CMHHK Privacy Policy Statement & Personal Information Collection Statement

Document No.: FIDV-ICTD-001-PPS&PICS-V1.0
Department: ICTD
Type of Document: Policy
Version: V1.0
Last Review Date: 31-May-2025
Effective Date: 1-Jun-2025
Next Review Date: 31-May-2028
Custodian by: ICTD
Approval by: CMT


Summary of Distribution

(in reverse chronological order)

| Distributed date | Distribution List |
| --- | --- |
| 01 June 2025 | All staff. |


Revision History

(in reverse chronological order)

| Version No. | Effective Date | Summary of Changes |
| --- | --- | --- |
| V1.0 | 01 June 2025 | First version. |

 
1. Introduction
1.1. The Personal Data (Privacy) Ordinance

In Hong Kong, the right to privacy is guaranteed by Article 30 of the Basic Law and protected generally under Article 14, section 8, Part II of the Hong Kong Bill of Rights Ordinance (Chapter 383 of the Laws of Hong Kong). The latter is a mirror image of Article 17(1) of the International Covenant on Civil and Political Rights (ICCPR).

The right to privacy has been interpreted by the United Nations Human Rights Committee to include data protection.

The Personal Data (Privacy) Ordinance (Chapter 486 of the Laws of Hong Kong) (PDPO) was passed in 1995 and took effect in December 1996 (except for certain provisions). It has its origins in the August 1994 Law Reform Commission Report entitled Reform of the Law Relating to the Protection of Personal Data, which recommended that Hong Kong introduce a new privacy law to ensure an adequate level of data protection, to retain its status as an international trading centre, and to give effect to the obligations under the ICCPR.

The Chinese Medicine Hospital of Hong Kong (CMHHK) respects the privacy of personal data and is committed to complying with the requirements of the applicable laws including the PDPO and the Data Protection Principles contained in it.
 

1.2. The Privacy Policy Statement (PPS)

This document comprises two parts. The first part is the Privacy Policy Statement (PPS), which is a general statement about CMHHK’s privacy policies and practices in relation to the personal data that CMHHK handles. The following table summarizes the key components in PPS.

Privacy Policy Statement (PPS)

| Component | Description |
| --- | --- |
| Purpose | Outlines CMHHK's practices and procedures regarding the collection, use, disclosure, and protection of personal data. It informs individuals about how their data will be handled and what rights they have concerning their privacy. |
| Data Collection | Describes the types of personal data collected from individuals (e.g., names, contact details, payment information, and browsing behaviour). |
| Data Usage | Explains how collected data will be used, whether for processing transactions, providing services, personalizing experiences, or marketing purposes. |
| Data Sharing | Specifies circumstances under which personal data may be shared with third parties (e.g., healthcare providers, business partners, or government authorities). |
| Data Security | Details security measures in place to protect personal data from unauthorized access, disclosure, alteration, or loss. |
| Data Retention | States how long personal data will be retained and the criteria used to determine retention periods. |
| Data Rights | Informs individuals of their rights regarding access, correction, deletion, and restriction of their personal data. |
| Policy Updates | Indicates how changes to the PPS will be communicated and when they will take effect. |
| Contact Information | Provides contact details for inquiries, complaints, or requests related to personal data privacy. |

Table 1 Terminology Definitions


1.3. The Personal Information Collection Statement (PICS)

The second part of this report is the Personal Information Collection Statement (PICS) which promotes transparency, informed consent, compliance, data protection, accountability, and effective communication. When or before CMHHK collects personal data from individuals, the PICS will be provided to the individuals in accordance with the PDPO. The following table summarizes the key components in PICS.

Personal Information Collection Statement (PICS)

| Component | Description |
| --- | --- |
| Purpose | A specific notice provided to individuals at the point of data collection (e.g., on a website form, application form, or survey). It discloses the purposes for which personal data is collected and how it will be used. |
| Reasons of Collection | States the reasons for collecting personal data (e.g., processing requests, providing services, conducting research, or marketing services). |
| Data Disclosure | Informs individuals whether their data will be shared with third parties and for what purposes. |
| Consequences of Non-Disclosure | Explains the implications of not providing certain personal data (e.g., being unable to access certain services). |
| Data Retention | States how long personal data will be retained and the criteria used to determine retention periods. |
| Contact Information | Provides contact details for inquiries, complaints, or requests related to personal data handling. |

Table 2 Personal Information Collection Statement Structure

Both the PPS and PICS are essential tools for CMHHK to communicate its data protection practices, build trust with individuals, and comply with privacy regulations (e.g., PDPO). By being transparent and accountable in handling personal data, CMHHK can demonstrate its commitment to safeguarding privacy rights and maintaining ethical data practices.
 

1.4. Definitions

| # | Term | Definition |
| --- | --- | --- |
| 1 | Personal Data | Information that relates to a living individual and can be used to identify that individual. It must also exist in a form in which access to or processing of the information is practicable. In the case of CMHHK, patient name and address are considered personal data. |
| 2 | Data Subject | An individual who is the subject of the personal data. In the case of CMHHK, a patient is a Data Subject because personal data are collected from each patient. |
| 3 | Data User | A person who, either alone or jointly with other persons, controls the collection, holding, processing or use of personal data. In the case of CMHHK, Chinese Medicine Practitioners (CMP’s) are Data Users who rely on patient personal data to make diagnostic decisions. |
| 4 | Data Processor | A person who processes personal data on behalf of another person (a Data User), instead of for his/her own purpose(s). Data Processors are not directly regulated under PDPO. Instead, Data Users are required, by contractual or other means, to ensure that their Data Processors meet the applicable requirements of PDPO. In the case of CMHHK, marketing materials would be sent to patients and possibly other Data Subjects through an email marketing platform in the cloud. The email marketing platform is therefore a Data Processor that receives, processes, and deletes the personal data passed to it. It is the responsibility of the Data User (in this example, CMHHK’s administration department) to ensure that the Data Processor complies with the procedures and guidelines presented in this document and other relevant CMHHK policies. |

Table 3 Data Processing Roles
 

2. Privacy Policy Statement (PPS)
2.1. Purpose

The PPS informs individuals about how their personal data is collected, used, disclosed, and protected by CMHHK. This statement serves several key functions: transparency, informed consent, compliance, trust building, accountability, and information security.
 

