6th September, 2018
5th October, 2018
14th June, 2019
IRIS NITK strictly forbids the sharing of personal data (such as private information and passwords). If it comes to IRIS NITK notice that information is being shared illegally, strict action will be taken against the offending party by NITK and IRIS NITK reserves the right to freeze the individual’s account and take necessary action as per the Information Technology Act, 2008 and its subsequent amendments 21
Glossary of Terms
Consent: An agreement which must be freely given, specific, informed and be an unambiguous indication of the data subject’s wishes by which they, by a statement or by a clear positive action, signifies agreement to the processing of personal data relating to them.
Data Controller: The person or organisation that determines when, why and how to process personal data. It is responsible for establishing practices and policies in accordance with the IRIS Data Policy. IRIS NITK is the Data Controller of all personal data relating to it. It is used for delivering education and training, conducting research and other purposes connected with it.
Data Protection impact assessment (DPIA): Data Protection tools and assessments are used to identify and reduce risks of a data processing activity. DPIA can be carried out as part of Privacy by Design and should be conducted for all major system or business change programs involving the processing of personal data.
Data Protection Law: The Data Protection Law governs how personal information is used by organizations and other businesses. In this policy. the Data Protection Law specifically governs the usage of personal data by IRIS NITK, the data policies and other associated parties.
Data Subject: A Data Subject is an identifiable individual whose personal data is being collected, held and processed by IRIS NITK.
Default Sharing: Data classified under ‘Default Sharing’ can be shared without specific permission from the user.
Employee: All Faculty (Temporary/ Non-Temporary) and Non-Teaching Staff (Temporary/ Non-Temporary) who work at NITK.
Faculty - All Teaching staff employed under NITK appointed as such under the NITK’s Policy and in accordance with its requirements.
Non-Teaching Staff - All staff other than Faculty employed under NITK appointed as such under the NITK’s Policy and in accordance with its requirements.
Internal Data Processors: Internal Data Processors are managers and officials that are given access to IRIS NITK Data for processing. The responsibility for the security and appropriate use of that data remains with IRIS NITK. No Personal Data will however be given to any Internal Data Processor if it is not approved beforehand.
IRIS NITK: All inclusive term referring to the system and portal, its users, the IRIS Officers and the IRIS Team. IRIS NITK is the official owner of the data and all activities pertaining to the data.
IRIS Officers: The person appointed as such under the NITK’s Policy and in accordance with its requirements. IRIS Officers is responsible for advising IRIS NITK (including its employees) on their obligations under Data Protection Law, for monitoring compliance with data protection law, as well as with IRIS NITK’s policies, providing advice, cooperating with the IRIS Team Leads and acting as a point of contact with the IRIS Team Leads.
IRIS Team: IRIS Team is a set of student developers and associated faculty members who are given Pseudonymised access to the IRIS Production Database which removes all personal information of all users.
National Institute of Technology Karnataka, Surathkal or NITK or interchangeably referred as Institute: Primary Stakeholder of IRIS NITK and all its Data.
Permission Required - Data classified under ‘Permission Required’ can be shared only after written consent has been obtained from the user.
Personal Data: Any information identifying a data subject or information relating to a data subject that can be identified (directly or indirectly) from that data alone or in combination with other identifiers we possess or can reasonably access. Personal data includes sensitive personal data and pseudonymised personal data but excludes anonymous data or data that has had the identity of an individual permanently removed. Personal data can be factual (for example, a name, email address, location or date of birth) or an opinion about that person’s actions or behaviour.
Personal Data Breach: Any breach of security resulting in the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or unauthorised access to, personal data or IRIS Data, where that breach results in a risk to the data subject.
Privacy by Design and Default: Implementing appropriate technical and organisational measures in an effective manner to ensure compliance with the GDPR.
