Implementation and Monitoring
To complement the University’s data privacy efforts, a number of facilities/actions will be undertaken. These are identified below.
1. To ensure continued awareness/alert
Periodic reminders will be issued by the Data Privacy Officer to data users and heads of schools/departments/units to reinforce the importance of proper handling of personal data. This will be done by:
- all staff email – for general awareness of the principles of personal data privacy and reminder to be cautious about handling of such data.
- email to the heads of school/department/unit – as reminder of the personal data privacy principles and the need to have a mechanism in place to comply with such principles, including alert reminder to concerned staff handling such data.
Such reminders will typically be dispatched at the start of each semester (i.e. in September and February).
Other forms of notification / reminders will be taken as appropriate from time to time to reinforce the awareness of the University community.
Those who transfer personal data to agents must periodically remind the agents that they must handle and use the personal data transferred to them in accordance with this document, the Personal Data (Privacy) Ordinance, the University Data Privacy Policy Statement and the Personal Information Collection Statement relating to the personal data and that they must only handle and use personal data in accordance with the mandate stipulated by the relevant school/department/unit/office that transferred the personal data to them.
From time to time, the Data Privacy Officer may also issue reminders to heads of school/department/unit/office on issues relevant to agents. In such case, it is the responsibility of the school/department/unit/office to ensure they circulate the reminder to the agents and draw those issues to the attention of the agents.
2. Education / Training
- Forums and seminars on the handling of personal data will be arranged on a periodic basis. These forums and seminars will provide the opportunity for the sharing of best practice across the institution, and help to ensure a common approach to data privacy issues.
Where appropriate, the Office of the Privacy Commission on Personal Data may be invited to participate to provide first-hand information and comments/feedback.
- Special security training will be arranged for technical staff as necessary.
The objective is to provide staff members who have to deal with personal data with the necessary information and/or techniques.
3. Addressing on-going operational questions and concerns
In their daily operations, University units may come across situations when it is not obvious whether personal data is (or should be) involved and, if so, how it should be handled.
It is expected that most operational concerns/questions could typically be addressed in discussion with the concerned Central Data User office(s).
Concerned matters could also be brought to the attention of the Data Privacy Officer and email to, especially when:
- it is not certain which Central Data User office should be contacted to discuss the matter, or
- the matter is non-trivial and/or requires policy considerations, and cannot be resolved via discussion with the Central Data User office(s) concerned.
This will ensure that data users will have a clear avenue to bring forward their operational questions/concerns for discussion/resolution, and enable consistent handling among units for similar situations.
In the event agents have any questions or concerns about the use and handling of the personal data transferred to them, they should forthwith contact the relevant school/department/unit/office that transferred the personal data to them. If the relevant school/department/unit/office is unable to address the enquiry, it shall forward the enquiry to the Data Privacy Officer.
4. Making data privacy information generally available
Information about the University’s policy and practices regarding personal data will be made available through:
- University Data Privacy Policy Statement – available on the University’s website
- Personal Information Collection Statement – available at various points of data collection
- Personal Data Privacy Policy – from the website of the University Data Privacy Officer (via the website of the Office of the Vice President for Administration and Business)
- Other information regarding data privacy practices will be published from time to time via the website of the University Data Privacy Officer
5. Incident reporting
Incidents or suspected incidents involving the breach of personal data privacy (including any leakage of personal data, actual or suspected) should immediately be brought to the attention of the head of the concerned school/department/unit, who in turn should promptly report the incident to the Data Privacy Officer.
Agents should forthwith report incidents or suspected incidents to the head of the school/department/unit/office that transferred the personal data to it, who in turn shall promptly report the incident to the Data Privacy Officer.
The Data Privacy Officer will determine the severity of the incident (drawing from his advisory committee where necessary) and report the case to the Privacy Commissioner for Personal Data as appropriate/necessary.
Proper documentation should be maintained for each such case, typically including such information as:
- cause of the incident,
- action(s) taken,
- recommendation(s) to mitigate the risk(s) of further incidents.
6. Reviews and monitoring
All data users should review their respective personal data handling procedures and processes on a periodic (e.g. annual) basis and remind concerned staff regarding proper practices.
Periodic audits will also be conducted to ensure compliance.