2.1.1. Transparency

The PPS promotes transparency by detailing CMHHK's practices and procedures regarding the handling of personal data. It helps individuals understand what data is being collected from them, how it will be used, and who it may be shared with.
 

2.1.2. Informed Consent

By providing clear information about data collection and processing practices, the PPS enables individuals to make informed decisions and give explicit consent to CMHHK for the use of their personal data.
 

2.1.3. Compliance

The PPS is often required by privacy laws and regulations (e.g., PDPO). By having a comprehensive PPS in place, CMHHK demonstrates its commitment to compliance with relevant data protection requirements.
 

2.1.4. Trust Building

The PPS can help build trust with patients, visitors, and other stakeholders. By demonstrating a commitment to protecting personal data and respecting privacy rights, CMHHK can enhance its reputation and credibility.
 

2.1.5. Accountability

The PPS serves as a public commitment by CMHHK to handle personal data responsibly and ethically. It holds CMHHK accountable for its data protection practices and provides a mechanism for individuals to hold CMHHK accountable if those practices are not upheld.
 

2.1.6. Information Security

The PPS includes details about the security measures in place to protect personal data from unauthorized access, disclosure, alteration, or loss. This helps reassure individuals that their data is being safeguarded.

Overall, the PPS plays a crucial role in establishing trust, promoting transparency, ensuring compliance with privacy regulations, and protecting the privacy rights of individuals whose personal data is collected and processed by CMHHK.
 

2.2. Collection of Personal Data

CMHHK collects personal data for lawful purposes and by lawful and fair means. The data that CMHHK collects in relation to a specified purpose shall be adequate but not excessive in respect of the purpose. On or before collecting personal data from an individual (a Data Subject), CMHHK will explicitly inform the Data Subject of:

  • the purpose(s) for which the data is to be collected and the groups of persons to whom the data may be transferred;
  • whether it is obligatory or voluntary to supply the data, and the consequences of not supplying obligatory data;
  • Data Subject’s right to request access to and correction of data held by CMHHK; and
  • the person responsible for handling data access and correction requests.

CMHHK collects personal data of individuals during its daily operations. Generally, these individuals fall into one of the following types:

  • job applicants;
  • staff members;
  • patients;
  • students;
  • donors; and
  • participants in studies and research projects.

CMHHK may also collect personal data of other individuals (e.g., immediate family members of staff members for the purpose of provision of health insurance). The handling of such personal data, unless specified otherwise in CMHHK’s communication with the individual, follows the terms of the PPS and PICS.

CMHHK may collect personal data directly from an individual when the individual interacts with CMHHK (e.g., visitors to CMHHK’s website, visitors requiring access to CMHHK’s car park).

CMHHK may also collect personal data indirectly from third parties (e.g., members of partner institutions which CMHHK collaborates with, such as staff members and students of the Hong Kong Baptist University).

The PICS elaborated in Section 3 states:

  • the kind of personal data collected or held by CMHHK,
  • the purposes for which CMHHK may use such personal data, and
  • the classes of persons to whom the personal data may be transferred.

The personal data collected by CMHHK will be used or disclosed to third parties for the following purposes:

  • for which it is collected,
  • as specified in the PICS, or
  • as required or permitted by the PDPO and law.

Where CMHHK collects personal data from an individual under the age of 18, CMHHK will request the individual to indicate that he/she has consulted his/her parents or such person(s) having parental responsibility for him/her on the contents of the PPS and PICS as well as understands the matters set out herein before providing his/her personal data to CMHHK.
 

2.3. Collection through Websites and Applications

Data is also collected from individuals visiting CMHHK’s website or using CMHHK’s existing and future online applications/apps.

Cookies are commonly used in applications, including web applications, to store IP address, login information, browser information, user preferences, session information, authentication tokens, user visits, and other data that helps enhance the user experience and functionality of the applications.

CMHHK will normally not use cookies on its website or applications. Such data helps CMHHK recognise visitors’ identities when they visit multiple pages in CMHHK’s website, thus avoiding the need to ask the users for the password on each page, and enables certain functions or services to be provided on the website. In the case of session cookies, they will expire once the visitors log out or close their browser.

Most browsers are initially set to accept cookies. Visitors may choose to set their browser to decline the cookies or inform them when the cookies are set (although this may prevent access to some portions of CMHHK’s website or application or certain functions or services available on the website or application).

Although CMHHK’s web servers, through cookies, can monitor which sites users have visited, which pages they have seen and which options they have chosen, the data gathered through the use of cookies will not be provided to any third party unless the relevant notice is given and the necessary consent is obtained.
 

2.4. Personal Data Privacy Practices

CMHHK, as the Data User under PDPO, requires that all staff members who collect or process personal data comply with the relevant law, including the PDPO. CMHHK has established and will develop code(s) and guidance notes which all staff members are required to observe and comply with.

A unit which collects personal data directly from Data Subjects is a Personal Data Collecting Unit (PDCU) (e.g., the Human Resources Department that collects personal data of job applicants and staff members).

A Departmental Personal Data Privacy Manager (DPDPM) is appointed by each PDCU. The PDCU’s, DPDPM’s, the Chief Information Security Officer (CISO), and all staff members are responsible for overseeing the compliance with the law in the collection, use, disclosure, retention, security and accuracy of personal data, as well as processing data access requests and data correction requests. A list of the PDCU’s with their contact persons is available on the CMHHK website as well as in Section 4 of this document. A hard copy of the list is also available upon request.

A PDCU may share the personal data held by it with other PDCU’s for carrying out one or more purposes for which such personal data is collected, as permitted by the PICS or otherwise permitted under the law. These latter PDCU’s and their staff members receiving such personal data are also responsible for ensuring compliance with the law in relation to the personal data that they receive, use, process or retain.

