Privacy Policy

SESP Data Storage, Backup, and Security Policy

SESP is committed to maintaining the highest standards of data security, confidentiality, integrity, and availability across all institutional IT systems. This policy governs the management, storage, protection, backup, and recovery of all electronic and physical institutional data.

All measures are aligned with national regulations including the
  • Saudi Personal Data Protection Law (PDPL)
  • National cybersecurity and cloud- computing regulations
  • SESP QMS, ISO 9001:2015 –aligned
  • Internal policies and procedures governing IS and access control

This policy aims to ensure that institutional information is protected from unauthorized access, loss, misuse, or breach, and that business continuity is maintained across all SESP operations.

Scope of IT Systems Covered

This policy applies to all SESP-managed IT systems, including but not limited to:

  • Student Information System (SIS)
  • Learning Management System (LMS)
  • HR & Payroll systems
  • Financial and procurement systems
  • Email and communication platforms
  • Local servers and on-site IT equipment
  • Cloud services and SaaS applications
  • Network infrastructure, including firewalls, routers, and switches
  • End-user devices (desktops, laptops, mobile devices)
  • Any third-party systems used to process, store, or transmit institutional data

Centralized Electronic Records & Data Management

SESP maintains a hybrid digital infrastructure built on cloud and on-premises systems to ensure secure, resilient, and efficient data management.

Electronic Records Management Systems (ERMS)
  • All core academic, administrative, financial, HR, and operational records are stored within secure, centralized systems.
  • All systems utilize industry-standard encryption and secure hosting (cloud or on-premises).
  • System access is governed by role-based access control (RBAC) with granular permissions aligned to job responsibilities.
  • User authentication is secured through strong password policies and, where supported, multi-factor authentication (MFA).

Related SESP Process:
SIS User Access and Permissions Procedure

Third-Party Platforms
  • Any third-party IT system must comply with PDPL and SESP’s data protection requirements.
  • Data-sharing agreements must include confidentiality, security, and breach-notification clauses.

Data Storage and Encryption

SESP uses a combination of cloud-based and on-premises solutions, all built to protect data confidentiality and integrity.

Data Encryption Standards 6
  • Data in transit: Encrypted using TLS 1.3 or higher.
  • Data at rest: Encrypted using AES-256 or equivalent.
  • Encryption is applied across all systems handling personal, academic, financial, HR, or operational data.
Data Classification

All institutional data is assigned a classification level:

  • Level 4 Confidential (e.g., personal data, student records, HR files)
  • Level 3 Restricted (e.g., internal reports, operational documents)
  • Level 2 Internal Use
  • Level 1 Public Information

Handling of each category follows PDPL and internal SESP security requirements.

Backup, Redundancy, and Disaster Recovery

SESP maintains a robust, multi-layered backup and redundancy strategy to ensure continuity of operations.

Backup Procedures
  • Automated backups of all critical systems occur daily (or more frequently for high-priority systems).
  • Backups are stored in secure, geographically separate locations, including cloud-based redundancy.
  • Backup files are encrypted at rest.
Backup Types
  • Full backups (scheduled weekly)
  • Incremental/differential backups (scheduled daily)
  • Real-time replication for mission-critical systems (where applicable)
Disaster Recovery
  • DRP is tested annually to verify system readiness and response procedures.
  • In case of data loss, systems can be restored from the latest verified backup.

Physical Records and On-Site Data Storage

While digital-first systems are the operational norm at SESP, some records require physical storage.

Physical Storage Controls
  • Physical documents are stored in locked, access-controlled locations .
  • Only authorized staff may access records based on their job function.
  • Sensitive records are logged to track access and movement.
On-Site Hardware Security
  • Server rooms are secured using access control, temperature regulation, and 24/7 monitoring.
  • Network equipment is protected against tampering, theft, and environmental hazards.

Access Controls and User Security

SESP enforces strict measures to ensure that only authorized individuals access sensitive information.

Permissions and Authentication
  • Role-based access control (RBAC) is applied across all systems.
  • Periodic access reviews ensure alignment with current job functions.
  • Accounts of departing employees are deactivated immediately.
Staff Security Training
  • All IT system users must participate in data privacy, cybersecurity, and PDPL awareness training.
  • All Employees are required to sign confidentiality agreements.
  • Regular reminders and workshops reinforce security best practices.

Data Privacy, Confidentiality, and Compliance

SESP adheres strictly to PDPL and all relevant regulations governing personal data and institutional records.

Student and Employee Data Confidentiality
  • Access to personal data is strictly limited to authorized personnel.
  • Students may request access to their own records through a formal process.
  • Data may only be shared externally with explicit written consent, unless otherwise required by law.
PDPL Compliance

SESP ensures compliance by:

  • Implementing secure data processing practices
  • Ensuring purpose-specific data collection
  • Minimizing retained personal data
  • Enforcing breach-notification procedures
  • Maintaining data subject rights

Monitoring, Auditing, and Incident Response

SESP continuously monitors and evaluates its IT systems to identify security risks and respond proactively.

Monitoring and Logging
  • System logs are generated for user activity, system changes, and access events.
  • Logs are securely stored and monitored for irregularities.
Security Audits
  • Annual internal audits assess compliance with PDPL, cybersecurity policies, and best practices.
  • External audits may be conducted when required by contracts or regulatory bodies.
Incident Response
  • Incidents are logged, investigated, and addressed according to severity.
  • PDPL breach reporting requirements are followed.

Policy Review and Continuous Improvement

  • This policy is reviewed annually by the IT Department and Quality Management to ensure ongoing relevance and compliance.
  • Updates are issued when technological, regulatory, or operational changes require improvement.

Related Documentation

Internal SESP Documents
  • QMS Manual - Information Management (Clauses 7.5, 8.1, 9.2)
  • Communications Matrix
  • Personnel Records Policy
  • PDPL Compliance Checklist
  • Confidentiality Agreement Template
  • Records Management Policy
  • Release of Trainee Information Policy
External Requirements
  • Saudi PDPL
  • National Cybersecurity Authority (NCA) controls
  • Cloud Computing Regulatory Framework (CCRF)
  • International standards (ISO 27001, ISO 9001 references)

Quick Links

Academics & Admissions

News & Media

Contacts

© SESP 2024 All rights reserved.