Protection of Personal Data (Privacy)
The Chinese University of Hong Kong
Find Staff myCUHK 簡 繁

  1. The University’s Policy in Protection of Personal Data (Privacy)

    The Chinese University of Hong Kong (the University) as a data user undertakes to comply with the requirements of the Personal Data (Privacy) Ordinance to ensure that personal data kept are accurate, securely kept and used only for the purpose for which they have been collected.

    All staff members and students of the University who handle identifiable personal data should take extra precaution to ensure that the relevant laws on personal data (privacy) and University Guidelines are complied with and that effective security measures are adopted to protect personal and sensitive data concerning a wide spectrum of data subjects such as staff, students, alumni, patients, clients, donors, job applicants and other data subjects involved in research/experiments/surveys.

    Top of Page

  2. Personal Data (Privacy) Ordinance

    The Personal Data (Privacy) Ordinance was brought into force on 20 December 1996 to protect the privacy interests of living individuals in relation to personal data. The Ordinance covers any data relating directly or indirectly to a living individual (data subject), from which it is practicable to ascertain the identity of the individual and which are in a form in which access or processing is practicable. It applies to any person (data user) that controls the collection, holding, processing or use of personal data.

    Please read carefully and comply with the following Ordinance and relevant Codes of Practice and Guidelines. For other information of the Ordinance please consult the Office of the Privacy Commissioner for Personal Data, Hong Kong: .

    Personal Data (Privacy) (Amendment) Ordinance 2012

    The Personal Data (Privacy) (Amendment) Ordinance 2012 introduced various amendments to the Personal Data (Privacy) Ordinance to enhance the protection of personal data privacy of individuals. The majority of the provisions under the Amendment Ordinance have come into effect from 1 October 2012, while provisions relating to direct marketing and the legal assistance scheme take effect from 1 April 2013. Under the New Guidance on Direct Marketing (“the Guidance”), a data user is required to take specified action before using personal data in direct marketing and data user must not use or provide personal data to others for use in direct marketing without data subject’s consent or indication of no objection. The Guidance provides practical tips to data users on how to comply with the new direct marketing requirements under the amended Personal Data (Privacy) Ordinance.

    Top of Page

  3. European Union (EU) - General Data Protection Regulation (GDPR)

    The EU General Data Protection Regulation (GDPR), adopted in 2016, has come into force on 25 May 2018. The GDPR, which involves new provisions and enhanced rights, has replaced existing data protection laws throughout Europe and introduced significant changes and additional requirements that will have a wide ranging impact on businesses around the world, irrespective of where they operate. For details, please refer to the information leaflet European Union – General Data Protection Regulation 2016 <>.


    Top of Page

  4. Personal Information Protection Law of the Mainland

    The Personal Information Protection Law (PIPL) of the Mainland , which is effective from 1 November 2021, is the first piece of legislation in the Mainland dedicated to the protection of personal information. As a special legislation on personal information protection, the PIPL contains the basic principles, requirements and related systems for the protection of personal information. For details, please refer to the website of the Office of the Privacy Commissioner for Personal Data <>.


    Top of Page

  5. The University’s Guidelines in Protection of Personal Data (Privacy)

    All staff members and students are required to comply with all relevant provisions of the Ordinance and observe the following six Data Protection Principles under the Ordinance in the collection, use, disclosure and retention of personal data:

    6 Data Protection Principles

    Principle 1 - Purpose and Manner of Collection
    This provides for the lawful and fair collection of personal data and sets out the information a data user must give to a data subject when collecting personal data from that subject.

    Principle 2 - Accuracy and Duration of Retention
    This provides that personal data should be accurate, up-to-date and kept no longer than necessary.

    Principle 3 - Use of Personal Data
    This provides that unless the data subject gives consent otherwise personal data should be used for the purposes for which they were collected or a directly related purpose.

    Principle 4 - Security of Personal Data
    This requires appropriate security measures to be applied to personal data (including data in a form in which access to or processing of the data is not practicable).

    Principle 5 - Information to be Generally Available
    This provides for openness by data users about the kinds of personal data they hold and the main purposes for which personal data are used.

    Principle 6 - Access to Personal Data
    This provides for data subjects to have rights of access to and correction of their personal data.

    All Department Chairmen/School Directors/Unit Heads of the University are requested to critically review and improve the procedures and other relevant internal arrangements that are within their purview, in accordance with the following guidelines published from time to time by the Information Technology Services Centre (ITSC) and other relevant administrative units of the University.

