Document classification: Available
Traffic Light Protocol (TLP)
The Traffic Light Protocol is used to classify information and to govern how that information is shared and used. The protocol has four colours (the traffic lights), as follows:
Red: The recipient may not share the information with any party outside the exchange, meeting or conversation platform in which it was originally disclosed.
Amber: The recipient may share the information only with the concerned persons within their own entity, with the party to whom the information belongs so that appropriate action can be taken, or with those who need to know it to protect themselves or to prevent further damage.
Green: The recipient may share the information with related persons inside and outside the entity, but may not publish it or exchange it through public channels.
White: The recipient may share the information without any restriction and through any communication channel.
Scope of application of the security policy
The security policy applies to all parties involved in the creation, development and operation of the national application titled (Shlonik). The application is provided by the Central Agency for Information Technology and Zain Company in response to the special requirements of the Ministry of Health, and is subject to the supervision and management of the Kuwaiti Ministry of Health in cooperation with the Central Agency for Information Technology. The application is hosted entirely under the account of The Communications and Information Technology Regulatory Authority in the cloud (Microsoft Azure), and the Authority is committed to providing the cloud resources required to operate the system and to protect it on the cloud.
The Central Agency for Information Technology advised that Zain be enabled to manage those resources, perform development and operation, and manage the cloud hosting system under the umbrella of The Communications and Information Technology Regulatory Authority. Zain is also committed to providing the necessary technical support to the Ministry of Health to operate the system in the optimal way, technically and practically; to managing all data and information related to the system and its registrants; and to conducting all necessary testing to measure the accuracy of the tracking function and the knowledge of those involved, and to promote and develop them, taking into account cyber security and privacy protection in accordance with the security control measures issued by The Communications and Information Technology Regulatory Authority for this purpose during the period of the CORONA crisis.
First: Controls on the collection, inventory, storage and use of personal data
1) All data recorded in the application will be used only for the purpose of tracking cases associated with the spread of the COVID-19 virus.
2) The Ministry of Health obtains the user's consent to, and acceptance of, all conditions and obligations of the application during the registration process by pressing the approval button (electronic approval). In turn, the Ministry is committed to preserving the confidentiality of the data and not using it for any purpose other than the application; should the Ministry of Health be compelled to use the data with any other party, it must obtain the prior consent of the user.
3) Electronic approval to use the application, in accordance with its regulations and provisions, applies to all citizens and residents to whom the conditions of home and / or institutional quarantine apply. For minors under 18 years of age, the application obtains the explicit consent of the guardian to comply with the provisions of home or institutional quarantine, and may use the available technologies to verify the age of the user.
First: controls the collection, inventory, storage and use of personal data
1) All data recorded in the application will be used only for purposes of tracking cases associated with the spread of COVID-19 virus.
2) The Ministry of Health obtains the user’s consent and acceptance of all conditions and obligations of the application during the registration process by pressing the approval button (electronic approval), whereby the Ministry is committed to preserving the confidentiality of the data and not using it for any other purposes than the application, and in the event that the Ministry of Health is forced to use it with any other parties it must obtain the prior consent of the user.
3) Electronic approval to use the application and in accordance with its regulations and provisions applies to all citizens and residents to whom the conditions of home and / or institutional quarantine apply. The application obtains the explicit consent of the guardian of minors under 18 years of age to comply with the provisions of the home or institutional quarantine, with the ability to use the available technologies to verify the age of the user.
4) The Ministry of Health is committed to providing the service free of charge without requiring any future fees.
5) While providing the service, the Ministry of Health will provide the following:
- Clear and accessible information about its practices and policies regarding personal data, to ensure that collection and processing are conducted transparently and in accordance with the provisions of the law.
- Determination of the purpose of data collection, the legal basis for data processing and the retention period, if any, in accordance with the requirements of the Ministry of Health and upon its request.
- Determination of the entities to which personal data may be disclosed.
- All information and terms of service the user needs, such as how to request that data be changed or cancelled.
- Appropriate technological means that enable individuals to exercise their right to access their personal data and to review and correct it directly.
- Information on the period during which personal data will be stored and the location of storage, in accordance with the requirements of the Ministry of Health and upon its request.
6) The Ministry of Health and Zain are obligated to provide all appropriate security measures to protect the personal information of any person against damage, disclosure, replacement with incorrect data, or the addition of incorrect information.
7) The Ministry of Health will destroy personal data once the purpose for which it was collected from the data owner has ended.
Second: Application controls
1) The application uses technologies that determine the location of the user, such as GPS and Bluetooth, to identify the distance between people in home / institutional quarantine in order to ensure that they are not in contact with other people.
2) The application, with the consent of the user, stores data about the telephone network or Wi-Fi network and the user's GPS location.
3) The application does not disclose the identity or data of the user to nearby individuals connected through Bluetooth.
4) A temporary user ID is generated during registration in the application and is associated with the person's data registered with the Public Authority for Civil Information. This data is stored in encrypted form in a database that is accessible only through the Ministry of Health.
5) The temporary user ID is what is used and exchanged through Bluetooth; the identity of the user, or of the person in contact with them, is not disclosed, in order to preserve the privacy of users.
6) The application does not allow any third-party application to collect or track user data.
7) The application collects data about the user's device and the application itself for purposes related to improving application performance.
8) The user's personal data is kept on their phone, and may be sent to the Ministry of Health through the application.
9) The Ministry of Health and Zain Company shall retire the application at the end of the COVID-19 virus contingency plan. The Ministry of Health shall determine the period for which users' data is retained after they cancel their account in the application, in proportion to the technical capabilities of Zain Company.
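The temporary-ID design in controls 3 to 5 above, as an added example that is not part of this policy or of the Shlonik application: a random temporary ID is issued at registration, the link to the civil-registry record is kept only in sealed form under a key held by the Ministry of Health, and a Bluetooth beacon carries nothing but the temporary ID. The stdlib encrypt-then-MAC construction (HMAC-SHA256 in counter mode plus an HMAC tag) is an assumed stand-in for a real authenticated cipher such as AES-GCM, and every key and record here is constructed.

```python
import hashlib, hmac, json, secrets

# Constructed key: in the deployment described it would be held by the Ministry of Health only.
MOH_KEY = secrets.token_bytes(32)

def _subkey(key, purpose):
    # Separate encryption and MAC keys derived from one master key.
    return hmac.new(key, purpose, hashlib.sha256).digest()

def _keystream(key, nonce, length):
    # HMAC-SHA256 in counter mode; a stdlib-only stand-in for a real cipher.
    blocks = []
    for ctr in range((length + 31) // 32):
        blocks.append(hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest())
    return b"".join(blocks)[:length]

def seal(key, plaintext):
    # Encrypt-then-MAC; output layout is nonce || ciphertext || tag.
    nonce = secrets.token_bytes(16)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(a ^ b for a, b in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("record failed integrity check")  # tampered, or wrong key
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, ks))

class Registry:
    """Ministry-side store mapping temporary IDs to sealed civil-registry records."""
    def __init__(self, key):
        self.key = key
        self.records = {}

    def register(self, civil_id, name):
        # The temporary ID is random, so it carries no information about the person.
        temp_id = secrets.token_hex(16)
        record = json.dumps({"civil_id": civil_id, "name": name}).encode()
        self.records[temp_id] = seal(self.key, record)
        return temp_id

    def resolve(self, temp_id):
        # Re-identification is possible only with the Ministry's key.
        return json.loads(unseal(self.key, self.records[temp_id]))

def bluetooth_beacon(temp_id):
    # What a nearby device receives over Bluetooth: the temporary ID and nothing else.
    return {"temp_id": temp_id}
```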
Third: Controls on registration and use of the application
1) The application works only after the user has consented to all terms and conditions and to the usage policy of the application, which constitutes acknowledgement that they have read and understood these terms and conditions and that they agree to and will adhere to them.
2) These terms and conditions are a binding legal agreement between the user and the Ministry of Health. They are also a legal and regulatory agreement among all parties involved in this application, and between its users, whether the user is a natural or legal person.
3) The Ministry of Health may change any of the terms and conditions whenever the need arises, without seeking the user's consent, and the user must review them periodically throughout the period of using the application.
4) The application communicates through Bluetooth technology and GPS location in order to collect data to track the user, which requires the user to allow the application to use these technologies.
Fourth: Work controls for the parties involved in creating, developing and operating the application
1) The Communications and Information Technology Regulatory Authority (CITRA) hosts the application entirely under its account in the cloud (Microsoft Azure), and CITRA is committed to providing the cloud resources required to operate the application with all its sources and to protect it on the cloud.
2) Zain manages the Microsoft Azure cloud hosting for the application's development and operation under the umbrella of The Communications and Information Technology Regulatory Authority.
3) Zain is committed to providing the necessary technical support to the Ministry of Health to operate the application in the optimal way, technically and practically, to solving all problems that arise in it, and to improving its functions during the period of the CORONA crisis for a period of no less than 120 days, renewable on instructions issued by the Ministry of Health and with the approval of Zain.
4) Zain is committed to managing all data and information about the system and its registrants, and to performing all necessary testing to measure the accuracy of the tracking function and the knowledge of individuals in close contact, in order to promote and develop them.
5) Zain and the Ministry of Health are committed to taking into account cyber security and privacy protection, in accordance with the security policy issued by The Communications and Information Technology Regulatory Authority for this purpose during the period of the Corona emergency plan.
6) The intellectual property of the application, such as its software, the equipment used, and all technical and technological issues and matters, is owned by Zain. The data and information that the user enters in this application belong to the Ministry of Health only, and the Ministry has the right, once the appropriate operating environment has been prepared and upon request from Zain and The Central Agency for Information Technology, to transfer the system to the Ministry's data center under a subsequent agreement to that effect.
7) The Ministry of Health is entitled to request a copy of the system (back-office) and all data (DB) at the end of the application's operation, and Zain and The Communications and Information Technology Regulatory Authority shall hand over a copy of the system.
8) Zain establishes an operations center to follow up on the Shlonik system and application, which contains Internet communication devices, telephones, and portable computers in coordination with the Ministry of Health.
9) The Communications and Information Technology Regulatory Authority, in coordination with the Ministry of Health and the Central Agency for Information Technology, determines the access privileges to the system and to the databases of the application's users.
10) The Ministry of Health, in coordination with Zain Company, periodically reviews the login authorizations and access privileges used to work on the system, with the assistance of The Communications and Information Technology Regulatory Authority if necessary, after the procedures governing these privileges have been agreed between the Ministry of Health and the other participating parties.
11) Both the Ministry of Health and Zain use multi-factor authentication to access the system database.
12) Employees authorized to access the system from a home network, whether from the Ministry of Health or Zain Company, must do so in accordance with the security controls for remote work issued by The Communications and Information Technology Regulatory Authority.
13) Employees working with the data are under a standing obligation not to print the system data.
14) The Ministry of Health or the Central Agency for Information Technology shall inform the specialists at The Communications and Information Technology Regulatory Authority and Zain Company of any electronic threat or penetration.
15) In the event of an electronic breach, it is not necessary to inform the data owner if the necessary technical protection measures have been taken and applied to the personal data affected by the breach, or if subsequent measures have been taken to ensure that the risks to the rights and freedoms of the data subjects no longer arise.
16) Zain activates event logs on the mobile devices and the main service devices used to access the system, and reviews them periodically, with the assistance of The Communications and Information Technology Regulatory Authority if necessary.
17) Zain maintains records of processing activities. These records include all the required information (such as name and contact information, data processing purposes, and a description of the categories of data owners and of other personal data categories) and are kept for a period to be agreed with the Ministry of Health, consistent with Zain's technical capabilities, and with the assistance of The Communications and Information Technology Regulatory Authority if necessary.
18) Zain will take all necessary measures to ensure the appropriate level of protection and privacy of the data, including the following matters:
- Ensuring the continued confidentiality of the application and the stored data.
- Restoring availability of and access to personal data in a timely manner in the event of force majeure.
- Testing and evaluating the effectiveness of security and technical measures.
19) Zain, in coordination with The Communications and Information Technology Regulatory Authority, secures the data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to, personal data sent or stored.
20) All parties are obligated to abide by any rules or directives issued by The Communications and Information Technology Regulatory Authority in relation to business continuity, disaster recovery and risk management.
21) All parties implement internal policies and procedures that ensure system protection and data privacy.
22) Zain establishes internal procedures for receiving and examining, around the clock, complaints, requests for data access, and requests for the correction or deletion of data.