Privacy Policy

14 November 2023

Statement of Policy

The Firm respects personal data privacy and is committed to implementing and complying with the data protection principles and provisions under the Personal Data (Privacy) Ordinance (Cap. 486) (“PDPO”).

Statement of Practices

  1. Categories of Personal Data Held
    1.  The Firm holds the following categories of personal data:-
      1. Employment-related records which include data on job applications, personal particulars, education and qualifications, employment history, salary and allowances, participation in Mandatory Provident Fund, terms and conditions of service, housing and medical benefits, leave records, training and development, appraisal reports, conduct and discipline, etc.;
      2. General administrative records which include personal data collected in connection with the office administration functions, records containing information supplied by data subjects and collected in connection with the handling of enquiries and complaints made to the Firm, etc.;
      3. Clients’ records which include personal data collected in the course of handling clients’ cases, transactions, complaints and enquiries, etc.; and
      4. Other records which include administrative and programme records containing personal data. 
  2. Main Purposes of Keeping Personal Data
    1. The main purposes of keeping the personal data are as follows:
      1. Employment-related records are kept for a range of appointments and human resource management purposes, including postings and transfers, training and career development, performance appraisal and promotion, discipline, offer of benefits, etc.;
      2. General administrative records are kept for the purposes of carrying out various office administration functions, responding to and taking follow-up actions on enquiries and complaints, etc.;
      3. Clients’ records are kept for the purposes of handling clients’ cases, transactions, complaints and enquiries, etc.; and
      4. Other records are kept for various purposes, which vary according to the nature of the records, such as procurement of stores and equipment, organisation of activities, etc.
  3. Practices of Personal Data Handling
    1. The practices at (A) to (F) below are implemented to ensure that personal data held by the Firm is handled in accordance with the data protection principles enshrined in the PDPO.
      1. Collection of personal data
        1. When collecting personal data, the Firm will satisfy itself that:-
          1. The purposes for which the data is collected are lawful and directly related to a function or activity of the Firm;
          2. The manner of collection is lawful and fair in the circumstances of the case; and
          3. The personal data collected is necessary but not excessive for the purpose(s) for which it is collected.
        2. When the Firm collects personal data from an individual, the individual will be provided with a Personal Information Collection Statement, if so requested, on or before the collection in an appropriate format and manner. Practicable steps will be taken to ensure that:-
          1. The data subject is informed of whether it is obligatory or voluntary for him/her to supply the data and, if obligatory, the consequences for him/her if he/she fails to do so; and
          2. The data subject is explicitly informed of the purpose for which his/her personal data is to be used, the classes of persons to whom the data may be transferred or disclosed, the rights of the data subject to request access to and correction of the data, and the contact details of the individual to whom any such request may be made.
      2. Accuracy and retention of personal data
        1. Personal data collected and maintained by the Firm shall be as accurate, complete, and up-to-date as is necessary for the purpose for which it is to be used.
        2. The Firm maintains a personal data inventory, which contains the kinds of personal data that the Firm holds; the purposes for which the personal data is collected, used and disclosed; and how the personal data is stored. The personal data inventory will be reviewed when necessary to ensure that it is accurate and up-to-date.
        3. Personal data will not be kept longer than necessary for the fulfilment of the purpose for which the data is collected or used. Personal data that is no longer required would be erased unless such erasure of personal data is prohibited under any law or it is in the public interest for the data not to be erased. Should there be a need to retain the personal data for statistical purposes, such data would be anonymised so that the individuals concerned could no longer be identified.
        4. A destruction exercise on records containing personal data will be conducted as and when necessary and in accordance with the Firm’s records management guidelines and procedures. Destruction of paper records would be carried out by irreversible means and electronic records would be cleared or destroyed from storage media before disposal by means of sanitisation or physical destruction.
      3. Use of personal data
        1. All personal data collected will be used only for purposes which are directly related to the discharge of the Firm’s duties and responsibilities. Personal data collected may be transferred to third parties during the discharge of the Firm’s functions when necessary. Relevant personal data may also be disclosed to other entities which are authorised to receive information for the purposes of law enforcement, prosecution or review of decisions. Data subjects would be informed of the possible transferees of their personal data when their personal data is collected.
        2. If personal data is to be used for a purpose other than the purposes for which the data is collected, express prior consent would be sought from the data subject concerned. In seeking the data subject’s consent, all practicable steps would be taken to ensure that (i) information provided to the data subject is clearly understandable and readable; and (ii) the data subject is informed that he/she is entitled to withhold his/her consent or withdraw his/her consent subsequently by giving notice in writing.
      4. Security of personal data
        1. The Firm strictly observes relevant security standards and regulations. Security arrangements will also be reviewed regularly to ensure that personal data is protected against loss and unauthorised or accidental access, use, disclosure, modification and erasure. The security arrangements adopted include but are not limited to the following:
          1. Restriction of access to personal data on a “need-to-know” basis;
          2. Regular review and enhancement of security measures for protection of personal data in the servers, user computers, transmission of electronic messages, etc.;
          3. Regular change of passwords for IT facilities, accounting and personnel systems, etc.;
          4. Encryption of all backup storage devices that are to be transported to offsite storage;
          5. Limited staff access rights to office areas storing confidential information; and
          6. Provision of clear guidelines to staff as to the types of data that may or may not be disclosed to a phone enquirer and implementation of appropriate identity verification procedures to confirm the enquirer’s identity.
      5.  Transparency of the personal data policy and practices
        1. The Firm’s privacy policy and practices can be found on the Firm’s website.
      6. Access to and correction of personal data
        1. The Firm recognises an individual’s rights of access to and correction of his/her own personal data in accordance with the PDPO. To make a data access request, an individual should complete the form specified by the office of the Privacy Commissioner for Personal Data, which is available at, and submit the completed form to the Firm in any one of the following ways –
          By email: / attention to:- Data Protection Officer
          By fax: +852 2877 2633
          By post or in person: Suites 4404-4410, 44/F, One Island East, 18 Westlands Road, Taikoo Place
        2. When handling a data access or correction request, the Firm will check the identity of the requester to ensure that he/she is the person legally entitled to make the data access or correction request.
        3. The Firm may impose a fee for the direct and necessary cost of complying with a data access request. The Firm will clearly inform the requester of the amount to be charged.
        4. The Firm maintains records recording the data access or correction requests received.
  4. Incident Reporting and Breach Handling
    1. A mechanism is set up for incident reporting and breach handling in case there is loss or leakage of personal data, or there is a reason to believe that the personal data held by the Firm has been compromised.
  5. Ongoing Monitoring and Review
    1. The Firm will keep the Privacy Policy and Practices under regular review. Officers responsible for handling personal data will attend relevant training courses to keep themselves updated on the latest personal data policies.