- The Personal Data (Privacy) (Amendment) Ordinance 2021
- What is Personal Data?
- Six Data Protection Principles of the Personal Data (Privacy) Ordinance
- Our Commitment
- Personal Information Collection Statement (PICS)
- Example of PICS included in paper/electronic forms that capture personal data:
- Training Workshops by EY
- Workshop on Personal Data Privacy by PCPD
- Impact of European Union GDPR to the University
- A note to Zoom online meeting users
- PCPD's Guidance Notes on using Artificial Intelligence
- Advice from DPO
- PICS statement template in Word format
The Personal Data (Privacy) (Amendment) Ordinance 2021
Effective on 8 October 2021, the Personal Data (Privacy) Ordinance was amended to include the criminalisation of doxxing acts (起底). The objective of the amendment ordinance is to combat doxxing acts by empowering the Privacy Commissioner for Personal Data (Privacy Commissioner) to carry out criminal investigations and institute prosecutions for doxxing and related offences. The disclosure of someone’s personal data without consent with an intent to cause harm or being reckless as to whether harm would be caused to the individual or any of his/her family members is now a criminal offence. Once convicted, the maximum penalty is a fine of HK$1,000,000 and imprisonment for 5 years. For more information about the amendment ordinance, please refer to https://www.pcpd.org.hk/english/doxxing/index.html.
What is Personal Data?
Personal data, according to the Personal Data (Privacy) Ordinance, refers to any data:
1. Relating directly or indirectly to a living individual;
2. From which it is practicable for the identity of the individual to be directly or indirectly ascertained; and
3. In a form in which access to or processing of the data is practicable.
Examples of personal data include HKID number, personal phone number, passport number, Date of Birth, personal address, video recording of an individual, comments on individual performance in an appraisal, etc. The individual who surrenders his/her personal data is the “Data Subject”. The organisation or party that uses the personal data is the “Data User”. The Privacy Commissioner for Personal Data, Hong Kong is responsible for the enforcement and promotion of the requirements of the Ordinance.
Six Data Protection Principles of the Personal Data (Privacy) Ordinance:
There are six Data Protection Principles under the Personal Data (Privacy) Ordinance. (Reference: website of the Office of the Privacy Commissioner for Personal Data)
• DPP1: personal data shall be collected for a purpose directly related to a function and activity of the data user; lawful and fair collection of adequate data; data subjects shall be informed of the purpose for which the data is collected and to be used.
• DPP2: all practicable steps shall be taken to ensure the accuracy of personal data; data shall be deleted upon fulfillment of the purpose for which the data is used.
• DPP3: unless the data subject has given prior consent, personal data shall be used for the purpose for which it was originally collected or a directly related purpose.
• DPP4: all practicable steps shall be taken to ensure that personal data is protected against unauthorised or accidental access, processing or erasure.
• DPP5: data users shall formulate and provide policies and practices in relation to personal data.
• DPP6: individuals have rights of access to and correction of their personal data.
Data users should comply with data access or data correction requests within the time limit, unless reasons for rejection prescribed in the Ordinance are applicable.
Our Commitment
EdUHK puts a high priority on the protection of personal data. The Chief Information Officer is appointed the University's Data Privacy Officer (DPO) who has the following responsibilities:
1. To coordinate, oversee and review the University's policies related to the Personal Data (Privacy) Ordinance and the implementation so as to ensure the University fully complies with the requirements of the Ordinance;
2. To handle enquiries related to the policies and the implementation; and
3. To raise the awareness of the requirements of the Ordinance in the University.
Personal Information Collection Statement (PICS)
According to the Ordinance, the University has to provide the data subjects with a Personal Information Collection Statement (PICS) when collecting personal data (e.g. HKID number, address, telephone number, etc.). The PICS should include the following:
1. Statement of purpose (with retention period specified);
2. Statement as to whether it is obligatory or voluntary for the individual to supply his/her personal data;
3. Statement of possible transferees within the University;
4. Request for consent to receiving further information from the University, if applicable;
5. Statement of rights of access and correction and contact details;
6. Notice of contact person for requesting access or correction; and
7. Hyperlink to the University PPS at https://www.eduhk.hk/en/privacy-policy.
Example of PICS included in paper/electronic forms that capture personal data:
For legitimate business purposes, colleagues may need to collect personal data from students, staff, applicants and donors. Colleagues should include in the data collection form (online or paper) a PICS tailor-made for the specific collection. They should also include a URL or link to the University's PPS as stipulated above. To help colleagues prepare a PICS, we have the following examples for your reference. Again, colleagues should tailor it to fit their situation.
