Data Protection and Privacy Policy

The Data Protection and Privacy Policy ensures that all AIES Approved Centers handle personal and sensitive information with the highest level of confidentiality and security. This policy outlines the requirements for collecting, storing, and using data in compliance with AIES standards and applicable local and international data protection laws.

Key Principles:

  1. Compliance with Data Protection Laws
    Centers must comply with all relevant local, national, and international data protection laws, including but not limited to GDPR (General Data Protection Regulation), as applicable. This includes ensuring that all data handling practices meet legal requirements for the protection of personal information.

  2. Collection of Personal Data
    Centers must collect personal data from students and staff only when it is necessary for educational or administrative purposes. This includes, but is not limited to:

    • Student enrollment information (e.g., name, contact details, educational background).
    • Staff employment information.
    • Assessment and exam records.

    Centers should inform individuals of what data is being collected, the purpose of collection, and how the data will be used.
  3. Consent and Transparency
    Centers must obtain clear and informed consent from individuals before collecting their personal data. This means:

    • Ensuring individuals are aware of how their data will be used, stored, and shared.
    • Providing a transparent data privacy policy outlining the center’s data collection practices.
    • Allowing individuals to withdraw consent at any time, in accordance with data protection regulations.
  4. Data Storage and Security
    All personal data collected must be securely stored to prevent unauthorized access, loss, or theft. Centers must:

    • Use secure storage systems, including encrypted digital storage and locked physical files.
    • Ensure access to personal data is restricted to authorized personnel only.
    • Regularly review and update security measures to protect against data breaches or cyber threats.
  5. Data Access and Sharing
    Personal data should only be accessed and shared on a need-to-know basis. Centers must:

    • Limit access to personal data to authorized individuals involved in program administration, assessment, and student support.
    • Share personal data with AIES only when necessary for administrative purposes (e.g., exam results, enrollment data).
    • Never share personal data with third parties without the explicit consent of the individual, except as required by law.
  6. Retention of Data
    Centers must retain personal data only for as long as it is necessary for the purposes for which it was collected. This includes:

    • Retaining student and staff records for the duration specified by AIES and any applicable legal requirements.
    • Ensuring that once data is no longer needed, it is securely deleted or destroyed in a manner that prevents unauthorized access or recovery.
  7. Data Breach Notification
    In the event of a data breach, centers are required to notify AIES and relevant authorities immediately. Centers must:

    • Investigate and take steps to contain the breach.
    • Inform affected individuals of the breach, the risks involved, and the measures taken to address it.
    • Implement corrective measures to prevent future breaches.
  8. Rights of Individuals
    Centers must respect the rights of individuals regarding their personal data, including the right to:

    • Access: Individuals have the right to request access to the personal data that a center holds about them.
    • Correction: Individuals can request corrections to any inaccurate or incomplete personal data.
    • Erasure: Individuals can request the deletion of their personal data when it is no longer necessary for the purposes for which it was collected.
    • Portability: Individuals can request the transfer of their personal data to another institution or organization in a commonly used format.
  9. Staff Training on Data Protection
    Centers must ensure that all staff members handling personal data are trained on data protection and privacy policies. This includes:

    • Understanding the legal requirements for data protection.
    • Recognizing potential risks and threats to data security.
    • Following best practices for secure data handling and storage.
  10. Auditing and Accountability
    AIES reserves the right to audit centers for compliance with data protection regulations and policies. Centers must maintain accurate records of their data protection practices and make them available for review as needed.

Consequences of Non-Compliance:

Failure to adhere to the Data Protection and Privacy Policy may result in disciplinary action, including potential removal of approved center status. Any data breaches or violations must be reported to AIES and appropriate authorities immediately.