WINC recognises that robust data security is essential to protecting students, staff, and partners and commits to maintaining appropriate technical and organisational controls. The Data Security Policy describes how information is safeguarded against loss, misuse, unauthorised access, disclosure, alteration, or destruction.
Personal and academic data are stored on secure systems with access restricted to authorised personnel who need the information to perform their roles. Role-based permissions, password policies, and session controls help ensure that only appropriately authorised staff can view or modify records.
WINC employs commercially reasonable security technologies such as encryption, secure protocols, and firewalls to protect data in transit and at rest, as appropriate for the type and sensitivity of the information. Systems are monitored for abnormal activity, and updates and patches are applied to reduce vulnerabilities.
Third-party service providers who process data on behalf of WINC are required to implement suitable data security and confidentiality measures consistent with legal and institutional expectations. Contracts or agreements specify obligations around data handling, breach notification, and return or deletion of data when services end.
Staff members are provided with guidance and training relevant to their responsibilities regarding data protection, secure handling of information, and recognising potential security threats or phishing attempts. Where appropriate, procedures outline how to report suspected issues promptly so that remedial action can be taken.
If WINC becomes aware of a data incident or potential breach affecting personal information, an internal investigation will be initiated without undue delay. In line with applicable regulations, affected individuals and relevant authorities may be notified within defined timeframes where the incident presents a risk to rights and freedoms.
Data is retained only for as long as necessary to fulfil academic, administrative, legal, or regulatory purposes, after which it is securely deleted or anonymised. Retention periods are determined by the nature of the data, contractual obligations, and statutory requirements.
