Statement on HA's Data Protection Policy and Practice

Policy

It is the policy of the Hospital Authority (and the hospitals and institutions under its management) that it will:
  1. collect adequate but not excessive Personal Data relating to living individuals by lawful and fair means for lawful purposes.
  2. take all reasonably practicable steps to ensure that the Personal Data collected or retained is accurate for the purpose for which it is to be used.
  3. take all reasonably practicable steps to erase Personal Data which is no longer necessary for the purposes for which it is to be used.
  4. not use the Personal Data collected for any purpose other than the purposes, or directly related purposes, for which the data was to be used at the time of collection, unless there is consent from the individual concerned or the use is otherwise permitted by law.
  5. take such reasonably practicable steps to ensure that the Personal Data collected will be protected against unauthorised or accidental access, processing, erasure, loss or use.
  6. take such reasonably practicable steps to ensure that a person can be informed of the kinds of Personal Data that the Hospital Authority holds and the purposes for which the data is to be used.
  7. permit persons to access and correct Personal Data of which they are the Data Subject, and process any such access/correction requests in such manner as is permitted or required by law.
  8. comply with the applicable duties and obligations under the Personal Data (Privacy) Ordinance.

Practice

To ensure compliance with the Ordinance, the Hospital Authority has set up a Data Protection Unit in the Hospital Authority Head Office. For access/correction of Personal Data that may be in the possession, custody or control of the Hospital Authority Head Office, approach can be made to this Unit.

Since the Hospital Authority manages a large number of public hospitals, it is impracticable for this Data Protection Unit to co-ordinate or obtain replies from all hospitals. As such, a Data Controller has been appointed for each hospital. For access/correction of Personal Data that may be in the possession, custody or control of a particular hospital, approach can be made to the Data Controller at the relevant hospital.

The Data Access Request form and the scale of fees payable are available from the Data Protection Unit at the Hospital Authority Head Office or from the Data Controller at the relevant hospital, where appropriate.

Kind of Personal Data Held

In the HA, the three broad categories of Personal Data held are:
  1. Personnel records, which include personal details, job particulars, details of wages, payments, benefits, training, qualifications, disciplinary matters, performance assessment etc.
  2. Other records, which include the award of contracts, scholarships (if operated for non-employees of the Hospital Authority), appointments to the Hospital Authority Board and Hospital Governing Committees of hospitals, administration files, flimsy files, public complaints, personality profile etc.
  3. Medical records, which include records containing information relating to the physical and/or mental health of an individual.

Main Purpose for Keeping Personal Data

  1. Personnel records of employees are kept for employment purposes in relation to the employee's appointment, promotion, transfer, employment, benefits, training, discipline, termination etc.
  2. Other records are kept for the various purposes pertaining to the nature of the record, such as the handling of complaints from the public, appointment of HA Board members and HGC members, award of contracts etc.
  3. Medical records are kept for the purposes of providing patient care, including medical treatment/consultation, counselling, rehabilitation etc.