DECT

iDECT MIS — Integrated Digital Ecosystem for Craftsman Training

Directorate of Employment & Craftsman Training (DECT), Government of Meghalaya
Document: Privacy Policy
Version: 1.0
Effective Date: [DD Month YYYY]
Last Updated: 19 May 2026

Privacy Policy

This Privacy Policy explains how the Directorate of Employment & Craftsman Training (DECT), Government of Meghalaya (“DECT”, “we”, “us” or “our”) collects, uses, discloses, retains and safeguards personal data when you access or use the iDECT MIS — Integrated Digital Ecosystem for Craftsman Training mobile application, its web portal and related services (collectively, the “Platform”).

We are committed to protecting your privacy in accordance with the Digital Personal Data Protection Act, 2023 Information Technology Act, 2000 SPDI Rules, 2011 GDPR (where applicable) and applicable Government of India and Government of Meghalaya guidelines on data protection, cybersecurity and e-Governance.

1. Introduction & Scope

The iDECT MIS is the official Management Information System of DECT, designed to digitise and streamline the lifecycle of craftsman training — including admissions, attendance, academic progress, examinations, certifications, placements, alumni engagement and employer interaction across all Industrial Training Institutes (ITIs) and affiliated institutions in the State of Meghalaya.

This Policy applies to:

  • The iDECT MIS mobile application (Android and iOS);
  • The iDECT MIS web portal and any sub-domains operated by DECT;
  • All APIs, micro-services and back-end systems supporting the Platform;
  • All categories of users defined in Section 4 of this Policy.

By creating an account, logging in, registering as an applicant, or otherwise using the Platform, you acknowledge that you have read and understood this Policy. Where required by law, your explicit consent will be sought before processing your personal data.

2. Definitions

Personal Data
Any data about an individual who is identifiable by or in relation to such data, as defined under Section 2(t) of the DPDP Act, 2023.
Sensitive Personal Data or Information (SPDI)
As defined under Rule 3 of the IT (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 — including biometric information, financial information, and health information.
Data Principal
The natural person to whom the personal data relates (i.e., you, the user).
Data Fiduciary
The entity that determines the purpose and means of processing personal data — in this case, DECT.
Data Processor
Any person or entity that processes personal data on behalf of DECT (for example, hosting providers, NIC, system integrators).
Processing
Any operation performed on personal data, whether automated or not — including collection, recording, storage, use, sharing, disclosure or erasure.
Platform
The iDECT MIS mobile application, web portal and related digital services operated by DECT.

3. Data Fiduciary / Controller

The Data Fiduciary for personal data processed through the Platform is:

Directorate of Employment & Craftsman Training (DECT)
Government of Meghalaya
Address: [Full postal address of DECT, Shillong]
Email: [official@dect.meghalaya.gov.in]
Phone: [+91-xxx-xxxxxxx]
Website: [https://dect.meghalaya.gov.in]

DECT acts as the sole Data Fiduciary for all personal data collected through the iDECT MIS. Implementing partners, technology vendors and hosting providers act strictly as Data Processors bound by written contracts and Government of India / NIC security guidelines.

4. User Categories & Data Collected

The Platform serves seven (7) categories of users. The personal data collected varies by user category, role and the feature being accessed. We adhere to the principle of data minimisation — collecting only what is necessary for the stated purpose.

4.1 Administrators (Directorate, ITI Principals, LDA/UDA)

Officials of DECT, ITI Principals, Lower Division Assistants (LDAs), Upper Division Assistants (UDAs) and other authorised administrative staff.

  • Government employee ID, designation, posting/ITI assignment;
  • Full name, official email, official phone, photograph;
  • Authentication credentials (hashed), role and access permissions;
  • Activity logs (logins, approvals, edits, downloads) for audit purposes;
  • IP address, device identifier and timestamps for security monitoring.

4.2 Instructors

Teaching faculty attached to specific ITIs and trades.

  • Employee ID, ITI affiliation, trade(s) taught, qualification, experience;
  • Name, gender, date of birth, contact details, photograph;
  • Attendance, leave records and timetable assignments;
  • Authentication credentials (hashed) and role permissions;
  • Activity and grading logs.

4.3 Students (Enrolled Trainees)

Active trainees enrolled in any ITI under DECT, Meghalaya.

