HONG KONG BAPTIST UNIVERSITY
Purpose and manner of collection of personal data
1. Personal data will only be collected for a lawful purpose, and
by lawful and fair means. Data collected in relation to a specified
purpose must be adequate but not excessive in respect of the purpose.
The Data Subject must be informed explicitly, on collection, of:
(a) the purpose(s) for which the data are to be collected and the groups
of persons to whom the data may be transferred;
(b) whether it is obligatory or voluntary for such data to be supplied,
and the consequences of not supplying the obligatory data;
(c) the right of the Data Subject to request access to, and correction
of data held by the Data Users; and
(d) the person in charge to handle such data access and correction
Accuracy and duration of retention of personal data
2. All reasonably practicable steps will be taken to ensure that
the personal data kept is accurate.
3. Personal data will not be kept longer than is necessary for the
fulfilment of the purpose for which it is collected.
Use of personal data
4. Without the prescribed consent of a Data Subject, the personal
data will not be used for any purpose other than the purpose for
which the data was originally collected. The prescribed consent
may be withdrawn by a Data Subject.
Security of personal data
5. All reasonably practicable steps will be taken to ensure that
personal data held are protected against unauthorized or accidental
access, processing, erasure or other use.
6. Regarding the transmission of personal data over the Internet,
the University has imposed the following security measures:
(a) Encryption - The University is continuously enhancing its implementation
of encryption mechanisms to protect University data. Encryption
technology, such as SSL, will be employed whenever possible for
the transmission of data collected online. The University servers
are, to the maximum possible extent, protected against security
attacks over the Internet by means of the system security set-up and
the "Firewalls". A well-organized and safe system of backups
is in place.
As such, users' data supplied to the University will reside in the
University servers which are protected to the maximum possible extent
against unauthorized or accidental access, processing, erasure or
other illegitimate manipulation.
The University will normally not implement applications that require
cookies. In rare cases, when "session cookies" are
used, a statement will be provided on the web page to alert users
before they initiate or sign in to the application. The "session
cookies" help the University to recognize users' identity
when they visit multiple pages in its web application within the
same login session, so that the University does not need to ask
users for their password on each page. Once users sign out or close
their browser, the cookie expires and no longer has any effect.
Most browsers are initially set to accept cookies. Users may choose
to set their browser to decline the cookies or inform them when
the cookies are set. However, in this way, they may not be able
to visit some portions of the University's website.
Any information collected by "cookies" is anonymous and
does not contain any personal data. Although, through cookies, the
University's web servers can monitor which sites the users have
visited, which pages they have seen and which options they have
chosen, the University will NOT perform any analysis of this cookie
data NOR provide such data to outside organizations.
7. At the same time, the University does not allow users, both internal
and external, to engage in rude and annoying spamming, which includes
sending unsolicited email, making mailbombs, disseminating commercial
advertisements/promotions and distributing chain letters. Appropriate
action, including legal prosecution, may be taken against offenders.
Information to be generally available
8. The following information in relation to personal data of the
University will be generally available:
(a) the kinds of personal data held;
(b) the main purpose for which personal data are used; and
(c) the policies and practices in relation to personal data.
Access to personal data
9. A Data Subject will have the right to request access to his/her personal
data held by a Data User by writing to the data holding department/office.
A fee, which is not excessive, will be charged for the processing.
The Data Subject will be notified of the outcome within 40 days of
submitting his/her access request, and will be given a reason if a
data correction request is refused.
10. A Data Subject also has the right to request, in writing, that the data holding department/office correct his/her personal data.
Management of personal data
11. For each group of data collected from a Data Subject or a group
of Data Subjects, the University designates the department/office
which collects, holds and uses the data as the Primary (Data) Holder
(PH). It is held responsible for updating, protecting, providing
access to and meeting requests for access/correction from the Data
Subjects. The other departments/offices which make use of the same
data transferred from the PH are the Secondary Data
Users (SDUs). SDUs are expected to observe the six Data Protection
Principles as well, particularly with regard to duration of data retention
and use and security of data.
12. Data Users should adhere to the Data Protection Principles and
draw up internal guidelines and practices for adoption by members
of their respective departments/offices where appropriate.
13. A Data Protection Officer is to be appointed from each Faculty/School/Office
of the University to help protect the privacy of the data held in
the Faculty/School/Office, in compliance with the six Data Protection
Principles, review and improve the relevant internal process and
enhance the awareness of protecting personal data privacy among
his or her colleagues in the Faculty/School/Office.
The kinds of personal data held by the University and the respective
purpose(s) of collection are enclosed for information.
Kinds of personal data held by the University and the respective purpose(s) of collection
Personal data kept in different Faculties/Schools/Offices vary depending on their purpose of collection. In general terms, personal data could be classified as factual, evaluative, or statistical data. Factual data are mostly provided by the Data Subjects themselves, evaluative data are normally provided by another person about the Data Subjects, whereas statistical data are derived primarily from factual and evaluative data. For the latter purpose, personal data are depersonalized before statistical analyses are performed. Examples of personal data kept by the University include the following:
(a) identification data, e.g., name, Identity Card/Passport No.,
(b) personal details, e.g., age, sex, date of birth, contact telephone,
(c) family data, e.g., marital status, details of other family members,
(d) contractual data, e.g., appointment period, terms of appointment, etc.
(e) education background and employment details
(f) record of assessment and review, e.g., self-statements, review/promotion
panel resolutions, etc.
1. Personal data of Job Applicants kept in the Personnel Office include applicants' personal particulars, copies of qualifications, record of experience, test results, interview assessment, resolution of assessment panel, last employers’ references, external assessors’ reports, etc. They are kept for recruitment administration purposes. These personal data will be transferred to the relevant Faculty/School/Department/Office for recruitment consideration and will be kept until the completion of the recruitment exercise.
2. Personal data of Staff of the University are kept for various purposes in manpower planning and management, development and maintenance of employment relationship. These will include the provision of access to and usage of University facilities, benefits, remuneration and payroll, preparing tax returns, facilitating performance appraisals, review of appointment, promotion, granting awards/fellowship, organizing training and development activities. Staff data may be transferred to the Departments/Offices of the University providing facilities or staff benefits, insurers, medical and dental practices/consultants, fund administrators/managers of the Superannuation Fund or Mandatory Provident Fund Scheme(s), and auditors appointed by the University for the above-mentioned purposes.
3. Personal data of Former Staff of the University are kept in the Personnel Office. Physical personal files of former staff, which contain personal particulars, family data, contractual data, evaluative data and other benefits-related data, will be destroyed after a retention period. Basic data of former staff will be kept electronically for provision of certificate of service.
4. Personal particulars, examination results and evaluative data of Student Applicants are collected as a basis for selection of applicants for admission. Data of successful applicants will be transferred and become part of the student records kept by the University. These data in electronic format with personal identification data masked will be kept for statistical purpose. All hard copies of unsuccessful applications will be destroyed upon completion of the admission process.
5. Personal data of Students of the University, including personal particulars, family data, education background, academic and assessment records, as well as senate resolutions, are kept for registration, academic and administrative communication, statistical purposes as well as provision of student welfare services. Upon graduation of students, their personal data and basic study information will be transferred to the Alumni Affairs Office of the University and become Alumni data.
6. Personal data of Alumni, Donors and Prospective Donors are collected, kept and used for the purposes of sending news and updates, invitation to the University events and gatherings, data analyses and generation of statistical reports.
Should you have any queries concerning the Policy,
please call (852) 3411 7400.