Document No. | FIDV-ICTD-001-PPS&PICS-V1.0 |
Department | ICTD |
Type of Document | Policy |
Version | V1.0 |
Last Review Date | 31-May-2025 |
Effective Date | 1-Jun-2025 |
Next Review Date | 31-May-2028 |
Custodian by | ICTD |
Approval by | CMT |
(in reverse chronological order)
Distributed date | Distribution List |
01 June 2025 | All staff. |
(in reverse chronological order)
Version No. | Effective Date | Summary of Changes |
V1.0 | 01 June 2025 | First version. |
In Hong Kong, the right to privacy is guaranteed by Article 30 of the Basic Law and protected generally under Article 14, section 8, Part II of the Hong Kong Bill of Rights Ordinance (Chapter 383 of the Laws of Hong Kong). The latter is a mirror image of Article 17(1) of the International Covenant on Civil and Political Rights (ICCPR).
The right to privacy has been interpreted by the United Nations Human Rights Committee to include data protection.
The Personal Data (Privacy) Ordinance (Chapter 486 of the Laws of Hong Kong) (PDPO) was passed in 1995 and took effect in December 1996 (except for certain provisions). It has its origins in the August 1994 Law Reform Commission Report entitled Reform of the Law Relating to the Protection of Personal Data, which recommended that Hong Kong introduce a new privacy law to ensure an adequate level of data protection to retain its status as an international trading centre and give effect to the obligations under the ICCPR.
The Chinese Medicine Hospital of Hong Kong (CMHHK) respects the privacy of personal data and is committed to complying with the requirements of the applicable laws including the PDPO and the Data Protection Principles contained in it.
This document comprises two parts. The first part is the Privacy Policy Statement (PPS), which is a general statement about CMHHK’s privacy policies and practices in relation to the personal data that CMHHK handles. The following table summarizes the key components in PPS.
Privacy Policy Statement (PPS) | |
Purpose | Outlines CMHHK's practices and procedures regarding the collection, use, disclosure, and protection of personal data. It informs individuals about how their data will be handled and what rights they have concerning their privacy. |
Data Collection | Describes the types of personal data collected from individuals (e.g., names, contact details, payment information, and browsing behaviour). |
Data Usage | Explains how collected data will be used, whether for processing transactions, providing services, personalizing experiences, or marketing purposes. |
Data Sharing | Specifies circumstances under which personal data may be shared with third parties (e.g., healthcare providers, business partners, or government authorities). |
Data Security | Details security measures in place to protect personal data from unauthorized access, disclosure, alteration, or loss. |
Data Retention | States how long personal data will be retained and the criteria used to determine retention periods. |
Data Rights | Informs individuals of their rights regarding access, correction, deletion, and restriction of their personal data. |
Policy Updates | Indicates how changes to the PPS will be communicated and when they will take effect. |
Contact Information | Provides contact details for inquiries, complaints, or requests related to personal data privacy. |
Table 1 Terminology Definitions
The second part of this report is the Personal Information Collection Statement (PICS) which promotes transparency, informed consent, compliance, data protection, accountability, and effective communication. When or before CMHHK collects personal data from individuals, the PICS will be provided to the individuals in accordance with the PDPO. The following table summarizes the key components in PICS.
Personal Information Collection Statement (PICS) | |
Purpose | A specific notice provided to individuals at the point of data collection (e.g., on a website form, application form, or survey). It discloses the purposes for which personal data is collected and how it will be used. |
Reasons of Collection | States the reasons for collecting personal data (e.g., processing requests, providing services, conducting research, or marketing services). |
Data Disclosure | Informs individuals whether their data will be shared with third parties and for what purposes. |
Consequences of Non-Disclosure | Explains the implications of not providing certain personal data (e.g., being unable to access certain services). |
Data Retention | States how long personal data will be retained and the criteria used to determine retention periods. |
Contact Information | Provides contact details for inquiries, complaints, or requests related to personal data handling. |
Table 2 Personal Information Collection Statement Structure
Both the PPS and PICS are essential tools for CMHHK to communicate its data protection practices, build trust with individuals, and comply with privacy regulations (e.g., PDPO). By being transparent and accountable in handling personal data, CMHHK can demonstrate its commitment to safeguarding privacy rights and maintaining ethical data practices.
# | Term | Definition |
1 | Personal Data | Information that relates to a living individual and can be used to identify that individual. It must also exist in a form in which access to or processing of the information is practicable. In the case of CMHHK, patient name and address are considered personal data. |
2 | Data Subject | An individual who is the subject of the personal data. In the case of CMHHK, a patient is a Data Subject because personal data are collected from each patient. |
3 | Data User | A person who, either alone or jointly with other persons, controls the collection, holding, processing or use of personal data. In the case of CMHHK, Chinese Medicine Practitioners (CMP’s) are Data Users who rely on patient personal data to make diagnostic decisions. |
4 | Data Processor | A person who processes personal data on behalf of another person (a Data User), instead of for his/her own purpose(s). Data Processors are not directly regulated under PDPO. Instead, Data Users are required, by contractual or other means, to ensure that their Data Processors meet the applicable requirements of PDPO. In the case of CMHHK, marketing materials would be sent to patients and possibly other Data Subjects through an email marketing platform in the cloud. The email marketing platform is therefore a Data Processor that receives, processes, and deletes the personal data passed to it. It is the responsibility of the Data User (in this example, CMHHK’s administration department) to ensure that the Data Processor is compliant with the procedures and guidelines presented in this document and other relevant CMHHK policies. |
Table 3 Data Processing Roles
The PPS informs individuals about how their personal data is collected, used, disclosed, and protected by CMHHK. This statement serves several key functions: transparency, informed consent, compliance, trust building, accountability, and information security.