  • Identity: name, gender, date of birth, photograph, parent/guardian name;
  • Government identifiers: Aadhaar (only where mandated and with explicit consent), APAAR / ABC ID, ration card, domicile certificate;
  • Category/reservation details (SC/ST/OBC/PwD) — collected only where required by the admission rules and stored with restricted access;
  • Academic data: trade, batch, attendance, monthly progress, marks, leave applications;
  • Contact: address, mobile number, email, emergency contact;
  • Bank account details (only for stipend / scholarship disbursal, where applicable);
  • Device permissions used by the app: camera (profile photo, ID upload), location (only for geo-fenced attendance, with consent), notifications.

4.4 External Users — Applicants

Persons applying for admission to any ITI under DECT.

  • Personal details: name, date of birth, gender, parent/guardian details, photograph;
  • Identity documents: Aadhaar (with consent), domicile, caste / category certificates, PwD certificate (if applicable);
  • Educational qualifications and supporting documents;
  • Contact details and preferred trade/ITI choices;
  • Application fee payment data (handled via authorised payment gateways).

4.5 Alumni

Trainees who have successfully completed a course at any ITI under DECT.

  • Historical academic records linked to the original Student profile;
  • Updated contact details, current employment status, skills, resume/CV;
  • Job applications submitted through the Platform.

4.6 Employers

Companies, MSMEs, public sector undertakings or recruitment agencies registered on the Platform.

  • Organisation name, registration / CIN / GSTIN, registered address;
  • Authorised representative’s name, designation, official email and phone;
  • Job postings, selection records and shortlisting decisions;
  • Authentication credentials and activity logs.

4.7 Visitors (Unauthenticated Use)

Persons accessing public pages of the Platform without logging in.

  • Standard server log data (IP address, browser, referrer, pages visited);
  • Anonymised analytics data for service improvement.

5. Purposes & Legal Basis

We process your personal data for the following legitimate purposes:

PurposeLawful basis (DPDP Act / GDPR)
To administer ITI admissions, enrolment, attendance, examinations and certificationsPerformance of a public function entrusted to DECT under State law / public interest
To authenticate users and enforce role-based accessNecessary for service delivery; legitimate use under §7 of DPDP Act
To enable student services such as attendance, progress tracking, leave applicationPerformance of service / consent
To process applications for admission and communicate admission statusConsent & performance of service
To facilitate stipend / scholarship disbursal (where applicable)Legal obligation & performance of public benefit
To enable alumni engagement and job-matching with EmployersConsent of the Alumni user
To allow Employers to post jobs and shortlist candidatesPerformance of service to the registered Employer
To comply with audits, RTI, statutory reporting and government schemesCompliance with a legal obligation
To monitor security, detect fraud and prevent misuseLegitimate interest of DECT and protection of users
To improve the Platform through anonymised analyticsLegitimate interest / consent

We will not use your personal data for any purpose that is incompatible with those listed above without seeking your fresh consent.

Where processing is based on consent, you will be presented with a clear, plain-language consent notice at the point of collection, in English and (where feasible) in regional languages of Meghalaya. Consent is:

  • Free, specific, informed, unconditional and unambiguous, as required by §6 of the DPDP Act, 2023;
  • Limited to the purposes specified in the consent notice;
  • Withdrawable at any time through the Platform’s Privacy Settings or by writing to the Grievance Officer (see Section 18). Withdrawal will not affect the lawfulness of processing carried out before the withdrawal.

Certain processing — such as legal compliance, fraud prevention, or performance of a public function — may continue under non-consent grounds permitted by law even after withdrawal of consent.

7. Children & Persons with Disability

ITI training is open to candidates aged 14 years and above. Where a Student or Applicant is a minor (below 18 years) or is a person with disability who has a lawful guardian:

  • We will obtain verifiable consent from the parent or lawful guardian before processing personal data, in accordance with §9 of the DPDP Act, 2023;
  • We will not undertake tracking, behavioural monitoring, or targeted advertising directed at children;
  • We will not process personal data that is likely to cause any detrimental effect on the well-being of a child.
Parents/guardians may, at any time, request access to or deletion of their ward’s personal data by writing to the Grievance Officer (Section 18).

