Statement of Policy
The Institute for China Studies (the “Institute”) respects the personal data privacy of all individuals and pledges to be in compliance with the requirements of the Personal Data (Privacy) Ordinance of Hong Kong (“PDPO”) so that the privacy of your personal data is protected in accordance with the standard required by law. In doing so, we require all our staff and agents to comply with the PDPO in the same manner as the PDPO applies to the Institute as a whole and adhere to the strictest standards of security and confidentiality.
Statement of Practice
Kinds of personal data held
The following explains the types of records / personal data held by the Institute.
- Personnel records, which include but not limited to job applications, teaching and non-teaching staff files (containing personal details, job particulars, details of salary, payments, benefits, and so on), leave and training records, group medical and dental insurance records, mandatory provident fund (and equivalent retirement) schemes participation records, performance appraisals, disciplinary records, information about dependents and affiliates necessary for administrative and operational activities;
- Records of students and alumni, which include but not limited to various Institute related applications and operations (such as for enrolment in courses, programs or activities run by the Institute; grants, loans or other assistance by the Institute) which contain student personal details, academic records (such as examination/test results or transcript, and so on), student reports, assignment/essay papers, examination papers, administrative records (such as payments, charges and fines, disciplinary information, etc.), non-academic and co-curricula records (such as internship, community activities, student union and other societal participation, and so on);
- Records collected from the Institute’s website / intranet, which include but not limited to records containing email addresses and personal details, preferences of web-users, location information (including IP addresses); and
- Other records, which include but not limited to administration and operational files, records holding personal data provided to the Institute from associates of the Institute, individuals participating in activities organized or run by the Institute (including promotional, educational, or training activities), log records on the use of data facilities, services, or participation in activities, records of requests to access / correct personal data and enquiries from the public, research findings and related publications.
Main purposes of collecting and keeping personal data
Personal data will only be used for the purposes stated at the time the data is collected, which broadly speaking, covers academic, educational/teaching, administrative, research, and related activities that are consistent with the Institute’s mission (which is to advance learning and knowledge through teaching and research, particularly in management and business studies, and at the postgraduate level; and to assist in the economic and social development of Hong Kong). However, specific purposes will vary depending on the nature of the personal data held.
Examples of specific purposes are explained further below.
Personal data held in:
- Personnel records are collected and kept for corresponding with staff, recruitment and human resource management purposes including but not limited to obtaining reference checks, maintaining employee records and assessing work performance, consideration for eligibility for staff benefits, training and development, and for emergency purposes, and organizing social and other activities and events;
- Records of students and alumni are collected and kept for purposes including but not limited to providing education and assistance to students, facilitating communications between the Institute and its students and alumni, facilitating the provision of information upon request by students or alumni in relation to their affairs at the Institute (such as requests for academic certificates and transcripts), compiling statistics on enrolment at the Institute to facilitate academic planning and management, and organizing social and other activities and events;
- Records collected from the Institute’s website / intranet are collected and kept for purposes including but not limited to handling various applications submitted through the Institute’s website / intranet, sending newsletters to subscribers registered through the Institute’s website, responding to requests submitted through the Institute’s website / intranet, facilitating website access and compiling statistics on website usage; and
- Other records are collected and kept for purposes which vary according to the nature of the record, including purposes such as facilitating administration or office functions, organizing and delivering activities, compiling, summarizing, aggregating and/or de-personalizing personal data in connection with research or statistical/analytical activities carried on by the Institute in furtherance of the Institute’s mission, conducting direct marketing activities (such as communicating information to individuals about the Institute’s courses and programs) in connection with furthering the Institute’s mission, facilitating publication of research or other publications relating to the Institute.
Collection of personal data
- General: When the Institute collects personal data from individuals, the Institute will provide them with a Personal Information Collection Statement (“PICS”) on or before the collection in an appropriate format and manner in compliance with the PDPO.
- Personal data from the Institute’s website / intranet: In order to provide web-users with a smooth browsing experience, we may need to use technical means (such as cookies) to collect information from web-users when they visit the Institute’s website / intranet. If you are given the option whether or not to accept cookies and you do not accept, you may not be able to access the full content of our website / intranet.
- Direct marketing: Where it is intended that the personal data collected will be used for direct marketing purposes, the Institute will provide the individual with all the necessary information required to be given by law such as information about the direct marketing means and the classes of marketing subjects before making the collection. The Institute will not use an individual’s personal data in direct marketing unless it has obtained the express consent of the individual concerned and such consent has not been withdrawn.
Duration of retention of personal data
The Institute will only hold personal data for as long as it is necessary to fulfill the purpose or a directly related purpose for which they are collected.
Disclosure of personal data
The Institute will take all practicable steps to keep the personal data you have provided confidential. However, the Institute may need to disclose, transfer or assign personal data collected by it to such outside third-parties to facilitate the purpose for which the personal data was collected. In general, the parties to which we may disclose, transfer or assign personal data include medical practitioners providing medical services to the Institute’s staff, if applicable, any agent, contractor or third-party service provider engaged by the Institute to provide services to or on behalf of the Institute (e.g. bankers, insurance providers and payroll service providers) and any person to whom the Institute is under an obligation to make disclosure under any requirements of any law or for the purposes of any guidelines or codes of practice with which the Institute is expected to comply. We may also disclose, transfer or assign personal data internally within the Institute (on a need-to-know basis) to facilitate the purpose for which the personal data was collected or a directly related purpose. The personal data may be disclosed, transferred, or assigned within or outside Hong Kong. In case it is to a place outside Hong Kong, while the Institute will take appropriate steps to protect the privacy of the personal data, it should be noted that such place may not have in place data protection laws which are substantially similar to, or serve the same purposes as, the PDPO so personal data located outside Hong Kong may not be protected to the same or similar level as in Hong Kong.
Security of personal data
The Institute will take appropriate steps to protect the personal data held by it against unauthorized or accidental access use, loss, processing, erasure, transmission, modification, or disclosure. When the Institute needs to disclose, transfer or assign personal data to outside third-parties, the Institute will take appropriate steps to protect the privacy of the personal data to be disclosed, transferred or assigned (for example, requiring our service providers to keep confidential any personal data with which it comes into contact).
Personal data access and correction
Individuals have the right to request access to and to correct their personal data held by the Institute.
Personal data may be made available to concerned individuals via different means, including (a) authenticated on-line enquiries and/or (b) completion of prescribed forms provided by concerned offices and sending the completed form by email to firstname.lastname@example.org.
Similarly, requests to correct personal data held by the Institute may be made via on-line functions where available and/or by submitting such requests by email to email@example.com, using prescribed forms provided by concerned offices.
In accordance with the Personal Data (Privacy) Ordinance, data access requests will normally be addressed within a 40-day period. A fee reflecting the cost of processing the data request may be levied.