The PPS promotes transparency by detailing CMHHK's practices and procedures regarding the handling of personal data. It helps individuals understand what data is being collected from them, how it will be used, and who it may be shared with.
By providing clear information about data collection and processing practices, the PPS enables individuals to make informed decisions and give explicit consent to CMHHK for the use of their personal data.
The PPS is often required by privacy laws and regulations (e.g., PDPO). By having a comprehensive PPS in place, CMHHK demonstrates its commitment to compliance with relevant data protection requirements.
The PPS can help build trust with patients, visitors, and other stakeholders. By demonstrating a commitment to protecting personal data and respecting privacy rights, CMHHK can enhance its reputation and credibility.
The PPS serves as a public commitment by CMHHK to handle personal data responsibly and ethically. It holds CMHHK accountable for its data protection practices and provides a mechanism for individuals to hold CMHHK accountable if those practices are not upheld.
The PPS includes details about the security measures in place to protect personal data from unauthorized access, disclosure, alteration, or loss. This helps reassure individuals that their data is being safeguarded.
Overall, the PPS plays a crucial role in establishing trust, promoting transparency, ensuring compliance with privacy regulations, and protecting the privacy rights of individuals whose personal data is collected and processed by CMHHK.
CMHHK collects personal data for lawful purposes and by lawful and fair means. The data that CMHHK collects in relation to a specified purpose shall be adequate but not excessive in respect of the purpose. On or before collecting personal data from an individual (a Data Subject), CMHHK will explicitly inform the Data Subject:
CMHHK collects personal data of individuals during its daily operations. Generally, these individuals fall into one of the following types:
CMHHK may also collect personal data of other individuals (e.g., immediate family members of staff members for the purpose of provision of health insurance). The handling of such personal data, unless specified otherwise in CMHHK’s communication with the individual, follows the terms of the PPS and PICS.
CMHHK may collect personal data directly from an individual when the individual interacts with CMHHK (e.g., visitors to CMHHK’s website, visitors requiring access to CMHHK’s car park).
CMHHK may also collect personal data indirectly from third parties (e.g., members of partner institutions which CMHHK collaborates with, such as staff members and students of the Hong Kong Baptist University).
The PICS elaborated in Section 3 states:
The personal data collected by CMHHK will be used or disclosed to third parties for the following purposes:
Where CMHHK collects personal data from an individual under the age of 18, CMHHK will request the individual to indicate that he/she has consulted his/her parents or such person(s) having parental responsibility for him/her on the contents of the PPS and PICS as well as understands the matters set out herein before providing his/her personal data to CMHHK.
Data is also collected from individuals visiting CMHHK’s website or using CMHHK’s existing and future online applications/apps.
Cookies are commonly used in applications, including web applications, to store IP address, login information, browser information, user preferences, session information, authentication tokens, user visits, and other data that helps enhance the user experience and functionality of the applications.
CMHHK will normally not use cookies on its website or applications. Such data helps CMHHK recognise visitors’ identities when they visit multiple pages in CMHHK’s website, thus avoiding the need to ask the users for the password on each page, and enables certain functions or services to be provided on the website. In the case of session cookies, they will expire once the visitors log out or close their browser.
Most browsers are initially set to accept cookies. Visitors may choose to set their browser to decline the cookies or inform them when the cookies are set (although this may prevent access to some portions of CMHHK’s website or application or certain functions or services available on the website or application).
Although CMHHK’s web servers, through cookies, can monitor which sites users have visited, which pages they have seen and which options they have chosen, the data gathered through the use of cookies will not be provided to any third party unless the relevant notice is given and the necessary consent is obtained.
CMHHK, as the Data User under PDPO, requires that all staff members who collect or process personal data comply with the relevant law, including the PDPO. CMHHK has established and will develop code(s) and guidance notes which all staff members are required to observe and comply with.
A unit which collects personal data directly from Data Subjects is a Personal Data Collecting Unit (PDCU) (e.g., the Human Resources Department that collects personal data of job applicants and staff members).
A Departmental Personal Data Privacy Manager (DPDPM) is appointed by each PDCU. The PDCU’s, DPDPM’s, the Chief Information Security Officer (CISO), and all staff members are responsible for overseeing the compliance with the law in the collection, use, disclosure, retention, security and accuracy of personal data, as well as processing data access requests and data correction requests. A list of the PDCU’s with their contact persons is available on the CMHHK website as well as in Section 4 of this document. A hard copy of the list is also available upon request.
