Governance

Compliance with the General Data Protection Regulation (GDPR) or Equivalent National Data Protection Regulations

Data Protection Policy

Policy Managed By

Data Protection Policy is managed by the Digital Technologies Center and the Legal Department.

Description

Andijan State Technical Institute (ASTI) is committed to ensuring the lawful, secure, and transparent processing of personal data in accordance with the Law of the Republic of Uzbekistan "On Personal Data" (Law No. ZRU-547), national information security regulations, and the institute's internal policies on digital governance, cybersecurity, and information management. Although Uzbekistan is not subject to the European Union's General Data Protection Regulation (GDPR), ASTI has established institutional practices that closely align with internationally recognized data protection principles, including legality, transparency, data minimization, purpose limitation, confidentiality, integrity, and accountability.

At the institutional level, ASTI has adopted internal regulations governing the collection, storage, processing, transmission, and protection of personal data belonging to students, academic staff, employees, applicants, researchers, and external stakeholders. These regulations apply across all university information systems, including the Student Information System, Human Resource Management System, Learning Management System (Moodle), Electronic Document Management System (EDMS), Research Information System, Finance System, and the university's official web portal.

The implementation of institutional data protection measures is coordinated by the Digital Technologies Center, in cooperation with the Legal Department, Information Security specialists, and the university administration. These units are responsible for ensuring compliance with national legislation, monitoring information security risks, implementing technical safeguards, and regularly reviewing institutional data protection procedures.

To protect personal information, ASTI applies role-based access control, user authentication, password management policies, encrypted communications, secure server infrastructure, firewall protection, antivirus software, automatic database backup, disaster recovery procedures, and continuous monitoring of ICT infrastructure. Only authorized personnel are permitted to access confidential information according to their official responsibilities.

The university also ensures that personal data are collected only for clearly defined educational, administrative, research, and legal purposes. Individuals are informed about the use of their personal information during student admission, employment procedures, research participation, and digital service registration. Where appropriate, consent is obtained before processing personal data, and users are provided with information regarding their rights to access, update, correct, or request deletion of their personal information in accordance with applicable legislation.

Regular awareness programs, cybersecurity training sessions, and digital literacy workshops are organized for academic staff, administrative personnel, and students to promote responsible handling of personal information and compliance with institutional information security policies. Internal audits and periodic ICT system reviews further strengthen the university's commitment to maintaining high standards of privacy protection and cybersecurity.

Through these institutional measures, Andijan State Technical Institute demonstrates a strong commitment to protecting personal data, maintaining information security, and ensuring responsible digital governance in line with national legislation and internationally recognized data protection principles.

Evidence

No Evidence Description
1 Personal Data Protection Policy Institutional policy regulating the collection, processing, storage, retention, and protection of personal data in accordance with the Law of the Republic of Uzbekistan "On Personal Data".
2 Information Security Policy Internal policy governing cybersecurity, network protection, user authentication, password management, and ICT security procedures.
3 Digital Technologies Center Responsible unit managing university information systems, cybersecurity, data protection, and digital infrastructure.
4 Role-Based Access Control (RBAC) User access permissions implemented across Student Information System, HR, Finance, Library, Moodle LMS, and Electronic Document Management System.
5 Electronic Document Management System (EDMS) Secure digital document workflow with authenticated access and electronic approval mechanisms.
6 Database Backup & Disaster Recovery Procedures Daily automated backup, secure storage, and recovery procedures ensuring data availability and business continuity.
7 Cybersecurity Awareness Training Regular training programs for students and employees on information security, phishing prevention, password security, and responsible data handling.
8 Annual ICT Security Audit Periodic evaluation of ICT infrastructure, access control mechanisms, network security, and compliance with institutional policies.
9 Privacy Notice for Students and Employees Information provided regarding the collection, processing, storage, and protection of personal data within university services.
10 ICT Incident Response Procedure Institutional procedure for reporting, investigating, and responding to information security incidents and potential personal data breaches.

Additional Evidence (Examples)

  • Personal Data Protection Policy (Institutional Regulation)
  • Information Security Policy
  • ICT Security Management Regulation
  • Student Information System Privacy Notice
  • Employee Privacy Notice
  • Digital Technologies Center Organizational Structure
  • ICT Risk Assessment Report
  • Annual Information Security Audit Report
  • Electronic Document Management System (EDMS) Screenshots
  • Moodle LMS Authentication Screenshots
  • Student Portal Login Screenshots
  • Database Backup Logs
  • Firewall Monitoring Dashboard
  • Cybersecurity Training Certificates
  • ICT User Guidelines and Acceptable Use Policy