Privacy Policy

Data Protection Policy Statement

Independent Committee for Hong Kong Advocacy Limited (hereinafter ICHKA/the Organisation) takes our responsibilities with regard to the management of the requirements of the United Kingdom General Data Protection Regulation under Data Protection Act 2018 (hereinafter UK GDPR) very seriously. This policy sets out how we manage those responsibilities.

ICHKA obtains, uses, stores and otherwise processes personal data relating to potential, current, former clients, contractors, website users and contacts, collectively referred to in this policy as data subjects. When processing personal data, we are obliged to fulfil individuals’ reasonable expectations of privacy by complying with UK GDPR and other relevant data protection legislation (hereinafter data protection law).

This data protection policy statement explains how and what personal data we collect from you.

The data processed by us are deleted or their processing is limited in accordance with Articles 17 and 18 of the UK GDPR. Unless explicitly stated otherwise in this data protection policy statement, the data stored by us are deleted as soon as they are no longer required for their intended purpose and no legal obligations to retain data prevent their deletion. Limitations are imposed on the processing of data which has not been deleted because it is required for other legally allowed purposes. In other words, such data is blocked and not accessible for processing for any other purpose.

Purposes of the Data Protection Policy

This policy seeks to ensure that we:

  1. are clear about how personal data must be processed and the Organisation’s expectations for all those who process personal data on its behalf;
  2. comply with data protection law and with good practice;
  3. protect the Organisation’s reputation by ensuring the personal data entrusted to us is processed in accordance with data subjects’ rights, and
  4. protect the Organisation from risks of personal data breaches and other breaches of data protection law.

Scope

This policy applies to all personal data we process regardless of the location where that personal data is stored (e.g. on an employee’s own device) and regardless of the data subject. All staff and others processing personal data on the Organisation’s behalf must read it. A failure to comply with this policy may result in disciplinary action.

All internal management staff should implement appropriate practices, processes, controls and training to ensure that compliance.

The Executive Committee is responsible for overseeing this policy.


Our Data Protection Officer can be reached through privacy@ichka.org at any time.

Personal data protection principles

When the Organisation processes personal data, it is guided by the following principles, which are set out in the UK GDPR. The Organisation is responsible for, and must be able to demonstrate compliance with, the data protection requirements set out below:

Data must be:

  1. processed lawfully, fairly and in a transparent manner (lawfulness, fairness and transparency);
  2. collected only for specified, explicit and legitimate purposes and not further processed in a manner incompatible with those purposes (purpose limitation);
  3. adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed (data minimisation);
  4. accurate and where necessary kept up to date (accuracy);
  5. not kept in a form which permits identification of data subjects for longer than is necessary for the purposes for which the personal data is processed (storage limitation); and
  6. processed in a manner that ensures its security, using appropriate technical and organisational measures to protect against unauthorised or unlawful processing and against accidental loss, destruction or damage (security, integrity and confidentiality).

Data Subjects’ Rights

Data subjects have rights in relation to the way we handle their personal data. These include the following rights:

  1. where the legal basis of our processing is Consent, to withdraw that Consent at any time;
  2. to ask for access to the personal data that we hold (see below);
  3. to prevent our use of the personal data for direct marketing purposes;
  4. to object to our processing of personal data in limited circumstances;
  5. to ask us to erase personal data without delay in the following circumstances:
    1. if it is no longer necessary in relation to the purposes for which it was collected or otherwise processed;
    2. if the only legal basis of processing is Consent and that Consent has been withdrawn and there is no other legal basis on which we can process that personal data;
    3. if the data subject objects to our processing where the legal basis is the pursuit of a legitimate interest or the public interest and we can show no overriding legitimate grounds or interest;
    4. if the data subject has objected to our processing for direct marketing purposes; or
    5. if the processing is unlawful.
  6. to ask us to rectify inaccurate data or to complete incomplete data;
  7. to restrict processing in specific circumstances e.g. where there is a complaint about accuracy;
  8. to ask us for a copy of the safeguards under which personal data is transferred outside of the EU;
  9. the right not to be subject to decisions based solely on automated processing, including profiling, except where the decision is necessary for entering into, or performing, a contract with the Organisation; is based on the data subject’s explicit consent and is subject to safeguards; or is authorised by law and is also subject to safeguards;
  10. to prevent processing that is likely to cause damage or distress to the data subject or anyone else;
  11. to be notified of a personal data breach which is likely to result in high risk to their rights and freedoms;
  12. to make a complaint to the complaint handling team; and
  13. in limited circumstances, receive or ask for their personal data to be transferred to a third party (e.g. another organisation to which a client is transferring) in a structured, commonly used and machine readable format.

