Personal Data Compliance Manual New!

To strengthen internal control and operation in terms of personal data and requirement compliance, the Personal Data Compliance Manual is released for staff members of the University. The Manual sets out the practices of the University regarding personal data as a compliance guide for staff members when carrying out their duties.  It includes key components of the requirements of the Personal Data (Privacy) Ordinance, the University’s Information Security Policy and related policies. It is hoped that the Manual could help colleagues understand, be better prepared and handle personal data matters properly to minimise the risks of personal data incidents.

Two information sessions on the Manual were held in Dec 2022. The presentation slides and video are available below.

Personal Data Collection Inventory (PDCI) System

To enable the University to have a holistic view of the personal data collection activities and ensure compliance with the key components of the requirements of the Ordinance and University’s policies, departments are required to update their personal data collection processes on the Personal Data Collection Inventory (PDCI) system ( annually. This is crucial for incident handling, personal data enquiries by data subjects and risk mitigation. Only delegated colleagues nominated by Heads of Departments have access to the system. Sample checks on the records of the PDCI system are done by the University Data Protection Officer (UDPO) and relevant departments are alerted for data rectification if needed.

Should you have any queries on the Manual and PDCI system, please contact the University Data Protection Officer at


The Personal Data (Privacy) (Amendment) Ordinance 2021

Effective on 8 Oct 2021, the Personal Data (Privacy) Ordinance was amended to include the criminalisation of doxxing acts (起底). The objective of the amendment ordinance is to combat doxxing acts by empowering the Privacy Commissioner for Personal Data (Privacy Commissioner) to carry out criminal investigations and institute prosecutions for doxxing and related offences. The disclosure of someone’s personal data without consent with an intent to cause harm or being reckless as to whether harm would be caused to the individual or any of his/her family members is now a criminal offence. Once convicted, the maximum penalty is a fine of HK$1,000,000 and imprisonment for 5 years. For more information about the amendment ordinance, please refer to .  


What is Personal Data?

Personal data, according to the Personal Data (Privacy) Ordinance, refers to any data:

1. Relating directly or indirectly to a living individual;
2. From which it is practicable for the identity of the individual to be directly or indirectly ascertained; and
3. In a form in which access to or processing of the data is practicable.

Examples of personal data include HKID number, personal phone number, passport number, date of birth, personal address, video recording of an individual, comments on individual performance in an appraisal, etc. The individual who surrenders his/her personal data is the “Data Subject”. The organisation or party that uses the personal data is the “Data User”. The Privacy Commissioner for Personal Data, Hong Kong is responsible for the enforcement and promotion of the requirements of the Ordinance. 


Six Data Protection Principles of the Personal Data (Privacy) Ordinance:

There are six Data Protection Principles under the Personal Data (Privacy) Ordinance. (Reference: website of the Office of the Privacy Commissioner for Personal Data)

DPP1: personal data shall be collected for a purpose directly related to a function and activity of the data user; lawful and fair collection of adequate data; data subjects shall be informed of the purpose for which the data is collected and to be used.
DPP2: all practicable steps shall be taken to ensure the accuracy of personal data; data shall be deleted upon fulfilment of the purpose for which the data is used.
• DPP3: unless the data subject has given prior consent, personal data shall be used for the purpose for which it was originally collected or a directly related purpose.
• DPP4: all practicable steps shall be taken to ensure that personal data is protected against unauthorised or accidental access, processing or erasure.
DPP5: formulates and provides policies and practices in relation to personal data.
DPP6: individuals have rights of access to and correction of their personal data.

Data users should comply with data access or data correction requests within the time limit unless reasons for rejection prescribed in the Ordinance are applicable.


Our Commitment

EdUHK puts a high priority on the protection of personal data. The Associate Director of the Office of the Chief Information Officer is appointed the University Data Protection Officer (UDPO) who has the following responsibilities:

1. To coordinate, oversee and review the University's policies related to the Personal Data (Privacy) Ordinance and its implementation so as to ensure the University fully complies with the requirements of the Ordinance;
2. To handle enquiries related to the policies and the implementation; and
3. To raise awareness of the requirements of the Ordinance in the University.