A PDCU may share the personal data held by it with other PDCU’s for carrying out one or more purposes for which such personal data is collected, as permitted by the PICS or otherwise permitted under the law. These latter PDCU’s and their staff members receiving such personal data are also responsible for ensuring compliance with the law in relation to the personal data that they receive, use, process or retain.
Unless with the consent of the Data Subjects, CMHHK will not use the personal data for any purpose other than the purpose for which the data was originally collected. CMHHK will only use a Data Subject’s personal data for direct marketing purposes if he/she has consented to do so in accordance with PDPO. Any consent for use of personal data in direct marketing may be withdrawn (i.e., opted out) by the Data Subject at any time.
CMHHK will comply with the legal requirements under the Personal Data (Protection) Ordinance (PDPO) to the extent that certain such requirements apply to personal data collected, held or processed by CMHHK.
CMHHK generally has closed circuit television systems installed at its premises. Information collected is mainly used for security, management and other related purposes, or as stated in PICS.
If CMHHK engages outsourcing service providers (i.e., Data Processors whether within or outside Hong Kong) to assist in its handling of personal data, partners with any parties in activities that involve collection of personal data, or shares the personal data it collects with bodies related to CMHHK in its various identities (e.g., as an educational and research institution, charitable body, donee, general corporate entity, sponsor, participant, and partner), all these providers, processors, parties and bodies are required to adhere to specific standards to prevent any loss, unauthorised access, use, modification, disclosure or retention, either by contractual provisions or other means.
CMHHK takes all reasonably practicable steps to ensure that collected and retained personal data is accurate. Personal data will be retained in accordance with our prevailing policies and no longer than is necessary for the fulfilment of the purposes for which the personal data is collected or to which the Data Subject has given consent, except for the purposes of fulfilling legal obligations or with subsisting reasons. In some but limited circumstances, certain personal data may be retained indefinitely (e.g., regarding a Data Subject’s participation in some CMHHK activities which CMHHK sometimes records and preserves as part of CMHHK’s overall historical records and organisational archives). Each PDCU is required to maintain an inventory of the kinds of personal data that it collects, holds or processes, designate retention periods and support DPDPM in ensuring compliance with these requirements.
CMHHK takes all reasonably practicable steps and implements internal guidance to ensure that retained personal data is protected against unauthorised or accidental access, processing, erasure or other use.
DPDPM is responsible for overseeing the collection, retention and/or processing of personal data by his/her PDCU.
To secure the safe transmission of personal data over the internet, CMHHK implements appropriate measures (e.g., encryption and authentication mechanisms) where practicable to protect the security of data transmission and against unauthorised access. CMHHK’s systems are well protected with well-tested and advanced technologies against sophisticated cyber attacks.
The Internet is not a secure form of communication, and a Data Subject who sends any personal data to CMHHK over the internet implies the acceptance of the risks that such communication involves (e.g., the risk of access or interference by unauthorised third parties). Information passing over the internet may be transmitted internationally (even when the sender and recipient are located in the same country) via countries with weaker privacy and data protection laws than a Data Subject’s country of residence.
CMHHK will generally be able to provide upon request the following information in relation to personal data collected and processed by CMHHK:
Data Subjects have the right to request access to their personal data held by CMHHK through the Access Request Procedure described in the following table or other channels provisioned in other business agreements with CMHHK (e.g., patients have the right to access their personal data through CMHHK’s clinical staff or any assigned CMHHK members). If the Requestor is not the Data Subject of the requested data, sufficient reason must be given to justify the necessity of the access.
# | Access Request Procedure | By Whom | Description |
1 | To obtain the Request Form | Requestor | |
2 | To fill in the Request Form | Requestor | |
3 | To sign and date the Request Form | Requestor | |
4 | To prepare the payment | Requestor | |
5 | To submit the filled Request Form with the payment | Requestor | |
6 | To approve/reject the Access Request | CISO / DPDPM | |
Table 4 Process to Request Access of Personal Data
A Data Subject also has the right to request correction of his/her personal data that is inaccurate at no charge by writing to our CISO or the DPDPM of the relevant department or through other channels provisioned in other business agreements with CMHHK (e.g., patients have the right to get their personal data corrected through CMHHK’s clinical staff or any assigned CMHHK members). If the Requestor is not the Data Subject of the data requested to be corrected, sufficient reason must be given to justify the request not being originated from the Data Subject himself/herself.
# | Correction Request Procedure | By Whom | Description |
1 | To obtain the Request Form | Requestor | |
2 | To fill in the Request Form | Requestor | |
3 | To sign and date the Request Form | Requestor | |
4 | To submit the filled Request Form with the payment | Requestor | |
5 | To approve/reject the Access Request | CISO / DPDPM | |
Table 5 Process to Request Correction of Personal Data
Data Subjects whose personal data is subject to the requirements of PDPO may exercise their rights under the PDPO by contacting CMHHK’s CISO or the DPDPM of the relevant PDCU.