Processing or Process: Any activity that involves the use of personal data. It includes obtaining, recording or holding the data, or carrying out any operation or set of operations on the data including organising, amending, retrieving, using, disclosing, erasing or destroying it. Processing also includes transmitting or transferring Personal Data to third parties. In brief, it is anything that can be done to personal data from its creation to its destruction, including both creation and destruction.
Pseudonymisation or Pseudonymised: Replacing information that directly or indirectly identifies an individual with one or more artificial identifiers or pseudonyms so that the person, to whom the data relates, cannot be identified without the use of additional information which is meant to be kept separately and secure. This is used extensively when giving data to IRIS Team to develop the system.
Students: Undergraduates, Post-Graduates, Post-Graduates(Research), Research Scholars (Full-Time and Part-Time) who have taken admission at NITK.
Temporary Faculty: Temporary Faculty refer to temporary teaching faculty, adjunct faculty, visiting faculty appointed by NITK for a limited time duration.
Temporary Staff: Temporary Staff refer to temporary non teaching staff appointed by NITK for a limited time duration.
Project Staff: Junior Research Fellows, Senior Research Fellows and Research Assistants appointed under various projects and schemes by NITK.
Staff: Faculty, Temporary Faculty, Non Teaching Staff, Temporary Staff and Project Staff appointed by NITK.
Automated Decision-Making (ADM): Decisions being made solely on automated processing (including profiling) which produces legal effects or significantly affects an individual. The GDPR prohibits Automated Decision-Making (unless certain conditions are met) but not automated processing.
Profiling: Any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to an individual, in particular to analyse or predict aspects concerning that individual’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements. Profiling is an example of automated processing.
The content on this website is meant for personal and private non-commercial use by NITK/IRIS NITK. Any individual is forbidden to copy, reproduce, distribute, transmit, broadcast, display, sell, license, or otherwise exploit this or any other content for any other purposes without the prior written consent of IRIS NITK. IRIS NITK maintains all intellectual property interests associated with this document. IRIS NITK makes no commitment/obligation about the completeness or adequateness of the information presented in this document and expressly disclaims liability for errors and omissions from this document. The usage of the content of this website is limited for internal consumption only and cannot be used for any external purpose without prior permission.
2.1 Responsibilities regarding management of requirements of the General Data Protection Policy (GDPR) are taken very seriously by IRIS NITK. The given Data Protection Policy explains briefly how IRIS NITK manages those responsibilities.
2.2 IRIS NITK obtains, uses, stores and otherwise processes personal data relating to potential staff and students (applicants), current staff and students, former staff and students, current and former workers, temporary staff and external users making payments to NITK via IRIS, collectively referred to in this policy as Data Subjects.
2.3 When processing personal data, IRIS NITK is obliged to fulfil individuals’ reasonable expectations of privacy by complying with General Data Protection Regulation (GDPR) and the Information Technology Act, 2008 and the subsequent amendments to this, involving all computers and networks located in India.
This policy therefore seeks to ensure that:
2.3.1 All entities with whom IRIS NITK shares its data are clear on how the data is processed and what are the stages to obtain that data from IRIS NITK.
2.3.2 IRIS NITK complies with the data protection law and ensures a good practice in terms of data collection and its usage.
2.3.3 IRIS NITK’s reputation is protected by ensuring the personal data entrusted to IRIS NITK is processed in accordance with data subjects’ rights.
2.3.4. IRIS NITK is protected from risks of personal data breaches and other breaches of data protection law.
The main terms used are explained in the glossary at the beginning of this policy.
3.1 This policy applies to all personal data which is stored and processed by IRIS regardless of the location where that personal data is stored (e.g. on an employee’s own device) and regardless of the Data Subject. All staff and others processing personal data on IRIS NITK’s behalf must read this policy. A failure to comply with this policy may result in disciplinary action from the NITK.
3.2 All Head of Departments and Professor-In-Charge for all facilities are responsible for ensuring that all staff and students within their area of responsibility comply with this data policy and implement appropriate practices, processes, controls and training to ensure its compliance.
