Protection of Personal Data (Privacy)


The Chinese University of Hong Kong as a data user and a responsible public institution undertakes to comply with the requirements of the data protection principles set out in the Personal Data (Privacy) Ordinance (the Ordinance), and to ensure that personal data kept are accurate, securely kept and used only for the purpose for which they have been collected. All students are required to comply with all relevant provisions of the Ordinance and observe the following six Data Protection Principles under the Ordinance in the collection, use, disclosure and retention of personal data:


Principle 1 - Purpose and Manner of Collection

This provides for the lawful and fair collection of personal data and sets out the information a data user must give to a data subject when collecting personal data from that subject.


Principle 2 - Accuracy and Duration of Retention

This provides that personal data should be accurate, up-to-date and kept no longer than necessary.


Principle 3 - Use of Personal Data

This provides that unless the data subject gives consent otherwise personal data should be used for the purposes for which they were collected or a directly related purpose.


Principle 4 - Security of Personal Data

This requires appropriate security measures to be applied to personal data (including data in a form in which access to or processing of the data is not practicable).


Principle 5 - Information to be Generally Available

This provides for openness by data users about the kinds of personal data they hold and the main purposes for which personal data are used.


Principle 6 - Access to Personal Data

This provides for data subjects to have rights of access to and correction of their personal data.


For details of the Ordinance and its provisions please refer to the website of the Office of the Privacy Commissioner for Personal Data, Hong Kong at


Students are also requested to observe the “Information Security Best Practices”, especially the “Guidelines for Securely Managing Mobile / Removable Devices” listed in the website of the Information Technology Services Centre (ITSC):


It is important that any incident or suspected incident of violation of the personal data (privacy) laws such as the loss of devices which carry identifiable personal or sensitive data, is reported to the University as soon as possible so that remedial actions can be taken to prevent or minimize the damages caused to the data subjects, the University and all other parties concerned.  Please refer to the “Information Security Incident Report Policy” under “Information Security Policies” posted in the above ITSC website.


For further information, please visit the University’s website at