The PPS and PICS are subject to review and change from time to time. Please contact the CISO or visit CMHHK’s website for the latest PPS and PICS.
If there are any queries concerning this PPS, please contact CISO. All queries shall be in writing and sent to our CISO, c/o Information Technology Department, The Chinese Medicine Hospital of Hong Kong, 1 Pak Shing Kok Road, Tseung Kwan O, New Territories, Hong Kong (email ciso@hkbu.edu.hk).
From time to time, it is necessary for Data Subjects to supply CMHHK with personal data in connection with various activities in which CMHHK is involved. Failure to supply such data may result in CMHHK being unable to provide services, support, assistance, etc., to the Data Subjects.
Data is collected from Data Subjects in the ordinary course of and the continuation of CMHHK’s relationship with the Data Subjects, including (without limitation) through their own actions, third parties, the public domain, and the cookies and behavioural tracking tools of CMHHK’s mobile application and websites, and when Data Subjects interact with CMHHK in person (e.g. as visitors, guests or users of CMHHK’s facilities) or through other media (e.g. through the internet or by post).
The purpose of the PICS is to provide individuals with clear and concise information about how their personal data will be collected, used, and managed by CMHHK. The primary objectives of the PICS include: informed consent, transparency, compliance, data protection, accountability, and communication.
The PICS ensures that individuals are fully informed about the collection of their personal data before providing their personal data to CMHHK. By clearly outlining the purposes for which the personal data will be used and any potential disclosures to third parties, individuals can make informed decisions about sharing their personal data.
The PICS promotes transparency by detailing the types of personal data that will be collected, the methods of collection, and the reasons for collecting the data. This transparency helps build trust between individuals and CMHHK.
CMHHK is required by law to inform individuals about the collection of their personal data and obtain their consent before processing the personal data. The PICS helps CMHHK comply with data protection regulations and privacy laws by providing the necessary disclosures to individuals.
The PICS may include information about CMHHK's data protection practices (e.g., the security measures in place to safeguard personal data), data retention policies, and individuals' rights regarding their personal data. This helps reassure individuals that their personal data is being handled responsibly and securely.
By providing a clear and easily accessible PICS, CMHHK demonstrates its commitment to accountability and ethical data handling practices. The PICS serves as a public declaration of CMHHK's responsibilities regarding the collection and processing of personal data.
The PICS serves as a communication tool between CMHHK and individuals, ensuring that both parties have a shared understanding of how personal data will be used. It helps prevent misunderstandings and fosters a transparent relationship between CMHHK and the Data Subjects.
Overall, the PICS is essential for promoting informed consent, transparency, compliance with data protection laws, data security, accountability, and effective communication between CMHHK and individuals regarding the collection and processing of personal data.
This Section states the personal data that are relevant and commonly collected and retained across different kinds of Data Subjects.
Additional personal data, purposes, and disclosures of each kind of Data Subject will be covered in subsequent Sections. The six kinds of Data Subjects considered in this document are listed in the table below.
# | Kinds of Data Subjects |
1 | Job Applicants |
2 | Staff Members |
3 | Patients |
4 | Students |
5 | Donors |
6 | Participants in Studies and Research Projects |
Table 6 Kinds of Data Subject
When or before collecting personal data from a Data Subject, CMHHK will provide the Data Subject, or the party whom the Data Subject has authorised to provide personal data on his/her behalf, a copy of the PPS and PICS, either electronically, by way of a webpage link or in hard copy. The Data Subject must read both Sections before providing any personal data to CMHHK.
Upon reading the PICS, a Data Subject will be informed whether it is obligatory or voluntary for the Data Subject to provide the personal data when CMHHK seeks to collect such personal data. If provision is obligatory, the Data Subject will be informed of the consequences of not supplying such personal data.
If a Data Subject is under the age of 18, the Data Subject shall consult his/her parents or such person(s) having parental responsibility for the Data Subject on the contents of the PPS and PICS and ensure that he/she understands the contents before providing any personal data to CMHHK.
It is sometimes necessary for a PDCU in certain of its activities (recurring or otherwise) to collect and handle specific types of personal data for enabling and facilitating the activities. The PICS custom-made for these activities (Bespoke PICS) shall be read in conjunction with this PICS and unless any terms in the Bespoke PICS state otherwise (in which case, such terms shall prevail), the contents of this PICS apply to all Data Subjects in full.
Nothing in this PICS shall limit the rights of Data Subjects under PDPO.
Personal data collected by CMHHK for all kinds of Data Subjects are summarised in the following table.
# | Personal Data Type | Examples |
1 | Contact Information | |
2 | Personal Identifiers | |
3 | Demographic Information | |
4 | Third Party Provided Data | |
5 | Supplemental Information | |
6 | Information Specified in an Applicable Bespoke PICS | |
Table 7 Commonly Collected Personal Data
The purposes for which personal data relating to a Data Subject may be used vary depending on the nature of the Data Subject’s relationship with CMHHK. In general, the personal data a Data Subject provides to CMHHK will be used for the following purposes.
