- General
1.1. The University is committed to safeguarding the privacy of its students, alumni, faculty, and staff, as well as protecting the confidentiality, integrity, and availability of personal data that are important to the University’s mission.
1.2. All Unit heads of the University are requested to critically review and improve the procedures and other relevant internal arrangements that are within their purview, in accordance with the following policy published by the University.
- Scope of Policy
2.1. This policy covers the personal data, not only limited to the Computer and Digital Data Resources (its definition is as at Appendix 1), but also the data in any other forms relating directly or indirectly to a living individual (data subject), from which it is practicable to ascertain the identity of the individual.
2.2. This policy applies to the individuals that control the collection, holding, processing or use of personal data at the University. The resources of personal data include, but not limited to students, alumni, faculty and staff, those working on behalf of the University, guests, tenants, contractors, consultants, visitors and/or individuals authorized by affiliated institutions and organizations.
2.3. Personal data created or transmitted in the University’s business processes includes, but not limited to, National ID, University ID, location data, online identifier, and factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity; application data such as for admissions, activities, scholarship and financial aid; academic data such as grades, scores, records of attendance and observations; data from journals, research publications or other platforms through which employees or students publish academic content; employment data such as employment history, education, professional certifications, health, personal profile, and those of family members.
- Purpose of Data Collection
3.1. Personal data created or transmitted in the University’s business processes is owned by the University, and, as such, all members of the University community and affiliates are responsible for appropriately using and safeguarding that data.
3.2. Personal data the University collects is to
- administer and manage University programmes, services and facilities,
- make strategic decisions,
- file required reports with applicable governmental authorities,
- enforce policies and applicable laws.
- Data Protection
4.1. The individuals that use the personal data are responsible for safeguarding their access privileges, for the use of the personal data in conformity with all applicable University policies, and for securing such data.
4.2. The individuals should take all practicable security steps to ensure that personal data is protected against unauthorized or accidental access, processing or erasure having particular regard to the kind of data and the harm that could result if any of those things should occur.
4.3. Personal data should be safeguarded to maintain the confidentiality and privacy of personally identified and personally identifiable information. Access to University’s personal data should be based on the business needs of the units and should enhance the ability of the University to achieve its mission. The individuals shall have access to the data needed to perform their responsibilities. Individually identifiable data shall be available to the extent necessary to perform administrative duties.
4.4. To protect Computer and Digital Data Resources, unit heads should make sure that an effective mechanism is in place within their respective Department/School/Unit to determine whether it is really necessary to use mobile computing devices (e.g. notebook computers and PDAs) and portable storage devices (e.g. external hard drives, memory cards, USB storage devices, memory sticks and thumb drives) to handle identifiable personal and sensitive data, and to make sure that such devices are securely kept and the data carried therein are properly encrypted and/or password protected. When required, unit heads should consult with Information Technology Services Office (ITSO) for further advice.
4.5. To avoid the loss or unauthorized use or disclosure of personal and sensitive data, it is recommended that a Non‐Disclosure Agreement (as at Appendix 2) be signed in all situations with contractors when acquiring third‐party service that may need to access personal and sensitive data in the University.
4.6. Engaging cloud storage providers is considered as one form of outsourcing arrangements. The individuals are ultimately responsible for the protection of the personal data collected and held by them. The outsourcing of any processing or storage of personal data to the third‐parties does not relieve the individuals’ responsibility for the protection of the personal data they collect and hold. The individuals should be aware of the risk that the cloud storage provider is able to unilaterally change conditions in the agreement it has with its customers to a lower protection standard or limit its liability.
4.7. While using cloud storage service, the individuals should ensure they have the obligations that enable them to access their personal data, request corrections, and resolve issues and complaints. Accordingly, the individuals must ensure that their
contract with the cloud storage provider allows them to meet these obligations. Furthermore, the individuals should ensure there are the following obligations imposed in their contract with cloud storage providers:
- Limit the use of personal data,
- Set out how personal data is to be erased or returned to the individuals upon requests, contract completion or contract termination,
- Take security commitment to the data protection,
- Maintain business continuity,
- Handle data breaches.
