Purpose and manner of collection of personal data
1. Personal data will only be collected for a lawful purpose and by lawful and fair means. Data collected in relation to a specified purpose must be adequate but not excessive in respect of the purpose. Upon collection, the Data Subject must be explicitly informed of:
(a) the purpose(s) for which the data is to be collected and the groups of persons to whom the data may be transferred;
(b) whether it is obligatory or voluntary for such data to be supplied, and the consequences of not supplying the obligatory data;
(c) the right of the Data Subject to request access to and correction of data held by the Data Users; and
(d) the person-in-charge to handle such data access and correction requests.
Accuracy and duration of retention of personal data
2. All reasonably practicable steps will be taken to ensure that the personal data kept is accurate.
3. Personal data will not be kept longer than is necessary for the fulfilment of the purpose for which it is collected. Normally, the retention period will not exceed seven years after the departure of or cessation of services of the individuals, except for the purposes of fulfilling legal obligations or with subsisting reasons.
Use of personal data
4. Without the prescribed consent of a Data Subject, the personal data will not be used for any purpose other than the purpose for which the data was originally collected. The prescribed consent may be withdrawn by a Data Subject.
Security of personal data
5. All reasonably practicable steps will be taken to ensure that personal data held is protected against unauthorised or accidental access, processing, erasure or other use.
6. Regarding the transmission of personal data over the Internet, the University has imposed the following security measures:
(a) Encryption – The University is continuously enhancing the implementation of encryption mechanisms in protecting its data. Strong encryption technology will be employed whenever possible for the transmission of data collected, processed or distributed online. The University servers are well protected against cyberattacks over the Internet. A well-organised and safe system of backups is in place.
(b) Two-factor authentication (2FA) – To protect the University’s data against unauthorised access, a 2FA mechanism will be deployed whenever possible. It adds an extra layer of security for accessing the University’s data by confirming a user’s claimed identity through utilising something they know (password) and a second factor, that is something they have (security token).
As such, users’ data supplied to the University is protected against unauthorised or accidental access, processing, erasure or other illegitimate manipulation.
7. At the same time, the University does not allow users, both internal and external, to engage in rude and annoying spamming, which includes sending unsolicited email, making mailbombs, disseminating commercial advertisements/promotions and distributing chain letters. Appropriate actions including legal prosecution may be taken against offenders.
Information to be generally available
8. The following information in relation to personal data of the University will be generally available:
(a) the kinds of personal data held;
(b) the main purpose for which personal data is used; and
(c) the policies and practices in relation to personal data.
Access to personal data
9. A Data Subject will have the right to request access to his/her personal data held by a Data User, through sending a completed data access request form specified by the Privacy Commissioner for Personal Data to the data-holding department/office. A fee which is not excessive will be charged for the processing. The Data Subject will be notified of the outcome within 40 calendar days of submitting his/her access request and will be given a reason if a data access request is refused.
10. After reviewing the requested data, a Data Subject also has the right to request in writing that the data-holding department/office correct his/her personal data.
Management of personal data
11. For each group of data collected from a Data Subject or a group of Data Subjects, the University designates the department/office which collects, holds and uses the data to be responsible for updating, protecting, providing access to and meeting requests for access/correction from the Data Subjects. Other departments/offices which make use of the same data transferred from these holders of data are expected to observe the six Data Protection Principles as well, particularly with regard to duration of data retention and use and security of data.
12. Data Users should adhere to the Data Protection Principles and draw up internal guidelines and practices for adoption by members of their respective departments/offices where appropriate.
13. A Data Protection Officer is to be appointed in each Faculty/School/Department/Office of the University to help protect the privacy of the data held in the Faculty/School/Department/Office, in compliance with the six Data Protection Principles, review and improve the relevant internal processes and enhance awareness of the need to protect personal data privacy among his or her colleagues in the Faculty/School/Department/Office.
The kinds of personal data held by the University and the respective purpose(s) of collection are listed below for information.
