1. Purpose
Hong Kong Baptist University1 (the “University” or “we”) respects the privacy of personal data and is committed to complying with the requirements of the applicable laws including the Personal Data (Privacy) Ordinance (the “PDPO”) and the Data Protection Principles contained in it.
This document comprises two parts, the Privacy Policy Statement (Part A), a general statement about our privacy policies and practices in relation to the personal data we handle, and the University’s personal information collection statement (Part B) (“PICS”). When or before we collect personal data from you as a Data Subject, the PICS will be provided to you in accordance with the PDPO.
2. Collection of personal data
(1) We collect personal data for lawful purposes and by lawful and fair means. The data we collect in relation to a specified purpose shall be adequate but not excessive in respect of the purpose. Upon and before collection of data from an individual (“Data Subject” under the PDPO), we will explicitly inform him/her:
(a) the purpose(s) for which the data is to be collected and the groups of persons to whom the data may be transferred;
(b) whether it is obligatory or voluntary to supply the data, and the consequences of not supplying obligatory data;
(c) his/her right to request access to and correction of data held by us; and
(d) the person responsible for handling data access and correction requests.
(2) We collect personal data of Data Subjects in the course of our daily operations. Generally, these Data Subjects include:
(a) job applicants
(b) staff members
(c) applicants for admission to the University and its related bodies
(d) students
(e) alumni
(f) donors
(g) participants in the University’s studies and research projects
(h) patients of the University’s Chinese Medicine clinics
1 including all our offices, departments, faculties, schools, centres or units (however they may be named for administrative reasons), and our wholly owned subsidiaries (each a “Unit”). A separate Privacy Policy Statement and Personal Information Collection Statement, if provided by our subsidiaries, shall apply to you and prevail over this document. Where there is a Personal Information Collection Statement issued and provided by a Unit (other than a subsidiary) for a particular event or activity (a Bespoke PICS), please refer to Part B Section I paragraph 10 and Section II paragraphs 1 to 3 for details.
We may also collect personal data of other individuals who are also Data Subjects2 . Our handling of this personal data, unless specified otherwise in our communication with the Data Subjects, follows the terms of this statement and the relevant PICS.
(3) We may collect personal data directly from a Data Subject when he/she interacts with us3.
(4) We may also collect personal data of a Data Subject indirectly from third parties4.
(5) The University’s PICS in Part B states:
(a) the kind of Data Subjects’ personal data collected or held by the University,
(b) the purposes for which we may use such personal data, and
(c) the classes of persons to whom the personal data may be transferred.
The personal data collected by the University will be used or disclosed to third parties for the purposes:
(a) for which it is collected,
(b) as specified in the PICS, or
(c) as required or permitted by the PDPO and law.
(6) Where the University collects personal data from a Data Subject under the age of 18, we will request the individual to indicate that he/she has consulted his/her parents or such person(s) having parental responsibility for him/her on the contents of this entire document and understands the matters set out herein before providing his/her personal data to the University.
3. The University’s website, online applications and apps
(1) Information is collected from Data Subjects who visit the University’s web portal. In addition, information is collected from the use of the University’s smartphone applications by the Data Subjects.
(2) The University will normally not use cookies on its website or online applications for storage or tracking of users’ information and preferences.
(3) When “session cookies” are used, a statement will appear to alert users before they initiate or log in to the website or application. The “session cookies” collect technical information5. Such information helps us recognise users’ identities when they visit multiple pages in a web application within the same login session, thus removing the need to ask the users for the password on each page, and enables certain functions or services to be provided on the website.
Once users log out or close their browser, the cookie expires and no longer has any effect. Most browsers are initially set to accept cookies. Data Subjects may choose to set their browser to decline the cookies or inform them when the cookies are set (although this may prevent access to some portions of the University’s website or application or certain functions or services available on the website or application). Although the University’s web servers, through cookies, can monitor which sites users have visited, which pages they have seen and which options they have chosen, the data gathered through the use of the cookies will not be
2 For examples, immediate family members and domestic helpers of the Data Subjects, speakers, participants in seminars or activities, and visitors.