In case of any issues regarding this data policy, the IRIS Officers, can be reached at firstname.lastname@example.org.
4. Personal data protection principles
Storing personal data and processing is currently done by IRIS NITK in accordance with the principles of the General Data Protection Policy (GDPR) and Information Technology Act, 2008 and the subsequent amendments to it. IRIS NITK is responsible for and will demonstrate compliance with the data protection principles as listed below.
4.1 Data is stored and processed lawfully, fairly and in a transparent manner (Lawfulness, Fairness and Transparency).
4.2 Data is collected only for specified, explicit and legitimate purposes and not further processed in a manner incompatible with those purposes (Purpose Limitation).
4.3 Data is adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed (Data Minimisation).
4.4 Data is accurate and where necessary kept up to date (Accuracy).
4.5 Data is not kept in a form which permits identification of data subjects for longer than is necessary for the purposes for which the personal data is being processed (Storage Limitation).
4.6 Data is processed in a manner that ensures its security, using appropriate technical and organisational measures to protect against unauthorised or unlawful processing and against accidental loss, destruction or damage (Security, Integrity and Confidentiality).
4.7 Data is neither archived nor deleted, but is stored after the usage period; it can be accessed by the user as per the permission given to the user.
5. Data Subjects’ Rights
Data subjects have rights in relation to the way in which their personal data is handled. These rights are detailed below:
5.1 To ask for access to personal data held by IRIS NITK pertaining to that particular user as per the permissions that the user has to access that particular data.
5.2 To ask IRIS NITK to rectify inaccurate data or to complete incomplete data and contact the IRIS Officers with appropriate proof.
5.3 To restrict data processing in specific circumstances (e.g. where there is a complaint about accuracy.)
5.4 To not be subject to decisions based solely on Automated Processing, including profiling, except where necessary for entering into, or performing, a contract, with IRIS NITK.
5.5 To prevent processing that is likely to cause damage or distress to the Data Subject or anyone else.
5.6 To be notified of a personal data breach which is likely to result in high risk to their rights and freedoms;
Any individual requesting data under any of the rights listed must approach the appropriate authorities (based on the purpose) in the order of hierarchical levels as defined in Section 13.
Requests (including for data subject access – see below) must be complied with, usually within one month of receipt. Any Data Subject Access Request received must be forwarded to the IRIS Team at email@example.com. Requests that are excessive or burdensome will involve a cost.
For information regarding the scope of the term Data Subjects, refer to the Glossary of Terms.
6.1 IRIS NITK must implement appropriate technical and organisational measures in an effective manner to ensure compliance with data protection principles.
6.2 IRIS NITK is responsible for, and must be able to demonstrate compliance with the data protection principles.
6.3 IRIS NITK must therefore apply adequate resources and controls to ensure and to document GDPR compliance including:
6.3.1 To implement Privacy by Design when processing personal data.
6.3.2 To integrate data protection into policies and procedures, in the way personal data is handled and producing required documentation such as Privacy Notices, Records of Processing and Records of Personal Data Breaches;
6.3.3 To train the IRIS Team on compliance with Data Protection Law and keep a record accordingly.
6.3.4 To regularly test the privacy measures implemented and conduct periodic reviews and audits to assess compliance, including using results of testing to demonstrate compliance improvement effort.
7.1 IRIS NITK responsibilities
7.1.1 To establish policies and procedures in order to comply with data protection law.
7.1.2 To obtain compliance of signing the Non-Disclosure Agreement (NDA) from the IRIS Team and IRIS Officers.
7.2 IRIS Officers responsibilities
7.2.1 To advise IRIS NITK and its staff of its obligations under GDPR;
7.2.2 To monitor compliance with the GDPR and the Information Technology Act, 2008 and subsequent amendments to it. IRIS NITK’s policies with respect to monitoring training and audit activities related to complying with GDPR and the Information Technology Act, 2008 and the subsequent amendments to it.
