Personal Data Protection Guidelines

University Data Privacy Security Guidelines for handling personal data

Never download data to home computers. If you need to process data at home, consider using remote desktop with VPN.

  1. Personal data should not be downloaded, processed or transmitted to office desktop computers unless absolutely necessary. Be sure applying encryption on those files.
  2. Delete the personal data once they are no longer used. Be aware of cleaning up the recycle bin after deletion of those files.
  3. When download or transfer the personal data, consider only extract those required fields and not necessary sensitive fields should be trimmed down.
  4. Instead of downloading data to desktop, it is highly recommended to consider other alternatives of directly processing data stored in file shares.
  5. For email transmission with attached personal data files, mandatory password protection is required in all transmission of email attachments containing personal data files. Password protected file and password must be delivered separately via different channels.
  6. Departmental file shares that do not have professional IT personnel managing should not be used.
  7. Personal data should be stored in servers provided by the University or shared drives within the office for access by the authorized staff only.
  8. For shared drive and shared documents, password should be changed regularly. It is good practice to change password regularly, every 3 months.
  9. Portable storage devices such as USB memory sticks, notebooks, smart mobile phones, and tablets, should, as far as possible, not be used for storage of personal data files. If such storage is necessary, always encrypt and/or add password to the portable device.
  10. Sensitive and personal data should never be saved in unprotected devices. Mandatory password protection is required for all files containing personal data.
  11. All portable storage devices or hard copy documents which contain personal data must be securely locked in the office when not in use, and should never be left unattended. Please do mark “confidential” on the hard copy documents.
  12. Prohibit export of personal data from computer system for temporary storage or storage of personal data in public “cloud/internet storage services”, e.g. Dropbox, iCloud, google drive etc.
  13. On disposing of a hard disk, floppy disks, CD, DVDs, magnetic tapes or any other storage, be sure all data inside being wiped and destroy the medias by cutting, breaking or drilling holes before disposal.
  14. Storing and processing personal data outside the office or on a personally-owned storage device or PC is strongly discouraged. If it is absolutely necessary to do so for operational reasons, make sure that:
    • The device is protected by appropriate security software with the latest updates, and with all protection mechanisms turned on.
    • No peer-to-peer file sharing software such as Foxy is installed in the device as such software could auto-download and redistribute other software without your authorization.
    • Use VPN
  15. Maintaining a stable and secure computing environment is critical to personal data protection.  Please read ITSC’s Cyber Security at https://itsc.hkust.edu.hk/cyber-security