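Statement of Consent to the Collection of Personal Information
In the course of providing teaching services to students, The Chinese University of Hong Kong, Shenzhen (hereinafter "CUHK (Shenzhen)") collects some of your information through the compilation of student records, the use of campus systems, information students submit voluntarily, and student registration and teaching administration, among other channels. Personal information is collected for CUHK (Shenzhen)'s purposes of teaching, research and university administration. CUHK's statement on the collection of personal information is as follows:
1. The scope of information collected is limited to material that CUHK (Shenzhen) considers necessary for understanding your study needs and for carrying out teaching, research and university administration.
2. CUHK (Shenzhen) makes every effort to ensure that its records of your information are accurate and up to date.
3. Any third party that obtains your personal information with the permission of CUHK (Shenzhen) is required to strictly observe its duty of confidentiality. CUHK (Shenzhen) abides by its commitment to the above policy and will do its utmost to uphold the trust you have placed in it.
4. Authorization for the collection and use of personal information: Except as otherwise provided by law, you authorize CUHK (Shenzhen) to collect your information and agree that the information you provide to CUHK (Shenzhen), the information generated through your use of the teaching services provided by CUHK (Shenzhen), and the information that CUHK (Shenzhen) provides, queries or collects under this clause may be reasonably used, for the purposes of teaching, research and university administration, by CUHK (Shenzhen) and by the partners it engages where necessary for its services.
I have fully read, am aware of and accurately understand the content of this statement, in particular the content in bold black type, and agree to grant CUHK (Shenzhen) the corresponding authorization in accordance with this statement. This authorization takes effect on the date of my signature and terminates on the date the purpose of the authorization has been fully achieved.
Name:
Date: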
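Campus Network Usage Regulations
1. The Chinese University of Hong Kong, Shenzhen respects and protects intellectual property rights and copyright.
2. Users of the University's IT facilities and services must understand and comply with the Copyright Law of the People's Republic of China and the Regulations of the People's Republic of China on Customs Protection of Intellectual Property Rights.
3. All students must comply with the relevant provisions of the Copyright Law of the People's Republic of China and avoid quoting copyrighted works for teaching activities via the Internet, the campus network or similar means.
4. Unless permitted by law, copyrighted works must not be downloaded, uploaded or distributed over the campus network on servers, personal computers, laptops or mobile devices. The quantity of copyrighted works uploaded must meet the requirements of the relevant provisions of the Copyright Law of the People's Republic of China. Copyrighted works are to be used for educational purposes only.
5. Users are not permitted to download unauthorized works over the campus network. Uploading or downloading copyrighted works over the campus network without authorization may lead to the risk of monetary damages and, in some cases, criminal prosecution, and the University may bear vicarious liability.
6. Without authorization from ITSO, users must not set up BBS servers or other network services within the campus network.
7. Serious violations, such as unauthorized use of or access to IT facilities or services, attempts to steal passwords or data, attempts to steal licensed software, copyright infringement, and attempts to damage computer facilities or to violate existing laws or relevant University and ITSO policies, may be subject to disciplinary action by the relevant University departments.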
Policy on Protection of Personal Data (Privacy)
1. General
1.1. The University is committed to safeguarding the privacy of its students, alumni, faculty, and staff, as well as protecting the confidentiality, integrity, and availability of personal data that are important to the University’s mission.
1.2. All Unit heads of the University are requested to critically review and improve the procedures and other relevant internal arrangements that are within their purview, in accordance with the following policy published by the University.
2. Scope of Policy
2.1. This policy covers personal data, not limited to the Computer and Digital Data Resources (defined in Appendix 1) but also including data in any other form relating directly or indirectly to a living individual (data subject), from which it is practicable to ascertain the identity of the individual.
2.2. This policy applies to the individuals that control the collection, holding, processing or use of personal data at the University. The resources of personal data include, but are not limited to, students, alumni, faculty and staff, those working on behalf of the University, guests, tenants, contractors, consultants, visitors and/or individuals authorized by affiliated institutions and organizations.
2.3. Personal data created or transmitted in the University’s business processes includes, but is not limited to, National ID, University ID, location data, online identifier, and factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity; application data such as for admissions, activities, scholarship and financial aid; academic data such as grades, scores, records of attendance and observations; data from journals, research publications or other platforms through which employees or students publish academic content; employment data such as employment history, education, professional certifications, health, personal profile, and those of family members.
3. Purpose of Data Collection
3.1. Personal data created or transmitted in the University’s business processes is owned by the University, and, as such, all members of the University community and affiliates are responsible for appropriately using and safeguarding that data.
3.2. The University collects personal data to:
- administer and manage University programmes, services and facilities,
- make strategic decisions,
- file required reports with applicable governmental authorities,
- enforce policies and applicable laws.
4. Data Protection
4.1. The individuals that use the personal data are responsible for safeguarding their access privileges, for the use of the personal data in conformity with all applicable University policies, and for securing such data.
4.2. The individuals should take all practicable security steps to ensure that personal data is protected against unauthorized or accidental access, processing or erasure, having particular regard to the kind of data and the harm that could result if any of those things should occur.
4.3. Personal data should be safeguarded to maintain the confidentiality and privacy of personally identified and personally identifiable information. Access to the University’s personal data should be based on the business needs of the units and should enhance the ability of the University to achieve its mission. The individuals shall have access to the data needed to perform their responsibilities. Individually identifiable data shall be available to the extent necessary to perform administrative duties.
4.4. To protect Computer and Digital Data Resources, unit heads should make sure that an effective mechanism is in place within their respective Department/School/Unit to determine whether it is really necessary to use mobile computing devices (e.g. notebook computers and PDAs) and portable storage devices (e.g. external hard drives, memory cards, USB storage devices, memory sticks and thumb drives) to handle identifiable personal and sensitive data, and to make sure that such devices are securely kept and the data carried therein are properly encrypted and/or password protected. When required, unit heads should consult with the Information Technology Services Office (ITSO) for further advice.
4.5. To avoid the loss or unauthorized use or disclosure of personal and sensitive data, it is recommended that a Non‐Disclosure Agreement (as at Appendix 2) be signed in all situations with contractors when acquiring third‐party service that may need to access personal and sensitive data in the University.
4.6. Engaging cloud storage providers is considered one form of outsourcing arrangement. The individuals are ultimately responsible for the protection of the personal data collected and held by them. The outsourcing of any processing or storage of personal data to third parties does not relieve the individuals of their responsibility for the protection of the personal data they collect and hold. The individuals should be aware of the risk that the cloud storage provider is able to unilaterally change conditions in the agreement it has with its customers to a lower protection standard or limit its liability.
4.7. While using a cloud storage service, the individuals should ensure they have the obligations that enable them to access their personal data, request corrections, and resolve issues and complaints. Accordingly, the individuals must ensure that their contract with the cloud storage provider allows them to meet these obligations. Furthermore, the individuals should ensure that the following obligations are imposed in their contract with cloud storage providers:
- Limit the use of personal data,
- Set out how personal data is to be erased or returned to the individuals upon requests, contract completion or contract termination,
- Make a security commitment to data protection,
- Maintain business continuity,
- Handle data breaches.
4.8. If required, the individuals should consider implementing an end‐to‐end, comprehensive and properly managed encryption system for the transmission and storage of personal data. If the individuals are not able to have direct oversight over all the obligations necessary for the protection of personal data, they should consult with ITSO for further advice.
5. Data Sharing
5.1. Personal data may be shared among University employees according to well‐defined business processes approved by the University. It may be released publicly only according to well‐defined business processes, and with the permission of the unit heads.
5.2. Sharing data between academic and/or administrative units within the University should be facilitated where appropriate, subject to appropriate security restrictions as established by the University.
5.3. Integration of data across the University should be encouraged to foster data accuracy and uniformity, consistent with the University’s institutional complexity, various data systems, and differing data formats. This should result in reduced duplication of data and greater data accuracy.
6. Data Retention
6.1. The University preserves the personal data of all resigned staff, leavers, and graduates. The University stores their personal data in accordance with the Lifecycle of Data Retention as at Appendix 3.
7. Data Disposal
7.1. The University retains the ownership of personal data created and transmitted in the University business processes. The University units keep the right to dispose of personal data in line with the data retention schedule in Appendix 3. While performing data disposal, unit heads should ensure there are no relevant proceedings in progress concerning individuals identified in the data, for instance, internal disciplinary action, contract disputes or court actions.
7.2. Resigned staff’s, leavers’ and graduates’ portable storage devices can only keep their individual information, such as resume, salary forms, payroll slips, performance appraisal, reference letter and transcripts. Unit heads should ensure the sensitive data concerning administrative, academic, and research records of the University is properly disposed of from the portable storage devices owned by resigned staff, leavers, and graduates. To dispose of the data stored in the portable storage devices, unit heads should ensure the data are deleted completely. When required, unit heads should consult with ITSO for further advice on data wiping for the portable storage devices.
7.3. ITSO is responsible for the disposal of data residing on the University network storage. Aligning with the data retention schedule, ITSO will perform routine maintenance on personal data linked with the items listed in the Lifecycle of Data Retention. ITSO will no longer keep or back up personal digital data which is out of its retention period.
7.4. To dispose of the data stored on paper, the University units should use a paper shredder or other paper disposal devices. When necessary, large‐scale shredding work should be contracted to a professional disposal operator under a written agreement to dispose of the materials to the necessary standard.
7.5. To dispose of the data stored on tapes, on film, and in other non‐electronic forms, the University units should consult with the professional data disposal contractor for further advice to ensure the operation of data disposal is complete and safe.
7.6. The data disposal procedure does not apply to the data archiving operation necessarily performed by the University or its administrative units, such as the President’s Office, nor does its retention schedule apply to any data in any form that needs to be archived in light of business needs. The University and its administrative units maintain a separate data archiving mechanism to preserve data for future reference and historic needs.
8. Rights of Employees and Students
8.1. Employees and students have the following rights with respect to personal data.
- The right to request access to personal data, such as salary forms or payroll slips, performance appraisal, reference letter, transcripts or other individual academic record that the University has, as well as the right to request rectification of any personal data that is inaccurate or incomplete, provided that such requests shall be practically in connection with his or her own profile.
- The right to request a copy of personal data, such as salary forms or payroll slips, performance appraisal, reference letter, transcripts or other individual academic record, in electronic format so that employees and students can transmit the data to third parties, or to request that the University directly transfer personal data to one or more third parties. Such requests should be specific and practically in connection with his or her profile.
- The right to object to the processing of personal data for marketing or other commercial purposes.
9. Provision of Sanction
9.1. All misconduct that violates this policy will be reported to the Personal Data Controlling Committee, whose members shall review and propose sanction advice in light of the relevant regulations of the University.
10. Right of Interpretation
10.1. The University reserves the right of interpretation for all terms as stated in this policy. All terms, including the Appendixes, are subject to further revision from time to time conducted by the Personal Data Controlling Committee.
Oct, 2019
Click to download the attachments (intranet access only):
Appendix 1: Definition of Computer and Digital Data Resources