Add to collection(s) Add to saved
  1. Engineering & Technology
  2. Computer Science

Personal Data Security Policy - School of Public Health The

advertisement 
THE UNIVERSITY OF HONG KONG
DEPARTMENT OF COMMUNITY MEDICINE
AND SCHOOL OF PUBLIC HEALTH
Personal Data Security Policy
This policy of the School sets minimum standards for the security of electronic data that
include information about individuals. It is a set of basic rules that must be observed when
handling databases with personal dataNote 1, including, but not limited to HKID, names and
telephone numbers.
1. Any research project that involves personal data must be reported to the School. The protection
procedures and measures of personal data must be documented using “Form DS-02”.
2. Without prior permission from the Director, personal data must not be stored with the research
data Note 2. If both personal data and research data must be stored in the same database Note 3, prior
permission from the Director must be sought.
3. Personal data must only be accessed by the authorized personnel, who are designated by the
principal investigator of the research project.
4. All computers with personal data must have deactivated computer port/devices (including USB
ports/DVD rewritable drives) and not be connected to the Internet unless prior permission is
granted from the Director. These computers must be securely locked. Personal data in electronic
form must always be protected with strong encryption Note 4 and password Note 5. Those in other
forms must be physically locked after use.
5. Electronic personal data must not be stored in any portable storage devices without prior
permission from the Director. If the permission is granted, all personal data must only be stored in
the official encrypted devices that are approved by Personal Data Protection Committee.
6. Personal data must not be taken outside the office without prior permission from the Director.
7. Personal data must be securely destroyed immediately after use Note 6.
8. All media with personal data must always be protected against unauthorized access Note 4, and be
checked regularly.
9. Any loss or suspected loss of personal data must be reported immediately to the Director for
remedial actions, and the School’s other reporting guidelines should be complied with.
10. Other applicable rules, regulations, policies, codes and guidelines of the University, Faculty and
School in respect of information security and personal data protection shall also be observed.
In connection with data security, the department/school computers should be kept up-to-date
by applying the most recent security patches (eg Windows Update in Microsoft Windows).
No peer-to-peer applications (eg BitTorrent, Foxy) are allowed to be installed. A firewall (eg
Microsoft Windows Firewall) should be installed, and antivirus software (eg Sophos) should
be frequently updated (eg daily).
I have read and shall abide by this policy when handing personal data.
Signature
:
Printed name
:
Date
:
20130916/Form DS-01
Note 1.
Personal data means any data relating directly or indirectly to a living individual; from which
it is practicable for the identity of the individual to be directly or indirectly ascertained; and in
a form in which access to or processing of the data is practicable. (Personal Data (Privacy)
Ordinance, Code of Practice, 189/709, HKU)
Note 2.
To properly handle the personal data in the research data, a unique identification number
should be generated for each record and used as a key for matching between the personal data
and the research data. The personal data should be detached from the research data, encrypted
(eg using Winzip with 256-Bit AES encryption), and stored in the departmental safe (please
contact the Personal Data Protection Coordinator of the Department for details).
Note 3.
The database with personal data should be encrypted after use. If the database is in Excel
format, a password has to be added to the Excel file when it is saved. If the database is in
SPSS/STATA/SAS format, there is no built-in mechanism for encryption or password
control. It is recommended that the database should be stored in an encrypted area on the hard
disk, eg using TrueCrypt (a freeware, http://www.truecrypt.org/).
Note 4.
If you want to archive the electronic personal data, you may use 256-Bit AES encryption in
Winzip. If you need to get frequent access to the personal data, you may use TrueCrypt (a
freeware, http://www.truecrypt.org/) to create an encrypted area on your hard disk for
temporary storage of your sensitive file.
Note 5.
A good password should at least satisfy with the following conditions:
1. Minimum password length is 15 (longer is generally better)
2. Consists of both upper and lower case characters
3. Consists of digits
4. Consists of punctuation characters
5. Should not be a word in any language
6. Should not be based on personal information, eg user ID, family name
(http://www.sans.org/resources/policies/Password_Policy.pdf)
Note 6.
For electronic data, you should use secure data removal tools to remove sensitive data
(freeware, Eraser from http://eraser.heidi.ie, DBAN from http://www.dban.org, or Sdelete
from http://technet.microsoft.com/en-us/sysinternals/bb897443.aspx) from your hard disk.
The unused CD and DVD with sensitive data must be shredded before disposal.
20130916/Form DS-01
Related documents
Unit 7 MathLink Activity
Unit 7 MathLink Activity
FDI-2009summer-30min - Scholar
FDI-2009summer-30min - Scholar
ICS 103!!
ICS 103!!
How to start Whitepins - AMAS-Team
How to start Whitepins - AMAS-Team
Secure Email Encryption
Secure Email Encryption
Slide 1
Slide 1
ICS 103!!
ICS 103!!
Movable Drives:
Movable Drives:
Errata - Pearsoncmg
Errata - Pearsoncmg
Basic Encryption Tutorial - UC San Diego Health Sciences
Basic Encryption Tutorial - UC San Diego Health Sciences
model_exam_sol_2004
model_exam_sol_2004
Ch09-SecureStorage
Ch09-SecureStorage
Tips on recovering EFS-encrypted
Tips on recovering EFS-encrypted
When using TrueCrypt, two Windows folder options must not be
When using TrueCrypt, two Windows folder options must not be
GT.M Database Encryption
GT.M Database Encryption
SECURING DATABASE THROUGH TRIPLE LAYER SECURITY Web Site: www.ijaiem.org Email: ,
SECURING DATABASE THROUGH TRIPLE LAYER SECURITY Web Site: www.ijaiem.org Email: ,
Digital evidence obfuscation: recovery techniques
Digital evidence obfuscation: recovery techniques
Auditing (cont'd.) - Faculty & Staff Directory
Auditing (cont'd.) - Faculty & Staff Directory
08 Data encryption
08 Data encryption
Attacks on WinZip encryption
Attacks on WinZip encryption
Hushmail Express Password Encryption in Hushmail
Hushmail Express Password Encryption in Hushmail
4 Encrypting Files
4 Encrypting Files
Download
advertisement