1. Introduction

Data protection ensures that individuals’ privacy rights are safeguarded when their personal data is collected, processed, stored, or otherwise handled. Kalasalingam academy of research and education (“the university”) collects and uses personal data relating to its students, faculty, staff, researchers, alumni, and other individuals who interact with the university, collectively referred to as “data subjects”.

In order to respect and protect the privacy rights of these individuals, the university is committed to complying with applicable data protection laws and regulations, including the digital personal data protection act, 2023 (india), the information technology act, 2000, and relevant rules and guidelines issued by statutory and regulatory authorities such as the university grants commission (ugc) and other competent bodies (collectively referred to in this policy as “data protection laws”).

These laws not only provide individuals with rights in relation to their personal data but also impose obligations and responsibilities on the university and all persons who process personal data on its behalf. The university recognizes its duty to ensure that personal data is handled in a lawful, fair, and transparent manner, and that appropriate technical and organizational measures are implemented to safeguard such data against unauthorized access, disclosure, alteration, or destruction.

This policy establishes the framework within which the university ensures compliance with data protection laws and promotes a culture of privacy, accountability, and responsible data management across all its academic, administrative, and research activities.

2. Purpose

This policy is a statement of the university’s commitment to protect the rights and privacy of individuals in accordance with applicable data protection laws in india, including the digital personal data protection act, 2023 and the information technology act, 2000 (as amended) (collectively referred to in this policy as the “data protection laws”).

It sets out responsibilities for all members of the university, including managers, employees, students, contractors, and any other individuals who may access or use personal data in the course of their work for, or studies with, the university.

3. Personal data and ‘sensitive personal data’

Personal data refers to any information that can be used to identify a living individual, either directly or indirectly. Even when separate pieces of information do not identify a person on their own, they may be considered personal data if, when combined, they can lead to the identification of an individual. Identifiers such as a person’s name, identification number, contact details, location data, or online identifiers, as well as characteristics related to physical, mental, economic, cultural, or social identity, may be used to recognize an individual.

In general, any information relating to a living person who can be identified from the available data, or from data that could reasonably be accessed, will be treated as personal data. This also includes pseudonymised data, where identifying details are replaced with codes or symbols. Although such data does not directly reveal the identity of the individual, identification may still be possible by linking it with additional information. Illustrative examples of personal data are provided in appendix f.

Certain types of personal data require a higher level of protection due to their sensitive nature. Under applicable indian laws, including the digital personal data protection act, 2023 and relevant provisions of the information technology act, 2000, such data is classified as ‘sensitive personal data’.

These include categories such as:

• Financial information
• Health-related information
• Biometric identifiers
• Genetic information
• Data relating to minors
• Any other category as may be specified under applicable laws

Processing of such sensitive personal data is permitted only under specific conditions, such as obtaining explicit consent from the individual or where processing is authorized by law, as detailed in appendix b.

In addition, personal data relating to criminal offences or legal proceedings, although not classified as sensitive personal data, may be subject to additional safeguards and restrictions in accordance with applicable laws and institutional requirements (see appendix c).

Further clarification of the terminology used in this policy is provided in the definitions section.

4. Scope

4.1 what information is included in this policy?

This policy covers all personal data that is collected, generated, or received as part of the university’s academic, administrative, research, or operational activities, regardless of the date of creation. Personal data may exist in various forms, including paper records, physical storage media, and electronic systems, and may be stored, processed, or transmitted through any of these formats.

4.2 to whom does this policy apply?

This policy applies to:

• All individuals employed by or formally associated with the university who handle personal data as part of their roles or responsibilities;
• All students who process or access personal data, other than publicly available information, during their academic, project, or research activities
• Individuals engaged through third-party service providers, contractors, or subcontractors who process personal data while performing services for the university;
• Interns, trainees, visiting scholars, research collaborators, and volunteers associated with the university;
• Members of the university’s governing bodies or committees while carrying out their official functions.

All such individuals are hereinafter collectively referred to as “members”.

4.3 where does the policy apply?

This policy applies to all environments where university-related personal data is accessed or processed, including on-campus locations, off-site facilities, and remote working arrangements, as well as through digital and cloud-based platforms.

5. Data protection principles

The institution shall be accountable for, and capable of demonstrating, adherence to the following data protection principles in accordance with applicable indian data protection laws.

Personal data shall be:

• Handled in a lawful, fair, and transparent manner with respect to the individual;
• Collected and processed solely for clearly defined, specific, and legitimate purposes;
• Relevant, adequate, and restricted to what is necessary for the intended purpose;
• Maintained with accuracy and updated whenever required;
• Stored only for the duration necessary to fulfill the purpose;
• Protected through appropriate security measures to ensure confidentiality and integrity

These principles apply to all entities and individuals processing personal data within the institution. Non-compliance with these principles may result in violations under the applicable data protection regulations. A detailed explanation of each principle is provided in the subsequent sections.

5.1 processing of personal data in a lawful, fair and transparent manner

Whenever kare collects personal data, it is required to provide relevant information to the individual to whom the data relates. This obligation applies whether the data is obtained directly from the individual or indirectly through another source. Such information shall be communicated through a privacy notice (or equivalent notice in digital platforms such as websites or applications). Additionally, kare must ensure that every processing activity is supported by a valid legal ground as prescribed under applicable indian data protection laws, including the digital personal data protection act, 2023.

5.1.1 privacy notices

When should a privacy notice be provided?

• If personal data is collected directly from the individual, the privacy notice must be provided at the time of data collection.
• If personal data is collected from another source, the privacy notice must be provided:
• Within a reasonable period, not exceeding one month from the date of collection;
• At the time of first communication with the individual, if the data is used for communication purposes;
• At the time of first disclosure, if the data is intended to be shared with another party

What information must be included in a privacy notice?

The privacy notice must clearly inform individuals about:

• The identity of the institution collecting the data (e.g., kalasalingam academy of research and education or specific departments);
• The purpose(s) for which the personal data is being collected and used;
• The legal basis or authorization under which the data is processed;
• The categories and nature of personal data being processed;
• The duration for which the data will be retained;
• Details of recipients or categories of recipients with whom the data may be shared;
• Contact details of the designated data protection officer or responsible authority;
• Information regarding any transfer of personal data outside india along with applicable safeguards;
• In cases of indirect data collection, the source and categories of such data.