Guidelines on Handling Sensitive Personal Data (Draft)

Revised: 3 Jan 2018 by ITSC

Personal data privacy is a University-wide matter and it is necessary for all staff members of the University who handle personal data to observe the relevant rules and regulations and to take the necessary precaution and steps to ensure the privacy of personal data.

Personal Data (Privacy) Ordinance

Data Protection Principles DPP 4(1) as set out in Schedule 1 to the Ordinance, which provides that:

“All practicable steps shall be taken to ensure that personal data (including data in a form in which access to or processing of the data is not practicable) held by a data user are protected against unauthorized or accidental access, processing, erasure, loss or use having particular regard to –
(a) the kind of data and the harm that could result if any of those things should occur;
(b) the physical location where the data is stored;
(c) any security measures incorporated (whether by automated means or otherwise) into any equipment in which the data is stored;
(d) any measures taken for ensuring the integrity, prudence and competence of persons having access to the data; and
(e) any measures taken for ensuring the secure transmission of the data.”

Personal Data Privacy Ordinance

HKUST Data Privacy Policy

https://dataprivacy.ust.hk/

Guidelines on Handling Sensitve Personal Data

  • Use only “necessary” personal data in all activities.
    • When conducting all activities, department/office/unit should only make available the personal data for access or use on a “need-to-know” and “need-to-use” basis so as to minimise the risk of data breach, especially when portable storage devices such as notebook computers are involved.
    • Department/office/unit should adopt the principle of least-privileged rights, by which only staffs authorised to handle identity verification would be able to retrieve or access relevant personal data.
  • Strictly review, approve and monitor the download and copying of systems containing personal data.
    • Department/office/unit should strictly evaluate the necessity of downloading and copying systems containing personal data and set approval procedures and standards.
    • Department/office/unit should monitor if any system containing personal data has been downloaded or copied without authorisation. Such systems and the related servers should record all activity logs. Whenever a system user accesses, uses, downloads, edits and/or deletes the data, department/office/unit should be able to trace the logs.
    • Department/office/unit should install monitoring and alarm mechanisms in all the systems containing personal data and the related servers, so that whenever there is any irregularity (e.g. download or deletion of huge personal data), timely reporting of the case, as well as tracing and reviews can be done.
  • Adopt effective technical security measures when storing personal data.
    • As storing personal data in notebook computers or portable storage devices will pose high risk to information security, personal data should not be stored in notebook computers or portable storage devices unless absolutely necessary.
    • If it is necessary to store personal data in notebook computers or other portable storage devices, department/office/unit should adopt effective technical security measures according to the quantity and sensitivity of the data, e.g. two-factor authentication in data access, automatic system lock or automatic data wipe upon several times of unsuccessful login, installation of location tracking software, etc.
    • Department/office/unit should adopt technology of reasonable standard to encrypt all sensitive (off-line) personal data.
    • Department/office/unit should effectively disseminate the personal data policies or guidelines to all staffs to ensure that they know and understand the policies and requirements.
  • Conduct Privacy Impact Assessment.
    • Before commencement of any new task or project involving the creation, collection, use or storage of voluminous data, sensitive one in particular, is involved, department/office/unit should carry out a privacy impact assessment. Department/office/unit should adopt adequate security measures to address the privacy risks arising from the project. The assessment procedures and steps should be clearly recorded and filed.