Without the consent of the Data Subjects, CMHHK will not use the personal data for any purpose other than the purpose for which the data was originally collected. CMHHK will only use a Data Subject’s personal data for direct marketing purposes if he/she has consented to such use in accordance with PDPO. Any consent for use of personal data in direct marketing may be withdrawn (i.e., opted out) by the Data Subject at any time.

CMHHK will comply with the legal requirements under the Personal Data (Privacy) Ordinance (PDPO) to the extent that certain such requirements apply to personal data collected, held or processed by CMHHK.

CMHHK generally has closed circuit television systems installed at its premises. Information collected is mainly used for security, management and other related purposes, or as stated in PICS.

If CMHHK engages outsourcing service providers (i.e., Data Processors whether within or outside Hong Kong) to assist in its handling of personal data, partners with any parties in activities that involve collection of personal data, or shares the personal data it collects with bodies related to CMHHK in its various identities (e.g., as an educational and research institution, charitable body, donee, general corporate entity, sponsor, participant, and partner), all these providers, processors, parties and bodies are required to adhere to specific standards to prevent any loss, unauthorised access, use, modification, disclosure or retention, either by contractual provisions or other means.
 

2.5. Accuracy and Retention Duration of Personal Data

CMHHK takes all reasonably practicable steps to ensure that collected and retained personal data is accurate. Personal data will be retained in accordance with our prevailing policies and no longer than is necessary for the fulfilment of the purposes for which the personal data is collected or to which the Data Subject has given consent, except for the purposes of fulfilling legal obligations or with subsisting reasons. In some but limited circumstances, certain personal data may be retained indefinitely (e.g., regarding a Data Subject’s participation in some CMHHK activities which CMHHK sometimes records and preserves as part of CMHHK’s overall historical records and organisational archives). Each PDCU is required to maintain an inventory of the kinds of personal data that it collects, holds or processes, designate retention periods and support DPDPM in ensuring compliance with these requirements.
 

2.6. Security of Personal Data

CMHHK takes all reasonably practicable steps and implements internal guidance to ensure that retained personal data is protected against unauthorised or accidental access, processing, erasure or other use.

DPDPM is responsible for overseeing the collection, retention and/or processing of personal data by his/her PDCU.

To secure the safe transmission of personal data over the internet, CMHHK implements appropriate measures (e.g., encryption and authentication mechanisms) where practicable to protect the security of data transmission and against unauthorised access. CMHHK’s systems are well protected with well-tested and advanced technologies against sophisticated cyber attacks.

The internet is not a secure form of communication. By sending any personal data to CMHHK over the internet, a Data Subject implies acceptance of the risks that such communication involves (e.g., the risk of access or interference by unauthorised third parties). Information passing over the internet may be transmitted internationally (even when the sender and recipient are located in the same country) via countries with weaker privacy and data protection laws than a Data Subject’s country of residence.
 

2.7. Provision of Information About CMHHK Privacy Practices

CMHHK will generally be able to provide upon request the following information in relation to personal data collected and processed by CMHHK:

  • the kinds of personal data held;
  • the main purposes for which personal data is used; and
  • CMHHK’s policies and practices in relation to the handling of such personal data.
     
2.8. Request to Access or Correct / Delete Personal Data

Data Subjects have the right to request access to their personal data held by CMHHK through the Access Request Procedure described in the following table or other channels provisioned in other business agreements with CMHHK (e.g., patients have the right to access their personal data through CMHHK’s clinical staff or any assigned CMHHK members). If the Requestor is not the Data Subject of the requested data, sufficient reason must be given to justify the necessity of the access.

| # | Access Request Procedure | By Whom | Description |
| --- | --- | --- | --- |
| 1 | To obtain the Request Form | Requestor | To obtain the Request Form from Section 5 in this document. To download the Request Form from the CMHHK website. |
| 2 | To fill in the Request Form | Requestor | Only the Access to Personal Data section in the Request Form needs to be filled. Requestor may not be the Data Subject whose data is requested to be accessed. To provide any additional information that might facilitate the approval of the request. |
| 3 | To sign and date the Request Form | Requestor | To sign and date the filled Request Form. |
| 4 | To prepare the payment | Requestor | To prepare a crossed cheque payable to The Chinese Medicine Hospital of Hong Kong with the amount stated in the Request Form, if applicable. |
| 5 | To submit the filled Request Form with the payment | Requestor | To submit the filled Request Form and the prepared cheque to either the CISO or the DPDPM of the relevant PDCU listed in Section 4 of this document. |
| 6 | To approve/reject the Access Request | CISO / DPDPM | To inform the Requestor about the decision on the Access Request by email within 40 days after the submission of the filled Request Form. To provide a reason for the decision if the Access Request is rejected. |

Table 4 Process to Request Access of Personal Data

A Data Subject also has the right to request correction of his/her personal data that is inaccurate at no charge by writing to our CISO or the DPDPM of the relevant department or through other channels provisioned in other business agreements with CMHHK (e.g., patients have the right to get their personal data corrected through CMHHK’s clinical staff or any assigned CMHHK members). If the Requestor is not the Data Subject of the data requested to be corrected, sufficient reason must be given to justify the request not being originated from the Data Subject himself/herself.

| # | Correction Request Procedure | By Whom | Description |
| --- | --- | --- | --- |
| 1 | To obtain the Request Form | Requestor | To obtain the Request Form from Section 5 in this document. To download the Request Form from the CMHHK website. |
| 2 | To fill in the Request Form | Requestor | Only the Correction of Personal Data section in the Request Form needs to be filled. Requestor may not be the Data Subject whose data is requested to be accessed. To provide any additional information that might facilitate the approval of the request. |
| 3 | To sign and date the Request Form | Requestor | To sign and date the filled Request Form. |
| 4 | To submit the filled Request Form with the payment | Requestor | To submit the filled Request Form and the prepared cheque to either the CISO or the DPDPM of the relevant PDCU listed in Section 4 in this document. |
| 5 | To approve/reject the Access Request | CISO / DPDPM | To inform the Requestor about the decision on the Correction Request by email within 40 days after the submission of the filled Request Form. To provide a reason for the decision if the Correction Request is rejected. |

Table 5 Process to Request Correction of Personal Data

Data Subjects whose personal data is subject to the requirements of PDPO may exercise their rights under the PDPO by contacting CMHHK’s CISO or the DPDPM of the relevant PDCU.
 

