Subsite Background

Policy for Personal Data Inventory Framework

Lingnan University (the University) is committed to safeguarding personal data and privacy in compliance with the requirements of the Personal Data (Privacy) Ordinance. The University undertakes actions to ensure that the personal data of a University member are collected, stored, held and used accurately and securely.  When handling personal data, the University requires its academic departments and administrative units to properly record means of collecting personal data, kinds of personal data collected, locations for data storage, duration of retention, ways of using the personal data, and data security measures adopted in each unit’s Personal Data Inventory (PDI). A PDI should allow the University to:

  • Understand whether the unit needs to obtain consent from data subjects,
  • Record what personal data have been collected,
  • Record where personal data have been stored,
  • Whether appropriate security measures have been taken to guarantee that the collected data are stored safely,
  • Comply with Data Access and Correction Requests from data subjects, and
  • Find out what information is leaked in case of a personal data leakage incident

The Personal Data Protection Committee (PDPC) of the University requires each University unit to review its PDI annually or whenever deemed necessary to ensure that the personal information a unit holds is well managed and not excessive. Updating, correction of each unit’s PDI and responsible personnel(s) should be established in each unit.

In simple terms, PDPC suggests a PDI should consider containing the information below:




Name of the Unit


Title of the Process (e.g. New student registration/Donation/Hostel Application for new students etc.)

Items of personal data contained in the record

Personal data including but not limited to:

  • Name
  • HKID numbers (For immigration regulation, staff HKID and/or passport copies may be kept in certain units. Adequate measure needs to be taken to secure these personal data)
  • Contact information (including address, mobile number and email address)

Means of collection of the data

State clearly through what means the data are collected

Purpose of collection and use of the data

State in a concise manner regarding the purpose of collecting the data to avoid data misuse.


Location for data storage


Filing cabinets in Personnel Record Room

A clear location is preferred


A file path should be listed

Possible location of transfer (e.g. cloud server location)

No/Yes and where

Disclosure of data to any third parties including data processors and the names and relevant details of third parties (Yes/No)

Yes, and what are the names of these third parties/No

Purpose of disclosing the data and whether the disclosure complies with the Ordinance

Whether consents have been obtained; Whether additional consent is needed

Security measures adopted

Whether file cabinets are locked; whether your digital devices are properly encrypted for theft prevention

Retention period of the data1

How long will these data be kept

Date of return or destruction by the data processor (if applicable)

Please state when data destruction/return will occur.

Disposal and authorization personnel and date

Record the names of the relevant personnel and date of the disposal and authorization

1For more details of the data retention period, the University has a strict guideline regarding this aspect on its digital data stored on a University-wide Banner ERP System. Members of the public and Lingnan members can visit this document for more details (Link). For analogue data, such as hard copy files stored in a cabinet, each corresponding units also observe the same guideline.