THE UNIVERSITY OF HONG KONG
Personal Data (Privacy) Ordinance
Code of Practice
INTRODUCTION
The Personal Data (Privacy) Ordinance (the Ordinance) was gazetted on August 4, 1995 and has been effective since December 20, 1996. Various amendments to the Ordinance were passed by the Legislative Council and gazetted since the Ordinance’s enactment. For the avoidance of doubt, any reference to the Ordinance means the Ordinance as amended.
This document is prepared with the aim of providing data users in the University with handy information and general reference in relation to the Ordinance. Individual offices/work units, as data users, are responsible for ensuring compliance with the Ordinance, and they are advised to make reference to the Ordinance for specific details and, if necessary, they may consult the University Data Protection Officer (DPO) or the Office of the Privacy Commissioner for Personal Data (the Commissioner or PCPD).
Other jurisdictions also have implemented legislation protecting privacy and personal data. Attention should be paid to and compliance measures should be taken for those laws and regulations with extra-territorial effect. Typical examples are the European Union’s General Data Protection Regulation (GDPR) which has been effective since May 25, 2018 and the Mainland’s Personal Information Protection Law (PIPL) which has been implemented since November 1, 2021. Key information and points to note about the GDPR and PIPL can be found in the University’s Data Protection Office website (https://dpo.hku.hk/).
In addition to the requirements of the Ordinance, the security and management of personal data are governed under the general framework of the University-wide Information Security and Data Management (ISDM) Policy which is made by the Council and built on, among others, the accountability principle. The ISDM Policy must be strictly complied with.
I. TERMINOLOGY
The following is a list of terminology specifically adopted by the Ordinance:
Data: means any representation of information (including an expression of opinion) in any document, and includes a personal identifier.
Personal Data: means any data –
(a) relating directly or indirectly to a living individual;
(b) from which it is practicable for the identity of the individual to be directly or indirectly ascertained; and
(c) in a form in which access to or processing of the data is practicable.
Data Subject: in relation to personal data, means the individual who is the subject of the data.
Data User: in relation to personal data, means a person who, either alone or jointly or in common with other persons, controls the collection, holding, processing or use of the data.
Data Access Request: every individual has the right to request another party (data user) to confirm whether it holds his/her personal data and to request a copy of any such data.
Data Correction Request: should the personal data provided in response to a data access request be inaccurate, the individual can ask for correction of the personal data.
Document: includes, in addition to a document in writing –
-
that is assigned to an individual by a data user for the purpose of the operations of the user; and
(b) that uniquely identifies that individual in relation to the data user, but does not include an individual’s name used to identify that individual.
Relevant Process: is a special provision under the Ordinance where personal data is exempt from the requirements of Data Protection Principle 6 and Section 18(1)(b) of the Ordinance (i.e. data access requests) until the completion of that process.
A relevant process means any process whereby personal data is considered for the purpose of determining the suitability, eligibility or qualifications of the data subject for employment, promotion, termination, award of contracts/scholarships/other benefits, etc.
It does not include any process where no appeal may be made against any such determination.