2.9. Obtaining Up-to-date PPS and PICS

The PPS and PICS are subject to review and change from time to time. Please contact the CISO or visit CMHHK’s website for the latest PPS and PICS.
 

2.10. Contact Information

If there are any queries concerning this PPS, please contact the CISO. All queries shall be in writing and sent to our CISO, c/o Information Technology Department, The Chinese Medicine Hospital of Hong Kong, 1 Pak Shing Kok Road, Tseung Kwan O, New Territories, Hong Kong (email ciso@hkbu.edu.hk).
 

3. Personal Information Collection Statement (PICS)

From time to time, it is necessary for Data Subjects to supply CMHHK with personal data in connection with various activities in which CMHHK is involved. Failure to supply such data may result in CMHHK being unable to provide services, support, assistance, etc., to the Data Subjects.

Data is collected from Data Subjects in the ordinary course of and the continuation of CMHHK’s relationship with the Data Subjects, including (without limitation) through their own actions, third parties, the public domain, and the cookies and behavioural tracking tools of CMHHK’s mobile application and websites, and when Data Subjects interact with CMHHK in person (e.g. as visitors, guests or users of CMHHK’s facilities) or through other media (e.g. through the internet or by post).
 

3.1. Purpose

The purpose of the PICS is to provide individuals with clear and concise information about how their personal data will be collected, used, and managed by CMHHK. The primary objectives of the PICS include: informed consent, transparency, compliance, data protection, accountability, and communication.
 

3.1.1. Informed Consent

The PICS ensures that individuals are fully informed about the collection of their personal data before providing their personal data to CMHHK. By clearly outlining the purposes for which the personal data will be used and any potential disclosures to third parties, individuals can make informed decisions about sharing their personal data.
 

3.1.2. Transparency

The PICS promotes transparency by detailing the types of personal data that will be collected, the methods of collection, and the reasons for collecting the data. This transparency helps build trust between individuals and CMHHK.
 

3.1.3. Compliance

CMHHK is required by law to inform individuals about the collection of their personal data and obtain their consent before processing the personal data. The PICS helps CMHHK comply with data protection regulations and privacy laws by providing the necessary disclosures to individuals.
 

3.1.4. Data Protection

The PICS may include information about CMHHK's data protection practices (e.g., the security measures in place to safeguard personal data), data retention policies, and individuals' rights regarding their personal data. This helps reassure individuals that their personal data is being handled responsibly and securely.

 

3.1.5. Accountability

By providing a clear and easily accessible PICS, CMHHK demonstrates its commitment to accountability and ethical data handling practices. The PICS serves as a public declaration of CMHHK's responsibilities regarding the collection and processing of personal data.
 

3.1.6. Communication

The PICS serves as a communication tool between CMHHK and individuals, ensuring that both parties have a shared understanding of how personal data will be used. It helps prevent misunderstandings and fosters a transparent relationship between CMHHK and the Data Subjects.

Overall, the PICS is essential for promoting informed consent, transparency, compliance with data protection laws, data security, accountability, and effective communication between CMHHK and individuals regarding the collection and processing of personal data.
 

3.2. Privacy Information

This Section states the personal data that are relevant and commonly collected and retained across different kinds of Data Subjects.

Additional personal data, purposes, and disclosures of each kind of Data Subject will be covered in subsequent Sections. The six kinds of Data Subjects considered in this document are listed in the table below.

| # | Kinds of Data Subjects |
| --- | --- |
| 1 | Job Applicants |
| 2 | Staff Members |
| 3 | Patients |
| 4 | Students |
| 5 | Donors |
| 6 | Participants in Studies and Research Projects |

Table 6 Kinds of Data Subject

When or before collecting personal data from a Data Subject, CMHHK will provide the Data Subject, or the party whom the Data Subject has authorised to provide personal data on his/her behalf, with a copy of the PPS and PICS, either electronically, by way of a webpage link or in hard copy. The Data Subject must read both Sections before providing any personal data to CMHHK.

Upon reading the PICS, a Data Subject will be informed whether it is obligatory or voluntary for the Data Subject to provide the personal data when CMHHK seeks to collect such personal data. If provision is obligatory, the Data Subject will be informed of the consequences of not supplying such personal data.

If a Data Subject is under the age of 18, the Data Subject shall consult his/her parents or such person(s) having parental responsibility for the Data Subject on the contents of the PPS and PICS and ensure that he/she understands the contents before providing any personal data to CMHHK.

It is sometimes necessary for a PDCU in certain of its activities (recurring or otherwise) to collect and handle specific types of personal data for enabling and facilitating the activities. The PICS custom-made for these activities (Bespoke PICS) shall be read in conjunction with this PICS and unless any terms in the Bespoke PICS state otherwise (in which case, such terms shall prevail), the contents of this PICS apply to all Data Subjects in full.

Nothing in this PICS shall limit the rights of Data Subjects under PDPO.
 

