Protection of Personal Data (Privacy)
The Chinese University of Hong Kong
 

 

  1. The University’s Policy in Protection of Personal Data (Privacy)

    The Chinese University of Hong Kong (the University) as a data user undertakes to comply with the requirements of the Personal Data (Privacy) Ordinance to ensure that personal data kept are accurate, securely kept and used only for the purpose for which they have been collected.

    All staff members and students of the University who handle identifiable personal data should take extra precaution to ensure that the relevant laws on personal data (privacy) and University Guidelines are complied with and that effective security measures are adopted to protect personal and sensitive data concerning a wide spectrum of data subjects such as staff, students, alumni, patients, clients, donors, job applicants and other data subjects involved in research/experiments/surveys.



  2. Personal Data (Privacy) Ordinance

    The Personal Data (Privacy) Ordinance was brought into force on 20 December 1996 to protect the privacy interests of living individuals in relation to personal data. The Ordinance covers any data relating directly or indirectly to a living individual (data subject), from which it is practicable to ascertain the identity of the individual and which are in a form in which access or processing is practicable. It applies to any person (data user) that controls the collection, holding, processing or use of personal data.

    Please read carefully and comply with the following Ordinance and relevant Codes of Practice and Guidelines. For other information on the Ordinance, please consult the Office of the Privacy Commissioner for Personal Data, Hong Kong: http://www.pcpd.org.hk.


  3. The University’s Guidelines in Protection of Personal Data (Privacy)

    All staff members and students are required to comply with all relevant provisions of the Ordinance and observe the following six Data Protection Principles under the Ordinance in the collection, use, disclosure and retention of personal data:

    6 Data Protection Principles

    Principle 1 - Purpose and Manner of Collection
    This provides for the lawful and fair collection of personal data and sets out the information a data user must give to a data subject when collecting personal data from that subject.

    Principle 2 - Accuracy and Duration of Retention
    This provides that personal data should be accurate, up-to-date and kept no longer than necessary.

    Principle 3 - Use of Personal Data
    This provides that, unless the data subject gives consent otherwise, personal data should be used for the purposes for which they were collected or a directly related purpose.

    Principle 4 - Security of Personal Data
    This requires appropriate security measures to be applied to personal data (including data in a form in which access to or processing of the data is not practicable).

    Principle 5 - Information to be Generally Available
    This provides for openness by data users about the kinds of personal data they hold and the main purposes for which personal data are used.

    Principle 6 - Access to Personal Data
    This provides for data subjects to have rights of access to and correction of their personal data.

    All Department Chairmen/School Directors/Unit Heads of the University are requested to critically review and improve the procedures and other relevant internal arrangements that are within their purview, in accordance with the following guidelines published from time to time by the Information Technology Services Centre (ITSC) and other relevant administrative units of the University.

    Department Chairmen/School Directors/Unit Heads should make sure that an effective mechanism is in place within their respective Department/School/Unit to determine whether it is really necessary to use mobile computing devices (e.g. notebook computers and PDAs) and removable storage media (e.g. external hard drives, memory cards, USB storage devices, memory sticks and thumb drives) to handle identifiable personal and sensitive data, and to make sure that such devices are securely kept and the data carried therein are properly encrypted and/or password protected.

    Special attention should be paid to protect the identifiable personal and sensitive data by encryption and security password. Advice and assistance may be obtained from ITSC where necessary: http://helpdesk.itsc.cuhk.edu.hk.

     


  4. Engagement of Third-Party Service Providers

    To avoid the loss or unauthorized use or disclosure of personal and sensitive data, it is recommended that a Non-Disclosure Agreement be signed in all situations with student helpers and contractors when acquiring third-party service that may give rise to access to personal and sensitive data or restricted information. Please refer to the following policies and samples of Non-Disclosure Agreement:

     


  5. Maintenance and Disposal of Computing Devices

    Regarding the maintenance and disposal of all the CUHK-owned computers, mobile computing devices and removable storage devices/media, all Department Chairmen/School Directors/Unit Heads should assign responsible staff member(s) to ensure that all identifiable personal and sensitive data therein contained are properly erased before these devices are dispatched for maintenance or disposal, to minimize the risk of loss, unlawful disclosure or unauthorized use of such data. Staff and students, when they need to use maintenance or repair service for computing devices, are advised to enter into Non-Disclosure Agreements with the relevant service providers.



  6. Information Security Incident Report Policy

    It is important that any incident or suspected incident of violation of the personal data (privacy) laws such as the loss of devices which carry identifiable personal or sensitive data, is reported to the University as soon as possible so that remedial actions can be taken to prevent or minimize the damages caused to the data subjects, the University and all other parties concerned. Please refer to the following details of the policy:

    Please fill in the following “Information Security Incident Reporting Form” and report the incident to the Department Chairmen/School Directors/Unit Heads concerned, and the Director of ITSC through confidential email: dir-itsc@cuhk.edu.hk.

     


  7. Data Access and Correction Request

    All members of the University have the right to request access to and correction of personally identifiable information about themselves that is held by the University. If you wish to access or correct your personal data held by the University, please complete and return the following “Data Access Request Form” to the following University offices for action:

    The initial processing fee for the Personal Data Access Request is HK$150, with local registered mail service charge included. The University reserves the right to levy charges for supplying copies of personal data. You MUST attach a crossed cheque payable to “The Chinese University of Hong Kong” when submitting this Form.

      Personal Data Relating to                   Office in Charge               Phone
      Appointees of the University                Personnel Office               2609 7286
      Undergraduate Students of the University    Office of Registry Services    2609 8971
      Postgraduate Students of the University     Graduate School Office         2609 8976
      Alumni of the University                    Alumni Affairs Office          2609 7860
      All other persons                           Secretariat                    2696 1723



  8. Personal Data Controlling Committee

    In December 1996, the University set up a Personal Data Controlling Committee to publicize the policies related to the Personal Data (Privacy) Ordinance and to oversee compliance with the Ordinance by the units and members of the University.

    Membership List

    Convener:   Mr. Jacob Leung, Secretary of the University
    Members:    Mr. Terence Chan, Bursar
                Mr. Eric Ng, Director of Registry Services
                Mrs. Sophie Lau, Director of Personnel
                Ms. Antonia Yeung, Director, Alumni Affairs Office
                Mr. Thomas Tsui, Representing the Director, Information Technology Services Centre
    Secretary:  Ms. Michelle Chan, Secretariat


  9. Full Compliance

    The privacy of our data subjects is of utmost importance and we thank you for your cooperation in our efforts to protect the personal data collected and managed by the University and to ensure full compliance with the relevant laws on personal data (privacy).

 
 

Last Updated: 1 September 2009

Copyright (c) 2009. All Rights Reserved. The Chinese University of Hong Kong.