3 For examples, a Data Subject visits our website (see paragraph 3 below), attends our events, uses our services, applies for a job, applies for admission or enrolment as a student, registers in our events or communicates with us by various means of communications.
4 These sources may include partner institutions which we collaborate with (for instance, in jointly offered programmes), the Data Subject’s previous employers, academic institutions the Data Subject previously attended or is attending, banks, financial institutions, credit rating agencies, Government, public or non-government bodies, business partners, contractors, service providers, other students or employees, social media platforms and those whom the Data Subject has authorised to provide his/her personal data to other parties including the University (expressly named or not).
5 For example, IP address, login information, browser information and information about the users’ visits.
provided to any third party unless the relevant notice is given and the necessary consent is obtained.
4. The University’s practices
(1) The University, as the “Data User” under the PDPO, requires that all staff members who collect or process personal data comply with the relevant law, including the PDPO. The University has established code(s) and guidance notes which all staff members are required to observe and comply with.
(2) A Unit which collects personal data directly from Data Subjects is the data collecting Unit for such personal data. For instance, the data collecting Unit for personal data of job applicants and staff members is the Unit handling human resources matters, the Human Resources Office.
A Departmental Personal Data Privacy Manager (“Departmental PDP Manager”) is appointed by each personal data collecting and/or handling Unit. The personal data collecting Units, the Departmental PDP Managers and all staff members are responsible for overseeing compliance with the law in the collection, use, disclosure, retention, security and accuracy of such personal data, as well as processing data access and correction requests. A list of the personal data collecting Units and Departmental PDP Managers is available at our website6. A hard copy of the list is also available upon request.
(3) The personal data collecting Unit may share the personal data held by it with other Units for carrying out one or more purposes for which such data is collected, as permitted by the PICS or otherwise permitted under the law. These latter Units and their staff members receiving such personal data are also responsible for ensuring compliance with the law in relation to the personal data that they receive, use, process or retain.
(4) Unless a Data Subject consents, we will not use his/her personal data for any purpose other than the purpose for which the data was originally collected. We will only use a Data Subject’s personal data for direct marketing purposes if he/she has consented to do so in accordance with the PDPO7. Any consent for use of personal data in direct marketing may be withdrawn by the Data Subject at any time.
(5) The University may use algorithms when considering and processing a Data Subject’s application or request. The algorithms provide automatic assessments and decisions based on the information, including personal data, collected. The parameters used in these assessments have been selected to provide a fair and objective assessment of a Data Subject’s personal data and have been tested for reliability and fairness. If the University is uncertain about the accuracy of the personal data that will be used in an algorithmic assessment, it will seek the Data Subject’s clarification.
(6) We will comply with the legal requirements under the European Union-General Data Protection Regulations 2016 (“EU-GDPR”) to the extent that certain such requirements apply to personal data collected, held or processed by the University.
(7) The University generally has closed circuit television systems installed at its premises. Information collected is mainly used for security, management and other related purposes, or as stated in the PICS.
6 https://bupdpo.hkbu.edu.hk/pdprivacy-managers/
7 Please refer to Part B Section II paragraph 2 under “Direct Marketing”
(8) If the University engages outsourcing service providers or data processors (whether within or outside Hong Kong) to assist in its handling of personal data, partners with any parties in activities that involve collection of personal data, or shares the personal data it collects with bodies related to the University in its various identities, such as an educational and research institution, charitable body, donee, landlord/tenant, general corporate entity, constituent member, sponsor, and participant/partner, all these providers, processors, parties and bodies are required to adhere to specific standards to prevent any loss, unauthorised access, use, modification, disclosure or retention, either by contractual provisions or other means.