Personal data held by the University and the respective purpose(s) of collection
14. Personal data kept in different Faculties/Schools/Offices varies depending on the purpose of collection. In general terms, personal data could be classified as factual, evaluative or statistical data. Factual data is mostly provided by the Data Subjects themselves; evaluative data is normally provided by another person about the Data Subjects; and statistical data is derived primarily from factual and evaluative data. For the purpose of statistical data, personal data is depersonalised before statistical analyses are performed. Examples of personal data kept by the University include the following:
(a) identification data, e.g. name, identity card/passport number, photo
(b) personal details, e.g. age, sex, date of birth, contact telephone, address
(c) family data, e.g. marital status, details of family members
(d) contractual data, e.g. appointment period, terms of appointment
(e) education background and employment details
(f) record of assessment and review, e.g. self-statements, review/promotion panel resolutions
15. Personal data of Job Applicants kept in the Personnel Office includes applicants’ personal particulars, copies of qualifications, records of experience, test results, interview assessments, resolutions of assessment panels, last employers’ references and external assessors’ reports. It is kept for recruitment administration purposes. The personal data will be transferred to the relevant Faculty/School/Department/Office for recruitment consideration. Personal data of unsuccessful applicants will be disposed of soon after the completion of the relevant recruitment exercises and will not be kept for more than two years.
16. Personal data of Staff of the University is kept for various purposes in manpower planning and management, development and maintenance of the employment relationship. These will include but are not limited to the provision of access to and usage of University facilities, planning and administration of benefits, remuneration and payroll, preparing tax returns, facilitating performance appraisals, reviews of appointments, promotions, granting of awards/fellowships, organising training and development activities, complying with applicable laws, regulations and procedures, and interacting with the internal bodies of the University (e.g. the Council, the Court and the Senate). Staff data may be transferred to the Departments/Offices/internal bodies of the University providing facilities and staff benefits and facilitating communication, insurers, medical and dental practices/consultants, fund administrators/managers of the Superannuation Fund or Mandatory Provident Fund Scheme(s), government departments or regulatory bodies, and auditors appointed by the University for the above-mentioned purposes.
17. Personal data of Former Staff of the University is kept in the Personnel Office. Physical personal files of former staff, which contain personal particulars, family data, contractual data, evaluative data and other benefits-related data, will be destroyed two years after employment has ceased. Basic data of former staff will be kept electronically for the provision of certificates of service. Personal data required in filing for tax records will be disposed of seven years after staff have left the University.
18. Personal particulars, examination results and evaluative data of Prospective Students are collected as a basis for selection of applicants for admission. Data of successful applicants will be transferred and become part of the student records kept by the University. Data of unsuccessful applicants in electronic format, with personal identification data masked, will be kept for statistical purposes. All hard copies of unsuccessful applications will be destroyed upon completion of the admission process.
19. Personal data of Students of the University, including personal particulars, family data, education background, academic and assessment records, as well as Senate resolutions, is kept for registration, academic and administrative communication, statistical purposes and provision of student welfare services. For students who have graduated or left the University, their personal particulars (except contact details), study history or records, academic status and academic results will be kept indefinitely for the future provision of transcripts, testimonials or verification of education qualifications. For graduates of the University, their personal data and basic information about their studies will also be transferred to the Alumni Affairs Office of the University and become alumni data upon graduation.
20. Personal data of Alumni, Donors and Prospective Donors is collected, kept and used for the purposes of handling donation-related matters; sending news, updates and invitations to University events and gatherings; and data analysis and generation of statistical reports.
21. While following the retention requirements of personal data, the University is obliged to observe and ensure compliance with all the governing legislation and ordinances, including those enacted outside the Hong Kong Special Administrative Region but with extraterritorial applications covering the context of the University (e.g. the European Union General Data Protection Regulation 2016). Data Users in the University will evaluate and assess whether the collection, processing, use and retention of personal data fall within the scope of the related regulations and take necessary measures to safeguard the personal data and ensure full compliance.
22. If you have any queries concerning the policy, please contact the officer-in-charge of personal data in the Personnel Office, details of which can be found on the website of the Office.