7.2.3 To provide advice as requested while conducting Data Protection impact assessments;
7.2.4 To hold due regard to the risk associated with processing operations, taking into account the nature, scope, context and purpose of processing, while performing his or her tasks.
7.2.5 To sign a Non-Disclosure Agreement (NDA) and abide by it.
7.3 IRIS Team responsibilities
7.3.1 To keep all personal data securely and forbid direct access to IRIS Production Database to all developers except IRIS Team Leads.
7.3.2 To prevent disclosure of personal data either verbally or in writing, accidentally or otherwise, to any unauthorised third party;
7.3.3 To keep in accordance with IRIS NITK’s retention schedule for data;
7.3.4 To redirect any queries regarding data protection, including subject access requests and complaints, promptly, to the IRIS Officers;
7.3.5 To bring up any data protection breaches swiftly, to the attention of the IRIS Team Leads and the IRIS Officers and support the IRIS Team Leads in resolving breaches and the ensuing investigations;
7.3.6 Where there is uncertainty around a data protection matter, seeking advice from the Team Leads and the IRIS Officers.
7.3.7 To sign a Non-Disclosure Agreement (NDA) and abide by it.
7.4 Student, Faculty and Non-Teaching Staff responsibilities
7.4.1 To familiarise themselves with the Data Policy;
7.4.2 To ensure that the personal data provided to IRIS NITK is accurate and up to date.
7.5 Temporary Staff and Temporary Faculty responsibilities
Department HoD’s must ensure the following with respect to the Temporary staff and Temporary Faculty they appoint.
7.5.1 To familiarize themselves with the Data Policy and to ensure that the personal data provided to IRIS NITK is accurate and up to date;
7.5.2 To ensure that any personal data collected or processed in the course of work undertaken for IRIS NITK is kept securely and confidentially;
7.5.3 To guarantee the return of all personal data back to IRIS NITK on completion of the work, including any copies that may have been made. Alternatively the data maybe securely destroyed and IRIS NITK must receive notification in this regard from the temporary faculty;
7.5.4 To prevent the storage or processing of any personal data made available by IRIS NITK, or collected in the course of the work, outside India, unless written consent to do so has been obtained from IRIS NITK;
7.5.5 To ensure that there is no access to any personal data, beyond what is essential for the work to be carried out,
7.6 Internal Data Processors Responsibilities:
7.6.1 To choose a data processor which provides sufficient guarantee about security measures to protect the processing of personal data, and to ensure such measures are in place;
7.6.2 A written contract establishing what personal data and for what purpose it will be processed and signed between IRIS NITK and the Data Processor;
For further guidance about the use of third-party data processors please contact the IRIS Officers or the IRIS Team.
8. Data Subject Access Requests
8.1 Data subjects have the right to receive a copy of their personal data which is held by IRIS NITK. In addition, individuals are entitled to receive further information about IRIS NITK’s processing of their personal data as follows:
8.1.1 The purposes
8.1.2 The categories of personal data being processed
8.1.3 Recipients/categories of recipient
8.1.4 Retention periods
8.1.5 Information about their rights
8.1.6 The right to complain,
8.1.7 Details of the relevant safeguards where personal data is transferred
8.1.8 Any third-party source of the personal data
8.2 A Data Subject should not allow a third party to persuade them into disclosing Personal Data. The entitlement is not to documents per se (which may however be accessible by means of the Freedom of Information Act, subject to any exemptions and the public interest), but to such personal data as is contained in the document. The right relates to personal data held electronically and to limited manual records.
8.3 A Data Subject should not alter, conceal, block or destroy personal data once a request for access has been made. The IRIS Officers must be contacted before any changes are made to personal data which is the subject of an access request.
9. Reporting a personal data breach
9.1 The Data Protection Policy requires that users report to the IRIS Team any personal data breach where there is a risk to the rights and freedoms of the Data Subject.
