Privacy Policy Statement
Tin Ka Ping Foundation, as a Data User, respects the privacy of personal data. The Foundation is fully supportive of and committed to upholding the spirit of the six Data Protection Principles and to complying with the requirements of the Personal Data (Privacy) Ordinance (the Ordinance) in its management practices. The Foundation has made this Privacy Policy Statement to ensure compliance by staff members with the Ordinance. The main points of the Foundation’s privacy policy and practices are summarised as follows:
Purpose and manner of collection of personal data
1. Personal data will only be collected for a lawful purpose and by lawful and fair means. Data collected in relation to a specified purpose must be adequate but not excessive in respect of the purpose. Upon collection, the Data Subject must be explicitly informed of:
(a) the purpose(s) for which the data is to be collected and the groups of persons to whom the data may be transferred;
(b) whether it is obligatory or voluntary for such data to be supplied, and the consequences of not supplying the obligatory data;
(c) the right of the Data Subject to request access to and correction of data held by the Data Users; and
(d) the appointed personnel who handle such data access and correction requests.
Accuracy and duration of retention of personal data
2. All reasonably practicable steps will be taken to ensure that the personal data kept is accurate.
3. Personal data will not be kept longer than is necessary for the fulfilment of the purpose for which it is collected. Normally, the retention period will not exceed seven years after the departure of or cessation of services of the individuals, except for the purposes of fulfilling legal obligations or with subsisting reasons.
Use of personal data
4. Without the prescribed consent of a Data Subject, the personal data will not be used for any purpose other than the purpose for which the data was originally collected. The prescribed consent may be withdrawn by a Data Subject upon written request made to the Foundation Office.
Security of personal data
5. All reasonably practicable steps will be taken to ensure that personal data held is protected against unauthorised or accidental access, processing, erasure or other use. The identifiable personal and sensitive data is held in the Foundation’s secured and protected server.
Information to be generally available
6. The following information in relation to personal data of the Foundation will be available upon request to the Foundation Office:
(a) the kinds of personal data held;
(b) the main purpose for which personal data is used; and
(c) the policies and practices in relation to personal data.
Access to personal data
7. A Data Subject will have the right to request access to his/her personal data held by a Data User, through sending a completed data access request form specified by the Privacy Commissioner for Personal Data to the Foundation Office. A fee which is not excessive will be charged for the processing. The Data Subject will be notified of the outcome within 40 calendar days of submitting his/her access request and will be given a reason if a data access request is refused.
8. After reviewing the requested data, a Data Subject also has the right to request the Foundation in writing for correction of his/her personal data.
Management of personal data
9. For each type of data collected from a Data Subject or a group of Data Subjects, the Foundation designates the department/personnel which collects, holds and uses the data to be responsible for updating, protecting, providing access to and meeting requests for access/correction from the Data Subjects. Other departments/personnel which make use of the same data transferred from these holders of data are expected to observe the six Data Protection Principles as well, particularly with regard to duration of data retention and use and security of data.
10. A Data Protection Officer is to be appointed by the Foundation to help protect the privacy of the data held by the Foundation, in compliance with the six Data Protection Principles, review and improve the relevant internal processes and enhance awareness of the need to protect personal data privacy among his or her colleagues in the Foundation.
The kinds of personal data held by the Foundation and the respective purpose(s) of collection are listed below for information.
Personal data held by the Foundation and the respective purpose(s) of collection
11. Personal data kept by the Foundation varies depending on the purpose of collection. In general terms, personal data could be classified as factual, evaluative or statistical data. Factual data is mostly provided by the Data Subjects themselves; evaluative data is normally provided by another person on the Data Subjects; and statistical data is derived primarily from factual and evaluative data. Statistical data is, where possible, depersonalised before statistical analyses are performed. Examples of personal data kept by the Foundation include the following:
(a) identification data, e.g. name, identity card/passport number, photo
(b) personal details, e.g. age, sex, date of birth, contact telephone, address
(c) family data, e.g. marital status, details of family members
(d) contractual data, e.g. appointment period, terms of appointment
(e) education background and employment details
(f) record of assessment and review, e.g. self-statements, review/promotion panel resolutions
12. Personal data of Job Applicants kept by the Foundation includes the applicants’ personal particulars, copies of qualifications, records of experience, test results, interview assessments, resolutions of assessment panels, last employers’ references and external assessors’ reports. It is kept for recruitment administration purposes. The personal data will only be kept for recruitment consideration. Personal data of unsuccessful applicants will be disposed of soon after the completion of the relevant recruitment exercises and will not be kept for more than two years.
13. Personal data of Existing Staff of the Foundation is kept for various purposes including manpower planning and management, the provision of access to and usage of Foundation facilities, planning and administration of benefits, remuneration and payroll, preparing tax returns, organising training and development activities, complying with applicable laws, regulations and procedures. All personal data may be transferred to third parties, including third party service providers to the Foundation providing facilities and staff benefits, insurers, Mandatory Provident Fund Scheme(s), government departments or regulatory bodies, and auditors appointed by the Foundation.
14. Personal data of Former Staff of the Foundation is kept in the Foundation office. Physical personal files of former staff, which contain personal particulars, family data, contractual data, evaluative data and other benefits-related data, will be destroyed two years after employment has ceased. Basic data of former staff will be kept electronically for the provision of certificates of service. Personal data required in filing for tax records will be disposed of seven years after staff has left the Foundation.
15. Personal data of Volunteers of the Foundation is held by the Foundation for registration, administrative communication, statistical purposes and provision of volunteer welfare services, and includes, but is not limited to, personal particulars, family data, education background, work experience and contact details. For volunteers who have left the Foundation, their personal particulars will be destroyed two years after their cessation of volunteer services to the Foundation.
16. Personal data of Grantees (such as awardees, applicants for sponsorship and/or funding) is collected, kept and used for the assessment and processing of sponsorship and/or funding applications, auditing and reporting purposes, data analysis, and generation of statistical reports.
17. The Foundation will conduct regular evaluation and assessment of its current personal data privacy policy to ensure compliance with the laws and regulations relating to the collection, use and retention of personal data by the Foundation and take necessary measures to safeguard the personal data held.
18. Any enquiries regarding personal data privacy policy and practice and requests for updating or correction of personal data held may be addressed to the Foundation’s Data Privacy Officer by post to the Foundation office or by email at info@tinkaping.org.
2020.06.24