info@nissa.gov.ly
+218 21 3614115

Data Privacy Policy

Information Classification Policy

Introduction

It is essential for “Organization” to classify its information assets in order to manage and protect them. The various departments at “Organization” hold many types of documents and data. Each business unit or department should classify its data by considering the potential for harm to individuals or to “Organization” in the event of unintended disclosure, modification or loss. This is done by identifying which information must be protected and which information may be made open to the public and to third parties.

Purpose

In order to preserve the appropriate confidentiality, integrity and availability of “Organization’s” information assets, the information classification policy describes the principles that must be followed to protect information, by specifying how, and to whom, information with a particular classification may be distributed.

This policy provides the basis for protecting the confidentiality of data at “Organization” by establishing a data classification system. Further policies and standards will specify handling requirements for data based on their classification.

Domain

This policy applies to all data or information that is created, collected, stored or processed by “Organization”, in electronic or non-electronic formats, irrespective of where the data is located or the type of device it resides on. It applies to all staff, and to third parties who interact with information held by or on behalf of “Organization”.

Policy

All data at “Organization” shall be assigned one of the following classifications. A collection of diverse information shall be classified at the most restrictive classification level of any individual component within the aggregated information.

1. Confidential (restricted): Information that is classified as confidential or restricted includes data that can be catastrophic to one or more individuals and/or organizations if compromised or lost. Such information is frequently provided on a “need to know” basis and might include:

  • Personal data, including personally identifiable information such as Social Security or national identification numbers, passport numbers, credit card numbers, driver’s license numbers, medical records.
  • Financial records, including financial account numbers such as checking or investment account numbers.
  • Business material, such as documents or data that is unique or specific intellectual property.
  • Legal data, including potential attorney-privileged material.
  • Authentication data, including private cryptographic keys and username/password pairs.

2. For internal use only (sensitive): Information that is classified as being of medium sensitivity includes files and data that would not have a severe impact on an individual and/or organization if lost or destroyed. Such information might include:

  • Email, most of which can be deleted or distributed without causing a crisis (excluding mailboxes or email from individuals who are identified in the confidential classification).
  • Documents and files that do not include confidential data.
  • Anything that is not confidential. This covers most business data, since most files that are managed or used day to day can be classified as sensitive.

3. Public (unrestricted): Information that is classified as public includes data and files that are not critical to business needs or operations. This classification can also include data that has deliberately been released to the public for their use, such as marketing material or press announcements. In addition, this classification can include data such as spam email messages stored by an email service.

4. “Organization” associates shall be guided by the information category in their security-related handling of “Organization” information.

Information Protection Policy

Introduction

Information is a major asset that “Organization” has a responsibility and a requirement to protect. Information at each classification level should be appropriately protected against modification or disclosure in storage, in transit and at the point of access.

Purpose

The Information Protection Policy addresses the stocks of information (electronic data or paper records) that “Organization” maintains, as well as the people who use them, the processes they follow and the physical computer equipment used to access them. All of these areas are addressed to ensure that high standards of confidentiality, quality and availability of information are maintained.

The following policy details the basic requirements and responsibilities for the proper management of information assets at “Organization”. The policy specifies the means of information handling and transfer within the Business.

Domain

This Policy applies to all the systems, people and business processes that make up the Business’s information systems. This includes all Executives, Committees, Departments, Partners, Employees, contractual third parties and agents of “Organization” who have access to Information Systems or information used for “Organization” purposes.

Information Asset Owners

  • All important information assets must have a nominated owner and should be accounted for. An owner must be a member of staff whose seniority is appropriate to the value of the asset they own. The owner’s responsibility for the asset, and the requirement that they maintain it, should be formalized and agreed.
  • Items of information that have no security classification and are of limited or no practical value should not be assigned a formal owner or inventoried. Information should be destroyed if there is no legal or operational need to keep it, and temporary owners should be assigned within each department to ensure that this is done.
  • For new documents that have a specific, short-term, localized use, the creator of the document is the originator. This includes letters, spreadsheets and reports created by staff. All staff must be informed of their responsibility for the documents they create.
  • For information assets whose use throughout “Organization” is widespread, a corporate owner must be designated and the responsibility clearly documented. This should be the person who has the most control over the information.

Information storage

  • All electronic information will be stored on centralized facilities to allow regular backups to take place.
  • Employees should not be allowed to access information until they understand and agree to the legal responsibilities for the information that they will be handling.
  • Databases holding personal information will have a defined security and system management procedure for the records and documentation.
  • Files which are identified as a potential security risk should only be stored on secure network areas.

Disclosure of Information

  • Where restricted information is shared with another organization, it must not be disclosed to any other person or organization via an insecure method.
  • Where information is disclosed/shared it should only be done so in accordance with a documented Information Sharing Protocol and/or Data Exchange Agreement.
  • Disclosing restricted information to any external organization is also prohibited.

Record Retention and Destruction Policy

Introduction

Record retention and destruction is an important substantive component of many of the laws with which most corporations must comply, and it is often the vehicle by which compliance is established.

Purpose

The purpose of this policy is to ensure that necessary records and documents of “Organization” are adequately protected and maintained, and to ensure that records that are no longer needed by “Organization” or are of no value are discarded at the proper time.

Domain

This Policy applies to all records generated in the course of “Organization’s” operation, including both original documents and reproductions.