5. Accuracy and duration of retention of personal data
We take all reasonably practicable steps to ensure that the personal data collected and retained is accurate. Personal data will be retained in accordance with our prevailing policies and no longer than is necessary for the fulfilment of the purposes for which it is collected or to which the Data Subject has given consent, except for the purposes of fulfilling legal obligations or with subsisting reasons. In some but limited circumstances, certain data may be retained indefinitely, for example, regarding a Data Subject’s participation in some of the University’s events or activities which we sometimes record and preserve as part of the University’s overall historical records and organisational archives. Each Unit is required to maintain an inventory of the kind of personal data that it collects, holds or processes, designate retention periods and support its Departmental PDP Manager in ensuring compliance with these requirements.
6. Security of personal data
(1) The University takes all reasonably practicable steps and implements internal guidance to ensure that personal data held is protected against unauthorised or accidental access, processing, erasure or other use. The Departmental PDP Manager is responsible for overseeing the collection, retention and/or processing of data by his/her Unit.
(2) In order to secure the safe transmission of personal data over the internet, the University implements appropriate measures (including encryption and authentication mechanisms) where practicable to protect security of data transmitted and against unauthorised access. Our servers also employ technologies to reduce the risk of cyberattacks over the internet.
(3) The internet is not a secure form of communication, and a Data Subject who sends any personal data to the University over the internet accepts the risks that such communication, involves, including the risk of access or interference by unauthorised third parties. Information passing over the internet may be transmitted internationally (even when the sender and recipient are located in the same country) via countries with weaker privacy and data protection laws than a Data Subject’s country of residence.
7. Information to be generally available
We will generally be able to provide upon request the following information in relation to personal data collected and processed by us:
(1) the kinds of personal data held;
(2) the main purposes for which personal data is used; and
(3) our policies and practices in relation to the handling of such personal data.
8. Access to personal data and data correction requests
(1) Data Subjects have the right to request access to their personal data held by us by completing a data access request form8, and sending the completed form to the University for the attention of the Personal Data (Privacy) Officer or the Departmental PDP Manager of the relevant Unit. Data Subjects may access the list of Units and their respective Departmental PDP Managers through our website9 to identify the Unit to which their request should be addressed and the procedures for submitting the request. Hard copies of the list and the procedures are also available upon request. We will charge a fee for processing each data access request. Normally, we will inform the Data Subject of the outcome within 40 calendar days of his/her submission of the access request and will give a reason if the request is refused.
(2) A Data Subject also has the right to request correction of his/her personal data that is inaccurate at no charge by writing to our Personal Data (Privacy) Officer or the relevant Departmental PDP Manager.
(3) Data Subjects whose personal data is subject to the requirements of EU-GDPR may exercise their rights under the EU-GDPR by contacting our Personal Data (Privacy) Officer or the Departmental PDP Manager of the relevant Unit.
9. Amendments and language
This Privacy Policy Statement and the following PICS are subject to review and change from time to time. Please contact our Personal Data (Privacy) Officer or visit our website for the latest Privacy Policy Statement and PICS.
In case of any discrepancy between the English and Chinese versions of the Privacy Policy Statement and the PICS, the English version shall prevail.
10. Enquiries
If there are any queries concerning this Privacy Policy Statement, please contact our Personal Data (Privacy) Officer. All queries shall be in writing and sent to the Personal Data (Privacy) Officer, c/o General Administration Office, Hong Kong Baptist University, Kowloon Tong, Kowloon, Hong Kong (email data-privacy@hkbu.edu.hk).
8 Available at https://www.pcpd.org.hk/english/publications/files/Dforme.pdf, or from our Personal Data (Privacy) Officer
9 https://bupdpo.hkbu.edu.hk/pdprivacy-managers/
(This PICS shall be read in conjunction with the Privacy Policy Statement in Part A above)
I. Introduction
1. From time to time, it is necessary for various individuals (collectively, the “Data Subjects”) to supply the University (as defined in our Privacy Policy Statement) with data in connection with various activities in which the University is involved.
2. Failure to supply such data may result in the University being unable to provide services, support, assistance, etc., to the Data Subjects.