    Department Chairmen/School Directors/Unit Heads should make sure that an effective mechanism is in place within their respective Department/School/Unit to determine whether it is really necessary to use mobile computing devices (e.g. notebook computers and PDAs) and removable storage media (e.g. external hard drives, memory cards, USB storage devices, memory sticks and thumb drives) to handle identifiable personal and sensitive data, and to make sure that such devices are securely kept and the data carried therein are properly encrypted and/or password protected.

    Special attention should be paid to protect the identifiable personal and sensitive data by encryption and security password. Advice and assistance may be obtained from ITSC where necessary:

    Principles and Guidelines on the Use and Monitoring of the University's Information and Communication Technologies Facilities and Services

    Top of Page

  6. Engagement of Third-Party Service Providers

    To avoid the loss or unauthorized use or disclosure of personal and sensitive data, it is recommended that a Non-Disclosure Agreement be signed in all situations with student helpers and contractors when acquiring third-party service that may give rise to access to personal and sensitive data or restricted information. Please refer to the following polices and samples of Non-Disclosure Agreement:

    Top of Page

  7. Maintenance and Disposal of Computing Devices

    Regarding the maintenance and disposal of all the CUHK-owned computers, mobile computing devices and removable storage devices/media, all Department Chairmen/School Directors/Unit Heads should assign responsible staff member(s) to ensure that all identifiable personal and sensitive data therein contained are properly erased before these devices are dispatched for maintenance or disposal, to minimize the risk of loss, unlawful disclosure or unauthorized use of such data. Staff and students, when they need to use maintenance or repair service for computing devices, are advised to enter into Non-Disclosure Agreements with the relevant service providers.

    Top of Page

  8. Information Security Incident Report Policy

    It is important that any incident or suspected incident of violation of the personal data (privacy) laws such as the loss of devices which carry identifiable personal or sensitive data, is reported to the University as soon as possible so that remedial actions can be taken to prevent or minimize the damages caused to the data subjects, the University and all other parties concerned. Please refer to the following details of the policy:

    Please fill in the following “Information Security Incident Reporting Form” and report the incident to the Department Chairmen/School Directors/Unit Heads concerned, and the Director of ITSC (IT-related incidents) or the Secretariat (non IT-related incidents) through confidential email: /

    Top of Page

  9. Data Access and Correction Request

    All members of the University have the right to request access to and correction of personally identifiable information about themselves that is held by the University. If you wish to access your personal data held by the University, please complete and return the following “Data Access Request Form” prescribed by the Office of the Privacy Commissioner for Personal Data, and return it to the following University offices for action:

    The initial processing fee for the Personal Data Access Request is HK$150 for a hard copy of 30 pages or below, with local registered mail service charge included. If the document requested exceeds 30 pages, HK$5 will be charged for each additional page. The University reserves the right to levy charges for supplying other copies of personal data. Please note that only hard copy of the requested information will be provided. You MUST attach a crossed cheque payable to “The Chinese University of Hong Kong” when submitting this Form.

      Personal Data Relating to
      Office in Charge
      Appointees of the University
      Human Resources Office 
      3943 7335
      Undergraduate Students of the University
      3943 9888
      Postgraduate Students of the University
      Graduate School Office
      3943 8976
      Alumni of the University
      Alumni Affairs Office
      3943 7860
      All other persons
      3943 7262

    Staff members of the University who wish to change their personal data should log in the webpage of the Human Resources Office using the staff ID and password, and complete and return the "Change of Personal Data" Form to the Human Resources Office. Students and alumni may update their personal data through the Chinese University Student Information System (CUSIS). Please contact the relevant administrative offices for the details.

    Top of Page

  10. Personal Data Controlling Committee

    In December 1996, the University set up a Personal Data Controlling Committee to publicize the policies related to the Personal Data (Privacy) Ordinance and to oversee compliance with the Ordinance by the units and members of the University.

    Membership List

    Convener:   Mr. Eric S.P. Ng, Vice-President (Administration) and University Secretary
    Members:   Ms. Salome Lam, Director of Finance
      Ms. Kitty W.H. Yu, Registrar
      Ms. Corinna Lee, Director of Human Resources
      Mr. Daniel Cheng, Director of Alumni Affairs
      Ms. Carol Chiu, Director of Information Technology Services


      Ms. Judy San, Assistant Secretary of University Secretariat

    Top of Page

  11. Full Compliance

    The privacy of our data subjects is of utmost importance and we thank you for your cooperation in our efforts to protect the personal data collected and managed by the University and to ensure full compliance with the relevant laws on personal data (privacy).

Top of Page


Last Updated: 1st Nov 2021

Number of Visitors:


CUHK Home | Contact Us
Copyright (c) 2011. All Rights Reserved. The Chinese University of Hong Kong.