All employees should comply with any published records retention policies.

Policy

1. Accounting and Finance records include, but are not limited to:

  • Documents concerning payroll, accounting procedures, accounts payable ledgers and schedules, accounts receivable ledgers and schedules, employee expense reports, interim financial statements, and notes receivable ledgers and schedules. These should be retained for at least five years.
  • Annual audit reports and financial statements should be permanently retained; annual plans and budgets should be retained for the time required to implement them and/or refer to them as needed.

2. Contracts and Related Correspondence (including any proposal that resulted in the contract and all other supportive documentation) should be permanently retained.

3. “Organization” records (minute books, signed minutes of the Board and all committees, corporate seals, articles of incorporation, Contribution records and annual corporate reports) as well as licenses, property insurance and permits should have a permanent retention.

4. Documents judged to be valuable that have not been used or modified in the last 5 years may also be destroyed, except where these documents are subject to examination or review, are required in an ongoing legal proceeding, or where instructions/regulations set by the Ministry of Finance require them to be kept longer. Such documents may be destroyed only after the necessary procedures have been carried out to record their data or a summary of it.

5. Electronic documents:

  • Electronic documents: including Microsoft Office Suite and PDF files. Retention depends on the subject matter.
  • Electronic mail: not all email needs to be retained; this depends on the subject matter. Email that needs to be saved should be either printed in hard copy and kept in the appropriate file, or downloaded to a computer file and kept electronically or on disk as a separate file.
  • Web page files: on all workstations, Internet browsers should be scheduled to delete Internet cookies once per month.

6. Legal files and papers:

Permanent retention of the “Organization” legal archive, as follows:

  • Files of judicial proceedings and the decisions of preliminary and final judgments, decisions and orders of the courts, including all relevant files.
  • Legal notes and opinions issued by legal offices.

7. Personnel records:

  • Employee personnel files should have permanent retention, even after termination of the employee’s relationship with “Organization”.
  • Employment records (including individual attendance records, application forms, job or status change records, termination papers, test results, and training and qualification records) shall be retained as needed and for the necessary period, according to “Organization’s” estimates.
  • “Organization” should retain all job-interview-related documents (including written examinations, records, lists and all other documents relating to the exam) for a period of 2 years.

8. Records and documents for which “Organization” has the discretion to determine the retention period, based on its continued need for them:

  • Consultant’s reports.
  • Policy and procedures manuals (Original / Copies)
  • Annual reports.

9. Document destruction procedures:

  • Records must not be removed or destroyed before the retention period expires.
  • Once records have been retained for the applicable period of time, set forth in the record retention
  • Destruction of finance records shall be in accordance with budget and accounts procedures.
  • Destruction of financial and personnel-related documents, and of all paper documents, shall be accomplished by a method that prevents retrieval of the data.
  • Electronic data contained on all other media shall be destroyed by physically destroying that media.
  • Records must be destroyed securely and completely.
  • Destruction shall be recorded in a formal, documented process for data destruction within “Organization”.

Information Dissemination Policy

Introduction

This policy discusses the types of information that can be disseminated to internal and external groups, as well as the methods by which this information is disseminated. It also specifies which types of information will be disclosed and which will not.

  • Information not to be disclosed
    • Personal information includes staff records, medical information, information on salary and benefits.
    • Financial information.
    • Legal, disciplinary or investigative matters; the concerned person shall be notified by official means.
    • Deliberative information including e-mail, notes, letters, memoranda, draft reports.
    • All of the confidential information.
  • Information to be disclosed in connection with other organizations
    • Initial project abstracts.
    • Any information “Organization” deems necessary for dissemination.

Purpose

The purpose of this policy is to ensure that personal information and confidential information are protected from unauthorized use and disclosure, and to facilitate the identification of information that supports routine disclosure and active dissemination. This policy is also intended to protect the intellectual property of “Organization”.

Domain

This policy applies to all information produced, collected and stored by “Organization”.

Policy

  1. Information which is considered unrestricted can be open to the public and to all employees, as well as to third parties.

  2. Information which needs to be protected is accessed only by authorized persons, such as employees and contractors, on a “need-to-know” basis for business-related purposes. Such access should be granted for a specific period, as required and set by higher-level management.

  3. Confidential information is limited to individuals in a specific function, group or role. Pre-clearance based on position is required in order to access confidential information held by “Organization”.

  4. For restricted information, access is granted only to a limited number of named individuals, based on job position.

Access to Information Policy

Introduction

“Organization” will determine the extent to which security classification needs to be applied to information assets. The security classification of information assets should make clear what type of information can be viewed or accessed by members of “Organization” staff or by external parties. Higher levels of information, particularly sensitive or confidential information, require a higher level of authorization for access.

Purpose

The purpose of this policy is to limit the threat of losing or disclosing data that will affect the integrity, availability or confidentiality of data assets, by controlling the access to information with authorizations.

Domain

This policy applies to all reports, research information, and supporting documentation originally produced or collected by “Organization”.

Policy

  • Authorized individuals access only current and complete information.
  • Authorized users have access to, and can use, information when required.
  • Only authorized individuals, entities or processes access information, and the value of intellectual property is protected as needed.

Contact info

+218 21 361 4277

Albareed, Tripoli, Libya

All Rights Reserved Nissa © 2021