The following guidelines remind staff members, particularly those who handle personal data in the course of their duties, of the data privacy requirements they must observe in electronic communications and when storing personal data on portable storage devices, personally-owned computers and public clouds.
Staff members are also referred to “The University of Hong Kong Statement of Ethics on Information Technology (IT) Use” for the guiding principles on using the University's IT services and facilities in a responsible manner.
Understanding the risk
The University handles a large amount of personal data (such as student/staff personal information and research subject data) in its operations. As a publicly funded institution, it is particularly important that all such personal and confidential data are properly handled by every staff member of the University. Any unauthorized disclosure or leakage of such data is against the interests of both the University and the public.
- Transmission of personal data by electronic means can be unsafe if the transmitted data are not properly encrypted, or if the sender's or recipient's computer is infected with malware. It is also easy to send data to unintended recipients by mistake.
- Devices such as USB drives, mobile phones and tablets are risky places to store personal data, as they are small and easily lost or stolen.
- Storing personal data on a personally-owned PC may also be unsafe, because such a PC is more likely to be infected with malicious software or exposed to other risks, such as theft.
- Installing file-sharing software on PCs and storing personal data on public clouds also carry the risk of unintentional leakage of personal data.
- Office PCs, particularly those with data connections to public clouds, that are left running overnight or for prolonged periods without anyone attending them face a much higher risk of intrusion, because automated attacks from the Internet are continuous. Allowing remote desktop access to unattended office PCs on a regular basis, and/or during holidays and leave periods, is riskier still: attackers can gain full control of such PCs through continuous login attempts using computer-generated credentials (password guessing).
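The password-guessing risk described above is visible in a host's logon records as a burst of failures from one Internet source, sometimes followed by a success. The following Python script is an added example (not part of these guidelines or of any University system) of the detection logic an administrator could run over such records; the log line format, the field names and the sample lines are constructed for the example, and the threshold and time window are assumptions to be tuned locally.

```python
"""Detect password guessing against a remote-desktop service from logon
events.  Added example; the log format, field names and thresholds are
assumptions, not taken from any University system."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real data): a burst of failed logons
# from one Internet source followed by a success, plus a normal office logon.
SAMPLE_LOG = """\
2024-03-11 02:14:05 LOGON_FAILURE user=admin src=203.0.113.7 service=rdp
2024-03-11 02:14:06 LOGON_FAILURE user=administrator src=203.0.113.7 service=rdp
2024-03-11 02:14:07 LOGON_FAILURE user=hkuser src=203.0.113.7 service=rdp
2024-03-11 02:14:09 LOGON_FAILURE user=admin src=203.0.113.7 service=rdp
2024-03-11 02:14:11 LOGON_FAILURE user=admin src=203.0.113.7 service=rdp
2024-03-11 02:14:14 LOGON_FAILURE user=admin src=203.0.113.7 service=rdp
2024-03-11 02:14:20 LOGON_SUCCESS user=admin src=203.0.113.7 service=rdp
2024-03-11 09:01:33 LOGON_FAILURE user=chan src=10.20.30.40 service=rdp
2024-03-11 09:01:50 LOGON_SUCCESS user=chan src=10.20.30.40 service=rdp
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<event>LOGON_FAILURE|LOGON_SUCCESS) user=(?P<user>\S+) "
    r"src=(?P<src>\S+) service=(?P<service>\S+)$"
)


def parse_events(text):
    """Parse log lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%d %H:%M:%S")
            events.append(d)
    return events


def detect_guessing(events, threshold=5, window=timedelta(minutes=5)):
    """Return one alert per source that produced >= threshold failures
    inside any sliding window of the given length.  Each alert also reports
    how many distinct usernames were tried (spraying) and whether a success
    followed the failures (account likely compromised)."""
    failures = defaultdict(list)
    successes = defaultdict(list)
    for ev in sorted(events, key=lambda x: x["ts"]):
        bucket = failures if ev["event"] == "LOGON_FAILURE" else successes
        bucket[ev["src"]].append(ev)

    alerts = []
    for src, fails in failures.items():
        times = [f["ts"] for f in fails]          # already in time order
        peak, start = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak < threshold:
            continue
        last_fail = times[-1]
        compromised = any(s["ts"] > last_fail for s in successes.get(src, []))
        alerts.append({
            "src": src,
            "failures_in_window": peak,
            "distinct_users": len({f["user"] for f in fails}),
            "success_after_failures": compromised,
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_guessing(parse_events(SAMPLE_LOG)):
        print(alert)
```

On the constructed sample the script reports the single Internet source with six failures in nine seconds across three usernames, followed by a successful logon; the office user's single failed attempt is below the threshold and is not reported. The "success after failures" flag is the one that warrants immediate incident reporting under the section on security incidents below.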
- Avoid, as far as possible, sending personal data by electronic means (e.g. email, instant-messaging apps, fax, file sharing). If, for operational reasons, it is indeed necessary to do so, ensure that the intended information or attachment is sent to the correct recipient address(es). Do not send personal data to unintended recipients. Alert the intended recipients that personal data are being sent, and advise them on the care required and the permitted scope of use.
- If an email is addressed to a group of recipients who may not know each other, the sender must set up an address group or put the addresses in the blind copy (“bcc”) list, since names and email addresses are themselves personal data and the recipients' names/email addresses must be protected. The same principle should be followed when instant-messaging a group of recipients. Where a blind copy distribution feature is not supported, the consent of the group members to let others in the group know their names/messaging addresses should first be sought.
- Wherever possible, protect personal data sent by electronic means by encrypting them with a password, and communicate the password through a separate channel rather than in the same message.
- Protect your computers and mobile devices against malware, which can spread or exfiltrate files without your knowledge.
- Computer and web-service accounts must be well protected with strong passwords to prevent break-ins.
- Delete personal data when they are no longer needed. For instance, regularly review the files, emails and mobile-app messages stored on your computers and mobile devices, and remove all those containing personal data that are no longer needed.
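The bcc requirement above is easy to state and easy to forget. The following Python script, using only the standard library, is an added example (not part of these guidelines) of building a group mailing so that recipients cannot see each other's addresses, beside the common mistake of listing everyone in To:, together with a pre-send check that flags the mistake. The addresses, the exposure threshold and the function names are assumptions made for the example.

```python
"""Group mailing with Bcc, the naive To:-everyone alternative, and a
pre-send check that flags exposed recipient addresses.  Added example;
addresses, threshold and function names are assumptions."""
from email.message import EmailMessage
from email.utils import getaddresses


def build_group_message(sender, recipients, subject, body):
    """Correct form: the sender's own address is the only visible To:, and
    every real recipient goes in Bcc:, which the mail server strips on
    delivery so no recipient learns who else received the message."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = sender                      # visible placeholder only
    msg["Bcc"] = ", ".join(recipients)      # removed on delivery
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def build_naive_message(sender, recipients, subject, body):
    """The common mistake: every recipient in To:, so each of them sees
    the full list of names/addresses."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = ", ".join(recipients)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def visible_recipients(msg):
    """Addresses every recipient will be able to see (To: and Cc:)."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    return [addr for _, addr in getaddresses(headers) if addr]


def check_recipient_exposure(msg, max_visible=1):
    """Pre-send check.  Returns a list of problems; an empty list means the
    message may be sent.  Flags more than max_visible addresses (other than
    the sender's own) exposed in To:/Cc:, and a Bcc-only message with no
    To: header, which some mail filters reject."""
    problems = []
    sender = str(msg["From"] or "")
    exposed = [a for a in visible_recipients(msg) if a != sender]
    if len(exposed) > max_visible:
        problems.append(
            f"{len(exposed)} recipient addresses are visible to each other; "
            "use Bcc or an address group")
    if msg["Bcc"] and not msg["To"]:
        problems.append("Bcc-only message has no To: header")
    return problems


if __name__ == "__main__":
    # Constructed addresses; not real mailboxes.
    group = ["a@example.edu", "b@example.edu", "c@example.edu"]
    good = build_group_message("office@example.edu", group, "Notice", "Hello")
    bad = build_naive_message("office@example.edu", group, "Notice", "Hello")
    print("group message:", check_recipient_exposure(good) or "OK")
    print("naive message:", check_recipient_exposure(bad))
```

When the message is handed to `smtplib.SMTP.send_message`, the standard library removes the Bcc header itself before transmission and uses the Bcc addresses only as envelope recipients; the check should run before that point, since afterwards the Bcc list is no longer on the message.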
Accessing personal data in a database of University IT systems
- All access to personal data in a database should be properly authorized by the Head of Department/Unit, the Principal/Chief Investigator (for research related activities), or other appropriate authorities.
- All data extraction/copy/backup from a database that contains personal data should also be properly authorized by the data owner or custodian authority.
Using portable storage devices ("PSD")
PSD should, as far as possible, not be used for the storage of personal data. If, for operational reasons, the use of a PSD to store personal data is necessary and there is no practicable alternative, then
- the PSD must be encrypted and password-protected;
- prior permission from the Head of Department/Unit, the Principal/Chief Investigator (for research related activities), or other appropriate authorities must be sought for the storing of personal data in the PSD; and
- the data kept in the PSD must be deleted immediately when it is no longer needed.
Data Leakage Prevention ("DLP") in the use of PSD
To protect against potential leakage of personal data kept on USB PSD (in most cases USB flash drives), staff members of the University are required to observe the following mandatory requirements –
- All staff PCs owned by the University for use by staff members must have the DLP software adopted by the University installed, and the USB PSDs used with them must be initialized using the DLP software so that the data are encrypted and password-protected; and
- For staff PCs on which the DLP software cannot be installed, the DLP-encrypted USB flash drives administered by departments/offices/work units must be used whenever data need to be exported from such PCs.
Detailed information on the background and scope of the DLP project, installation and usage procedures of the DLP software, training presentations and the user compliance declaration scheme are set out in the DLP project website of ITS that is accessible through HKU Portal and its search function with the keyword “DLP”.
The use of other mobile and portable audio-visual devices, such as smartphones, portable music players and cameras, for storing and accessing personal data should be avoided: they are not designed for storing personal data and generally do not provide the encryption required to protect against data leakage or loss.
Accessing and storing personal data on public clouds
- Cloud computing raises personal data privacy concerns arising from the characteristics of its business model, as discussed in the information leaflet of the Office of the Privacy Commissioner for Personal Data on this subject. Compliance with the Data Protection Principles (“DPPs”) and Section 65(2) of the Personal Data (Privacy) Ordinance (the “Ordinance”) should therefore be assured with the cloud service provider before it is engaged for accessing or storing personal data. Personal data should, as far as practicable, not be stored or shared on public clouds such as Dropbox, iCloud and OneDrive, or on Internet sites such as Facebook, Google Apps for Education and Blogger (commonly referred to as “Web 2.0 services”), unless special agreements addressing compliance with the requirements of the Ordinance can be established with the service providers.
- If personal data must be stored or shared on public clouds for operational reasons, proper authorization must be sought from the Head of Department/Unit, the Principal/Chief Investigator (for research related activities), or other appropriate authorities.
- Personal data stored in the public clouds, if at all possible, must not include items such as names, University numbers, ID card numbers and telephone numbers unless such data are absolutely necessary for operational reasons and there are no practicable alternatives. Do not store personal records and/or data fields which are not necessary.
- Personal data stored on public clouds should be encrypted with a password that is not stored alongside the data or with the cloud account, to reduce the risk of unauthorized or accidental access, processing, erasure, loss or use of the stored personal data.
- Risk assessment should be carried out to assess the potential risks if the use of public clouds involves handling of personal data. Reference can be made to the Guidelines for Using External Web 2.0 Services for University Purposes.
Exporting personal data from the computers and IT systems should be avoided as far as possible. If the exportation of such data is required for operational reasons, then
- proper authorization must be sought from the Head of Department/Unit, the Principal/Chief Investigator (for research related activities), or other appropriate authorities;
- do not export any personal records and/or data fields which are not necessary, and the personal data to be exported should, if at all possible, not include items such as names, University numbers, ID card numbers and telephone numbers unless such data are absolutely necessary for operational reasons and there are no practicable alternatives;
- the exported personal data must be stored on the University’s standard DLP encrypted USB PSD, such as USB flash drives, and be properly labeled as containing confidential information;
- all PSD which contain personal data must be securely locked in the office when not in use, and should never be left unattended;
- use of any PSD which contain personal data outside the office (e.g. at home) should be avoided as far as possible. In the event that such an arrangement is absolutely necessary for operational reasons, the University’s standard DLP encrypted USB PSD must be used and the special prior permission from the Head of Department/Unit, the Principal/Chief Investigator (for research related activities), or other appropriate authorities must be sought.
Using personally-owned computers
- In addition to the aforementioned principles for storing personal data by means of PSD and public clouds, staff members of the University are also strongly advised not to store any personal data on their own computers. If it is absolutely necessary to do so for operational reasons, make sure that
- the computers are protected by appropriate security software with the latest updates, and with all protection mechanisms turned on;
- no peer-to-peer (P2P) file-sharing software, such as BitTorrent, Foxy, etc., is installed on the computers, as such software can lead to serious information security breaches, including unknown external parties on the Internet using the computers to distribute copyrighted software or materials, or implanting viruses, Trojan horses and spyware that give attackers full control of the computers for data theft and further cyber-attacks; and
- the data are deleted from the computers as soon as they are no longer required.
Any security incident or data leakage/loss must be reported immediately to the Head of Department/Unit or the Principal/Chief Investigator (for research related activities), as appropriate. If the incident has a major impact on the University community or the general public, the Head of Department/Unit or Principal/Chief Investigator should in turn report to the Registrar or the University Data Protection Officer as soon as possible, with full details of the incident (type of data involved, number of people affected, risk assessment, when and where it occurred, and what remedial/follow-up actions have been taken).
Further information and assistance
- Guidelines for Using External Web 2.0 Services for University Purposes
- Healthy and Environmental Friendly PC
- InfoSec Website – Protect Mobile Devices
- The University of Hong Kong Statement of Ethics on Information Technology (IT) Use
- Recommended Procedures for IT Practitioners on Personal Data Handling
- Data Protection Principles
- Guidance on the Use of Portable Storage Devices
The following documents are hereby superseded:
- Guidelines on storing and accessing personal data on portable storage devices and personally owned computers (document 11/608)
- Guidelines on electronic communication (document 265/808)
Information Technology Services