Implementation and Monitoring

To complement the University’s data privacy efforts a number of facilities/action will be undertaken. These are identified below.


1. To ensure continued awareness/alert

Periodic reminders will be issued by the Data Privacy Officer to data users and heads of schools/department/units to reinforce the importance of proper handling of personal data. This will be done by:

  • all staff email – for general awareness of the principles of personal data privacy and reminder to be cautious about handling of such data.
  • email to the heads of school/department/unit – as reminder of the personal data privacy principles and the need to have a mechanism in place to comply with such principles, including alert reminder to concerned staff handling such data.

Such reminders will typically be dispatched at the start of each semester (i.e. in September and February).

Other forms of notification / reminders will be taken as appropriate from time to time to reinforce the awareness of the University community.

Those who transfer personal data to agents must periodically remind the agents that they must handle and use the personal data transferred to them in accordance with this document, the Personal Data (Privacy) Ordinance, the University Data Privacy Policy Statement and the Personal Information Collection Statement relating to the personal data and that they must only handle and use personal data in accordance with the mandate stipulated by the relevant school/department/unit/office that transferred the personal data to them.

From time to time, the Data Privacy Officer may also issue reminders to heads of school/department/unit/office on issues relevant to agents. In such case, it is the responsibility of the school/department/unit/office to ensure they circulate the reminder to the agents and draw those issues to the attention of the agents.


2. Education / Training

  • Forums and seminars on the handling of personal data will be arranged on a periodic basis. These forums and seminars will provide the opportunity for the sharing of best practice across the institution, and help to ensure a common approach to data privacy issues.

    Where appropriate, the Office of the Privacy Commission on Personal Data may be invited to participate to provide first-hand information and comments/feedback.
  • Special security training will be arranged for technical staff as necessary.

The objective is to provide staff members who have to deal with personal data with the necessary information and/or techniques.


3. Addressing on-going operational questions and concerns

In their daily operations, University units may come across situations when it is not obvious whether personal data is (or should be) involved and, if so, how it should be handled.

It is expected that most operational concerns/questions could typically be addressed in discussion with the concerned Central Data User office(s) .

Concerned matters could also be brought to the attention of the Data Privacy Officer and email to, especially when:

  • it is not certain which Central Data User office should be contacted to discuss the matter, or
  • the matter is non-trivial and/or requires policy considerations, and cannot be resolved via discussion with the Central Data User office(s) concerned.

This will ensure that data users will have a clear avenue to bring forward their operational questions/concerns for discussion/resolution, and, enable consistent handling among units for similar situations.

In the event agents have any questions or concerns about the use and handling of the personal data transferred to them, they should forthwith contact the relevant school/department/unit/office that transferred the personal data to them. If the relevant school/department/unit/office is unable to address the enquiry, it shall forward the enquiry to the Data Privacy Officer.


4. Making data privacy information generally available

Information about the University’s policy and practices regarding personal data will be made available through:

5. Incident reporting

Incidents or suspected incidents involving the breach of personal data privacy (including any leakage of personal data, actual or suspected) should immediately be brought to the attention of the head of the concerned school/department/unit, who in turn should promptly report the incident to the Data Privacy Officer.

Agents should forthwith report incidents or suspected incidents to the head of the school/department/unit/office that transferred the personal data to it, who in turn shall promptly report the incident to the Data Privacy Officer.

The Data Privacy Officer will determine the severity of the incident (drawing from his advisory committee where necessary) and report the case to the Privacy Commissioner for Personal Dataas appropriate/necessary.

Proper documentation should be maintained for each such case, typically including such information as:

  • cause of the incident,
  • action(s) taken,
  • recommendation(s) to mitigate the risk(s) of further incidents.

6. Reviews and monitoring

All data users should review their respective personal data handling procedures and processes on a periodic (e.g. annual) basis and to remind concerned staff regarding proper practices.

Periodic audits will also be conducted to ensure compliance.