Hong Kong Center for Neurodegenerative Diseases Limited (the “Company”) respects the personal data privacy of all individuals and pledges to be in compliance with the requirements of the Personal Data (Privacy) Ordinance of Hong Kong (the “PDPO”) so that the privacy of your personal data is protected in accordance with the standard required by law. In doing so, we require all our staff and agents to comply with the PDPO in the same manner as the PDPO applies to the Company as a whole and adhere to the strictest standards of security and confidentiality.
STATEMENT OF PRACTICE
1. Kinds of personal data held
The following explains the types of records / personal data held by the Company.
(a) Records collected from the Company’s website, which include but not limited to records containing email addresses and personal details, preferences of web-users, location information (including Internet Protocol addresses);
(b) Personnel records are collected and kept for corresponding with staff, recruitment and human resource management purposes including but not limited to obtaining reference checks, maintaining employee records and assessing work performance, consideration for eligibility for staff benefits, training and development, emergency purposes, and organizing social and other activities and events; and
(c) Other records, which include but not limited to administration and operational files, records holding personal data provided to the Company from associates or affiliates of the Company, individuals participating in activities organized or run by the Company (including promotional, educational, or training activities), records of requests to access / correct personal data and enquiries from the public, research findings and related publications.
2. Main purposes of collecting and keeping personal data
Personal data will only be used for the purposes stated at the time the data is collected, which broadly speaking, covers administrative, research, and related activities that are consistent with the Company’s mission. However, specific purposes will vary depending on the nature of the personal data held.
Examples of specific purposes are explained further below.
Personal data held in:
(a) Records collected from the Company’s website are collected and kept for purposes including but not limited to handling employment applications submitted through the Company’s website, sending newsletters to subscribers registered through the Company’s website, responding to requests submitted through the Company’s website, facilitating website access and compiling statistics on website usage;
(b) Personnel records are collected and kept for corresponding with staff, recruitment and human resource management purposes including but not limited to obtaining reference checks, maintaining employee records and assessing work performance, consideration for eligibility for staff benefits, training and development, and for emergency purposes, and organizing social and other activities and events; and
(c) Other records are collected and kept for purposes which vary according to the nature of the record, including purposes such as facilitating administration or office functions, organizing and delivering activities, compiling, summarizing, aggregating and/or de-personalizing personal data in connection with research or statistical/analytical activities carried on by the Company in furtherance of the Company’s mission, conducting direct marketing activities (such as communicating information to individuals about the Company’s news and events) in connection with furthering the Company’s mission, facilitating publication of research or other publications relating to the Company.
3. Collection of personal data
(a) General: When the Company collects personal data from individuals, the Company will provide them with a Personal Information Collection Statement (“PICS”) on or before the collection in an appropriate format and manner in compliance with the PDPO.
(b) Personal data of minors: The PDPO does not impose any additional obligation on data users to seek the express consent of the minor (or his / her parent / guardian) on top of having to disclose the requisite information just because the data subject is a minor. Notwithstanding this, data users are generally not advised to collect personal data from minors (particularly those who are incapable of making an informed decision) without prior consent from a person with parental responsibility of the minor.
There are situations where the Company may need to collect personal data of minors, but it may not be practicable to obtain the consent of the parent because, for example:
(i) the occasion is not one where parents may accompany the minor;
(ii) filling in an online application through the internet which the minor may be able to complete on his / her own, etc.
Under the circumstances, the Company will ask for an indication that the minor has consulted his / her parents before providing the personal data.
(c) Personal data from the Company’s website: In order to provide web-users with a smooth browsing experience, we may need to use technical means (such as cookies) to collect information from web-users when they visit the Company’s website. If you are given the option whether or not to accept cookies and you do not accept, you may not be able to access the full content of our website.
(d) Direct marketing: Where it is intended that the personal data collected will be used for direct marketing purposes, the Company will provide the individual with all the necessary information required to be given by law such as information about the direct marketing means and the classes of marketing subjects before making the collection. The Company will not use an individual’s personal data in direct marketing unless it has obtained the consent of the individual concerned and such consent has not been withdrawn.
4. Duration of retention of personal data
The Company will only hold personal data for as long as it is necessary to fulfill the purpose or a directly related purpose for which they are collected.
5. Disclosure of personal data
The Company will take all practicable steps to keep the personal data you have provided confidential. However, the Company may need to disclose, transfer or assign personal data collected by it to such outside third-parties to facilitate the purpose for which the personal data was collected. In general, the parties to which we may disclose, transfer or assign personal data include medical practitioners providing medical services to the Company’s staff, if applicable, any agent, contractor or third-party service provider engaged by the Company to provide services to or on behalf of the Company (e.g. bankers, insurance providers and payroll service providers) and any person to whom the Company is under an obligation to make disclosure under any requirements of any law or for the purposes of any guidelines or codes of practice with which the Company is expected to comply. We may also disclose, transfer or assign personal data internally within the Company (on a need-to-know basis) to facilitate the purpose for which the personal data was collected or a directly related purpose. The personal data may be disclosed, transferred or assigned within or outside Hong Kong. In case it is to a place outside Hong Kong, while the Company will take appropriate steps to protect the privacy of the personal data, it should be noted that such place may not have in place data protection laws which are substantially similar to, or serve the same purposes as, the PDPO so personal data located outside Hong Kong may not be protected to the same or similar level as in Hong Kong.
6. Security of personal data
The Company will take appropriate steps to protect the personal data held by it against unauthorized or accidental access use, loss, processing, erasure, transmission, modification or disclosure. When the Company needs to disclose, transfer or assign personal data to outside third-parties, the Company will take appropriate steps to protect the privacy of the personal data to be disclosed, transferred or assigned (for example, requiring our service providers to keep confidential any personal data with which it comes into contact).
7. Personal data access and correction
Individuals have the right to request access to and to correct their personal data held by the Company.
Personal data may be made available to concerned individuals via different means, including (a) authenticated on-line enquiries and/or (b) completion of prescribed forms provided by concerned offices and sending the completed form by email to firstname.lastname@example.org.
Similarly, requests to correct personal data held by the Company may be made via on-line functions where available and/or by submitting such requests by email to email@example.com, using prescribed forms provided by concerned offices.
In accordance with the Personal Data (Privacy) Ordinance, data access requests will normally be addressed within a 40-day period. A fee reflecting the cost of processing the data request may be levied.
This statement was last updated on 17 November 2022.