THE UNIVERSITY OF HONG KONG
DEPARTMENT OF COMMUNITY MEDICINE AND SCHOOL OF PUBLIC HEALTH

Personal Data Security Policy

This policy of the School sets minimum standards for the security of electronic data that include information about individuals. It is a set of basic rules that must be observed when handling databases with personal data (Note 1), including, but not limited to, HKID, names and telephone numbers.

1. Any research project that involves personal data must be reported to the School. The protection procedures and measures of personal data must be documented using “Form DS-02”.
2. Without prior permission from the Director, personal data must not be stored with the research data (Note 2). If both personal data and research data must be stored in the same database (Note 3), prior permission from the Director must be sought.
3. Personal data must only be accessed by the authorized personnel, who are designated by the principal investigator of the research project.
4. All computers with personal data must have deactivated computer port/devices (including USB ports/DVD rewritable drives) and not be connected to the Internet unless prior permission is granted from the Director. These computers must be securely locked. Personal data in electronic form must always be protected with strong encryption (Note 4) and password (Note 5). Those in other forms must be physically locked after use.
5. Electronic personal data must not be stored in any portable storage devices without prior permission from the Director. If the permission is granted, all personal data must only be stored in the official encrypted devices that are approved by Personal Data Protection Committee.
6. Personal data must not be taken outside the office without prior permission from the Director.
7. Personal data must be securely destroyed immediately after use (Note 6).
8. All media with personal data must always be protected against unauthorized access (Note 4), and be checked regularly.
9. Any loss or suspected loss of personal data must be reported immediately to the Director for remedial actions, and the School’s other reporting guidelines should be complied with.
10. Other applicable rules, regulations, policies, codes and guidelines of the University, Faculty and School in respect of information security and personal data protection shall also be observed.

In connection with data security, the department/school computers should be kept up-to-date by applying the most recent security patches (eg Windows Update in Microsoft Windows). No peer-to-peer applications (eg BitTorrent, Foxy) are allowed to be installed. A firewall (eg Microsoft Windows Firewall) should be installed, and antivirus software (eg Sophos) should be frequently updated (eg daily).

I have read and shall abide by this policy when handling personal data.

Signature :
Printed name :
Date :

20130916/Form DS-01

Note 1. Personal data means any data relating directly or indirectly to a living individual; from which it is practicable for the identity of the individual to be directly or indirectly ascertained; and in a form in which access to or processing of the data is practicable. (Personal Data (Privacy) Ordinance, Code of Practice, 189/709, HKU)

Note 2. To properly handle the personal data in the research data, a unique identification number should be generated for each record and used as a key for matching between the personal data and the research data. The personal data should be detached from the research data, encrypted (eg using Winzip with 256-Bit AES encryption), and stored in the departmental safe (please contact the Personal Data Protection Coordinator of the Department for details).

Note 3. The database with personal data should be encrypted after use. If the database is in Excel format, a password has to be added to the Excel file when it is saved. If the database is in SPSS/STATA/SAS format, there is no built-in mechanism for encryption or password control.
It is recommended that the database should be stored in an encrypted area on the hard disk, eg using TrueCrypt (freeware, http://www.truecrypt.org/).

Note 4. If you want to archive the electronic personal data, you may use 256-Bit AES encryption in Winzip. If you need to get frequent access to the personal data, you may use TrueCrypt (freeware, http://www.truecrypt.org/) to create an encrypted area on your hard disk for temporary storage of your sensitive file.

Note 5. A good password should at least satisfy the following conditions:
   1. Minimum password length is 15 (longer is generally better)
   2. Consists of both upper and lower case characters
   3. Consists of digits
   4. Consists of punctuation characters
   5. Should not be a word in any language
   6. Should not be based on personal information, eg user ID, family name
   (http://www.sans.org/resources/policies/Password_Policy.pdf)

Note 6. For electronic data, you should use secure data removal tools to remove sensitive data from your hard disk (freeware: Eraser from http://eraser.heidi.ie, DBAN from http://www.dban.org, or Sdelete from http://technet.microsoft.com/en-us/sysinternals/bb897443.aspx). Unused CDs and DVDs with sensitive data must be shredded before disposal.