# | Purpose of Personal Data Collection |
1 | Provision of CMHHK services. |
2 | Administration, management, and record keeping. |
3 | Communication and delivery of information and invitations. |
4 | Research, quality assurance, surveys, review, statistical analysis, or teaching. |
5 | Direct marketing with Data Subjects’ consents. |
6 | Implementation and monitoring of policies and procedures compliance. |
7 | Management (including use, protection, and security) of CMHHK properties and facilities. |
8 | Protection of the personal safety and health of the CMHHK community. |
9 | Provision of referrals, references, or recommendations. |
10 | Handling of Data Subjects’ complaints or enquiries. |
11 | Other additional purposes stated in Section 3.4 Supplemental Privacy Information. |
12 | Other additional purposes set out in any applicable Bespoke PICS. |
Table 8 Purposes of Personal Data Collection
Direct marketing is defined as (a) the offering, or advertising of the availability, of goods, facilities or services, or (b) the solicitation of donations or contributions for charitable, cultural, philanthropic, recreational, political or other purposes, through direct marketing means.
Subject to the Data Subject’s consent through an opt-in mechanism, CMHHK may use the Data Subject’s personal data (such as name and contact details) to send direct marketing materials which are relevant to the Data Subject. Having said that, CMHHK is required by law to give the Data Subject the opportunity to not receive such communication. As such, a Data Subject will be given the opportunity to indicate his/her consent, or otherwise, to receive such communication through the opt-in mechanism referred to earlier.
Any staff member involved in sending the above communication on behalf of CMHHK should seek guidance from the relevant DPDPM if he/she is uncertain whether or not a communication constitutes direct marketing or sending of promotional materials.
When Data Subjects are not willing or unable to provide personal data that is deemed obligatory by CMHHK, there can be several consequences, both for the Data Subjects themselves and for CMHHK.
If the provision of personal data is necessary for CMHHK to provide a service or fulfill a contractual obligation, the Data Subject's refusal to provide the required data may result in CMHHK being unable to deliver the service or meet its obligations.
In some cases, CMHHK is legally required to collect certain personal data for compliance with regulations or laws. If Data Subjects refuse to provide this data, CMHHK may face legal repercussions or be unable to comply with legal requirements.
CMHHK has policies in place that require the collection of specific personal data for security, verification, or operational purposes. If Data Subjects do not provide this data, CMHHK may have grounds to terminate the services or relationship with the individual.
In scenarios where personal data is required for access to certain features or functionalities of a service or platform, Data Subjects who do not provide the necessary information may experience limitations in their user experience or access to certain services.
Personal data is often used to personalize services, content, or recommendations for users. If Data Subjects do not provide the required data, they may miss out on personalized experiences tailored to their preferences and needs.
CMHHK uses personal data to offer benefits, discounts, or opportunities to its customers or users. Data Subjects who do not provide the necessary information may not be able to access these benefits or opportunities.
Refusal to provide personal data that is deemed obligatory by CMHHK may impact the trust and relationship between the Data Subject and CMHHK. Data Subjects may feel that their privacy or autonomy is not being respected, leading to a breakdown in trust.
While the PDPO does not specify a specific retention period for healthcare data, it requires that personal data should not be kept longer than is necessary for the fulfilment of the purpose for which it was collected. Healthcare providers in Hong Kong, including CMHHK, are expected to establish data retention policies that align with legal requirements, industry standards, and best practices to ensure the appropriate handling and retention of patient data.
In connection with the above purposes, CMHHK may disclose or transfer personal data of Data Subjects to other parties, such as the following.
# | Party to Whom Personal Data May Be Disclosed |
1 | Any parties on a need-to-know basis. |
2 | Any party who owes a duty of confidentiality to CMHHK and is obliged to keep the personal data confidential. |
3 | Third parties engaged by CMHHK to provide services to CMHHK and/or the Data Subjects. |
4 | Regulators and authorities (including any adjudicative bodies, such as courts). |
5 | Third parties who have the right to access such data. |
6 | CMHHK’s professional advisors (such as lawyers, accountants, and auditors). |
7 | Other additional parties relevant to a Data Subject as stated in Section 3.4 Supplemental Privacy Information. |
8 | Other additional parties set out in any applicable Bespoke PICS. |
Table 9 Disclosure and Transfer of Personal Data
Data Subjects have the right to request access to personal data about the Data Subjects retained by CMHHK as well as to request correction of their personal data incorrectly kept by CMHHK. Section 2.8 Request to Access or Correct / Delete Personal Data provides the procedures of making such requests.
If there are any queries concerning this PICS, please contact the CISO. All queries shall be in writing and sent to our CISO, c/o Information Technology Department, The Chinese Medicine Hospital of Hong Kong, 1 Pak Shing Kok Road, Tseung Kwan O, New Territories, Hong Kong (email ciso@hkbu.edu.hk).