9.2 In the case where the Personal data breach results in a high risk to the data subject, he/she also has to be notified unless subsequent steps have been taken to ensure that the risk is unlikely to materialise, security measures were applied to render the personal data unintelligible (e.g. encryption) or it would amount to disproportionate effort to inform the data subject directly. In the latter circumstances, a public communication must be made or an equally effective alternative measure must be adopted to inform data subjects, so that they themselves can take any remedial action;
9.3 IRIS NITK should put in place procedures to deal with any suspected personal data breach and will notify data subjects where it is legally required to do so;
9.4 If an individual knows or suspects that a personal data breach has occurred, s/he should immediately contact the IRIS Team Leads at firstname.lastname@example.org and follow the instructions in the personal data breach procedure. All evidence must be retained relating to personal data breaches, in particular, to enable IRIS NITK to maintain a record of such breaches, as required by the GDPR and the Information Technology Act, 2008 and its subsequent amendments.
10. Record Keeping
10.1 The GDPR requires IRIS NITK to keep full and accurate records of all the data processing activities. IRIS NITK is required to keep and maintain accurate corporate records reflecting processing, including records of data subjects’ consents and procedures for obtaining consent, where consent is the legal basis of processing.
10.2 Any activity on IRIS NITK is logged and the logs are visible to authorised users only. The logs don’t include any sensitive information i.e. passwords entered on any page.
10.3 These records should include, at a minimum, the name and contact details of IRIS NITK as Data Controller and the IRIS Officers, clear descriptions of the personal data types, data subject types, processing activities, processing purposes, third-party recipients of the personal data, personal data storage locations, personal data transfers, the personal data retention period and a description of the security measures in place.
10.4 Records of personal data breaches must also be kept, setting out:
10.4.1 The facts surrounding the breach;
10.4.2 Effects of the data breach;
10.4.3 The remedial action taken by the IRIS Team.
11. Training and Audit
NITK is required to ensure that all staff undergo adequate training to enable them to comply with data protection law. NITK must also regularly test IRIS NITK’s systems and processes to assess compliance.
The IRIS Team must regularly review all the systems and processes under their control to ensure that it is in compliance with this policy.
12. Data privacy by design and default and Data Protection Impact Assessments (DPIAs)
IRIS NITK is required to implement Privacy-by-Design measures when processing personal data, by implementing appropriate technical and organisational measures (like pseudonymisation) in an effective manner, to ensure compliance with data protection principles. IRIS NITK must ensure therefore that by default only personal data which is necessary for each specific purpose is processed. The obligation applies to the volume of personal data collected, the extent of the processing, the period of storage and the accessibility of the personal data. In particular, by default, personal data should not be available to an indefinite number of persons. IRIS NITK ensures that it adheres to these measures.
As well as complying with NITK-wide practices designed to fulfil reasonable expectations of privacy, IRIS NITK ensures that its own data-handling practices default to privacy to minimise unwarranted intrusions in privacy. (e.g. by disseminating personal data to those who need to receive it to discharge their duties.)
12.1 IRIS NITK must also conduct DPIAs in respect of high-risk processing before that processing is undertaken.
12.1.1 The use of new technologies (programs, systems or processes), or changing technologies (programs, systems or processes).
12.1.2 Automated processing including profiling.
12.1.3 Large scale processing of sensitive (special category) data.
12.1.4 Large scale, systematic monitoring of a publicly accessible area.
12.2 A DPIA must include:
12.2.1 A description of the processing, its purposes and the Data Controller’s legitimate interests if appropriate;
12.2.2 An assessment of the necessity and proportionality of the processing in relation to its purpose;
12.2.3 An assessment of the risk to individuals; and
12.2.4 The risk-mitigation measures in place and demonstration of compliance.
13. Level Based Hierarchy for Different Modules
Data Access in every IRIS module is designed on a Level Based Hierarchy, with Level I having the most access and Data Access progressively reducing at each subsequent level. In case an individual at a lower level requires data, he/she is unauthorized to access, they can request for it from the level directly above them.