8. Disclosure & Sharing of Personal Data

We do not sell, rent or trade your personal data. Personal data may be shared only in the following circumstances:

  • Within DECT and affiliated ITIs: on a need-to-know basis to authorised officials for the purposes listed in Section 5.
  • With government bodies: Directorate General of Training (DGT), Ministry of Skill Development & Entrepreneurship (MSDE), National Council for Vocational Education & Training (NCVET), Skill India Digital Hub, NCS Portal and similar statutory authorities, for examinations, certification, accreditation and policy reporting.
  • With Employers: Alumni and final-year Student data (resume, contact, course details) is shared with Employers only after explicit consent of the user, either as part of a job application or selective campus placement.
  • With Service Providers / Data Processors: cloud hosting providers, NIC, MeitY-empanelled service providers, payment gateways, SMS/email gateways, who process data strictly under written contracts with confidentiality and security obligations.
  • For legal compliance: to courts, law-enforcement agencies, regulators, or under the Right to Information Act, 2005 (subject to exemptions under §8 RTI Act for personal data).
  • In aggregated, anonymised form: for research, policy planning and public reporting in a manner that does not identify individuals.

9. Cross-Border Transfers

The iDECT MIS is hosted on infrastructure located within India, in compliance with Government of India directives on data localisation for government systems (including NIC / MeghSDC / MeitY-empanelled cloud).

Personal data will not be transferred outside India except (a) to a country notified by the Central Government under §16 of the DPDP Act, 2023; or (b) where the transfer is permitted by law for the performance of a specific function (for example, transmission of academic credentials to a recognised international examination body, only with the Data Principal’s consent).

For users accessing the Platform from the European Economic Area (EEA) or the United Kingdom, we will, where required, rely on appropriate safeguards under the GDPR (such as the European Commission’s Standard Contractual Clauses) and inform you of such transfers at the point of collection.

10. Data Retention & Deletion

We retain personal data only for as long as is necessary for the purposes for which it was collected, or as required by law.

CategoryIndicative Retention Period
Applicant data — applications not admittedUp to 3 years after the admission cycle closes
Student academic records (attendance, marks, certificates)Permanent archival, as required for verification of qualifications
Student contact and demographic profileFor the duration of training + 7 years
Alumni profile (post completion)Active until the user requests deletion; underlying academic record retained as above
Employer account & job postingsFor the duration of the account + 3 years after closure
Administrator / Instructor employment-related recordsAs per applicable government service rules
Audit logs and security logsMinimum 180 days, or longer if required by the IT Act / CERT-In directions
Payment transaction recordsAs per Income-tax Act and GST requirements (typically 8 years)

On expiry of the applicable retention period, or upon a valid erasure request (see Section 12), personal data will be deleted or irreversibly anonymised, except where retention is required by law or for the establishment, exercise or defence of legal claims.

11. Security Safeguards

DECT implements reasonable security practices and procedures aligned with ISO/IEC 27001, CERT-In directions and the SPDI Rules, 2011, including:

  • Transport-layer encryption (TLS 1.2 or higher) for all data in transit;
  • Encryption at rest for sensitive databases and document stores;
  • Role-based access control (RBAC) and the principle of least privilege;
  • Multi-factor authentication for Administrators and Instructors;
  • Hashing of all passwords using industry-standard algorithms;
  • Periodic Vulnerability Assessment & Penetration Testing (VAPT) by CERT-In empanelled auditors;
  • Server hosting within India on MeitY/STQC-compliant infrastructure;
  • Audit logging of administrative and security-critical actions;
  • Background verification and confidentiality undertakings from all personnel and vendors with access to personal data;
  • Regular backups and a documented disaster recovery plan.
Your role in security: please keep your login credentials confidential, enable multi-factor authentication where offered, log out from shared devices, and report any suspicious activity to the Grievance Officer immediately.

12. Your Rights as a Data Principal

Subject to the DPDP Act, 2023 and (where applicable) the GDPR, you have the following rights in respect of your personal data:

  • Right to access: a summary of personal data processed and the processing activities undertaken;
  • Right to correction and erasure: to correct inaccurate or misleading data, complete incomplete data, update data, and to request erasure of personal data that is no longer necessary;
  • Right to nominate: to nominate another individual to exercise your rights in the event of your death or incapacity;
  • Right of grievance redressal: to a readily accessible mechanism for redressal of grievances (Section 18);
  • Right to withdraw consent: as described in Section 6;
  • Right to data portability and objection (where the GDPR applies to your processing).

To exercise any of these rights, write to the Grievance Officer at the address in Section 18. We will respond within the timelines prescribed under applicable law (typically within 30 days). We may require verification of your identity before acting on a request. Certain requests may be denied where retention is required by law or where compliance would prejudice the rights of others.

13. Cookies, Device Permissions & Analytics

13.1 Cookies (Web Portal)

The web portal uses the following categories of cookies:

  • Strictly necessary — for session management, authentication and security (cannot be disabled);
  • Functional — to remember language and accessibility preferences;
  • Analytics — anonymised usage statistics. Used only with consent where required by law.