The organisation must verify the identity of an individual requesting data under any of the rights listed.

Requests (including for data subject access – see below) must be complied with, usually within one month of receipt. Any Data Subject Access Request received by a member of the Organisation is forwarded to the Data Protection Officer at privacy@ichka.org.

Accountability

The organisation must implement appropriate technical and organisational measures in an effective manner to ensure compliance with data protection principles. The organisation is responsible for, and must be able to demonstrate compliance with, the data protection principles.

We must therefore apply adequate resources and controls to ensure and to document UK GDPR compliance including by:

  1. appointing suitably qualified staff;
  2. implementing Privacy by Design when processing personal data and completing a Data Protection Impact Assessment (DPIA) where processing presents a high risk to the privacy of data subjects;
  3. integrating data protection into our policies and procedures, in the way personal data is handled by us and by producing required documentation such as Data Protection Policy Statement, Records of Processing and records of Personal Data Breaches;
  4. training staff on compliance with Data Protection Law and keeping a record accordingly; and
  5. regularly testing the privacy measures implemented and conducting periodic reviews and audits to assess compliance, including using results of testing to demonstrate compliance improvement effort.

The Organisation’s responsibilities

As the Data Controller, we are responsible for establishing policies and procedures in order to comply with data protection law.

Staff responsibilities

Staff members who process personal data about clients or any other individual must comply with the requirements of this policy. Staff members must ensure that:

  1. all personal data is kept securely;
  2. no personal data is disclosed either verbally or in writing, accidentally or otherwise, to any unauthorised third party;
  3. personal data is kept in accordance with the Organisation’s retention schedule;
  4. any queries regarding data protection, including subject access requests and complaints, are promptly directed to the Data Protection Officer;
  5. any data protection breaches are swiftly brought to the attention of the Data Protection Officer and that they support the Complaint handling team in resolving breaches; and
  6. where there is uncertainty around a data protection matter advice is sought from the Information Compliance team and the data protection staff.

Where members of staff are responsible for supervising third-party individuals and organisations (including but not limited to volunteers) doing work which involves the processing of personal information, they must ensure that they are aware of the Data Protection principles.

Staff who are unsure about who are the authorised third parties to whom they can legitimately disclose personal data should seek advice from the Data Protection Officer.

Data Subjects’ responsibilities

Data subjects are responsible for:

  1. familiarising themselves with the Data Protection Policy Statement provided when their data has been collected by us;
  2. ensuring that their personal data provided to us is accurate and up to date.

Sharing Personal Data

In the absence of Consent, a legal obligation or other legal basis of processing, personal data should not generally be disclosed to third parties unrelated to the Organisation.

Some bodies have a statutory power to obtain information (e.g. regulatory bodies, government agencies such as the Home Office). The Organisation should seek confirmation of any such power(s) and that a request is made under such power(s) before disclosing personal data in response to a request. If you need guidance, please contact the Data Protection Officer on privacy@ichka.org.

Further, without a warrant, the police have no automatic right of access to records of personal data, though voluntary disclosure may be permitted for the purposes of preventing/detecting crime or for apprehending offenders. You should seek written assurances from the police that the relevant exemption applies. If you need guidance, please contact the Data Protection Officer at privacy@ichka.org.

Some additional sharing of personal data for research purposes may also be permissible, subject to certain safeguards.

Changes to this policy

We reserve the right to change this policy at any time without notice to you so please check regularly to obtain the latest copy.

This policy was last reviewed and announced on 26 July 2024 by the Executive Committee. It will be reviewed no later than 2030.

Appendix – Data Protection Complaints Information Sheet

Under UK GDPR/Data Protection Act 2018, those who collect and use personal information have to follow rules of good practice for handling information. The Act also gives rights to individuals whose information they collect and use. ICHKA aims to comply fully with its obligations under the Act and to ensure that the service it provides for those wishing to gain access to information is simple, efficient, and effective.

If you feel the service you received does not meet these aims or your expectations, please contact the Data Protection Officer, who will try to resolve your issues informally in the first instance: privacy@ichka.org.

Please note that requests for a review of our response must be received within forty days of the date of that response.

If you remain dissatisfied after following these steps, you can complain to the Information Commissioner’s Office (ICO). You should do this within two months of receiving the final response to your complaint. For further advice on making a complaint to the ICO, please see their website at www.ico.gov.uk

You can write to the ICO at:

Information Commissioner’s Office

Wycliffe House

Water Lane

WILMSLOW

SK9 5AF

Email: enquiries@ico.gsi.gov.uk

You can also call their helpline (Monday-Friday 09:00-17:00): 01625 545 745