Statement of Policy
1. M Plus Museum Limited (“M+”) respects personal data privacy and is committed to implementing and complying with the data protection principles and relevant provisions under the Personal Data (Privacy) Ordinance (Cap. 486) (“the Ordinance”).
Statement of Practices
Category of Personal Data Held
2. M+ holds the following category of personal data: –
Records collected for e-newsletter subscription, which include email addresses that can in specific circumstances be used to identify an individual.
Main Purpose of Keeping Personal Data
3. The main purposes of keeping the personal data are as follows:
(i) For sending newsletters to subscribers registered through this website;
(ii) For data analytics;
(iii) For direct marketing upon obtaining explicit consent from the data subjects;
(iv) For managing customer relationships within M+ and its holding company, West Kowloon Cultural District Authority (“WKCDA”).
Implementation of Practices
4. M+ or WKCDA will implement the practices at (a) to (f) below in accordance with the data protection principles in the Ordinance.
(a) Collection of personal data
5. When collecting personal data, M+ will satisfy itself that:
(i) the purposes for which the data is collected are lawful and directly related to a function or activity of M+;
(ii) the manner of collection is lawful and fair in the circumstances; and
(iii) the personal data collected is necessary but not excessive for the purpose(s) for which it is collected.
6. When M+ collects personal data from a data subject, the data subject will be provided with a Personal Information Collection Statement (“PICS”) on or before the collection in an appropriate format and manner. Practicable steps will be taken to ensure that –
(i) the data subject is informed of whether it is obligatory or voluntary to supply the data and, if obligatory, the consequences of failing to do so; and
(ii) the data subject is explicitly informed of the purpose(s) for which the personal data is to be used, the classes of persons to whom the data may be transferred or disclosed, the rights of the data subject to request access to and correction of the data, and the contact of the individual to whom any such request may be made.
If M+ or WKCDA intends to use the personal data collected for a new purpose, other than the purpose of first collection as stated in the PICS, M+ will obtain prior consent from the data subject before the usage. M+ will, manually or electronically, keep track of the PICS to ensure that the personal data is only used for the purpose(s) stated in the PICS.
(b) Accuracy and retention of personal data
7. Personal data collected and maintained by M+ or WKCDA will be as accurate, complete, and up-to-date as is necessary for the purpose(s) for which it is to be used.
8. M+ or WKCDA maintains a personal data inventory, which contains the kinds of personal data that M+ or WKCDA holds, the purposes for which the personal data is collected, used and disclosed, and how the personal data is stored. The personal data inventory will be reviewed on an annual basis to ensure that it is accurate and up-to-date.
9. Personal data will not be kept longer than necessary for the fulfilment of the purpose(s) for which the data is collected or used. Personal data that is no longer required will be erased unless such erasure of personal data is prohibited under any law or it is in the public interest for the data not to be erased. Should there be a need to retain personal data for statistical purposes, such personal data will be anonymised so that the individuals concerned can no longer be identified.
10. Destruction of records containing personal data will be conducted as and when necessary. Destruction of paper records will be carried out by irreversible means and electronic records will be cleared or destroyed from storage media before disposal by means of sanitisation or physical destruction.
(c) Use of personal data
11. All personal data collected will be used only for purposes which are directly related to the discharge of M+ functions. Personal data collected may be transferred to WKCDA for data storage and maintenance, or to third parties for the discharge of M+ functions. Personal data may also be disclosed to other entities which are authorised to receive information for law enforcement, prosecution or review of decisions. The data subject will be informed of the transferees of personal data when the data subject’s personal data is collected. For personal data that is stored in cloud servers of cloud service providers for M+, personal data may be transferred out of Hong Kong where the cloud servers are located.
12. If personal data is to be used for a purpose other than the purposes for which the data is collected, prior consent will be sought from the data subject. In seeking the consent, all practicable steps will be taken to ensure that (i) information provided to the data subject is clearly understandable and readable; and (ii) the data subject is informed that he is entitled to withhold his consent or withdraw his consent subsequently by giving notice in writing.
