資料隱私與保障

1. Purpose

According to the “Recommended Procedures for IT Practitioners on Personal Data Handling”^[1], information users should not release information that contains confidential information to any IT contractors or third-party users unless it is absolutely necessary for them to complete the task.  Under this situation, non-disclosure agreement should be used to govern the responsibility of the contractors or third-party users in maintaining the privacy of information and to protect the reputation and legal position of the University.

^[1] The procedures are jointly published by Office of the Privacy Commissioner for Personal Data, ISACA Hong Kong Chapter, Internet Professional Association and The Hong Kong Institution of Engineers.

2. Definitions

The abbreviations and terms used in this document shall have the following meaning:

• “Information” means but is not limited to information and data whether concerning personal data, commercial, financial, technical or any other matter.
• “Information user” ^[1] means a person who, either alone or jointly or in common with other persons, controls the collection, holding, processing or use of the information.
• “Confidential Information” means all information which is not marked as “non-confidential” or “non-proprietary” relating to the teaching, research, development or business activities of The Chinese University of Hong Kong. It is hereby expressly declared that all personal data of staff, students, professors, officers and all other members of The Chinese University of Hong Kong shall be Confidential Information.
• “personal data” ^[2] means any data
  1. relating directly or indirectly to a living individual;
  2. from which it is practicable for the identity of the individual to be directly or indirectly ascertained; and
  3. in a form in which access to or processing of the data is practicable

^[1] The definition is sated based on the definition of “data user” in Personal Data (Privacy) Ordinance:  https://www.pcpd.org.hk/english/data_privacy_law/ordinance_at_a_Glance/ordinance.html
^[2] Definition is quoted from Personal Data (Privacy) Ordinance:  https://www.pcpd.org.hk/english/data_privacy_law/ordinance_at_a_Glance/ordinance.html

3. Implementation Guidance

Non-disclosure agreements should address the requirement to protect confidential information using legally enforceable terms.  These agreements should comply with all applicable laws and regulations for the jurisdiction to which they apply.  To identify requirements for non-disclosure agreements, the following elements should be considered:

1. a definition of the information to be protected (e.g. confidential information);
2. expected duration of an agreement, including cases where confidentiality might need to be maintained indefinitely;
3. required actions when an agreement is terminated;
4. responsibilities and actions of signatories to avoid unauthorized information disclosure (such as ‘need to know’);
5. ownership of information, trade secrets and intellectual property, and how these relate to the protection of confidential information;
6. the permitted use of confidential information, and rights of the signatory to use information;
7. the right to audit and monitor activities that involve confidential information;
8. process for notification and reporting of unauthorized disclosure or confidential information breaches;
9. terms for information to be returned or destroyed at agreement cessation; and
10. expected actions to be taken in case of a breach of this agreement.

Based on your security requirements, other elements may be needed in a non-disclosure agreement.  Two samples of non-disclosure agreement are attached for your reference.  You may need to modify the samples or design your own non-disclosure agreements for different circumstances.

When you prepare the non-disclosure agreement, please note that if the receiving party is an individual, you should check his/her HKID to verify the HKID number as written on the agreement.  If the receiving party is a company, you are advised to:

• Request for a director of the company to sign the agreement.
• Keep a copy of the Annual Return of the company, the Register of Directors and its Certificate of Incorporation.
• Check the Annual Return of the company to ensure that the agreement is signed by a director
• If the agreement is not signed by a director of the company but by another authorized representative, you should try your best to verify the identity and authority of that representative such as requesting the company to provide the minutes to prove the authorization

Last but not least, you should familiarize yourself with the “Data Protection Principles” and the “Recommended Procedures for IT Practitioners on Personal Data Handling” in order to know how to deal with personal data and to ensure compliance with the law and regulations in Hong Kong.

4. Samples

Departments can download the NDA samples for reference.

5. Reference

This document is written by referring to ISO17799:2005 (06.01.5 Confidentiality agreements and 07.2.1 Classification guidelines).  In addition, the following documents are also used as references:

• Personal Data (Privacy) Ordinance: https://www.pcpd.org.hk/english/data_privacy_law/ordinance_at_a_Glance/ordinance.html
• Data Protection Principles: https://www.pcpd.org.hk/english/data_privacy_law/6_data_protection_principles/principles.html
• Recommended Procedures for IT Practitioners on Personal Data Handling: http://www.pcpd.org.hk/english/publications/files/isec.pdf
• Personal Data Controlling Committee: http://www.cuhk.edu.hk/policy/pdo/

6. Enquiry

For any enquiries, please email to infosec@cuhk.edu.hk .

Published on:  Feb 2009