- What is Personal Data?
- Six Data Protection Principles of the Personal Data (Privacy) Ordinance
- Our Commitment
- Personal Information Collection Statement (PICS)
- Example of PICS included in the paper/electronic form that capture personal data:
- Training Workshops by EY
- Workshop on Personal Data Privacy by PCPD
- Impact of European Union GDPR to the University
- A note to Zoom online meeting users
- Advice from DPO
What is Personal Data?
Personal data, according to the Personal Data (Privacy) Ordinance, refers to any data:
1. Relating directly or indirectly to a living individual;
2. From which it is practicable for the identity of the individual to be directly or indirectly ascertained; and
3. In a form in which access to or processing of the data is practicable.
The individual who provides his/her personal data is the "Data Subject". The organization or party that controls the collection, holding, processing or use of the personal data is the "Data User". The Office of the Privacy Commissioner for Personal Data, Hong Kong (PCPD) is responsible for the enforcement and promotion of the requirements of the Ordinance.
Six Data Protection Principles of the Personal Data (Privacy) Ordinance:
There are six Data Protection Principles (DPPs) required by the Personal Data (Privacy) Ordinance. (Reference: website of the Office of the Privacy Commissioner for Personal Data)
• DPP1 (Purpose and manner of collection): personal data shall be collected for a purpose directly related to a function or activity of the data user; the collection shall be lawful and fair, and the data collected shall be adequate but not excessive; data subjects shall be informed of the purpose for which the data are collected and the classes of persons to whom the data may be transferred.
• DPP2 (Accuracy and retention): all practicable steps shall be taken to ensure the accuracy of personal data; data shall not be kept longer than is necessary for the fulfillment of the purpose for which they are used, and shall be deleted once that purpose is fulfilled.
• DPP3 (Use): unless the data subject has given prior consent, personal data shall be used only for the purpose for which they were originally collected or for a directly related purpose.
• DPP4 (Security): all practicable steps shall be taken to ensure that personal data are protected against unauthorized or accidental access, processing, erasure, loss or use.
• DPP5 (Openness): data users shall make their policies and practices in relation to personal data, the kinds of personal data held and the main purposes for which they are used, openly available.
• DPP6 (Access and correction): individuals have the right to request access to and correction of their personal data.
Data users should comply with a data access or data correction request within the statutory time limit (40 days after receiving the request), unless one of the reasons for refusal prescribed in the Ordinance applies.
Our Commitment
EdUHK puts a high priority on the protection of personal data. The Chief Information Officer is appointed as the University's Data Privacy Officer (DPO), who has the following responsibilities:
1. To coordinate, oversee and review the University's policies related to the Personal Data (Privacy) Ordinance and the implementation so as to ensure the University fully complies with the requirements of the Ordinance;
2. To handle enquiries related to the policies and the implementation; and
3. To raise the awareness of the requirements of the Ordinance in the University.
Personal Information Collection Statement (PICS)
According to the Ordinance, the University has to provide data subjects with a Personal Information Collection Statement (PICS) on or before collecting their personal data (e.g. HKID number, address, telephone number, etc.). The PICS should include the following:
1. Statement of purpose;
2. Statement as to whether it is obligatory or voluntary for the individual to supply his/her personal data;
3. Statement of possible transferees within the University;
4. Request for consent to receiving further information from the University, if applicable;
5. Statement of rights of access and correction and contact details; and
6. Notice of contact person for requesting access or correction.
Example of PICS included in the paper/electronic form that captures personal data:
For legitimate business purposes, colleagues may need to collect personal data from students, staff, applicants and donors. Colleagues should include in the data collection form (online or paper) a PICS tailor-made for the specific collection. They should also include a URL or link to the University's PPS as stipulated above. To help colleagues prepare a PICS, we provide the following examples for reference. Again, colleagues should tailor each statement to fit their own situation.
A) Statement of Purpose with Retention Period:
e.g. The information collected from you will be used for “your purposes” . The collected data will be purged after “some milestone”.
B) Statement as to whether it is obligatory or voluntary for the individual to supply any personal data:
e.g. Please note that it is mandatory for you to provide the personal data required or we might not process your request.
C) Statement of possible transferees within the University: [Note: we should avoid transferring personal data to parties outside EdUHK as far as possible, as we have no control over the security of the data after the transfer.]
e.g. Your personal data collected might be transferred to or shared with "other unit(s)" of EdUHK but will not be transferred to outside parties.
D) Request for consent to receiving further information from the University: [Note: the 2013 amendment requires the data subject's explicit consent if the personal data might be used for direct marketing purposes. Sending information about new courses organized by an educational institution falls within the definition of direct marketing.]
e.g. ☐ Please put a [x] in the box if you want to continue receiving marketing or promotional materials from the University.
E) Statement of rights of access and correction and contact details:
e.g. You have the right to request access to and correction of information held by us about you.
F) Notice of contact person for requesting access or correction:
e.g. If you wish to access or correct your personal data, please contact ….
Training Workshops by EY
- Presentation Slides (English version)
- Presentation Slides (Chinese version)
Workshop on Personal Data Privacy by PCPD
- Presentation Slides (English version)
- Case Sharing and Q&A
Impact of European Union GDPR to the University
To clarify the impact of the European Union's General Data Protection Regulation (GDPR), the University's legal adviser was engaged to study the matter. In view of our admission and recruitment activities, where we are not offering goods or services in the EU and the proportion of students from the EU is not significant, the personal data collection processes are not subject to the GDPR. However, colleagues are reminded to take note of situations involving marketing activities in the EU with a presence there, and of contractual relationships with host universities in the EU in exchange activities. We should avoid becoming a "Joint Controller", which might bring the University under the GDPR. When such circumstances arise, the legal adviser might be consulted again.
A note to Zoom online meeting users
When users use Zoom (https://eduhk.zoom.us) for online meetings and classes, the hosts might want to use the meeting recording function to record the session. Most of the time, the recordings include the images, voices and slides of the speakers. Occasionally, the participants' inputs, images and voices might be captured too. As required by the relevant legislation, the host of the online meeting who records the session should clearly inform the participants before recording commences. An announcement to all participants that the session will be recorded, stating the intended use of the video and its retention period, would serve this purpose. Nonetheless, the recording should not be excessive and should be used only for the declared purposes. Zoom provides indications to participants that recording is in progress. For more information, please refer to https://support.zoom.us/hc/en-us/articles/360000486746-Recording-Notifications. Please be mindful that recorded videos of classes or meetings are regarded as personal data, so we need to follow the requirements of the DPPs in using, handling and retaining the video concerned. Meanwhile, the Zoom platform keeps a log of participants' activities (e.g. when they join and leave the session) for administrative purposes. All Zoom meeting activity logs will be removed automatically after 12 months.
Advice from DPO:
It is common for colleagues to collect "excessive" personal information that could be avoided. For instance, if we could communicate with the data subject by email, we need not collect his/her mobile phone number. Please exercise care in what is collected and keep it to the minimum necessary for the stated purpose. If there is a potential leakage of personal data, colleagues should, according to the University's Information Security Incident Handling Procedures, report it to the Information Security Officer (a role currently held by the Chief Information Officer) in a timely manner, so that the damage can be contained and the affected individuals notified as soon as possible. For enquiries, please contact firstname.lastname@example.org.