1. DEFINITIONS

“Commissioner” is the Personal Data Privacy Commissioner holding office as such under the Personal Data (Privacy) Ordinance.

“Data User” is the person or organisation responsible for determining the purposes and means of the processing of personal data. The Royal Commonwealth Society, Hong Kong Branch (RCSHK) is the Data User with respect to all personal information that relates to the Society’s activities.

“Data Protection Officer” (DPO) The Society may appoint from time to time a DPO to inform and advise on data protection matters, monitor compliance with data protection legislation and act as liaison with the Commissioner.

Address and contact details of the DPO are:

Brian Brewer, RCS Council Member – brianbrewer@outlook.com

c/o Royal Commonwealth Society Hong Kong Branch, GPO Box 11749, Hong Kong

“Data Subject” is the identified or identifiable person to whom the collected personal data relates.

“Processing” is defined very broadly and encompasses any action performed on or with personal data, including collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, restriction (that is, the marking of stored data with the aim of limiting its processing in the future, erasure and destruction. In effect, it is any activity involving personal data.

“Data Processor” is the person or organisation (a third party) if any who shall or may process Personal Data on behalf of the Society as Data User.

“Ordinance” means the Personal Data (Privacy) Ordinance Cap. 486 of the Laws of Hong Kong.

“Personal Data” is any information that relates to an identified or identifiable living individual or from which it is practicable for the identity of the individual to be directly or indirectly ascertained. This includes where living individuals can be directly or indirectly identified using information such as a name as well as other identifiers such as unique personal identifiers e.g., Inland Revenue Department tax file record numbers, Hong Kong Identity Card Number, location data or other online identifiers, as well as physical, physiological, genetic mental, economic, cultural or social identity.

“Society” means the Royal Commonwealth Society Hong Kong Branch.

“Website” means the website maintained by the Society for all its membership use purposes.

2. DATA PROTECTION

The Society is legally required to comply with and shall comply with the six data protection principles scheduled to the Ordinance when processing Personal Data. These principles require that Personal Data:

• Shall be used for the purpose of processing the application of the Data Subject for membership of the Society and for managing such membership of the Society.
• Shall be processed lawfully, fairly and in a transparent manner in relation to the Data Subject.
• Shall be collected only for specified, explicit and legitimate purposes; and it must not then be further processed in any manner incompatible with those purposes.
• Shall be adequate, relevant and limited to what is necessary in relation to the designated lawful purposes for which it is processed.
• Shall be accurate and, where necessary, kept up to date. Every reasonable step must be taken to ensure that data which is inaccurate, having regard to the purposes for which it is processed, is erased or rectified without delay.
• Shall not be disclosed by the Society to any other party in a form that would identify the Data Subject.
• Shall not be kept in a form which permits identification of the Data Subjects and shall not be kept for longer than is necessary for the purposes for which the Personal Data has been collected and is to be processed. Personal Data may be stored for longer periods provided it is processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes. This is subject to the implementation of appropriate data security measures designed to safeguard the rights and freedoms of data subjects.
• Shall not be collected unless for a lawful purpose directly related to a function or activity of the Data User who is to use the Personal Data with explicit or implicit information to the Data Subject on or before collecting the Personal Data of whether it is obligatory or voluntary for him or her to supply the Personal Data.

2.1 All practicable steps shall be taken to ensure that the Personal Data is accurate having regard to the purpose (including any directly related purpose) for which the Personal Data is or is to be used.

2.2 Personal Data shall not, without the prescribed consent of the Data Subject, be used for a new purpose meaning any purpose other than the purpose for which the Personal Data was collected and was to be used at the time of the collection of the Personal Data; or a purpose directly related to that purpose.

2.3 All practicable steps shall be taken to ensure that any Personal Data (including data in a form in which access to or processing of the data is not practicable) held by a Data User is protected

against unauthorised or accidental access, processing, erasure, loss or use having particular regard to the safety and security of storage of the Personal Data.

2.4 All practicable steps shall be taken to ensure that the person can ascertain the policies and practices in relation to Personal Data of a Data User and to inform the Data Subject of the kind of Personal Data held by the Data User with information to the Data Subject of the main purpose for which Personal Data is held by the Data User.