3. Data is collected from Data Subjects in the ordinary course of and the continuation of the University’s relationship with such Data Subjects, including (without limitation) through their own actions, third parties, the public domain, and the cookies and behavioural tracking tools of the University’s mobile application and websites, and when Data Subjects interact with the University in person (e.g. as visitors, guests or users of the University’s facilities) or through other media (e.g. through the internet or by post).
4. The PICS comprises three sections: Section I. Introduction
Section II. General Privacy Information
Section III. Supplemental Privacy Information
(Sections II and III together form the “Privacy Information”). It sets out:
(1) the kind of personal data collected from you or held by the University about you as a Data Subject;
(2) the purposes for which personal data is collected; and
(3) the classes of persons to whom such personal data may be transferred.
5. Section II is the general Privacy Information relevant to all Data Subjects including you.
6. Section III is the supplemental Privacy Information relevant to seven specific groups of Data Subjects.
Please read BOTH Section II and the relevant subsection in Section III applicable to you before you provide your personal data to us:
Subsection III | Specific Group of Data Subjects |
1 | job applicants |
2 | staff members |
3 | applicants for admission to the University and its related bodies |
4 | students and alumni members |
5 | donors |
6 | participants in studies and research projects |
7 | patients of the Chinese Medicine clinics |
7. When or before collecting your personal data, we will provide to you or the party to whom you have authorised to provide your personal data on your behalf, a copy of the Privacy Policy Statement and this PICS in one document, either electronically, by way of a webpage link or in hard copy. Unless a different PICS (e.g. a Bespoke PICS (paragraph 10)) is provided to you when a data collecting Unit requests personal data from you, this PICS applies to personal data provided by you from time to time.
8. Through this PICS or our staff member, you will be informed whether it is obligatory or voluntary for you to provide the personal data when we seek to collect the data from you. If provision is obligatory, you will be informed of the consequences for you if you do not supply such data.
9. If you are under the age of 18, you shall consult your parents or such person(s) having parental responsibility for you on the contents of the Privacy Policy Statement in Part A above and this PICS and ensure that you understand their contents before providing your personal data to us.
10. It is sometimes necessary for a Unit of the University in certain of its activities (recurring or otherwise) to collect and handle specific types of personal data for enabling and facilitating the activities. The personal information collection statement custom-made for these activities (“Bespoke PICS”) shall be read in conjunction with this PICS and unless any terms in the Bespoke PICS state otherwise (in which case, such terms shall prevail), the contents of this PICS apply to you in full.
11. Nothing in this PICS shall limit the rights of Data Subjects under the Personal Data (Privacy) Ordinance.
II. General Privacy Information
1. Types of personal data
Your personal data collected or held by us includes:
Types | Examples (illustrative only) | |
(1) | identification and personal information |
|
(2) | contact details |
|
(3) | provided by you or third parties (e.g. spouse, employer or parents/guardian) to us |
|
(4) | evaluative data created by us (including our staff members, agents or service providers) |
|
(5) | information collected by means of cookies (when you access our website, online applications or apps) |
|
(6) | other personal data applicable to you in Section III |
|
(7) | additional personal data set out in any Bespoke PICS |
|
2. Purposes for which your personal data is collected
The purposes for which data relating to a Data Subject may be used vary depending on the nature of the Data Subject’s relationship with the University. In general, the personal data you provide to us will be used for the following purposes from time to time:
(1) | our provision of services |
(2) | our administration, management and recordkeeping |
(3) | communication and delivery of information and invitations to you |
(4) | teaching, research (including facilitating open access), quality assurance, surveys, review or statistical analysis |
(5) | promotion of the University’s academic offerings or institutional events, facilities and services, and related publicity activities |
(6) | implementation of and monitoring compliance with our policies and procedures |
(7) | our management (including use, protection and security) of the University’s properties (including accommodation) and facilities |
(8) | protection of the personal safety and health of the University community |
(9) | direct marketing to which you have consented |
(10) | provision of referrals, references or recommendations |
(11) | handling your complaints or enquiries |
(12) | other purposes applicable to you stated in Section III |
(13) | all other purposes directly related to any of the above |
(14) | purposes as set out in any Bespoke PICS |
Subject to your consent through an opt-in mechanism, the University and some of its Units may use your personal data (such as name and contact details) to send communications that may be considered to be direct marketing/promotional material which are relevant to you. However, there are communications issued by us from time to time which are intended to be an extension of the studies or learning experience for a Data Subject who is a student or alumni member or who may have an interest in further learning, which shall not be treated as direct marketing or sending of promotional materials. These may cover promotional, exchange or extracurricular activities related to a Data Subject’s course of study or materials or activities that are integral parts of or viewed as value added to the ongoing relationship between the Data Subject and the University, such as news or information about the University’s latest initiatives and developments.
