Data Protection Officers

Roles and responsibilities of the Chief Data Protection Officer and Data Protection Officers


Chief Data Protection Officer (Chief DPO)

(a) Handling data access and correction requests raised to the University
  • Processing personal data access and correction requests with assistance from the DPOs
(b) Managing data breach incidents
  • Coordinating and monitoring the handling of data breach incidents
  • Providing advice to affected Departments/Units via internal and external notifications
  • Conducting investigations and post-incident reviews
(c) Providing consultation and advice on data privacy-related matters
  • Providing advice to Departments/Units on data processor management
  • Coordinating training and education
(d) Reporting to the Personal Data Privacy Committee
  • Reporting data privacy-related updates including identified non-compliance issues, implementation status of Privacy Management Programme, etc.
(e) Handling public communications relating to data privacy
  • Handling public communications, including reviewing responses prepared by Data Protection Officers on privacy complaints and enquiries in relation to personal data
(f) Monitoring Privacy Impact Assessments (PIAs)
  • Monitoring, reviewing and providing advice on conducting PIAs
(g) Maintaining Privacy Policy Statement (PPS) and Personal Information Collection Statement (PICS)
  • Monitoring, reviewing and providing advice on the preparation of PPS and PICS before they are officially presented to the public in any external communications
(h) Monitoring and reviewing personal data handling
  • Initiating and monitoring the annual personal data inventory review exercise and records disposal exercise conducted by DPOs
  • Reviewing data extraction requests to ensure they are approved only for valid reasons
(i) Annually reviewing the effectiveness of data privacy and protection-related controls
  • Preparing an oversight over data privacy and protection controls
  • Executing an annual review plan to ensure full compliance with the data privacy requirements

Data Protection Officers

(a) Managing matters relating to data privacy of his/her own department/Faculty/unit, and representing his/her department/Faculty/unit to communicate with the Chief DPO
(b) Updating personal data inventory of his/her department/Faculty/unit annually
(c) Carrying out periodic risk assessments within his/her department/Faculty/unit and submitting the review report to the Chief DPO
(d) Ensuring PICS prepared by his/her department/Faculty/unit is consistent with the requirements under the Personal Data (Privacy) Ordinance, and submitting the PICS to the Chief DPO for review before adoption for use
(e) Assisting the Chief DPO in carrying out the ongoing assessment and revision of the Privacy Management Programme

Data Privacy Governance Framework and Reporting Structure

DPO diagram