business. The private information may include but is not limited to the following:

  • Demographic: Name, age, gender, nationality, family and siblings, ethnic background, etc.
  • Contact information: Email, Phone, Mobile, social media, IP address, user accounts
  • Professional: Qualifications, experience, skillset, trainings taken
  • Geographic: Address, GPS coordinates, GIS information, Location-based data
  • Health: BMI and other personal health related data
  • School Related: Attendance, grades, assessments
  • Economical: Family income, place of work, work-related details, financial data
  • Social: Complaints, sentiments, feedback

The data may be collected through various systems, including but not limited to those listed below:

  • Enterprise systems
  • ADAFSA Website
  • Microsites and portals
  • Registration forms
  • Surveys
  • Customer centre
  • Social media
  • Paper based applications

5.4 Protection of Customer/Clients Information

Due to the nature of ADAFSA's business, the organization collects personal information from customers. This personal information shall be treated as secret and sensitive in nature, and appropriate security controls shall be implemented to safeguard it. For controls related to customer information, the reason for the data collection shall be provided.

5.5 Disclosing data

Under specific circumstances and when required, ADAFSA can disclose PII to law enforcement agencies without obtaining consent from the PII principal. However, ADAFSA will ensure the request is legitimate by seeking assistance from the legal advisors, when necessary.

6. Exception

  1. Any exception to this policy must be handled by sending a special request to the CISO, giving a business justification.
  2. Such requests are subject to the CISO’s review and approval.

7. Changes to this Privacy statement

ADAFSA reserves the right to revise this policy as it deems fit. At any given time, the latest version of the policy statement will be published.

8. Violations and Enforcement

Any users violating this policy shall be subjected to disciplinary action in accordance with HR policies and procedures.

9. Reference Documents/ Standards

  • ADAFSA Information Security Policy – ADAFSA-ISP-00-00
  • ISO/IEC 27001:2022 Information Security, Cybersecurity and Privacy Protection — Information Security Management Systems Requirements
  • NESA UAE Information Assurance Standards
  • Information Security Policy – Abu Dhabi Government Version 2.0 – Reference Guideline
  • Information Security Standards – Abu Dhabi Government Version 2.0 – Reference Guideline
  • UAE Law No 45 of 2021 UAE Federal Data Protection Law
  • Federal Law No. 12 of 2016 amending Federal Law No.5 of 2012 on Combating Cybercrimes
  • Federal Law No.1 of 2006 on Electronic Commerce and Transactions
  • Ministerial Resolution No. 1 of 2008 regarding the Issuance of Certification Service Provider Regulations
  • Guidelines to website owners and internet services – TDRA
  • Prohibited Content Categories – TDRA
  • Internet Access Management Regulatory Policy – TDRA