In contrast, there are communications intended to serve the primary purpose of offering opportunities for further studies, such as inviting application to new programmes or courses, or soliciting interest in services or products provided by the University and/or selected third parties. These communications will be treated as direct marketing or sending of promotional materials. We are required by law to give you the opportunity to not receive these communications. As such, you will be given the opportunity to indicate your consent, or otherwise, to receive such communications through the opt-in mechanism referred to above. Please keep in mind that by declining to receive these communications, you may miss important information related to our activities or various benefits or offers that may affect your participation in the University community.
Any Unit involved in sending the above communications for itself or on behalf of the University to you will seek guidance from the relevant Departmental PDP Manager if it is uncertain whether or not a communication constitutes direct marketing or sending of promotional materials.
3. Disclosure and transfer of your personal data
In connection with the above purposes, we may disclose or transfer your personal data to the following parties:
(1) | any party who owes a duty of confidentiality to the University and is obliged to keep the personal data confidential |
(2) | third parties engaged by us to provide services to us and/or you |
(3) | institutions with which we jointly offer programmes or other collaboration opportunities |
(4) | financial institutions whose services are used by either the University or you |
(5) | credit rating agencies |
(6) | any parties (including students and staff members) within the University on a need-to-know basis |
(7) | regulators and authorities, including any adjudicative bodies (e.g. courts) |
(8) | third parties who have the right to access such data |
(9) | our professional advisors, such as lawyers, accountants and auditors |
(10) | other parties applicable to you identified in Section III |
(11) | parties as set out in any Bespoke PICS |
10 “Direct marketing” is defined as (a) the offering, or advertising of the availability, of goods, facilities or services; or (b) the solicitation of donations or contributions for charitable, cultural, philanthropic, recreational, political or other purposes, through direct marketing means.
4. Access to personal data and data correction requests
You have the right to request access to and to request correction of your personal data. Please refer to paragraph 8 of the Privacy Policy Statement in Part A above on the procedures and the party to whom such a request should be made.
5. Enquiries
11 Please refer to Part A paragraph 8 and footnote 9
III. Supplemental Privacy Information
1. Job applicants
(1) Additional personal data collected or held by us:
(a) | proof of address |
(b) | bank account information |
(c) | family data |
(d) | educational background |
(e) | professional body associations, qualifications and work experience |
(f) | academic transcripts |
(g) | test results and testimonials |
(h) | academic and job references |
(i) | records of assessment records and review |
(j) | medical or health-related information |
(k) | criminal records check |
(l) | other information provided by you in the job application |
Provision of the above personal data is obligatory, unless such items are indicated as optional. If you do not or are unable to provide such data, we may not be able to assess your job application, process your requests or provide you with services generally.
(2) Additional purposes for which your personal data may be used:
(a) | serve as a basis for assessing your job application |
(b) | obtain references and recommendations relevant to your application |
(c) | manage the application account and process the application |
(d) | verify your identity, public examination results, qualifications and academic records and work experience |
(e) | ascertain any criminal record or adverse finding or ruling against you |
(f) | facilitate communications for application-related matters |
(g) | conduct statistical analysis, research, surveys, quality assurance and review |
(h) | process a work visa application, if applicable |
If your application is not successful, your personal data will be retained and thereafter erased according to our prevailing policy and the Code of Practice on Human Resources Management published by the Privacy Commissioner.
