Prince Sultan University PSU
Compliance and Policies Office
Compliance Policies

Policy Code: COP0008
Policy Name: Compliance Confidentiality Policy
Handler: Compliance and Policies Office, Office of the President
Date Created: 22 January 2022
Date of Current Review: N/A
Approved by: University Council
Date of Approval: 25 May 2022

Purpose

The confidentiality policy provides the university with a framework for dealing with the challenge of maintaining private and confidential data. Every person at the university who is entrusted with confidential data therefore has an obligation to keep those data safe from theft or unauthorized access.

The University does not tolerate retaliation against those who report violations. Any individual who tries to retaliate will be subject to disciplinary action.

Policy

It is the policy of the Compliance and Legal Office at Prince Sultan University to make all necessary efforts to maintain the confidentiality of all complaints and investigations and to keep the files (hard copies) in a locked file in the Compliance and Legal Office.

Confidential information must be maintained properly by the Compliance and Legal Office, which has the right to access, use, and disclose it within the limits of its authority. Any confidential information, whether oral, written or electronic, should be maintained in a manner that safeguards its confidentiality.

The release of any such confidential information, or the unauthorized or inappropriate use of the confidential information, may negatively affect Prince Sultan University and may, in the worst of cases, result in a cause of action.

Definition

Confidential information: Confidential information is any document or communication, whether oral, written, or electronic, and includes facts, data, or points of view that may be in a graphic, numerical or narrative form. Confidential information includes but is not limited to students’ records, university employee data, payroll records, and research data.

Confidentiality is a set of rules that limits access or places restrictions on the use of certain types of information.

Procedure

The Senior Compliance and Legal Manager will keep all documents related to compliance breaches in a locked file cabinet in the office.

Only the reference number and the name of the case of breach related to non-compliance or a grievance shall be used in all the references.

Where disclosure is necessary, the reporting person's identification may be disclosed.

Responsibilities

Management

The university and the Compliance and Legal Office are responsible for ensuring that all University stakeholders are complying with the Compliance Confidentiality Policy. The management is also responsible for making all external parties aware of any changes to the policy.

Governance

All university members must comply with the Compliance Confidentiality Policy in connection with the collection and processing of confidential information on any ordinary day at the university. The overall responsibility for ensuring compliance with this policy rests with the Compliance and Legal Office and Human Resources Department.

Confidential Information Collection

The collection of confidential information should be limited to what is needed to fulfill and serve a specific purpose. All collection of confidential information by the management and the Compliance and Legal Office is governed by the Compliance and University policies.

User Responsibilities and Obligations

The Compliance and Legal Office is responsible for ensuring that appropriate steps are taken to protect confidential information with regard to its collection, access, use or disclosure.

The Compliance and Legal Office is expected to report any issues, problems, questions and concerns about this policy to the management. All users at the university should ensure that devices (computers, laptops, and other devices that use data) are maintained and operated securely with up-to-date anti-virus software, anti-spyware software, and other approved security applications. They should seek technical assistance to ensure compliance if needed.

Any member or user of the university must immediately report any discovery of any machine or storage device that has been misplaced, hacked, or lost, and report any confidential information that has been accessed by unauthorized individuals.

In case of any breach of confidentiality, or data information and security, the Compliance and Legal Office and the university management are expected to fully cooperate to take immediate action for investigation.

Procedure

Confidential Information's Accuracy

The Compliance and Legal Office at the university must be diligent to protect against making any errors due to carelessness or other oversights. The university must take all reasonable steps to ensure the accuracy and completeness of any confidential information that the Compliance and Legal Office collects or records.

Confidential Information’s Access, Use, Disclosure, Sharing and Release

The Compliance and Legal Office is only authorized to access, use, disclose or share confidential information for legitimate purposes.

The Compliance and Legal Office is expected to comply with all university policies, procedures and guidelines for the release of confidential information.

Acknowledgment of Confidentiality

The University requires that its members be provided with a copy of this Policy.

The Management must also regularly remind the Compliance and Legal Office of the importance of the confidentiality of sensitive information. The Compliance Office members are required to read and sign a Confidentiality Acknowledgment or non-disclosure agreement.

Failure to Comply with the Confidentiality Policy

Failure to comply with the Compliance Confidentiality Policy may result in disciplinary action.

All incidents involving theft or loss of confidential information shall be promptly addressed for investigation, reporting and remedial actions.

Accessing or Sharing Confidential Information with Third Parties

If the university needs to share confidential information with a third party, whether an organization or a person, the third party must sign a non-disclosure agreement or information-sharing agreement with the university. The Compliance and Legal Office is required to take all reasonable steps to ensure that the third parties are provided with access to records containing confidential information and shall approve the form of all such agreements. The third party’s access is limited only to the information absolutely necessary to perform his/her job task.

Retention and Destruction of Confidential Information

The Compliance and Legal Office is responsible for recording all the legal and regulatory requirements to identify the applicable retention period for the particular record and to comply with the compliance and University guidelines and procedures for the secure destruction of those records when the applicable retention period has expired.