2.5 The Data Subject shall be entitled to ascertain whether a Data User holds Personal Data of which is the Data Subject and to request access to the Personal Data and be given reasons if the request is refused upon which the Data Subject shall be entitled to object to the refusal.

3. REASONS FOR PROCESSING, USE PURPOSE OF PERSONAL DATA

3.1 The Society shall inform individuals the reasons for processing their Personal Data, how it uses such data and the legal basis for processing in its privacy notices. The Society will not process Personal Data of individuals for other incompatible reasons.

3.2 In the event that the Data Subject does not provide or fails to continue to provide his or her Personal Data to the Society then his or her membership is liable to cancellation.

a. All Personal Data processed by the Society must be done on one of the following lawful bases: consent, contract, legal obligation, vital interests, public task or legitimate interests.

b. Where consent is relied upon as a lawful basis for processing Personal Data, evidence of opt-in consent shall be kept with the Personal Data.

c. Where communications are sent to individuals based on their consent, the option for the individual to revoke their consent in writing should be clearly available, and systems should be in place to ensure that the receipt of such revocation is reflected accurately in the Society’s systems.

4. LAWFUL PURPOSES

a. All Personal Data processed by the Society must be done on one of the following lawful bases: consent, contract, legal obligation, vital interests, public task or legitimate interests

b. Where consent is relied upon as a lawful basis for processing Personal Data, evidence of opt-in consent shall be kept with the Personal Data.

c. Where communications are sent to individuals based on their consent, the option for the individual to revoke their consent in writing should be clearly available, and systems should be in place to ensure that the receipt of such revocation is reflected accurately in the Society’s systems.

5. DATA MINIMISATION

a. The Society shall ensure that Personal Data are adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.

6. ACCURACY

a. The Society shall take reasonable steps to ensure that Personal Data Collection is accurate.

b. Where necessary for the lawful basis on which Personal Data is processed, reasonable steps shall be put in place to ensure that Personal Data is kept up to date.

7. LAWFUL, FAIR AND TRANSPARENT PROCESSING, ARCHIVING AND RIGHT OF ACCESS BY THE DATA SUBJECT AND CORRECTION

a. To ensure its processing of Personal Data is lawful, fair and transparent, the Society shall maintain an archive of Personal Data Collection.

b. To ensure that Personal Data is kept for no longer than necessary, the Society shall put in place an archiving policy for each area in which Personal Data is processed and what Personal Data should/must be retained, for how long, and why and review this process annually.

c. The Archive shall be reviewed at least annually.

d. Individual Data Subjects have the right of access to the archive and to correct his or her own Personal Data upon written request through the DPO, and any such requests made to the Society shall be dealt with in a timely manner.

8. SECURITY

a. The Society shall ensure that Personal Data is stored securely using modern software that is kept up-to-date.

b. Access to Personal Data shall be limited to the Data Subject and any person as authorised in writing by the Data Subject who need access, and appropriate security should be in place to avoid unauthorised information sharing with any other parties.

c. When Personal Data is deleted, this should be done safely to make the data irrecoverable.

d. Appropriate backup and disaster recovery solutions shall be in place.

9. GENERAL PROVISIONS

9.1 Information Collection

Please note that the Personal Data of the Data Subject will be collected through the use of the Website. For details, please see the Society’s Privacy Policy Statement.

9.2 Why does the Society collect personal information?

In order for the Society to process the application of the Data Subject for membership and for any and all subsequent programmes of the Society, subscriptions and the services of the Society, the Data Subject is required to provide his or her personal data to the Society. This applies to both existing and potential members of the Society.

The Society collects the personal information that the Data Subject provides such as the name, contact numbers, email address and mailing address for the purposes of direct marketing and non-direct marketing such as sending to the Data Subject the latest news of the Society including programme updates, trips, greetings, events, special offers, promotions, discounts, sponsorship opportunities, networking, opinion sharing benefits, invitations, opportunities for volunteering, workshops, seminars, courses, workshops, conferences, lectures and other programme opportunities, services or benefits related to the membership of the Society and to the activities and services of the Society as an art, cultural and related service organisation. Such communications to the Data Subject may be by postal mail, electronic mail, telephone, SMS, online etc.