(3) Additional third parties to whom your personal data may be disclosed or transferred:
(a) | previous employers, academic institutions and professional bodies |
(b) | service providers engaged by us for conducting background checks and searches |
(c) | Government departments and regulators |
(d) | third-party institutions (whether or not affiliated with us) and their staff members, where your application relates to a joint appointment with, or secondment to, such institutions |
2. Staff members
(1) Additional personal data collected or held by us:
(a) | information provided by you or collected or prepared by us in the job application and onboarding processes, and during the course of employment |
(b) | contractual data |
(c) | marital status and family data |
(d) | records of assessment and review |
(e) | medical or health-related information |
(f) | criminal records check |
(g) | employment details and records |
(h) | test results and testimonials |
(i) | credit rating data and financial (including bank account) information |
(j) | nationality, racial or ethnic origin, religious or similar belief |
(k) | information relating to criminal or civil proceedings involving you as a party/witness |
(l) | research output, academic/scholarly activities and grant activities |
Provision of the above personal data is obligatory, unless such items are indicated as optional. If you do not or are unable to provide such data, we may not be able to implement some of our academic and research policies process and administer the human resources functions or provide you (or your dependants) with employee benefits.
(2) Additional purposes for which your personal data may be used:
(a) | provide access to and usage of our facilities (whether physical or electronic such as online applications and apps) and properties (e.g. staff accommodation) |
(b) | enable work planning |
(c) | facilitate planning and administration of benefits |
(d) | process remuneration, payroll and other payments due from the University to you (e.g. reimbursement of expenses under medical/dental claims) or vice versa |
(e) | prepare tax returns |
(f) | facilitate performance appraisals |
(g) | review appointments, promotions and granting of awards/fellowships |
(h) | facilitate eligibility assessment and application for research grants and funding |
(i) | support ranking exercises, quality assurance certification and programme accreditation |
(j) | disseminate academic writings and research papers for education |
(k) | organise training and development activities |
(l) | monitor compliance with the University’s policies |
(m) | conduct investigations and forensic reviews |
(n) | take disciplinary action |
(o) | prepare management reports or employee announcements |
(p) | provide references and certificate of services to potential employers, financial or educational institutions |
(q) | comply with applicable laws, regulations and procedures |
(r) | support other purposes permitted by the terms of employment |
In addition to the above, all other general employment-related purposes in manpower planning and management, development and maintenance of employment relationship are included without limitation.
(3) Additional third parties to whom your personal data may be disclosed or transferred:
(a) | financial institutions |
(b) | academic institutions |
(c) | publishers of academic and/or open access journals |
(d) | insurers and their agents |
(e) | medical and dental practices/consultants |
(f) | fund administrators/managers of the Superannuation Fund or Mandatory Provident Fund Scheme(s) |
(g) | Government departments and regulatory bodies |
(h) | certification and accreditation bodies and ranking information providers |
(i) | prospective employers (provided that you have consented) for the purpose of providing references |
(j) | professional advisors (including lawyers, accountants and auditors) |
(k) | third-party institutions (whether or not affiliated with us) and their staff members, where your employment relates to joint appointment with, or secondment to, such institutions |
(l) | third-party service providers engaged, subscribed or participated with by us for the above-mentioned purposes in Section II and this Section III |
Your personal data is retained primarily by the internal Unit handling human resources matters and your affiliated Unit(s). Your personal data may be disclosed or transferred to, and retained by, other Units and other internal bodies of the University (such as the Council, the Court and the Senate) and the staff members supporting those Units or bodies, for example, for publication in the internal staff directory and external databases designed for accessing academic publications and data. Where your duties require our collaborating parties or members of the public to be able to contact you, we may also publish (e.g. on our website) or provide your name and work contact information to them.