13.2 Mobile App Permissions

The mobile application may request the following device permissions, each used only for the stated purpose and only when necessary for a feature you initiate:

PermissionWhy we use it
CameraTo capture profile photographs, upload identity / academic documents, and (for Instructors/Admin) to mark attendance via QR code.
Storage / PhotosTo upload supporting documents and download certificates / reports.
LocationOnly for geo-fenced attendance marking at ITI premises, and only when you actively mark attendance. Background location is not collected.
NotificationsTo send important updates regarding attendance, leave approvals, exam schedules, application status and job postings.
Biometric (fingerprint / Face ID)For convenient on-device login only. Biometric data never leaves your device.

You can revoke any of these permissions at any time through your device settings.

14. Third-Party Services & Links

The Platform may integrate with or link to third-party services such as:

  • Government portals (e.g., DigiLocker, Aadhaar e-KYC via UIDAI, Skill India Digital Hub, NCS, APAAR/ABC);
  • Authorised payment gateways for application fees and other payments;
  • SMS, email and push-notification gateways;
  • Map and geo-services for ITI location and geo-fenced attendance.

When you interact with these services, their respective privacy policies apply in addition to this Policy. DECT is not responsible for the privacy practices of third-party services beyond its control, but selects vendors that meet government and CERT-In security standards.

15. RTI & Government Disclosure

As a public authority, DECT is subject to the Right to Information Act, 2005. Information held by DECT may be disclosed in response to a valid RTI application, subject to the exemptions under §8 of the RTI Act — in particular §8(1)(j), which protects personal information the disclosure of which has no relationship to any public activity or interest, or which would cause unwarranted invasion of privacy.

DECT may also share statistical, anonymised or de-identified information for the purposes of State and Central Government planning, scheme implementation, and reporting to bodies such as DGT, MSDE, NCVET and the Planning Department, in line with applicable government norms.

16. Personal Data Breach

In the event of a personal data breach that is likely to result in harm to any Data Principal, DECT will:

  • Notify the Data Protection Board of India in the form and manner prescribed under the DPDP Act, 2023;
  • Notify affected Data Principals without undue delay, where required;
  • Report cyber-security incidents to CERT-In within the timelines prescribed under the CERT-In Directions of 28 April 2022;
  • Take all reasonable measures to mitigate harm and prevent recurrence.

17. Changes to this Policy

DECT may update this Privacy Policy from time to time to reflect changes in law, technology, or Platform features. The “Last Updated” date at the top of this Policy reflects the most recent revision. Material changes will be communicated through the Platform (in-app notice or login screen banner) and, where appropriate, by email. Continued use of the Platform after such changes constitutes acknowledgement of the revised Policy, subject to any fresh consent required by law.

18. Grievance Redressal

If you have any complaint or concern regarding the processing of your personal data, you may contact our Grievance Officer:

Grievance Officer / Data Protection Officer
Name: [Name of officer]
Designation: [e.g., Joint Director, DECT]
Office: Directorate of Employment & Craftsman Training, Government of Meghalaya
Address: [Full postal address]
Email: [grievance@dect.meghalaya.gov.in]
Phone: [+91-xxx-xxxxxxx]
Office hours: Monday to Friday, 10:00 to 17:00 (excluding gazetted holidays)

We will acknowledge your grievance within 48 hours and aim to resolve it within 30 days. If you are not satisfied with the resolution, you may approach the Data Protection Board of India established under the DPDP Act, 2023.

19. Contact Us

For general queries about the Platform that are not grievances under Section 18:

iDECT MIS Help Desk
Email: [support@dect.meghalaya.gov.in]
Helpline: [+91-xxx-xxxxxxx]
Website: [https://dect.meghalaya.gov.in]

This Privacy Policy and any dispute arising out of or in connection with it shall be governed by the laws of India. The courts at Shillong, Meghalaya shall have exclusive jurisdiction, subject to the statutory remedies available under the DPDP Act, 2023, the Information Technology Act, 2000, and other applicable laws.

In the event of any inconsistency between the English version of this Policy and any translation, the English version shall prevail.

Document control: Version 1.0 · Effective from [DD Month YYYY] · Approved by [Designation of approving authority, DECT].
This document is published in accordance with the Digital Personal Data Protection Act, 2023, the Information Technology Act, 2000, the SPDI Rules, 2011, and applicable Government of Meghalaya e-Governance guidelines. Yellow-highlighted placeholders must be filled in by DECT before publication.

↑ Back to top