3.3. General Privacy Information
3.3.1. Commonly Collected Personal Data

Personal data collected by CMHHK for all kinds of Data Subjects are summarised in the following table.

| # | Personal Data Type | Examples |
| --- | --- | --- |
| 1 | Contact Information | Address; Telephone number; Email address |
| 2 | Personal Identifiers | Name; Identity card number; Passport number; Visual and audio recordings; Photographic images |
| 3 | Demographic Information | Gender |
| 4 | Third Party Provided Data | Information that is obtained from external sources or partners rather than collected directly from the individual by CMHHK. For example, data provided by spouse, employers, or parents |
| 5 | Supplemental Information | Data specified in subsequent Sections |
| 6 | Information Specified in an Applicable Bespoke PICS | Data specified in any applicable Bespoke PICS that is relevant to the Data Subject |

Table 7 Commonly Collected Personal Data
 

3.3.2. Purposes of Personal Data Collection

The purposes for which personal data relating to a Data Subject may be used vary depending on the nature of the Data Subject’s relationship with CMHHK. In general, the personal data a Data Subject provides to CMHHK will be used for the following purposes.

| # | Purpose of Personal Data Collection |
| --- | --- |
| 1 | Provision of CMHHK services. |
| 2 | Administration, management, and record keeping. |
| 3 | Communication and delivery of information and invitations. |
| 4 | Research, quality assurance, surveys, review, statistical analysis, or teaching. |
| 5 | Direct marketing with Data Subjects’ consents. |
| 6 | Implementation and monitoring of policies and procedures compliance. |
| 7 | Management (including use, protection, and security) of CMHHK properties and facilities. |
| 8 | Protection of the personal safety and health of the CMHHK community. |
| 9 | Provision of referrals, references, or recommendations. |
| 10 | Handling of Data Subjects’ complaints or enquiries. |
| 11 | Other additional purposes stated in Section 3.4 Supplemental Privacy Information. |
| 12 | Other additional purposes set out in any applicable Bespoke PICS. |

Table 8 Purposes of Personal Data Collection
 

3.3.3. Opt-in and Opt-out for Direct Marketing

Direct marketing is defined as (a) the offering, or advertising of the availability, of goods, facilities or services, or (b) the solicitation of donations or contributions for charitable, cultural, philanthropic, recreational, political or other purposes, through direct marketing means.

Subject to the Data Subject’s consent through an opt-in mechanism, CMHHK may use the Data Subject’s personal data (such as name and contact details) to send direct marketing materials which are relevant to the Data Subject. That said, CMHHK is required by law to give the Data Subject the opportunity not to receive such communication. As such, a Data Subject will be given the opportunity to indicate his/her consent, or otherwise, to receive such communication through the opt-in mechanism referred to earlier.

Any staff member involved in sending the above communication on behalf of CMHHK should seek guidance from the relevant DPDPM if he/she is uncertain whether or not a communication constitutes direct marketing or sending of promotional materials.
 

3.3.4. Consequences of Non-Disclosure

When Data Subjects are not willing or unable to provide personal data that is deemed obligatory by CMHHK, there can be several consequences, both for the Data Subjects themselves and for CMHHK.
 

Inability to Provide Services

If the provision of personal data is necessary for CMHHK to provide a service or fulfill a contractual obligation, the Data Subject's refusal to provide the required data may result in CMHHK being unable to deliver the service or meet its obligations.
 

Legal Compliance Issues

In some cases, CMHHK is legally required to collect certain personal data for compliance with regulations or laws. If Data Subjects refuse to provide this data, CMHHK may face legal repercussions or be unable to comply with legal requirements.
 

Risk of Termination of Services

CMHHK has policies in place that require the collection of specific personal data for security, verification, or operational purposes. If Data Subjects do not provide this data, CMHHK may have grounds to terminate the services or relationship with the individual.
 

Limited Access or Functionality

In scenarios where personal data is required for access to certain features or functionalities of a service or platform, Data Subjects who do not provide the necessary information may experience limitations in their user experience or access to certain services.
 

Impact on Personalization

Personal data is often used to personalize services, content, or recommendations for users. If Data Subjects do not provide the required data, they may miss out on personalized experiences tailored to their preferences and needs.
 

Loss of Benefits or Opportunities

CMHHK uses personal data to offer benefits, discounts, or opportunities to its customers or users. Data Subjects who do not provide the necessary information may not be able to access these benefits or opportunities.
 

Trust and Relationship Impact

Refusal to provide personal data that is deemed obligatory by CMHHK may impact the trust and relationship between the Data Subject and CMHHK. Data Subjects may feel that their privacy or autonomy is not being respected, leading to a breakdown in trust.
 

3.3.5. Retention of Personal Data

While the PDPO does not prescribe a specific retention period for healthcare data, it requires that personal data should not be kept longer than is necessary for the fulfilment of the purpose for which it was collected. Healthcare providers in Hong Kong, including CMHHK, are expected to establish data retention policies that align with legal requirements, industry standards, and best practices to ensure the appropriate handling and retention of patient data.

 

3.3.6. Disclosure and Transfer of Personal Data

In connection with the above purposes, CMHHK may disclose or transfer personal data of Data Subjects to other parties, such as the following.

| # | Party to Whom Personal Data May Be Disclosed |
| --- | --- |
| 1 | Any parties on a need-to-know basis. |
| 2 | Any party who owes a duty of confidentiality to CMHHK and is obliged to keep the personal data confidential. |
| 3 | Third parties engaged by CMHHK to provide services to CMHHK and/or the Data Subjects. |
| 4 | Regulators and authorities (including any adjudicative bodies, such as courts). |
| 5 | Third parties who have the right to access such data. |
| 6 | CMHHK’s professional advisors (such as lawyers, accountants, and auditors). |
| 7 | Other additional parties relevant to a Data Subject as stated in Section 3.4 Supplemental Privacy Information. |
| 8 | Other additional parties set out in any applicable Bespoke PICS. |

Table 9 Disclosure and Transfer of Personal Data
 

3.3.7. Request to Access or Correct / Delete Personal Data

Data Subjects have the right to request access to the personal data about them retained by CMHHK, as well as to request correction of their personal data incorrectly kept by CMHHK. Section 2.8 Request to Access or Correct / Delete Personal Data provides the procedures for making such requests.
 

3.3.8. Contact Information

If there are any queries concerning this PICS, please contact the CISO. All queries shall be in writing and sent to our CISO, c/o Information Technology Department, The Chinese Medicine Hospital of Hong Kong, 1 Pak Shing Kok Road, Tseung Kwan O, New Territories, Hong Kong (email ciso@hkbu.edu.hk).
 

