HONG KONG BAPTIST UNIVERSITY
Purpose and manner of collection of personal data
1. Personal data will only be collected for a lawful purpose, and by lawful and fair means. Data collected in relation to a specified purpose must be adequate but not excessive in respect of the purpose. The Data Subject must be informed explicitly on collection:
(a) purpose(s) for which the data are to be collected and the groups of persons to whom the data may be transferred;
(b) whether it is obligatory or voluntary for such data to be supplied, and the consequences of not supplying the obligatory data;
(c) the right of the Data Subject to request access to, and correction of data held by the Data Users; and
(d) the person in charge to handle such data access and correction requests.
Accuracy and duration of retention of personal data
2. All reasonably practicable steps will be taken to ensure that the personal data kept is accurate.
3. Personal data will not be kept longer than is necessary for the fulfilment of the purpose for which it is collected.
Use of personal data
4. Without the prescribed consent of a Data Subject, the personal data will not be used for any purpose other than the purpose for which the data was originally collected. The prescribed consent may be withdrawn by a Data Subject.
Security of personal data
5. All reasonably practicable steps will be taken to ensure that personal data held are protected against unauthorized or accidental access, processing, erasure or other use.
6. Regarding the transmission of personal data over the Internet, the University has imposed the following security measures:
(a) Encryption - The University is continuously enhancing the implementation of encryption mechanism in protecting the University data. Encryption technology, such as SSL, will be employed whenever possible, for the transmission of data collected online. The University servers are, to the maximum possible extent, protected against security attacks over the Internet by means of system securities set up and the "Firewalls". A well-organized and safe system of backups is in place.
As such, users' data supplied to the University will reside in the University servers which are protected to the maximum possible extent against unauthorized or accidental access, processing, erasure or other illegitimate manipulation.
Any information collected by "cookies" is anonymous and does not contain any personal data. Although through cookies, the University's web servers can monitor which sites the users have visited, which pages they have seen and which options they have chosen, the University will NOT make any analysis on these cookies data NOR provide such data to outside organizations.
7. At the same time, the University does not allow users, both internal and external, to make rude and annoying spamming which includes sending unsolicited email, making mailbombs, disseminating commercial advertisements/promotions and distributing mail chain letter. Appropriate action including legal prosecution may be taken to the offenders.
Information to be generally available
8. The following information in relation to personal data of the University will be generally available:
(a) the kinds of personal data held;
(b) the main purpose for which personal data are used; and
(c) the policies and practices in relation to personal data.
Access to personal data
9. A Data Subject will have the right to request access to personal data of himself/herself held by a Data User, in person or in writing to the department/office concerned, within a reasonable time, for a fee that is not excessive, in a manner that is reasonable, and in a form that is intelligible. The Data Subject will be notified of the outcome within 40 days of submitting his/her access request, and to be given a reason if a data correction request is refused.
10. A Data Subject will also have the right to request correction of the personal data, in person or in writing to the department/office concerned.
Management of Personal Data
11. For each group of data collected from a Data Subject or a group of Data Subjects, the University designates the department/office which collects, holds and uses the data as the Primary (Data) Holder (PH). It is held responsible for updating, protecting, providing access to and meeting requests for access/correction from the Data Subjects. The other departments/offices which make use of the same data transferred from the Primary Holder are the Secondary Data Users (SDUs) which are expected to observe the six Data Protection Principles, particularly with regard to duration of data retention and use and security of data.
12. Data Users should adhere to the Data Protection Principles and draw up internal guidelines and practices for adoption by members of their respective departments/ offices where appropriate.
13. A Data Protection Officer is to be appointed from each Faculty/School/Office of the University to help protect the privacy of the data held in the Faculty/School/Office, in compliance with the six Data Protection Principles, review and improve the relevant internal process and enhance the awareness of protecting personal data privacy among his or her colleagues in the Faculty/School/Office.
The kinds of personal data held by the University and the respective purpose(s) of collection are enclosed for information.
The kinds of personal data
held by the University and the respective purpose(s) of collection
Should you have any queries concerning the Policy,
please call (852) 3411 7400.
- End -