Additional Personal Data about Job Applicants
# | Additional Personal Data about Job Applicants |
1 | Proof of previous incomes |
2 | Educational background |
3 | Records of assessment and review |
4 | Professional body associations, qualifications, and work experience |
5 | Academic and job references |
6 | Other information provided in the job application |
7 | Visa requirement |
8 | Declaration of conflict of interest |
9 | Consent of reference check |
Table 10 Additional Personal Data about Job Applicants
Provision of the above personal data is obligatory, unless such items are indicated as optional. Failure to provide such data may result in CMHHK not considering the job application, processing any request regarding the job application, or providing any service generally.
# | Additional Purpose for Collecting Additional Personal Data about Job Applicants |
1 | To serve as a basis for assessing the job application. |
2 | To obtain references and recommendations relevant to the job application. |
3 | To manage the application account and process the job application. |
4 | To verify the job applicant’s identity, public examination results, qualifications and academic records, and work experience. |
5 | To ascertain any criminal record or adverse finding or ruling against the job applicant. |
6 | To facilitate communications for job application related matters. |
7 | To conduct statistical analysis, research, surveys, quality assurance, and review. |
8 | To process a work visa application or any immigration related permit, if applicable. |
Table 11 Additional Purposes about Collecting Job Applicant Data
If a job application is not successful, the associated personal data will be retained and thereafter erased according to the relevant CMHHK human resources management policies.
The Code of Practice on Human Resources Management published by the Privacy Commissioner for Personal Data specifies the following retention period for job applicant data.
▫ No longer than two years in respect of recruitment-related data held about a job applicant from the date of rejecting the applicant.
This retention period will also apply to electronic job applicant records.
# | Additional Third Party to Whom Additional Personal Data about Job Applicants May Be Disclosed or Transferred |
1 | Previous employers, academic institutions, and professional bodies. |
2 | Service providers engaged by CMHHK for conducting background checks and searches. |
3 | Third party institutions (whether or not affiliated with CMHHK) and their staff members, where a job application relates to a joint appointment with, or secondment to, such institutions. |
Table 12 Additional Disclosure and Transfer of Job Applicant Data
Additional Personal Data about Staff Members
# | Additional Personal Data about Staff Members |
1 | Age |
2 | Date of birth |
3 | Proof of address |
4 | Academic transcripts |
5 | Test results and testimonials |
6 | Marital status and family data |
7 | Contractual data |
8 | Bank account information |
9 | Employment details and records |
10 | Job-related medical and health related information |
11 | Information relating to criminal or civil proceedings involving the staff member as a party/witness |
Table 13 Additional Personal Data about Staff Members
Provision of the above personal data is obligatory, unless such items are indicated as optional. If a staff member does not or is unable to provide such data, CMHHK may not be able to implement some of the processes and administer the human resources functions or provide the staff member (or the staff member's dependents) with employee benefits.
# | Additional Purpose for Collecting Additional Personal Data about Staff Members |
1 | To provide access to and usage of CMHHK’s facilities (whether physical or electronic such as online applications and apps) and properties (e.g. staff car park). |
2 | To enable work planning. |
3 | To facilitate planning and administration of benefits. |
4 | To process remuneration, payroll and other payments due from CMHHK to staff members (e.g. reimbursement of expenses under medical/dental claims). |
5 | To prepare tax returns. |
6 | To facilitate performance appraisals. |
7 | To review appointments, promotions and granting of awards/fellowships. |
8 | To facilitate eligibility assessment and application for benefits. |
9 | To support certification and accreditation activities. |
10 | To organise training and development activities. |
11 | To monitor compliance with CMHHK’s policies. |
12 | To conduct investigations and forensic reviews. |
13 | To take disciplinary action. |
14 | To prepare management reports or employee announcements. |
15 | To provide references and certificate of services to potential employers, financial or educational institutions. |
16 | To comply with applicable laws, regulations and procedures. |
17 | To support other purposes permitted by the terms of employment. |
Table 14 Additional Purposes about Collecting Staff Member Data
In addition to the above, all other general employment-related purposes in manpower planning and management, and in the development and maintenance of the employment relationship, are included without limitation.
Staff member personal data will be retained and erased according to the relevant CMHHK human resources management policies.
The Code of Practice on Human Resources Management published by the Privacy Commissioner for Personal Data specifies the following retention period for staff data.
This retention period will also apply to electronic job applicant records.
# | Additional Third Party to Whom Additional Personal Data about Staff Members May Be Disclosed or Transferred |
1 | Financial institutions. |
2 | Academic institutions. |
3 | Insurers and their agents. |
4 | Medical and dental practices/consultants. |
5 | Fund administrators/managers of the Superannuation Fund or Mandatory Provident Fund Scheme(s). |
6 | Government departments and regulatory bodies. |
7 | Certification and accreditation bodies. |
8 | Prospective employers (provided that the staff member has consented) for the purpose of providing references. |
9 | Professional advisors (including lawyers, accountants and auditors). |
10 | Third-party institutions (whether or not affiliated with CMHHK) and their staff members, where the staff member’s employment relates to joint appointment with, or secondment to, such institutions. |
Table 15 Additional Disclosure and Transfer of Staff Member Data
Personal data is retained primarily by the Human Resources Department and may be disclosed or transferred to, and retained by, other PDCUs and the staff members supporting those PDCUs, for example, for publication in the internal staff directory. Where a staff member’s duties require collaborating parties or members of the public to be able to contact the staff member, CMHHK may also publish (e.g. on the CMHHK website) or provide the staff member’s name and work contact information to them.