3.4. Supplemental Privacy Information
3.4.1. Job Applicants

Additional Personal Data about Job Applicants

| # | Additional Personal Data about Job Applicants |
| --- | --- |
| 1 | Proof of previous incomes |
| 2 | Educational background |
| 3 | Records of assessment and review |
| 4 | Professional body associations, qualifications, and work experience |
| 5 | Academic and job references |
| 6 | Other information provided in the job application |
| 7 | Visa requirement |
| 8 | Declaration of conflict of interest |
| 9 | Consent of reference check |

Table 10 Additional Personal Data about Job Applicants

Provision of the above personal data is obligatory, unless such items are indicated as optional. Failure to provide such data may result in CMHHK not considering the job application, processing any request regarding the job application, or providing any service generally.
 

Additional Purposes for Collecting Additional Personal Data about Job Applicants

| # | Additional Purpose for Collecting Additional Personal Data about Job Applicants |
| --- | --- |
| 1 | To serve as a basis for assessing the job application. |
| 2 | To obtain references and recommendations relevant to the job application. |
| 3 | To manage the application account and process the job application. |
| 4 | To verify the job applicant’s identity, public examination results, qualifications and academic records, and work experience. |
| 5 | To ascertain any criminal record or adverse finding or ruling against the job applicant. |
| 6 | To facilitate communications for job application related matters. |
| 7 | To conduct statistical analysis, research, surveys, quality assurance, and review. |
| 8 | To process a work visa application or any immigration related permit, if applicable. |

Table 11 Additional Purposes about Collecting Job Applicant Data

If a job application is not successful, the associated personal data will be retained and thereafter erased according to the relevant CMHHK human resources management policies.

The Code of Practice on Human Resources Management published by the Privacy Commissioner for Personal Data specifies the following retention period for job applicant data.

▫ No longer than two years in respect of recruitment-related data held about a job applicant from the date of rejecting the applicant.

This retention period will also apply to electronic job applicant records.
 

Additional Third Parties to Whom Additional Personal Data about Job Applicants May Be Disclosed or Transferred

| # | Additional Third Party to Whom Additional Personal Data about Job Applicants May Be Disclosed or Transferred |
| --- | --- |
| 1 | Previous employers, academic institutions, and professional bodies. |
| 2 | Service providers engaged by CMHHK for conducting background checks and searches. |
| 3 | Third party institutions (whether or not affiliated with CMHHK) and their staff members, where a job application relates to a joint appointment with, or secondment to, such institutions. |

Table 12 Additional Disclosure and Transfer of Job Applicant Data
 

3.4.2. Staff Members

Additional Personal Data about Staff Members

| # | Additional Personal Data about Staff Members |
| --- | --- |
| 1 | Age |
| 2 | Date of birth |
| 3 | Proof of address |
| 4 | Academic transcripts |
| 5 | Test results and testimonials |
| 6 | Marital status and family data |
| 7 | Contractual data |
| 8 | Bank account information |
| 9 | Employment details and records |
| 10 | Job-related medical and health related information |
| 11 | Information relating to criminal or civil proceedings involving the staff member as a party/witness |

Table 13 Additional Personal Data about Staff Members

Provision of the above personal data is obligatory, unless such items are indicated as optional. If a staff member does not or is unable to provide such data, CMHHK may not be able to implement some of the processes and administer the human resources functions or provide the staff member (or the dependents) with employee benefits.
 

Additional Purposes for Collecting Additional Personal Data about Staff Members

| # | Additional Purpose for Collecting Additional Personal Data about Staff Members |
| --- | --- |
| 1 | To provide access to and usage of CMHHK’s facilities (whether physical or electronic such as online applications and apps) and properties (e.g. staff car park). |
| 2 | To enable work planning. |
| 3 | To facilitate planning and administration of benefits. |
| 4 | To process remuneration, payroll and other payments due from CMHHK to staff members (e.g. reimbursement of expenses under medical/dental claims). |
| 5 | To prepare tax returns. |
| 6 | To facilitate performance appraisals. |
| 7 | To review appointments, promotions and granting of awards/fellowships. |
| 8 | To facilitate eligibility assessment and application for benefits. |
| 9 | To support certification and accreditation activities. |
| 10 | To organise training and development activities. |
| 11 | To monitor compliance with CMHHK’s policies. |
| 12 | To conduct investigations and forensic reviews. |
| 13 | To take disciplinary action. |
| 14 | To prepare management reports or employee announcements. |
| 15 | To provide references and certificate of services to potential employers, financial or educational institutions. |
| 16 | To comply with applicable laws, regulations and procedures. |
| 17 | To support other purposes permitted by the terms of employment. |

Table 14 Additional Purposes about Collecting Staff Member Data

In addition to the above, all other general employment-related purposes in manpower planning and management, development and maintenance of employment relationship are included without limitation.

Staff member personal data will be retained and erased according to the relevant CMHHK human resources management policies.

The Code of Practice on Human Resources Management published by the Privacy Commissioner for Personal Data specifies the following retention period for staff data.

  • No longer than seven years in respect of recruitment-related data held about a job applicant from the date of rejecting the applicant.

This retention period will also apply to electronic job applicant records.
 

Additional Third Parties to Whom Additional Personal Data about Staff Members May Be Disclosed or Transferred

| # | Additional Third Party to Whom Additional Personal Data about Staff Members May Be Disclosed or Transferred |
| --- | --- |
| 1 | Financial institutions. |
| 2 | Academic institutions. |
| 3 | Insurers and their agents. |
| 4 | Medical and dental practices/consultants. |
| 5 | Fund administrators/managers of the Superannuation Fund or Mandatory Provident Fund Scheme(s). |
| 6 | Government departments and regulatory bodies. |
| 7 | Certification and accreditation bodies. |
| 8 | Prospective employers (provided that the staff member has consented) for the purpose of providing references. |
| 9 | Professional advisors (including lawyers, accountants and auditors). |
| 10 | Third-party institutions (whether or not affiliated with CMHHK) and their staff members, where the staff member’s employment relates to joint appointment with, or secondment to, such institutions. |

Table 15 Additional Disclosure and Transfer of Staff Member Data

Personal data is retained primarily by the Human Resources Department and may be disclosed or transferred to, and retained by, other PDCUs and the staff members supporting those PDCUs, for example, for publication in the internal staff directory. Where a staff member’s duties require collaborating parties or members of the public to be able to contact the staff member, CMHHK may also publish (e.g. on the CMHHK website) or provide the staff name and work contact information to them.
 