3. Applicants for admission to the University and its related bodies
(1) Additional personal data collected or held by us:
(a) | proof of address |
(b) | bank account information |
(c) | family data |
(d) | educational background |
(e) | professional body associations, qualifications and work experience |
(f) | academic transcripts |
(g) | test results and testimonials |
(h) | academic and job references |
(i) | records of assessment and review |
(j) | scholarships, awards and financial aid records |
(k) | medical or health-related information |
(l) | other information provided by you in the admission process |
Provision of the above personal data is obligatory, unless such items are indicated as optional. If you do not or are unable to provide such data, we may not be able to admit you to the University, enrol you in academic programmes, process your requests or provide you with services generally.
(2) Additional purposes for which your personal data may be used:
(a) | serve as a basis for selection for admissions and consideration of the award of scholarships |
(b) | obtain references and recommendations relevant to your application for admissions |
(c) | manage the application account and process the application |
(d) | identify possible multiple applications |
(e) | obtain records of existing and previous studies and activities at the University and other institutions |
(f) | verify your identity, public examination results, qualifications and academic records and, where applicable, work experience |
(g) | facilitate communication for admission-related matters |
(h) | conduct statistical analysis, research, surveys, quality assurance and review |
(i) | process a student visa application, if applicable |
If your application is not accepted, your personal data provided during the admission process will be retained and thereafter erased according to our prevailing policy.
(1) Additional third parties to whom your personal data may be disclosed or transferred:
(a) | previous employers, academic institutions and professional bodies |
(b) | Government departments and regulators |
(c) | third-party institutions (whether or not affiliated with us) and their staff members, where your application relates to admission or joint admission to such institutions or joint programmes offered with such institutions |
4. Students and alumni members
(1) Additional personal data collected or held by us:
(a) | information provided by you or collected by us during your admission application and admission process and such updated or additional information during the course or after completion of your studies (e.g. regarding employment following graduation) |
(b) | study history (including exchange programme information) and records (such as programme details, years of study and awards) |
(c) | academic status |
(d) | academic work, test results and testimonials |
(e) | records of assessment and review |
(f) | scholarships, awards and financial aid records |
(g) | medical or health-related information |
(h) | other activity records (e.g. membership of student bodies, and disciplinary and counselling records) |
(i) | credit rating data and financial (including bank account) information |
(j) | nationality, racial or ethnic origin, religious or similar belief |
(k) | information relating to criminal or civil proceedings involving you as a party/witness |
(2) Additional purposes for which your personal data may be used:
(a) | provide access to and usage of our facilities (whether physical or electronic, such as online applications and apps) and properties (e.g. student accommodation) |
(b) | inform and register you for events or courses organised by the University |
(c) | enable academic and administrative communications |
(d) | provide study, academic, student welfare and accommodation services |
(e) | facilitate enquiry or investigation in academic integrity and general conduct |
(f) | assess academic progress and attainment (e.g. completion or graduation requirements) |
(g) | consider needs for financial aid and special educational support |
(h) | provide academic transcripts, academic references, testimonials or verify qualifications to you or to third parties (such as academic institutions and your prospective employers) to whom you have consented |
(i) | report graduate employability |
(j) | communicate to you University news, activities, initiatives, publications, information and other important notices |
(k) | send membership invitations and deliver information about activities organised and/or promoted by student bodies and organisations and teaching units to you |
(l) | keep in touch with you as an alumni member |
(m) | communicate to you information about alumni activities, University news, activities, initiatives and publications |
Your personal data is retained primarily by the internal Units handling student and academic matters. Your personal data may be disclosed or transferred to, and retained by, other Units and other internal bodies of the University (such as the Council, the Court and the Senate) and the staff members supporting those Units or bodies. Where your studies require our collaborating parties or members of the public to be able to contact you, we may also publish (e.g. on our website) or provide your name and student contact information to them.
The University will retain and store alumni data in its alumni database indefinitely.