Additional Personal Data about Patients
# | Additional Personal Data about Patients |
1 | Information provided by the patient or collected/prepared by CMHHK in the patient registration and check-in processes, and during the course of treatment |
2 | Age |
3 | Date of birth |
4 | Name and contact details (e.g., mobile phone number) of the caretaker and of the emergency contact. |
5 | Medical and health related information (e.g. medical history, hospitalisation record, prescriptions, laboratory test results, previous medical procedures / treatments / immunisation records) |
6 | Insurance information |
7 | Billing information |
8 | Other information about the patient provided to CMHHK by third parties with the patient’s consent (e.g., EHRSS records) |
9 | History of consultations received at CMHHK or through other channels. |
Table 16 Additional Personal Data about Patients
Provision of the above personal data is obligatory, unless otherwise indicated as voluntary in the data collection form/webpage/screen. Failure to provide such personal data may result in CMHHK not being able to provide the necessary medical treatment or assistance in general. The patient should ensure that the information provided is accurate and complete.
# | Additional Purpose for Collecting Additional Personal Data about Patients |
1 | To facilitate diagnosis and CMHHK’s provision of treatment to the patient. |
2 | To enable patient administration in general. |
3 | To support teaching, educational or statistical purposes. |
4 | To facilitate the conduct of medical related research and development. |
Table 17 Additional Purposes about Collecting Patient Data
Electronic records are increasingly serving as the primary means of maintaining patient information. Compared to paper records, they offer significant advantages in terms of space efficiency and preservation. Retaining digital patient data ensures continuity of care across a patient's lifetime, supporting long-term health monitoring and chronic disease management. It allows for valuable medical research and public health studies over extended periods while still meeting most legal and regulatory requirements.
This also empowers patients with access to their records throughout their lives, facilitates interoperability between healthcare providers, and maintains cost-effective and secure data storage. Additionally, it preserves sufficient medical history for educational purposes and training of healthcare professionals.
# | Additional Third Party to Whom Additional Personal Data about Patients May Be Disclosed or Transferred |
1 | Third-party service providers involved in conducting specific analyses for the patient’s treatment (such as laboratory or technical services). |
2 | Courier services which handle delivery of prescribed medicine. |
3 | Other healthcare providers for which the patient has consented to such disclosure or transfer. |
Table 18 Additional Disclosure and Transfer of Patient Data
Additional Personal Data about Students
# | Additional Personal Data about Students |
1 | Information provided by the student or collected by CMHHK during student’s onboarding process and such updated or additional information during the course or after completion of the working or practising relationship with CMHHK. |
2 | Study history (including exchange programme information) and records (such as programme details, years of study and awards). |
3 | Academic status. |
4 | Academic work, test results and testimonials. |
5 | Records of assessment and review. |
6 | Scholarships, awards and financial aid records. |
7 | Medical or health related information. |
8 | Other activity records (e.g. disciplinary and counselling records). |
9 | Nationality, racial or ethnic origin, religious or similar belief. |
10 | Information relating to criminal or civil proceedings involving the student as a party/witness. |
Table 19 Additional Personal Data about Students
Provision of the above personal data is obligatory, unless otherwise indicated as voluntary in the practice enrolment form. If the student does not or is unable to provide such data, CMHHK may not be able to enrol the student for practice in CMHHK. The student should ensure that the provided information is accurate and complete.
# | Additional Purpose for Collecting Additional Personal Data about Students |
1 | To provide access to and usage of CMHHK’s facilities (whether physical or electronic, such as online applications and apps) and properties (e.g. CMHHK car park). |
2 | To inform and register the student for events organised by CMHHK. |
3 | To enable academic and administrative communications. |
4 | To assess academic progress and attainment (e.g. completion or graduation requirements). |
5 | To consider needs for special educational support. |
6 | To report graduate employability. |
7 | To communicate to the student CMHHK news, activities, initiatives, publications, information, and other important notices. |
Table 20 Additional Purposes about Collecting Student Data
Personal data is retained primarily by the clinical units providing practice opportunities to students studying Chinese medicine.
Personal data may be disclosed or transferred to, and retained by, other PDCUs and the staff members supporting those PDCUs. Where a student’s studies require CMHHK’s collaborating parties or members of the public to be able to contact the student, CMHHK may also publish (e.g. on the CMHHK website) or provide the student’s name and student contact information to them.
# | Additional Third Parties to Whom Additional Personal Data about Students May Be Disclosed or Transferred |
1 | Academic institutions, professional bodies and the student’s prospective employers. |
2 | Government departments and regulators. |
Table 21 Additional Disclosure and Transfer of Student Data
Additional Personal Data about Donors
# | Additional Personal Data about Donors |
1 | Personal data provided by the donor in the donation form and the data collected during the donation process |
Table 22 Additional Personal Data about Donors
Provision of the above personal data is obligatory, unless otherwise indicated as voluntary in the donation form. If the donor does not or is unable to provide such data, CMHHK may not be able to process the donation or attribute the donation to the donor. The donor should ensure that the provided information is accurate and complete.