The Society also may use the personal data of the Data Subject held by the Society for the purposes of feedback collection, surveys, membership administration and all actions incidental to the maintenance of the membership of the Data Subject in good standing and any other communication and marketing purposes.

The Society may engage third party service providers and Data Processors for the performance of any of the normal activities of the Society and for such purpose the Society may disclose or transfer the personal data of the Data Subject purely for the purposes outlined above to such service provider, Data Processor or any other person on the basis of a duty of confidentiality owed to the Society. The normal practice of the Society is to secure from any volunteers or staff or associated organization assisting in the provision of the services of the Society to undertake to keep all personal data information confidential with the exception only in any case where the Society is under an obligation to make disclosure under the requirements of any law or rule, regulations, codes of practice or guidelines issued by any regulatory or other authorities having direct authority for such purpose or with which, in the discretion of the Society, it is under a duty to comply.

As an important part of the services of the Society to the Data Subject as a member, the Society would like to ensure that the Data Subject remains fully updated about all of the activities of the Society and the Society shall continue to send the Data Subject the latest news of all the above functions, offers and promotions.

The Society therefore now seeks to ascertain that the Data Subject has no objection to the continued use by the Society of the personal data of the Data Subject for the above purposes.

If the Data Subject agrees that the Personal Data of the Data Subject can continue to be used as mentioned above in the same way as in the past, there is no need for the Data Subject to take any further action and in the absence of contrary response within 30 days of the date of this communication the Society shall be happy to take the tacit agreement of the Data Subject to such continuation.

As required by law, the Society will not use the Personal Data of the Data Subject for sending marketing or promotional information to the Data Subject if the Society shall have received the confirmation of the Data Subject of withdrawal or opting out of the Society’s system of communication and arrangements.

However, should the Data Subject no longer wish the Society either now or at any future time to use the Personal Data of the Data Subject as explained above or shall wish to be excluded from the future communications of the Society, the Data Subject should indicate his or her wish in writing by posting hard copy or by email to the Society at secretary@rcshk.com in order to unsubscribe.

The Society thanks the Data Subject for taking the time to familiarise himself or herself with the above information. The Society shall continue to make the privacy of the Data Subject the highest priority of the Society and the Society assures the Data Subject that his or her personal information will be used in accordance with the Society’s Privacy Policy Statement. The Society will not share the personal information of the Data Subject with other parties without the prior written consent of the Data Subject.

Although the Society may communicate to the Data Subject offers from third parties, such communication would always come from the Society. The Society has no intention to transfer and the Society shall not transfer the Personal Data of the Data Subject to any third parties.

9.3 Application of this Policy

a. This policy applies to all Personal Data processed by the Society or by third parties duly appointed by the Society for such processing.

b. The DPO shall take responsibility for the Society’s ongoing compliance with this policy.

c. The Society pledges to meet fully the standards of security and confidentiality of the collection of Personal Data in compliance with the Ordinance.

d. The use of all the materials provided for in or referable to the Society (“the Materials”) is and maintains the exclusive property of the Society and use of the Materials by the Data Subject is for information purposes only. The Data Subject will not distribute, publish, transmit, modify, display or create derivative works from or exploit the Materials and shall agree to indemnify, defend and hold harmless the Society for any and all unauthorised uses which the Data Subject may make of any of the Materials and of the name, trade mark, service mark and logo of the Society as appearing on the Website or in any other place and may not without the prior express written permission of the Society be used in any advertising or publicity, or otherwise indicates sponsorship of the Society or affiliation of the Society with any third party, product or service.

e. The Website may contain links to other sites and if and when a Data Subject uses a link to go from the Website to another website this Privacy Policy Statement shall be no longer in effect as regards the newly visited website. Browsing and intervention on other websites by the Data Subject including websites that have a link to the Website shall be subject to the own rules and policies of any such visited websites which may differ from those of the Website and the Society has no participation in or responsibility for any of these other websites.

10. BREACH

In the event of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data, the Society shall promptly assess the risk to rights and freedoms of the Data Subject and, if appropriate, report this breach to the Commissioner.