13. M+ or WKCDA will not use personal data or provide personal data for use in direct marketing without the data subject’s explicit consent. If M+ or WKCDA intends to use the personal data for direct marketing, M+ or WKCDA will obtain explicit consent from the data subject before using the data subject’s personal data, and will notify the data subject when using personal data in direct marketing for the first time, and will cease to use the data in direct marketing if the data subject so requires. If M+ or WKCDA intends to provide personal data to another person for use by that other person in direct marketing, M+ or WKCDA will inform the data subject in writing in advance that M+ or WKCDA intends to provide the personal data and will not provide the personal data unless it has received the data subject’s explicit consent. A data subject may, at any time, require M+ or WKCDA to cease using the data subject’s personal data in direct marketing by informing M+ or WKCDA through the channels as stated in practice (f) below.
(d) Security of personal data
14. M+ or WKCDA strictly observes all relevant security standards and regulations. Security arrangements will be reviewed regularly to ensure that personal data is protected against loss and unauthorised or accidental access, use, disclosure, modification and erasure. The security arrangements include, without limitation, the following:
(i) restriction of access to personal data on a “need-to-know” basis;
(ii) regular review and enhancement of security measures for protection of personal data in the servers, user computers, or transmission of electronic messages;
(iii) regular change of passwords for IT facilities, or accounting and personnel systems;
(iv) encryption of all backup tapes that are to be transported to offsite storage;
(v) limited staff access rights to office areas storing confidential information; and
(vi) provision of clear guidelines to staff as to the types of data that may or may not be disclosed to a phone enquirer and implementation of appropriate identity verification procedures to confirm the enquirer’s identity.
(e) Transparency of the personal data policy and practices
(f) Access to and correction of personal data
16. M+ or the WKCDA recognises a data subject’s rights of access to and correction of his own personal data in accordance with the Ordinance. To make a data access request, a data subject should complete the form specified by the Office of the Privacy Commissioner for Personal Data, which is available at http://www.pcpd.org.hk/english/publications/files/Dforme.pdf, and submit the completed form to the WKCDA in any one of the following ways –
By email/fax/post/in person:
Attn. Data Protection Office
By email at firstname.lastname@example.org; or
By post to M Plus Museum Limited, Units 608-613, Level 6, Core C, Cyberport 3, 100 Cyberport Road, Hong Kong.
17. M+ or the WKCDA may refuse a data access request in the circumstances specified in Section 20 of the Ordinance. One example is that M+ or the WKCDA is not supplied with information to locate the requested data.
18. When handling a data access or correction request, M+ or the WKCDA will check the identity of the requester to ensure that the requester is the person legally entitled to make the data access or correction request.
19. M+ or the WKCDA may impose a fee for the necessary cost of complying with a data access request. M+ will clearly inform the requester of the amount to be charged.
20. M+ or the WKCDA maintains a log book recording the data access or correction requests received as required under Section 27 of the Ordinance.
22. Statistics on visitors to our websites – When you visit this website, we will record your visit only as a “hit”. The webserver makes a record of your visit that includes your IP addresses (and domain names), the types and configurations of browsers, language settings, geo-locations, operating systems, previous sites visited, and time/duration and the pages visited (webserver access log).
M+ uses the webserver access log for the purpose of maintaining and improving this website such as to determine the optimal screen resolution, or which pages have been most frequently visited. M+ uses such data only for this website enhancement and optimisation.
M+ does not use, and has no intention of using the visitor data to personally identify anyone.
23. This website is developed and maintained by third-party service providers. All the service providers are bound by their contractual obligation to keep confidential any data they come into contact with against unauthorised access, use and retention.
Incident Reporting and Breach Handling
24. A mechanism is set up for incident reporting and breach handling in case there is a loss or leakage of personal data, or there is a reason to believe that the personal data held by M+ or the WKCDA has been compromised.
Ongoing Monitoring and Review
27. Words used herein which import the singular only also include the plural and vice versa where the context so admits.
28. Words used herein which import one gender (whether masculine, feminine or neuter) shall be taken to include any other gender where the context so admits.