What is Personal Data?
Personal data, according to the Personal Data (Privacy) Ordinance, means any data:
1. Relating directly or indirectly to a living individual;
2. From which it is practicable for identity of the individual to be directly or indirectly ascertained; and
3. In a form in which access to or processing of the data is practicable.
The individual to whom the personal data relate is the "Data Subject". The organization or party that controls the collection, holding, processing or use of the personal data is the "Data User". The Privacy Commissioner for Personal Data, Hong Kong is responsible for the enforcement and promotion of the requirements of the Ordinance.
Six Data Protection Principles of the Personal Data (Privacy) Ordinance:
There are six Data Protection Principles required by the Personal Data (Privacy) Ordinance. (Reference: website of the Office of the Privacy Commissioner for Personal Data)
• DPP1: personal data shall be collected for a purpose directly related to a function or activity of the data user; collection shall be lawful and fair, and the data collected shall be adequate but not excessive; data subjects shall be informed of the purpose for which the data are collected and the classes of persons to whom they may be transferred.
• DPP2: all practicable steps shall be taken to ensure the accuracy of personal data; data shall not be kept longer than necessary and shall be deleted once the purpose for which they were collected has been fulfilled.
• DPP3: unless the data subject has given prior consent, personal data shall be used for the purpose for which they were originally collected or a directly related purpose.
• DPP4: all practicable steps shall be taken to ensure that personal data are protected against unauthorized or accidental access, processing or erasure.
• DPP5: data users shall make openly available their policies and practices in relation to personal data.
• DPP6: individuals have rights of access to and correction of their personal data.
Data users must comply with a data access or data correction request within the time limit prescribed by the Ordinance, unless one of the reasons for refusal prescribed in the Ordinance applies.
EdUHK puts a high priority on the protection of personal data. The Chief Information Officer is appointed the University's Data Privacy Officer (DPO) who has the following responsibilities:
1. To coordinate, oversee and review the University's policies related to the Personal Data (Privacy) Ordinance and the implementation so as to ensure the University fully complies with the requirements of the Ordinance;
2. To handle enquiries related to the policies and the implementation; and
3. To raise the awareness of the requirements of the Ordinance in the University.
Personal Information Collection Statement (PICS)
According to the Ordinance, the University has to provide the data subjects with a Personal Information Collection Statement (PICS) when collecting personal data (e.g. HKID number, address, telephone number, etc). The PICS should include the following:
1. Statement of purpose;
2. Statement as to whether it is obligatory or voluntary for the individual to supply his/her personal data;
3. Statement of possible transferees within the University;
4. Request for consent to receiving further information from the University, if applicable;
5. Statement of rights of access and correction and contact details; and
6. Notice of contact person for requesting access or correction.
Examples of PICS wording for paper/electronic forms that capture personal data:
For legitimate business purposes, colleagues may need to collect personal data from students, staff, applicants and donors. Colleagues should include in the data collection form (online or paper) a PICS tailor-made for the specific collection. They should also include a URL or link to the University's PPS as stipulated above. To help colleagues prepare a PICS, the following examples are provided for reference. Again, colleagues should tailor-make the wording to fit their own situation.
A) Statement of Purpose with Retention Period:
e.g. The information collected from you will be used for “your purposes” . The collected data will be purged after “some milestone”.
B) Statement as to whether it is obligatory or voluntary for the individual to supply any personal data:
e.g. Please note that it is mandatory for you to provide the personal data required; otherwise we may not be able to process your request.
C) Statement of possible transferees within the University: [Note: we should avoid transferring personal data to parties outside EdUHK as far as possible, as we have no control over the security of the data after the transfer.]
e.g. Your personal data captured might be transferred or shared with “other unit(s)” of EdUHK but will not be transferred to outside parties.
D) Request for consent to receiving further information from the University: [Note: the 2013 amendment requires the data subject's explicit consent if the personal data might be used for direct marketing purposes. Sending information about new courses organized by an educational institution falls within the definition of direct marketing.]
e.g. ☐ Please put a [x] in the box if you want to continue receiving marketing or promotional materials from the University.
E) Statement of rights of access and correction and contact details:
e.g. You have the right to request access to and correction of information held by us about you.
F) Notice of contact person for requesting access or correction:
e.g. If you wish to access or correct your personal data, please contact ….
Training Workshops by EY
Advice from DPO:
It is common for colleagues to collect excessive personal information "just in case". For instance, if we can communicate with the data subject by email, we may not need to collect his/her mobile phone number. Please exercise care in the collection and keep it to the minimum required for the stated purpose. If there is a potential leakage of personal data, colleagues should, in accordance with the University's Information Security Incident Handling Procedures, report it to the Information Security Officer (a role currently held by the Chief Information Officer) in a timely manner so that the damage can be contained and affected individuals can be notified as soon as possible. For enquiries, please contact firstname.lastname@example.org.