Statement of Policy
The Hong Kong University of Science and Technology (the “University”) respects the personal data privacy of all individuals and pledges to be in compliance with the requirements of the Personal Data (Privacy) Ordinance of Hong Kong (“PDPO”) so that the privacy of your personal data is protected in accordance with the standard required by law. In doing so, we require all our staff and agents to comply with the PDPO in the same manner as the PDPO applies to the University as a whole and adhere to the strictest standards of security and confidentiality.
Statement of Practice
1. Kinds of personal data held
The following explains the types of records / personal data held by the University.
(a) Personnel records, which include but are not limited to job applications, teaching and non-teaching staff files (containing personal details, job particulars, details of salary, payments, benefits etc.), leave and training records, group medical and dental insurance records, mandatory provident fund (and equivalent retirement) schemes participation records, performance appraisals, disciplinary records, information about dependents and affiliates necessary for administrative and operational activities;
(b) Records of students and alumni, which include but are not limited to various University related applications and operations (such as for enrolment in courses, programs or activities run by the University; grants, loans or other assistance by the University; and accommodation at the University, etc.) which contain student personal details, academic records (such as examination/test results or transcript, and so on), student reports, assignment/essay papers, examination papers, administrative records (such as payments, charges and fines, disciplinary information, etc.), non-academic and co-curricular records (such as internship, community activities, student union and other societal participation, and so on);
(c) Records collected from the University’s website / intranet, which include but are not limited to records containing email addresses and personal details, preferences of web-users, location information (including IP addresses); and
(d) Other records, which include but are not limited to administration and operational files, records holding personal data provided to the University from associates of the University, individuals participating in activities organized or run by the University (including promotional, educational, or training activities), log records on the use of data facilities, services, or participation in activities, records of requests to access / correct personal data and enquiries from the public, research findings and related publications.
2. Main purposes of collecting and keeping personal data
Personal data will only be used for the purposes stated at the time the data is collected, which broadly speaking, covers academic, educational/teaching, administrative, research, and related activities that are consistent with the University’s mission (which is to advance learning and knowledge through teaching and research, particularly in science, technology, engineering, management and business studies, and at the postgraduate level; and to assist in the economic and social development of Hong Kong). However, specific purposes will vary depending on the nature of the personal data held.
Examples of specific purposes are explained further below.
Personal data held in:
(a) Personnel records are collected and kept for recruitment and human resource management purposes including but not limited to obtaining reference checks, maintaining employee records and assessing work performance, consideration for eligibility for staff benefits, training and development, and for emergency purposes;
(b) Records of students and alumni are collected and kept for purposes including but not limited to providing education and assistance to students, facilitating communications between the University and its students and alumni, facilitating the provision of information upon request by students or alumni in relation to their affairs at the University (such as requests for academic certificates and transcripts), compiling statistics on enrolment at the University to facilitate academic planning and management;
(c) Records collected from the University’s website / intranet are collected and kept for purposes including but not limited to handling various applications submitted through the University’s website / intranet, sending newsletters to subscribers registered through the University’s website, responding to requests submitted through the University’s website / intranet, facilitating website access and compiling statistics on website usage; and
(d) Other records are collected and kept for purposes which vary according to the nature of the record, including purposes such as facilitating administration or office functions, organizing and delivering activities, compiling, summarizing, aggregating and/or de-personalizing personal data in connection with research or statistical/analytical activities carried on by the University in furtherance of the University’s mission, conducting direct marketing activities (such as communicating information to individuals about the University’s courses and programs) in connection with furthering the University’s mission, facilitating publication of research or other publications relating to the University.
3. Collection of personal data
(a) General: When the University collects personal data from individuals, the University will provide them with a Personal Information Collection Statement ("PICS") on or before the collection in an appropriate format and manner in compliance with the PDPO.
(b) Personal data of minors: The PDPO does not impose any additional obligation on data users to seek the express consent of the minor (or his / her parent / guardian) on top of having to disclose the requisite information just because the data subject is a minor. Notwithstanding this, data users are generally not advised to collect personal data from minors (particularly those who are incapable of making an informed decision) without prior consent from a person with parental responsibility of the minor.
There are situations where the University may need to collect personal data of minors but it may not be practicable to obtain the consent of the parent because, for example:
- the occasion is not one where parents may accompany the minor;
- filling in an online application through the internet which the minor may be able to complete on his / her own, etc.
Under the circumstances, the University will ask for an indication that the minor has consulted his / her parents before providing the personal data.
(c) Personal data from the University’s website / intranet: In order to provide web-users with a smooth browsing experience, we may need to use technical means (such as cookies) to collect information from web-users when they visit the University’s website / intranet. If you are given the option whether or not to accept cookies and you do not accept, you may not be able to access the full content of our website / intranet.
(d) Direct marketing: Where it is intended that the personal data collected will be used for direct marketing purposes, the University will provide the individual with all the necessary information required to be given by law such as information about the direct marketing means and the classes of marketing subjects before making the collection. The University will not use an individual’s personal data in direct marketing unless it has obtained the express consent of the individual concerned and such consent has not been withdrawn.
4. Duration of retention of personal data
The University will only hold personal data for as long as it is necessary to fulfill the purpose or a directly related purpose for which they are collected.
5. Disclosure of personal data
The University will take all practicable steps to keep the personal data you have provided confidential. However, the University may need to disclose personal data collected by it to outside third parties to facilitate the purpose for which the personal data was collected. In general, the parties to which we may transfer / assign personal data include medical practitioners providing medical services to the University’s staff, if applicable, any agent, contractor or third-party service provider engaged by the University to provide services to or on behalf of the University (e.g. bankers, insurance providers and payroll service providers) and any person to whom the University is under an obligation to make disclosure under any requirements of any law or for the purposes of any guidelines or codes of practice with which the University is expected to comply. We may also transfer personal data internally within the University (on a need-to-know basis) to facilitate the purpose for which the personal data was collected or a directly related purpose.
6. Security of personal data
The University will take appropriate steps to protect the personal data held by it against unauthorized or accidental access, use, loss, processing, erasure, transmission, modification or disclosure. When the University needs to disclose personal data to outside third parties, the University will take appropriate steps to protect the privacy of the personal data to be disclosed (for example, requiring our service providers to keep confidential any personal data with which they come into contact).
7. Personal data access and correction
Individuals have the right to request access to and to correct their personal data held by the University.
Personal data may be made available to concerned individuals via different means, including (a) authenticated on-line enquiries and/or (b) completion of prescribed forms provided by concerned offices and sending the completed form by email to firstname.lastname@example.org.
Similarly, requests to correct personal data held by the University may be made via on-line functions where available and/or by submitting such requests by email to email@example.com, using prescribed forms provided by concerned offices.
In accordance with the Personal Data (Privacy) Ordinance, data access requests will normally be addressed within a 40-day period. A fee reflecting the cost of processing the data request may be levied.