Delegation of the role is not clubbed with the responsibility. Responsibilities that rest with the person assigned to the role cannot be transferred even if he/she temporarily assigns the role to another person.
The level based Hierarchy of the Various IRIS Modules has been detailed below.
13.1 Basic User Module
13.1.1 Level I - IRIS Officers.
13.2 Student Management
13.2.1 Level I - IRIS Officers;
13.2.2 Level II - Student.
13.3 Employee Management
13.3.1 Level I - IRIS Officers;
13.3.2 Level II - Employee.
13.4 Course Management
13.4.1 Course Registration
126.96.36.199 Level I - Head of Department, Time-Table Incharge;
188.8.131.52 Level II - Faculty, Class Representative;
184.108.40.206 Level III - Student.
13.5.1 Administration Events
220.127.116.11 Level I - Dean Faculty Welfare (DFW);
18.104.22.168 Level II - Student Council;
22.214.171.124 Level III - Student.
13.5.2 Department Events
126.96.36.199 Level I - Head of Department, Faculty;
188.8.131.52 Level II - Class Representative;
184.108.40.206 Level III - Student.
13.5.3 Alumni Events
220.127.116.11 Level I - Alumni Association, Dean AAIR;
18.104.22.168 Level II - Student Council;
22.214.171.124 Level III - Student.
13.5.4 Student-led Events
126.96.36.199 Level I - Club Convener;
188.8.131.52 Level II - Club Executive Member;
184.108.40.206 Level III - Student.
13.6 Finance Management
13.6.1 Level I - Prof In Charge (Hostel Affairs), Assistant Registrar (Accounts), Assistant Registrar (Academic);
13.6.2 Level II - IRIS Officer;
13.6.3 Level III - Student.
13.7 Feedback Module
13.7.1 Level I - HoD (Access to all feedback of his/her department);
13.7.2 Level II - Faculty (Access to all feedback of his/her course);
13.7.3 Level III - Student (Access to all individual feedback of his/her courses).
13.8.1 Level I - Faculty, IRIS Officer;
13.8.2 Level II - Students.
13.9.1 Level I - Faculty;
13.9.2 Level II - Student.
13.10.1 Room Allotments
220.127.116.11 Level I - Prof. In Charge Hostels, Hostel Council President;
18.104.22.168 Level II - Student Council President, Girls’ Representative;
22.214.171.124 Level III - Student.
126.96.36.199 General Maintenance Complaints
188.8.131.52.1 Level I - Professor-in-Charge Warden, Hostel Office;
184.108.40.206.2 Level II - Block Wardens, Hostel Council President;
220.127.116.11.3 Level III - Resident Engineer;
18.104.22.168.4 Level IV - General Maintenance Councillor;
22.214.171.124.5 Level V - Student.
126.96.36.199 Mess Complaints
188.8.131.52.1 Level I - Professor-in-Charge Warden, Hostel Office;
184.108.40.206.2 Level II - Block Wardens, Hostel Council President;
220.127.116.11.3 Level III - Mess Councillor, Mess Committee;
18.104.22.168.4 Level IV - Student.
22.214.171.124 Network Complaints
126.96.36.199.1 Level I - CCC Chairman;
188.8.131.52.2 Level II - Block Wardens, Hostel Council President;
184.108.40.206.3 Level III - General Maintenance Councillor;
220.127.116.11.4 Level IV - Student.
18.104.22.168 Housekeeping Complaints
22.214.171.124.1 Level I - Professor-in-Charge Warden, Hostel Office;
126.96.36.199.2 Level II - Block Wardens, Hostel Council President;
188.8.131.52.3 Level III - General Maintenance Councillor;
184.108.40.206.4 Level IV - Student.
13.11.1 Guest House
220.127.116.11 Level I - Dean (Faculty Welfare);
18.104.22.168 Level II - Guest House Manager;
22.214.171.124 Level III - Student, Employee.
13.11.2 CCC - Virtual Classroom
126.96.36.199 Level I - Chairman (CCC);
188.8.131.52 Level II - Receptionist (CCC);
184.108.40.206 Level III - Student, Employee.
13.11.3 Rooms in the Main Building and in Lecture Hall Complexes A, B and C