3.4.3. Patients

Additional Personal Data about Patients

| # | Additional Personal Data about Patients |
| --- | --- |
| 1 | Information provided by the patient or collected/prepared by CMHHK in the patient registration and check-in processes, and during the course of treatment |
| 2 | Age |
| 3 | Date of birth |
| 4 | Name and contact details (e.g., mobile phone number) of caretaker and for emergency contact. |
| 5 | Medical and health related information (e.g. medical history, hospitalisation record, prescriptions, laboratory test results, previous medical procedures / treatments / immunisation records) |
| 6 | Insurance information |
| 7 | Billing information |
| 8 | Other information about the patient provided to CMHHK by third parties with the patient’s consent (e.g., EHRSS records) |
| 9 | History of consultations received at CMHHK or through other channels. |

Table 16 Additional Personal Data about Patients

Provision of the above personal data is obligatory, unless otherwise indicated as voluntary in the data collection form/webpage/screen. Failure to provide such personal data may result in CMHHK not being able to provide the necessary medical treatment or assistance in general. The patient should ensure that the information provided is accurate and complete.
 

Additional Purposes for Collecting Additional Personal Data about Patients

| # | Additional Purpose for Collecting Additional Personal Data about Patients |
| --- | --- |
| 1 | To facilitate diagnosis and CMHHK’s provision of treatment to the patient. |
| 2 | To enable patient administration in general. |
| 3 | To support teaching, educational or statistical purposes. |
| 4 | To facilitate the conduct of medical related research and development. |

Table 17 Additional Purposes about Collecting Patient Data

Electronic records are increasingly serving as the primary means of maintaining patient information. Compared to paper records, they offer significant advantages in terms of space efficiency and preservation. Retaining digital patient data ensures continuity of care across a patient's lifetime, supporting long-term health monitoring and chronic disease management. It allows for valuable medical research and public health studies over extended periods while still meeting most legal and regulatory requirements.

This also empowers patients with access to their records throughout their lives, facilitates interoperability between healthcare providers, and maintains cost-effective and secure data storage. Additionally, it preserves sufficient medical history for educational purposes and training of healthcare professionals.

  • Patient records will be retained continuously.
     
Additional Third Parties to Whom Additional Personal Data about Patients May Be Disclosed or Transferred

| # | Additional Third Party to Whom Additional Personal Data about Patients May Be Disclosed or Transferred |
| --- | --- |
| 1 | Third-party service providers involved in conducting specific analyses for the patient’s treatment (such as laboratory or technical services). |
| 2 | Courier services which handle delivery of prescribed medicine. |
| 3 | Other healthcare providers for which the patient has consented to such disclosure or transfer. |

Table 18 Additional Disclosure and Transfer of Patient Data
 

3.4.4. Students

Additional Personal Data about Students

| # | Additional Personal Data about Students |
| --- | --- |
| 1 | Information provided by the student or collected by CMHHK during student’s onboarding process and such updated or additional information during the course or after completion of the working or practising relationship with CMHHK. |
| 2 | Study history (including exchange programme information) and records (such as programme details, years of study and awards). |
| 3 | Academic status. |
| 4 | Academic work, test results and testimonials. |
| 5 | Records of assessment and review. |
| 6 | Scholarships, awards and financial aid records. |
| 7 | Medical or health related information. |
| 8 | Other activity records (e.g. disciplinary and counselling records). |
| 9 | Nationality, racial or ethnic origin, religious or similar belief. |
| 10 | Information relating to criminal or civil proceedings involving the student as a party/witness. |

Table 19 Additional Personal Data about Students

Provision of the above personal data is obligatory, unless otherwise indicated as voluntary in the practice enrolment form. If the student does not or is unable to provide such data, CMHHK may not be able to enrol the student for practice in CMHHK. The student should ensure that the provided information is accurate and complete.
 

Additional Purposes for Collecting Additional Personal Data about Students

| # | Additional Purpose for Collecting Additional Personal Data about Students |
| --- | --- |
| 1 | To provide access to and usage of CMHHK’s facilities (whether physical or electronic, such as online applications and apps) and properties (e.g. CMHHK car park). |
| 2 | To inform and register the student for events organised by CMHHK. |
| 3 | To enable academic and administrative communications. |
| 4 | To assess academic progress and attainment (e.g. completion or graduation requirements). |
| 5 | To consider needs for special educational support. |
| 6 | To report graduate employability. |
| 7 | To communicate to the student CMHHK news, activities, initiatives, publications, information, and other important notices. |

Table 20 Additional Purposes about Collecting Student Data

Personal data is retained primarily by the clinical units providing practice opportunities to students studying Chinese medicine.

Personal data may be disclosed or transferred to, and retained by, other PDCUs and the staff members supporting those PDCUs. Where a student’s studies require CMHHK’s collaborating parties or members of the public to be able to contact the student, CMHHK may also publish (e.g. on the CMHHK website) or provide the student’s name and student contact information to them.
 

Additional Third Parties to Whom Additional Personal Data about Students May Be Disclosed or Transferred

| # | Additional Third Parties to Whom Additional Personal Data about Students May Be Disclosed or Transferred |
| --- | --- |
| 1 | Academic institutions, professional bodies and the student’s prospective employers. |
| 2 | Government departments and regulators. |

Table 21 Additional Disclosure and Transfer of Student Data
 

3.4.5. Donors

Additional Personal Data about Donors

| # | Additional Personal Data about Donors |
| --- | --- |
| 1 | Personal data provided by the donor in the donation form and the data collected during the donation process |

Table 22 Additional Personal Data about Donors

Provision of the above personal data is obligatory, unless otherwise indicated as voluntary in the donation form. If the donor does not or is unable to provide such data, CMHHK may not be able to process the donation or attribute the donation to the donor. The donor should ensure that the provided information is accurate and complete.
 