4.8. If required, the individuals should consider implementing an end‐to‐end, comprehensive and properly managed encryption system for the transmission and storage of personal data. If the individuals are not able to have direct oversight over all the obligations necessary for the protection of personal data, they should consult with ITSO for further advice.
- Data Sharing
5.1. Personal data may be shared among University employees according to well‐ defined business processes approved by the University. It may be released publicly only according to well‐defined business processes, and with the permission of the unit heads.
5.2. Sharing data between academic and/or administrative units within the University should be facilitated where appropriate, subject to appropriate security restrictions as established by the University.
5.3. Integration of data across the University should be encouraged to foster data accuracy and uniformity, consistent with the University’s institutional complexity, various data systems, and differing data formats. This should result in reduced duplication of data and greater data accuracy.
- Data Retention
6.1. The University preserves the personal data of all resigned staff, leavers, and graduates. The University stores their personal data in accordance with the Lifecycle of Data Retention as at Appendix 3.
- Data Disposal
7.1. The University retains the ownership of personal data created and transmitted in the University business processes. The University units keep the right to dispose personal data in line with the data retention schedule in Appendix 3. While performing data disposal, unit heads should ensure there are no relevant proceeding in progress concerning with individuals identified in the data, for instance, internal disciplinary action, contract disputes or court actions.
7.2. Resigned staff’s, leavers’ and graduates’ portable storage devices can only keep their individual information, such as resume, salary forms, payroll slips, performance appraisal, reference letter and transcripts. Unit heads should ensure the sensitive data concerning with administrative, academic, and research records of the University is properly disposed from the portal storage devices owned by resigned staff, leavers, and graduates. To dispose the data stored in the portable storage devices, unit heads should ensure the data are deleted completely. When required, unit heads should consult with ITSO for further advice of data wiping operated on the portable storage devices.
7.3. ITSO is responsible for the data disposal residing at the University network storage. Aligning with the data retention schedule, ITSO will perform routine maintenance on personal data linking with these items as listed in the Lifecycle of Data Retention. ITSO will no longer keep or do backup of personal digital data which is out of its retention period.
7.4. To dispose of the data stored on paper, the University units should use paper shredder or other paper disposal devices. When necessary, a massive shredding work should be contracted to a professional disposal operator upon a written agreement to dispose of the materials to the necessary standard.
7.5. To dispose of the data stored in the tapes, on the films, and in other non‐electronic forms, the University units should consult with the professional data disposal contractor for further advice to ensure the operation of data disposal is complete and safe.
7.6. The data disposal procedure does not apply to the data archiving operation necessarily performed by the University or its administrative units, such as the President’s Office, nor does its retention schedule apply to any data in any forms that need to be archived in light of business needs. The University and its administrative units maintain separate data archiving mechanism to preserve data for future reference and historic needs.
- Rights of Employees and Students
8.1. Employees and students have the following rights with respect to personal data.
- The right to request access to personal data, such as salary forms or payroll slips, performance appraisal, reference letter, transcripts or other individual academic record that the University has, as well as the right to request rectification of any personal data that is inaccurate or incomplete, provided that such requests shall be practically in connection with his or her own profile.
- The right to request a copy of personal data, such as salary forms or payroll slips, performance appraisal, reference letter, transcripts or other individual academic record, in electronic format so that employees and students can transmit the data to third parties, or to request that the University directly transfer personal data to one or more third parties. Such requests should be specific and practically in connection with his or her profile.
- The right to object to the processing of personal data for marketing or other commercial purposes.
- Provision of Sanction
9.1. All the misconducts that violate this policy will be reported to the Personal Data Controlling Committee, whose members shall review and propose sanction advice in light of the relevant regulations of the University.
- Right of Interpretation
10.1. The University reserves the right of interpretation for all terms as stated in this policy. All terms, including the Appendixes, are subject to further revision from time to time conducted by the Personal Data Controlling Committee.
Oct, 2019
请点击下载附件(限内网访问):
Appendix 1: Definition of Computer and Digital Data Resources