Data Protection and Privacy Policy

(Including Information Security, Cybersecurity, and Data Governance Framework)

Policy Statement

An-Najah National University (hereinafter “the University”) is committed to protecting the privacy, confidentiality, integrity, and availability of all personal data, institutional information, and digital assets processed across its academic, administrative, research, and digital environments.

The University recognizes that effective data protection and cybersecurity are fundamental to institutional trust, academic integrity, operational continuity, and compliance with applicable laws and international best practices, including principles aligned with the Palestinian General Data Protection Regulation (GDPR) and ISO/IEC 27001 standards.

Purpose

This Policy establishes a unified institutional framework for:

• Protecting personal data and privacy rights 

• Securing information and ICT infrastructure 

• Governing acceptable use of digital resources 

• Ensuring responsible data management and archiving 

• Managing cybersecurity risks and incidents 

• Supporting secure research and data handling 

• Ensuring business continuity and disaster recovery 

• Promoting awareness and compliance across the University 

Scope

This Policy applies to:

• All University staff, faculty, students, researchers, and contractors 

• All information systems, networks, devices, and digital platforms owned or operated by the University 

• All personal and institutional data processed in academic, administrative, and research contexts 

• All third-party service providers handling University data 

Core Principles of Data Protection

The University shall ensure that all data processing activities follow the principles of:

• Lawfulness, fairness, and transparency 

• Purpose limitation 

• Data minimization 

• Accuracy and integrity 

• Storage limitation 

• Confidentiality and security 

• Accountability and governance 

Information Security Policy

The University shall implement an Information Security Management System (ISMS) to ensure:

• Protection against unauthorized access, alteration, disclosure, or destruction 

• Secure authentication and access control mechanisms 

• Encryption of sensitive and confidential data 

• Continuous monitoring of information systems 

• Regular vulnerability assessments and security audits 

All institutional data shall be protected according to its classification level.

Cybersecurity Policy

The University shall implement cybersecurity controls including:

• Network security monitoring and intrusion detection systems 

• Firewalls, endpoint protection, and anti-malware systems 

• Secure configuration of servers, applications, and cloud services 

• Multi-factor authentication for critical systems 

• Continuous threat intelligence and risk monitoring 

Cybersecurity governance shall align with internationally recognized frameworks such as NIST Cybersecurity Framework.

Acceptable Use of ICT Resources

Users must comply with the following:

• ICT resources shall be used for authorized academic and administrative purposes only 

• Prohibited activities include unauthorized access, hacking, data theft, or system disruption 

• Users must not share credentials or bypass security controls 

• Personal use of systems must not interfere with institutional operations 

• The University reserves the right to monitor usage for security and compliance purposes 

Records Management and Electronic Archiving

The University shall ensure:

• Proper classification, storage, and retention of records 

• Secure electronic archiving systems with access controls 

• Retention schedules aligned with legal and institutional requirements 

• Protection of records from loss, alteration, or unauthorized destruction 

• Secure disposal of records at end-of-life 

Information Classification and Handling

All institutional information shall be classified into:

• Public 

• Internal Use Only 

• Confidential 

• Highly Confidential / Restricted 

Handling requirements:

• Access based on least privilege principle 

• Encryption for confidential and sensitive data 

• Secure transmission protocols for data exchange 

• Physical and digital safeguards proportional to classification level 

Research Ethics and Human Data Protection

All research involving human participants must ensure:

• Informed consent prior to data collection 

• Ethical approval from relevant institutional review boards 

• Anonymization or pseudonymization of personal data where applicable 

• Secure storage of research datasets 

• Restricted access to sensitive research data 

• Compliance with international ethical standards (e.g., Helsinki Declaration principles) 

Information Security Incident Response

The University shall maintain an Incident Response Framework that includes:

• Detection and reporting of security incidents 

• Immediate containment and mitigation measures 

• Investigation and root cause analysis 

• Communication protocols for stakeholders 

• Documentation and post-incident review 

• Continuous improvement of security controls 

All incidents must be reported to the designated Information Security Unit immediately.

Backup and Disaster Recovery

The University shall ensure:

• Regular automated backups of critical systems and data 

• Off-site and secure storage of backup data 

• Defined Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO) 

• Periodic disaster recovery testing 

• Business continuity planning for critical services 

Information and Privacy Risk Management

The University shall:

• Conduct regular risk assessments for all systems and processes 

• Identify threats, vulnerabilities, and potential impacts 

• Implement risk mitigation and treatment plans 

• Maintain a centralized risk register 

• Integrate privacy impact assessments for high-risk processing activities 

Website Privacy Notice and Digital Services

The University website and digital platforms shall:

• Clearly inform users about data collection and usage 

• Collect only necessary personal data 

• Use cookies and tracking technologies transparently 

• Provide user rights including access, correction, and deletion where applicable 

• Ensure secure transmission of data via encrypted channels (HTTPS) 

• Include contact details for privacy-related inquiries 

Annual Awareness and Training Program

The University shall implement an annual program covering:

• Cybersecurity awareness training for all staff and students 

• Data protection and privacy best practices 

• Phishing and social engineering prevention 

• Secure use of digital tools and platforms 

• Mandatory induction training for new employees and students 

• Regular simulation exercises (e.g., phishing tests) 

Governance and Responsibilities

• University President: Overall accountability 

• Computer Center: Technical implementation 

• Information Security Officer (ISO): Security governance 

• Data Protection Officer (DPO): Privacy compliance oversight 

• Faculties and Departments: Operational compliance 

• Users: Personal responsibility for adherence 

Compliance and Enforcement

Failure to comply with this Policy may result in:

• Suspension of system access 

• Disciplinary action according to university regulations 

• Legal action where applicable 

• Reporting to relevant authorities in severe cases 

Policy Review

This Policy shall be reviewed:

• Every two years, or 

• Upon significant legal, technological, or institutional changes 

Effective Date: October 12, 2016

Last Review Date: Jun 18, 2025