Additional Purposes for Collecting Additional Personal Data about Donors

| # | Additional Purpose for Collecting Additional Personal Data about Donors |
| --- | --- |
| 1 | To administer and process the donations (including any pre-acceptance clearance procedures). |
| 2 | To give due recognition to donations with proper acknowledgement and publicity. |
| 3 | To communicate to the donors CMHHK news, updates, initiatives, publications and invitations to CMHHK’s events and activities. |
| 4 | To facilitate data analysis and statistical report compilation. |

Table 23 Additional Purposes about Collecting Donor Data

Additional Third Parties to Whom Additional Personal Data about Donors May Be Disclosed or Transferred

| # | Additional Third Party to Whom Additional Personal Data about Donors May Be Disclosed or Transferred |
| --- | --- |
| 1 | N/A |

Table 24 Additional Disclosure and Transfer of Donor Data

 

3.4.6. Participants in Studies and Research Projects

Additional Personal Data about Participants

| # | Additional Personal Data about Participants |
| --- | --- |
| 1 | Name and contact details (including mobile phone number) of emergency contact. |
| 2 | Medical and health related information. |
| 3 | Information requested in the enrolment form or set out in the study materials provided to the participant. |
| 4 | Other information about the participant provided to CMHHK by third parties with the participant’s consent (e.g., existing healthcare providers). |
| 5 | Study data to be collected or generated about the participant in the course of conducting the study. |

Table 25 Additional Personal Data about Participants

Provision of the above personal data is obligatory, unless otherwise indicated as voluntary in the enrolment form or study materials. If the participant does not or is unable to provide such data, CMHHK may not be able to enrol the participant in the study. The participant should ensure that the provided information is accurate and complete.
 

Additional Purposes for Collecting Additional Personal Data about Participants

| # | Additional Purpose for Collecting Additional Personal Data about Participants |
| --- | --- |
| 1 | To conduct the study. |
| 2 | To provide treatment to the participant and/or other study subjects within the scope of the study. |
| 3 | To facilitate teaching, research or statistical analysis. |
| 4 | To develop and design future studies. |
| 5 | To maintain quality assurance and conduct satisfaction surveys in relation to the study and/or CMHHK generally. |
| 6 | To conduct internal or external audits in relation to the study. |
| 7 | To communicate with the participant in connection with the above purposes. |

Table 26 Additional Purposes about Collecting Participant Data

 

Additional Third Parties to Whom Additional Personal Data about Participants May Be Disclosed or Transferred

CMHHK will take all practicable steps to keep personal data confidential, in particular participants’ medical or health related information. CMHHK shall anonymise personal identity in any study data, teaching or research materials disclosed to any outside party (unless disclosure of personal identity is required for the purpose of the disclosure). The circumstances under which personal data may be disclosed to third parties will be set out in the study materials provided to the participants. Personal data may be disclosed to:

| # | Additional Third Party to Whom Additional Personal Data about Participants May Be Disclosed or Transferred |
| --- | --- |
| 1 | A partnering institution, coordinating research organisation or lead investigator if the study is conducted in collaboration with the partnering institution or is part of a multi-site study. |
| 2 | Third-party service providers involved in conducting specific analyses for the study (such as laboratory or technical services). |

Table 27 Additional Disclosure and Transfer of Participant Data

 

4. Personal Data Collecting Units and Contacts

| Personal Data Collection Unit (PDCU) | Departmental Personal Data Privacy Manager (DPDPM) | Email Address | Phone Number |
| --- | --- | --- | --- |
| Hospital Chief Executive Office | Professor BIAN Zhaoxiang | bzxiang@hkbu.edu.hk | 3411 2905 |
| Chinese Medicine Division | Dr. CHEUNG Chun Hoi | cchunhoi@hkbu.edu.hk | 3411 8069 |
| Western Medicine Division | Dr. LAU Chun Wing | laucw3@hkbu.edu.hk | 3411 5989 |
| Nursing Division | Ms. Ellie CHON | elliechon@hkbu.edu.hk | 3411 5566 |
| Pharmacy | Mr. Jeffrey LEUNG | khleung@hkbu.edu.hk | 3411 7428 |
| Finance Department | Mr. Leo LUI | leolui@hkbu.edu.hk | 3411 2777 |
| Human Resources Department | Mr. Cleve WONG | wonghcc@hkbu.edu.hk | 3411 2393 |
| Administration Department | Dr. CHEUNG Chun Hoi | cchunhoi@hkbu.edu.hk | 3411 8069 |
| Chief Information Security Officer (CISO) | Dr. Daniel CHAN | danielkcchan@hkbu.edu.hk | 3411 2305 |

Table 28 Personal Data Collecting Units and Contacts

 

5. Request Form for the Access/Correction/Deletion of Personal Data

Access or Correction / Deletion of Personal Data Request Form

Personal Information

Full Name

 

Date of Birth

 

Address

 

Contact Number

 

Email Address

 

Identification Number

[HKID/Passport Number]

Relationship to the Data Subject

(if different from the Data Subject)

 

Request Details

Please indicate the nature of your request by checking the appropriate box(es)

 

Access to Personal Data

I would like to request access to the personal data that you hold about me.

 
 

Correction of Personal Data

I would like to request correction of inaccurate or outdated personal data that you hold about me.

 
 

Deletion of Personal Data

I would like to request permanent deletion of personal data that you hold about me.

 

Additional Information

Please provide any additional details or specifications related to your request.

Declaration

I hereby declare that the information provided above is true and accurate to the best of my knowledge. I understand that any false information provided may result in the rejection of my request.

  

Signature

Date

  

Please submit this completed form to the Chief Information Security Officer (CISO) or the Departmental Personal Data Privacy Manager (DPDPM) of the relevant Personal Data Collecting Unit (PDCU).

Table 29 Personal Data Access & Correction / Deletion Request Form