# | Additional Purpose for Collecting Additional Personal Data about Donors |
1 | To administer and process the donations (including any pre-acceptance clearance procedures). |
2 | To give due recognition to donations with proper acknowledgement and publicity. |
3 | To communicate to the donors CMHHK news, updates, initiatives, publications and invitations to CMHHK’s events and activities. |
4 | To facilitate data analysis and statistical report compilation. |
Table 23 Additional Purposes about Collecting Donor Data
Additional Third Parties to Whom Additional Personal Data about Donors May Be Disclosed or Transferred
# | Additional Third Party to Whom Additional Personal Data about Donors May Be Disclosed or Transferred |
1 | N/A |
Table 24 Additional Disclosure and Transfer of Donor Data
Additional Personal Data about Participants
# | Additional Personal Data about Participants |
1 | Name and contact details (including mobile phone number) of emergency contact. |
2 | Medical and health related information. |
3 | Information requested in the enrolment form or set out in the study materials provided to the participant. |
4 | Other information about the participant provided to CMHHK by third parties with the participant’s consent (e.g., existing healthcare providers). |
5 | Study data to be collected or generated about the participant in the course of conducting the study. |
Table 25 Additional Personal Data about Participants
Provision of the above personal data is obligatory, unless otherwise indicated as voluntary in the enrolment form or study materials. If the participant does not or is unable to provide such data, CMHHK may not be able to enrol the participant in the study. The participant should ensure that the provided information is accurate and complete.
# | Additional Purpose for Collecting Additional Personal Data about Participants |
1 | To conduct the study. |
2 | To provide treatment to the participant and/or other study subjects within the scope of the study. |
3 | To facilitate teaching, research or statistical analysis. |
4 | To develop and design future studies. |
5 | To maintain quality assurance and conduct satisfaction surveys in relation to the study and/or CMHHK generally. |
6 | To conduct internal or external audits in relation to the study. |
7 | To communicate with the participant in connection with the above purposes. |
Table 26 Additional Purposes about Collecting Participant Data
CMHHK will take all practicable steps to keep personal data confidential, in particular participants’ medical or health related information. CMHHK shall anonymise personal identity in any study data, teaching or research materials disclosed to any outside party (unless disclosure of personal identity is required for the purpose of the disclosure). The circumstances under which personal data may be disclosed to third parties will be set out in the study materials provided to the participants. Personal data may be disclosed to:
# | Additional Third Party to Whom Additional Personal Data about Participants May Be Disclosed or Transferred |
1 | A partnering institution, coordinating research organisation or lead investigator if the study is conducted in collaboration with the partnering institution or is part of a multi-site study. |
2 | Third-party service providers involved in conducting specific analyses for the study (such as laboratory or technical services). |
Table 27 Additional Disclosure and Transfer of Participant Data
Personal Data Collection Unit (PDCU) | Departmental Personal Data Privacy Manager (DPDPM) | Email Address | Phone Number |
Hospital Chief Executive Office | Professor BIAN Zhaoxiang | | 3411 2905 |
Chinese Medicine Division | Dr. CHEUNG Chun Hoi | | 3411 8069 |
Western Medicine Division | Dr. LAU Chun Wing | | 3411 5989 |
Nursing Division | Ms. Ellie CHON | | 3411 5566 |
Pharmacy | Mr. Jeffrey LEUNG | | 3411 7428 |
Finance Department | Mr. Leo LUI | | 3411 2777 |
Human Resources Department | Mr. Cleve WONG | | 3411 2393 |
Administration Department | Dr. CHEUNG Chun Hoi | | 3411 8069 |
Chief Information Security Officer (CISO) | Dr. Daniel CHAN | | 3411 2305 |
Table 28 Personal Data Collecting Units and Contacts
Access or Correction / Deletion of Personal Data Request Form |
Personal Information |
Full Name | |
Date of Birth | |
Address | |
Contact Number | |
Email Address | |
Identification Number | [HKID/Passport Number] |
Relationship to the Data Subject (if different from the Data Subject) | |
Request Details |
Please indicate the nature of your request by checking the appropriate box(es). |
☐ Access to Personal Data: I would like to request access to the personal data that you hold about me. |
☐ Correction of Personal Data: I would like to request correction of inaccurate or outdated personal data that you hold about me. |
☐ Deletion of Personal Data: I would like to request permanent deletion of personal data that you hold about me. |
Additional Information |
Please provide any additional details or specifications related to your request. |
Declaration |
I hereby declare that the information provided above is true and accurate to the best of my knowledge. I understand that any false information provided may result in the rejection of my request. |
Signature | Date |
Please submit this completed form to the Chief Information Security Officer (CISO) or the Departmental Personal Data Privacy Manager (DPDPM) of the relevant Personal Data Collecting Unit (PDCU). |
Table 29 Personal Data Access & Correction / Deletion Request Form