Misr University for Science and Technology is a leading academic institution committed to protecting the privacy and personal data of all its affiliates, in accordance with the highest academic and professional standards. This Policy establishes the regulatory and legal framework governing the collection, processing, storage, and disclosure of personal data, thereby ensuring the safety and protection of rights of the entire University community.

The provisions of this Policy apply to all entities within the University that handle personal data, including: senior management, colleges, academic departments, student affairs directorates, human resources, information technology, affiliated hospitals, and all authorised external parties.

1. Categories Covered

• Faculty members and teaching assistants at all academic ranks.
• Undergraduate, postgraduate (Master’s and Doctoral) students.
• All students who have applied for enrollment (undergraduate, postgraduate, and doctoral) whose admission procedures have not yet been completed.
• Administrative, technical, and support staff.
• Visiting researchers, visiting professors, and trainees.
• Applicants for admission or employment, and alumni.
• Service suppliers and external contractors affiliated with the University

1. Geographical & Technical Scope

• All University premises, campuses, and research centres.
• Electronic systems and digital platforms owned by the University.
• Remote work arrangements and officially approved cloud-based systems.
• Any processing occurring outside the campus under formal authorisation

Governing Principles

• Lawfulness, Legal Controls & Transparency: Data is processed only for legitimate purposes and with the knowledge of the data subject.
• Purpose Limitation: Data is collected for specified, explicit, and legitimate purposes only.
• Data Minimisation: Only data strictly necessary to achieve the stated purpose is collected.
• Accuracy & Currency: The University ensures data is accurate and regularly updated.
• Storage Limitation: Data is not retained longer than necessary to fulfil the stated purpose.
• Integrity & Confidentiality: Data is protected against unauthorised access, loss, or damage.
• Accountability: The University appoints a Data Protection Officer and maintains processing records.

Technical Measures

• Data encryption using AES-256 standard at rest and TLS 1.3 protocol in transit.
• Multi-Factor Authentication (MFA) on all sensitive systems.
• Role-Based Access Control (RBAC) with the principle of least privilege.
• Continuous 24/7 security monitoring and real-time threat detection.
• Periodic encrypted data backups with regular restoration testing.
• Periodic penetration tests and annual independent security audits.

Organisational Measures

• Regular awareness and training programmes for all staff on data protection.
• Mandatory confidentiality agreements for all who handle personal data.
• Clean Desk & Clear Screen Policy enforced across all workstations.
• Procedures to verify the data processing practices of external service providers.

In the event of any actual or suspected personal data breach, the University follows the procedures below:

• Discovery & Reporting: Any person who discovers a breach must immediately notify the Information Security team via the dedicated channel (info@must.edu.eg).
• Containment (within 1 hour): Isolate affected systems, restrict access, and collect digital evidence.
• Assessment (within 24 hours): Determine the scope of the breach, the type of data affected, and the number of individuals impacted.
• Notification (within 72 hours): Notify the relevant regulatory authorities in accordance with applicable legal requirements.
• Notifying Affected Individuals: Notify affected data subjects without delay through appropriate means.
• Investigation & Remediation: Conduct a thorough investigation and apply the necessary corrective measures.
• Documentation & Reporting: Produce complete documentation of the incident and a final report with improvement recommendations.

The University does not share personal data with external parties except in the following cases:

• Compliance with applicable legal, regulatory, and judicial requirements.
• Service delivery by external providers bound by approved data processing agreements.
• Academic accreditation by internationally licensed bodies under confidentiality agreements.
• Joint scientific research with partner universities under documented data-sharing agreements.
• Medical emergencies to protect human life, using the minimum data strictly necessary.

All external service providers are required to sign a Data Processing Agreement in accordance with the University’s approved template and are subject to periodic security assessments. No data may be transferred outside the jurisdiction except under appropriate safeguards in accordance with applicable legislation.

Intentional or negligent violation of this Policy constitutes a disciplinary offence, resulting in the following measures:

• First Violation (unintentional): Written warning with mandatory data protection retraining.
• Repeated or Negligent Violation: Formal disciplinary proceedings that may lead to suspension from work.
• Serious or Intentional Violation: Referral to the Disciplinary Board, potentially resulting in contract termination.
• Criminal Violations: Referral to the competent judicial authorities in accordance with applicable law.

This Policy does not constitute a barrier to any legal rights of affected individuals to seek recourse through the courts or competent regulatory authorities.

Policy of Data_Protection