220.127.116.11 Level I - Dean (Faculty Welfare);
18.104.22.168 Level II - Chief Security Officer.
22.214.171.124 Level III - Student, Employee.
13.11.4 Department Seminar Halls
126.96.36.199 Level I - Head of Department;
188.8.131.52 Level II - Student, Employee.
13.12.1 Level I - Career Development Center (CDC) Chairman, Career Development Center (CDC) Staff, Head Placement Coordinator;
13.12.2 Level II - Placement and Internship Coordinators designated as SPoCs;
13.12.3 Level III - Student.
13.13.1 Level I - Student, Employee.
13.14.1 Level I - Assistant Registrar (Academic), Academic Officers, Dean Academic;
13.14.2 Level II - Admission Case Worker;
13.14.3 Level III - Student.
13.5.1 Level I - Director (NITK), Senate,;
13.5.2 Level II - Dean (Academic), Assistant Registrar (Academic);
13.15.3 Level III - Doctoral Research Programme Committee
13.15.4 Level IV - Research Progress Assessment Committee (RPAC).
13.15.5 Level V - PhD Student.
13.16 No Dues
13.16.1 Level I - Accounts - Section II
13.16.2 Level II -Head of the Departments, Dean Students’ Welfare, Librarian, Hostel Superintendent, Physical Director, Faculty In-Charge (Student Cooperative Society), System Manager (CCC), Officer Commanding NCC
13.16.3 Level III - Student
13.17 Faculty Appraisal
13.17.1 - Director, Dean Faculty Welfare
13.17.2 - Head of Department
13.17.3 - Employee
13.18 Tell IRIS
13.18.1 Level I - IRIS Team Leads, MIS Officers
13.18.2 Level II- IRIS Team Members
13.191 Level I - Physical Director
13.19.2 Level II - Sports Secretary (Students’ Council)
13.19.3 Level III - Team Captains
13.19.4 Level IV - Student, Employee
14. Sharing Personal Data
In the absence of consent, a legal obligation or the necessity of other legal processing, IRIS NITK will not reveal personal data to any third parties including individuals such as students' parents, members of the public, private property owners, etc. In case a third party requires data, access must be requested through the IRIS OAuth API and due process has to be followed to obtain permission to use IRIS OAuth.
IRIS NITK strictly forbids the sharing of personal data (such as private information and passwords). If it comes to IRIS NITK notice that information is being shared illegally, strict action will be taken against the offending party by NITK and IRIS NITK reserves the right to freeze the individual’s account and take necessary action as per the Information Technology Act, 2008 and its subsequent amendments
15 Third Party Data Access
IRIS Users and External Third Parties who require access to data they are not authorized to access may submit a request through IRIS to the IRIS Officers. The request must thoroughly detail the purpose for requesting the data. The IRIS Officers will examine the request and will approve of it only if he/she finds the request to be genuine, after which the IRIS team will be entrusted in furnishing the Third Party with the required Data.
It is the responsibility of the third party to ensure that the data being furnished to them is handled with the utmost level of care and is not misused or distributed unlawfully. In case a situation arises where it comes to the notice of IRIS NITK that Data furnished to third parties is/was misused, the third party will bear all consequences, monetary or otherwise.
16. Changes to the Data Policy
IRIS NITK holds the right to change the Data Policy at any time without notice to the student body. Please check regularly to obtain the latest copy. It will be reviewed yearly.
This revision of the policy was approved on 18 June 2019 by the IRIS Faculty Advisors. It will be reviewed next in December 2019.