A) Statement of Purpose with Retention Period:
e.g. The information collected from you will be used for “your purposes”. The collected data will be purged after “some milestones”.
B) Statement as to whether it is obligatory or voluntary for the individual to supply any personal data:
e.g. Please note that it is mandatory for you to provide the personal data required or we might not process your request.
C) Statement of possible transferees within the University: [Note: we should avoid transferring personal data to parties outside EdUHK as far as possible as we have no control over the security of data after the transfer.]
e.g. Your personal data captured might be transferred or shared with “other unit(s)” of EdUHK but will not be transferred to outside parties.
D) Request for consent to receiving further information from the University: [Note: the 2013 amendment requires the data subject’s explicit consent if the personal data might be used for direct marketing purposes. Sending of information involving new courses organised by an educational institution falls within the definition of direct marketing.]
e.g. ☐ Please put a [x] in the box if you want to continue receiving marketing or promotional materials from the University.
E) Statement of rights of access and correction and contact details:
e.g. You have the right to request access to and correction of information held by us about you.
F) Notice of contact person for requesting access or correction:
e.g. If you wish to access or correct your personal data, please contact ….
G) Hyperlink to the University Policy Statement:
Training Workshops by EY
- Presentation Slides (English version)
Impact of European Union GDPR to the University
To clarify the impact of the European Union’s General Data Protection Regulation (GDPR), the University's legal adviser was engaged to study the matter. In view of admission and recruitment activities where we are not offering goods and services in EU and the proportion of students is not significant, the personal data collection processes are not subject to GDPR. However, colleagues are reminded to note situations involving marketing activities in EU with a presence there and the contractual relationship with host universities in EU in exchange activities. We should avoid becoming the “Joint Controller” which might bring the University under GDPR. When circumstances arise, the legal adviser might be consulted again.
A note to Zoom online meeting users
When users use Zoom (https://eduhk.zoom.us) for online meetings and classes, the hosts might want to use the meeting recording function to record the session. Most of the time, the recordings include images, voices and slides of the speakers. Occasionally, the participants' inputs, images and voices might be captured too. As required by the relevant legislation, the host of the online meeting, who records the session, should clearly inform the participants before recording commences. An announcement to all participants in the meeting that the session will be recorded, together with the usage of the video and the retention period, could serve the purpose. Nonetheless, the recording should not be excessive and should stick to the declared usages. Zoom provides indications to participants that recording is in progress. For more information, please kindly refer to https://support.zoom.us/hc/en-us/articles/360000486746-Recording-Notifications. Please be mindful that recorded videos in classes or meetings are regarded as personal data, so we need to follow the requirements of the DPPs in using, handling and retaining the video concerned in due course. Meanwhile, the Zoom platform keeps a log of the activities of participants (e.g. when they join and leave the session) for administrative purposes. All the Zoom meeting activities recorded will be removed automatically after 12 months.
PCPD's Guidance Notes on using Artificial Intelligence
With the growing use of Artificial Intelligence (A.I.) in decision making, recommendation generation and marketing, there are growing concerns about the ethical side of the technology, in particular regarding the privacy, fairness, objectives and risks. PCPD published a “Guidance on the Ethical Development and Use of Artificial Intelligence” for the public's reference so that A.I. could be used ethically. For more information, please kindly refer to https://www.pcpd.org.hk/english/resources_centre/publications/files/guidance_ethical_e.pdf.
Advice from DPO:
It is common for colleagues to collect "excessive" personal information, which could be avoided. For instance, if we could communicate with the data subject by email, we might not want to collect his/her mobile phone number. Please kindly exercise care and be just in the collection while keeping it minimal. If there is a potential leakage of personal data, according to the University's Information Security Incident Handling Procedures, colleagues should report to the Information Security Officer (currently held by the Chief Information Officer) in a timely manner so that damage could be contained and victims could be notified as soon as possible. For enquiries, please contact email@example.com.