Information Security Office
As the Information Security Office, we serve to protect and secure the information assets of our university stakeholders. We develop and implement policies that will provide the fastest response to information security violations and attacks with the most up-to-date infrastructure technologies that minimize security vulnerabilities.
Information Security
Access requests to our university's information systems, networks, and information assets are managed in a secure and controlled manner. All requests are received through the Solution Center; access requests other than standard access requests are evaluated by the Information Security Office. The process includes receiving the request, approving it, authorizing it, and regularly monitoring it with periodic authorization checks.
Management of Data Transfer Requests
Requests for the secure transfer of critical and/or sensitive data belonging to our university to internal or external resources are managed in accordance with information security policies and compliance requirements. The request must clearly specify to whom, where, and for what purpose the data will be transferred. All data transfer requests are submitted to the Information Security Office via the Solution Center, with the approval of the relevant administrator. The request will be fulfilled by selecting a secure method.
User Account Management
This service covers account management processes, including the creation, authorization, and management of accounts for all users accessing ÖzÜ IT systems, as well as their closure upon official termination of the relationship. This includes controlling user access rights to the system, updating account information, resetting passwords, and resolving user account issues.
Awareness Trainings
Our university organizes awareness training on information security and personal data protection for employees, students, and affiliated third parties. We aim to foster safe digital habits by addressing topics such as protecting yourself from cyberattacks, creating strong passwords, preventing phishing attempts, secure data sharing, and responsibilities under the Personal Data Protection Law (KVKK).
Personal Data Protection Law (KVKK)
Our university processes are carried out in compliance with the Personal Data Protection Law and other relevant legislation. Requests from our units or relevant individuals are met by the Information Security Office in accordance with the legislation. This process involves preparing process-based disclosure and explicit consent documents for relevant parties, creating and keeping a personal data inventory up-to-date, and conducting ongoing compliance audits. In this context, the compliance requirements of other university units in processes involving personal data are assessed and coordinated.
Information security encompasses all policies, processes, and technologies aimed at protecting the confidentiality, integrity, and availability of information. The goal is to protect data from threats such as unauthorized access, modification, disclosure, or destruction. Both technical and physical security measures are implemented in this process. Furthermore, raising users' security awareness plays a critical role.
An information security incident is any incident that could compromise the confidentiality, integrity, or availability of information due to unauthorized access, use, disclosure, modification, or destruction. Incidents such as documents containing information left in the printer, ID/credit cards found, or clicking links in fraudulent SMS/emails requesting personal information, such as "You've won a gift/scholarship," are considered information security incidents.
The Information Security Policy is a set of rules, procedures, standards, and guidelines determined by Özyeğin University to protect information assets and manage information security risks.
Employees must keep confidential all information they learn about the university, employees, students, suppliers, etc., in the course of their duties; not share their personal passwords with anyone; follow announcements published by the Information Security Office via MyOzu; report spam emails; comply with the data minimization principle; avoid connecting to public Wi-Fi networks; and report lost or stolen devices through the Solution Center.
KVKK refers to the Personal Data Protection Law. This law sets standards for the processing of personal data and ensures the protection of this data. Personal data is any information that can be associated with the identity of an individual, and covers a variety of information such as identity, contact, biometric, and health information.
A disclosure text informs the data subject, before data processing, of the purpose for which their data is processed, where it is transferred, the legal basis, the collection method, and their rights. Explicit consent, on the other hand, is consent that is informed, freely given, and related to a specific subject.
For example, the Information Text Regarding the Student Registration Process explains the purposes for which personal data collected at the time of registration, such as identity information, contact information, education information and payment information, are processed and with which institutions and organizations they are shared within the framework of the relevant legislation.
Personal data is divided into specific categories based on its sensitivity and intended use. This classification helps determine the security measures to be taken to protect the data. For example:
- Contact information: Student/employee email address, phone number
- Identity information: Student/employee name, surname, identity information
- Financial information: Bank account number, card information
- Special personal data: Criminal record, blood type, allergies, health information
A KVKK violation refers to practices contrary to the general principles and legal regulations on the processing of personal data determined by KVKK. Examples include processing personal data without consent, processing more data than necessary, inadequate protection, unlawful transfer, failure to keep data up to date, and failure to destroy data.
Data that could compromise an individual's privacy, such as health information, biometric data, and criminal records, is called "special personal data." At our university, this data is collected only for the relevant process and is protected by additional security measures such as masking, encryption, and authorization restrictions. This information belonging to employees or students is not used for purposes other than the process and is not shared with unauthorized individuals.
Personal data is processed in accordance with the following principles:
- Being in compliance with the law and the rules of honesty.
- Being accurate and up to date when necessary.
- Being processed for specified, explicit and legitimate purposes.
- Being relevant, limited and proportionate to the purpose for which they are processed.
- Being stored for the period required by the relevant legislation or for the purpose for which they are processed.
Within the framework of Article 11 of the Law, the relevant person may apply to the data controller at any time regarding information about himself/herself and has the right to:
- Learn whether personal data is processed,
- Request information if personal data is processed,
- Learn the purpose of processing personal data and whether it is used in accordance with that purpose,
- Know the third parties to whom personal data is transferred at home or abroad,
- Request correction of personal data in case of incomplete or incorrect processing,
- Request the deletion or destruction of personal data,
- Request that the third parties to whom the personal data has been transferred be notified of the correction, deletion or destruction of personal data,
- Object to a result against himself/herself that arises from analyzing the processed data exclusively through automated systems,
- Request that the damage be remedied if he/she suffers damage due to unlawful processing of personal data.
The data minimization principle is that personal data collected should be limited to the extent and purpose required by the relevant process. Employees and students should ensure that only necessary information is requested through data collection channels, that excessive or irrelevant data is not collected, and that unnecessary copies are not created or shared, and should notify the Information Security Office through the Solution Center if they detect excessive data collection.
Notifications
- Security Breach Notification
- KVKK Violation Notification
- Training Request
News
- Information Security

As a type of asset, information is vulnerable to unauthorized access, use, modification, disclosure, destruction, transfer and...

We have successfully completed the second Presidential Digital Transformation Office Information and Communication Security Guide Compliance Audit study.