(3) Additional third parties to whom your personal data may be disclosed or transferred while you are a student or an alumni member:
(a) | student bodies within the University, such as the Students’ Union, Postgraduate Association, hall councils, academic societies and extra-curricular clubs |
(b) | academic institutions, professional bodies and your prospective employers |
(c) | Government departments and regulators |
(d) | third-party institutions (whether or not affiliated with us) and their staff members, where you are admitted or jointly admitted to such institutions, or your studies relate to joint programme(s) offered with such institutions |
(e) | University Alumni Association and course/Unit-based alumni associations (local and overseas) |
5. Donors
(1) Additional personal data collected or held by the University:
Personal data provided by you in the donation form and the donation process.
(2) Additional purposes for which your personal data may be used:
(a) | administer and process your donations (including any pre-acceptance clearance procedures) |
(b) | give due recognition to donations with proper acknowledgement and publicity |
(c) | communicate to you University news, updates, initiatives, publications and invitations to University events and activities |
(d) | facilitate data analysis and statistical report compilation |
(3) Additional third parties to whom your personal data may be disclosed or transferred:
Notwithstanding Section II (General Privacy Information) in this PICS, your personal data will be treated as strictly confidential and in accordance with our Donor Charter and the law.
6. Participants in studies and research projects
(1) Additional personal data collected or held by us:
(a) | name and details (including mobile phone number) of emergency contact |
(b) | medical and health-related information |
(c) | information requested in the enrolment form or set out in the study materials provided to you |
(d) | other information about you provided to us by third parties with your consent, such as your existing healthcare providers, if relevant to assessing your suitability for participation in the study or research project |
(e) | study data to be collected or generated about you in the course of conducting the study |
Provision of the above personal data is obligatory, unless otherwise indicated as voluntary in the enrolment form or study materials. If you do not or are unable to provide such data, we may not be able to enrol you in the study. Please also ensure that the information you provided is accurate and complete.
(2) Additional purposes for which your personal data is collected:
(a) | conduct the study |
(b) | provide treatment to you and/or other study subjects within the scope of the study |
(c) | facilitate teaching, research or statistical analysis |
(d) | develop and design future studies |
(e) | maintain quality assurance and conduct satisfaction surveys in relation to the study and/or the University generally |
(f) | conduct internal or external audits in relation to the study |
(g) | communicate with you in connection with the above purposes |
(3) Additional third parties to whom your personal data may be disclosed or transferred:
We will take all practicable steps to keep your personal data confidential, in particular your medical or health-related information. We shall anonymise your identity information in any study data, teaching or research materials disclosed to any outside party (unless disclosure of your personal data is required for the purpose of the disclosure). The circumstances under which your personal data may be disclosed to third parties will be set out in the study materials provided to you. For example, your personal data may be disclosed to:
(a) | a partnering institution, coordinating research organisation or lead investigator if the study is conducted in collaboration with the partnering institution or is part of a multi-site study |
(b) | third-party service providers involved in conducting specific analyses for the study (such as laboratory or technical services) |
7. Patients of the Chinese Medicine clinics
(1) Additional personal data collected or held by us:
(a) | name and details (including mobile phone number) of emergency contact |
(b) | family data |
(c) | medical and health-related information (e.g. medical history, hospitalisation record, laboratory test results, previous medical procedures and treatments and immunisation record) |
(d) | other information about you provided to us by third parties with your consent, such as your existing healthcare providers |
(e) | history of consultations received at our clinics or through other channels |
(f) | medical prescriptions issued to you |
(2) Additional purposes for which your personal data will be used:
(a) | facilitate diagnosis and our provision of treatment to you |
(b) | enable patient administration in general |
(c) | support teaching, educational or statistical purposes |
(3) Additional third parties to whom your personal data may be disclosed or transferred:
(a) | third-party service providers involved in conducting specific analyses for your treatment (such as laboratory or technical services) |
(b) | courier services which handle delivery of prescribed medicine |
(c) | other healthcare providers for which you have consented to such disclosure or transfer |
August 2021