Agents of the University

 

From time to time, personal data collected by the University through its various arms may be transferred to agents of the University for use and handling on behalf of the University. Examples are as follows:

  • Individual schools/departments/units/offices in the University may transfer personal data to student unions/societies and staff associations in connection with organizing and coordinating student/staff activities and events on behalf of the University.

  • Central departments/offices may transfer personal data to Council members or Council committee members to handle matters on behalf of the University that fall within their jurisdiction.

  • Central departments/offices may transfer personal data to contractors or third-party service providers engaged by the University to provide services to or on behalf of the University (e.g. bankers and insurance providers).

Schools/departments/units/offices shall only transfer personal data to a third party in accordance with the Personal Data (Privacy) Ordinance, the University Data Privacy Policy Statement and the relevant Personal Information Collection Statement, whether or not the recipient is an agent, and whether or not the recipient is within or outside the University.

However, if personal data is transferred to an agent of the University, the relevant school/department/unit/office shall bring this document to the attention of the agent and take steps to ensure that the agent complies with this document, the Personal Data (Privacy) Ordinance, the University Data Privacy Policy Statement and the Personal Information Collection Statement relating to the personal data. The relevant school/department/units/office must also establish a mandate governing the purpose, use and handling of the personal data by the agent and take steps to ensure the mandate is complied with.

More generally, schools/departments/units/offices shall ensure that they comply with the requirements in the Personal Data (Privacy) Ordinance and the guidelines issued by the Office of the Privacy Commissioner relating to transferring personal data to a data processor in the event the agent is a data processor.

Under the Personal Data (Privacy) Ordinance, a data processor means a person who processes personal data on behalf of another person and does not process the data for any of the person’s own purposes.

The Personal Data (Privacy) Ordinance imposes two specific obligations on data users who engage data processors. If a data user engages a data processor, whether within or outside Hong Kong, to process personal data on the data user’s behalf, the data user must adopt contractual or other means to prevent:

  • any personal data transferred to the data processor from being kept longer than is necessary for processing the data; and

  • unauthorized or accidental access, processing, erasure, loss or use of the data transferred to the data processor for processing.

    The Office of the Privacy Commissioner has issued an information leaflet to provide guidelines to data users in complying with these requirements. The information leaflet can be accessed at: https://www.pcpd.org.hk/english/resources_centre/publications/files/dataprocessors_e.pdf.

Very often, schools/departments/units/offices may need to issue tenders for services where the potential bidder, if successful, will be regarded as a data processor. In this connection, the University has prepared suggested wordings for contracts and guidelines (see Appendix F and G) to help those who need to engage data processors. These illustrate the obligations imposed on data users who engage data processors explained above and how the information leaflet issued by the Office of the Privacy Commissioner relates to this context. Staff are reminded that these documents are only samples and staff should carefully read the guidance notes in the samples when using them. Staff are further reminded that these documents are not a substitute for reading the information leaflet issued by the Office of the Privacy Commissioner or this document. These samples can also serve as a general reference for entering into contracts with agents in generally.

If schools/departments/units/offices are not sure whether a third party is an agent and/or data processor and/or whether personal data can be transferred to a third party (whether or not an agent and/or data processor and whether or not within or outside the University), the relevant school/department/unit/office shall consult the Data Privacy Officer before making any arrangements for personal data to be transferred. Schools/departments/units/offices should also be mindful of the requirements of section 33 of the Personal Data (Privacy) Ordinance. See further Overseas Jurisdictions.

It is important for agents to remember that they are acting on behalf and upon the authority of the University. Therefore, agents receiving personal data shall only handle and use personal data in accordance with this document, the University Data Privacy Policy Statement and the Personal Information Collection Statement relating to the personal data. Agents must also only use and handle personal data in accordance with the mandate stipulated by the relevant school/department/unit/office that transferred the personal data to them.

More generally, agents shall familiarize themselves with the Personal Data (Privacy) Ordinance and ensure they are in compliance its provisions at all times.

Schools/departments/units/offices and agents should also be reminded that in the event there is infringing conduct, both the University and the agent could be held liable for the infringing conduct. The University reserves the right to take legal action against the agent. It is particularly important that schools/departments/units/offices ensure appropriate terms are incorporated into contracts with agents governing the obligations of agents in relation to protecting personal data and that agents act prudently at all times.