Privacy Policy Statement (PPS)

The Privacy Policy Statement (PPS) is the University's overall commitment to protecting personal data privacy. The University PPS is accessible at or at the Privacy Policy on the University website ( The PPS also includes communication channels for data subjects (staff/ex-staff, students/alumni, contractors/ex-contractors) to make enquiries and requests for updates of the personal data in custody. For general enquiry about the privacy policy and practice in the University, please contact the UDPO at


Personal Information Collection Statement (PICS)

According to the Ordinance, the University has to provide the data subjects with a Personal Information Collection Statement (PICS) when collecting personal data (e.g. HKID number, address, telephone number, etc). The PICS should include the following:

1. Statement of purpose (with retention period specified);
2. Statement as to whether it is obligatory or voluntary for the individual to supply his/her personal data;
3. Statement of possible transferees within the University;
4. Request for consent to receiving further information from the University, if applicable;
5. Statement of rights of access and correction and contact details;
6. Notice of contact person for requesting access or correction; and
7. Hyperlink to the University PPS at


Examples of PICS and PPS  in paper/electronic forms that capture personal data:

For legitimate business purposes, colleagues may need to collect personal data from students, staff, applicants and donors. Colleagues should include in the data collection form (online or paper) a PICS tailor-made for the specific collection. They should also include a URL or link to the University's PPS as stipulated above. To help colleagues prepare a PICS, we have the following examples for your reference. Again, colleagues should tailor-make it to fit their situation.

A) Statement of Purpose with Retention Period:

e.g. The information collected from you will be used for “your purposes”. The collected data will be purged after “some milestones”.

B) Statement as to whether it is obligatory or voluntary for the individual to supply any personal data:

e.g. Please note that it is mandatory for you to provide the personal data required or we might not process your request.

C) Statement of possible transferees within the University: [Note: we should avoid transferring personal data to parties outside EdUHK as far as possible as we have no control over data security after the transfer.]

e.g. Your personal data captured might be transferred or shared with “other unit(s)” of EdUHK but will not be transferred to outside parties.

D) Request for consent to receiving further information from the University: [Note: the 2013 amendment requires the data subject’s explicit consent if the personal data might be used for direct marketing purposes. Sending of information involving new courses organised by an educational institution constitutes the definition of direct marketing.]

e.g  Please put a [x] in the box if you want to continue receiving marketing or promotional materials from the University. 

E) Statement of rights of access and correction and contact details:

e.g. You have the right to request access to and correction of information held by us about you.

F) Notice of contact person for requesting access or correction:

e.g. If you wish to access or correct your personal data, please contact ….

G) Hyperlink to the University Policy Statement:

e.g. The University's Privacy Policy Statement can be found at .


Training Workshops by EY

Training workshops on data privacy were given by EY consultants in May 2015. The presentation slides and videos are available below.


Workshop on Personal Data Privacy by PCPD

(Note: The presentation materials are valid as of the date the workshop was given and are made available below for reference only. For latest and more information, please visit PCPD.)

The latest workshop on Personal Data Privacy was given by PCPD in May 2024 and the presentation slides are available below.

Presentation slides and videos of previous workshops by PCPD: 


Impact of European Union GDPR on the University:

To clarify the impact of the European Union’s General Data Protection Regulations (GDPR), the University's legal adviser was engaged to study the matter. In view of admission and recruitment activities where we are not offering goods and services in the EU and the proportion of students is not significant, the personal data collection processes are not subject to GDPR. However, colleagues are reminded to note situations involving marketing activities in the EU with a presence there and the contractual relationship with host universities in the EU in exchange activities. We should avoid becoming the “Joint Controller”, which might bring the University under GDPR. When circumstances arise, the legal adviser might be consulted again.


A note to Zoom online meeting users:

When users use Zoom ( for online meetings and classes, the hosts might want to use the meeting recording function to record the session. Most of the time, the recordings include images, voices and slides of the speakers. Occasionally, the participants' inputs, images and voices might be captured too. As required by the relevant legislation, the host of the online meeting, who records the session, should clearly inform the participants before the recording commences. An announcement to all participants in the meeting that the session will be recorded with usage of the video and the retention period could serve the purpose. Nonetheless, the recording should not be excessive and should stick to the declared usage. Zoom provides indications to participants that recording is in progress. For more information, please kindly refer to Please be mindful that recorded videos in classes or meetings are regarded as personal data, and we need to follow the requirements of DPPs in using, handling and retention of the video concerned in due course.  Meanwhile, the Zoom platform keeps a log of the activities of participants (e.g. when they join and leave the session) for administrative purposes.  All the Zoom meeting activities recorded will be removed automatically after 12 months.


PCPD's Guidance Notes on Using Artificial Intelligence

With the growing use of Artificial Intelligence (A.I.) in decision-making, recommendation generation and marketing, there are growing concerns about the ethical side of the technology, particularly regarding privacy, fairness, objectives and risks. PCPD published a “Guidance on the Ethical Development and Use of Artificial Intelligence” for the public's reference so that A.I. could be used ethically. For more information, please kindly refer to


Advice from UDPO:

It is common that colleagues tend to collect "excessive" personal information that could be avoided. For instance, if we could communicate with the data subject by email, we might not want to collect his/her mobile phone number. Please kindly exercise care and diligence in the collection while keeping it minimal. If there is a potential leakage of personal data, according to the University's Personal Data Compliance Manual, colleagues should report to the UDPO in a timely manner so that damage can be contained and victims can be notified as soon as possible. For enquiry, please contact