The Sports Federation & Olympic Committee of Hong Kong, China (the Federation), as a Data User, respects personal data privacy and is committed to fully implementing and complying with the data protection principles and all relevant provisions of the Personal Data (Privacy) Ordinance (Cap 486) and codes of practice issued by the Privacy Commissioner for Personal Data. The Federation is equally committed to ensuring that all its officials, staff and agents uphold these obligations. The Federation undertakes to:
- collect personal data directly related to the functions and activities of the Federation only for lawful purposes, and by lawful and fair means;
- take all reasonably practicable steps to ensure that personal data are accurate, up-to-date and kept no longer than necessary;
- use the personal data collected only for purposes or directly related purposes for which the data were to be used at the time of collection, unless the Data Subject concerned has given his consent to a change of use or such use is permitted by law;
- take all reasonably practicable steps to ensure that personal data are protected against unauthorized or accidental access, processing, erasure or other use;
- take all reasonably practicable steps to ensure that the public is informed of the kinds of personal data that the Federation holds and the purposes for which the data are to be used; and
- permit Data Subjects to access and correct their personal data and process the data access / correction requests in a manner permitted or required by law.
2. Types of Personal Data Processed by the Federation
The Federation, in the course of its operations, may process the following types of personal data of Officers, Committee Members, members, athletes, staff, participants and other individuals:
- Identification data (e.g. name and Hong Kong Identity Card / passport details);
- Personal details (e.g. age, sex, date of birth, marital status, occupation, address, telephone number, e-mail address and other contact details);
- Employment record (e.g. job applications, past and present staff’s job particulars, details of salary, payments, benefits, leave, training records, group medical and dental insurance records, mandatory provident fund schemes participation, performance appraisals, and disciplinary matters);
- Payment details (e.g. bank / credit card details, for enrolment of events / activities);
- Health information (e.g. data from medical / anti-doping tests and emergency contact details);
- Vehicle information (e.g. car plate number, for the use of parking facilities at the Olympic House or at venues of events / activities); and
- Images (e.g. photo of an individual participating in the Federation’s events / activities, and image of a visitor to the Olympic House captured by CCTV system).
3. Main Purposes for Processing Personal Data
3.1 The purposes for which the Federation processes personal data are:
- To verify an individual’s identity;
- To ensure compliance with the rules and regulations of the Federation and that of international sports governing bodies;
- To maintain and develop services, including programmes, activities, and events;
- To enable athletes and officials to participate in international multi-sports Games, including the selection of potential athletes into the Hong Kong, China Delegation;
- To organize, conduct and promote the Federation’s events / activities;
- To maintain relationships with the Federation’s members;
- To handle complaints / enquiries as appropriate;
- To carry out surveys and statistical analyses;
- For purposes related to recruitment of staff, manpower management, and maintenance of employment relationship;
- For security purposes; and
- Where otherwise reasonably necessary for the Federation to carry out its functions.
4. Lawful Bases for Processing Personal Data
4.1 The Federation only processes personal data where there is a lawful basis for doing so.
- Consent: the Data Subject has given clear consent for the Federation to process their personal data for a specific purpose.
- Contract: the processing is necessary for a contract the Federation has with a Data Subject, or because a Data Subject has asked the Federation to take specific steps before entering into a contract.
- Legal obligation: the processing is necessary for the Federation to comply with the law.
- Vital interests: the processing is necessary to protect the Data Subject’s life.
- Public task: the processing is necessary for the Federation to perform a task in the public interest.
- Legitimate interests: the processing is necessary for the Federation’s legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests.
4.2 In addition, the Federation will on occasion need to process special category personal data (e.g. when conducting medical / anti-doping tests) or criminal records information (e.g. when carrying out No Criminal / Sexual Conviction Record Checks) in accordance with rights or duties imposed on it by law, including as regards safeguarding and employment, or from time to time by explicit consent where required.
5. How the Federation Collects Personal Data
- Generally, the Federation collects personal data from the individual directly. This may be via a form, an online platform or simply in the ordinary course of interaction or communication.
- In some cases, personal data will be supplied by third parties (e.g. a National Sports Association or other professionals or authorities working with that individual) or collected from publicly available resources.
- The Federation will not collect personal data from a minor without prior consent from a person with parental responsibility for the minor.
6. Access to and Sharing of Personal Data
6.1 The Federation may be required to share personal data with third parties, such as:
- professional advisers (e.g. lawyers, insurers and auditors);
- government authorities;
- partners or related organizations (e.g. International Olympic Committee, Organizing Committee of multi-sports Games); and
- where appropriate, parties who will be contacted by us during the handling of a complaint / enquiry case including the party being complained against and/or other parties concerned.
6.2 For the most part, personal data collected by the Federation will remain within the Federation and will be processed by appropriate individuals on a “need to know” basis.
6.3 Some of the Federation’s processing activity is carried out on its behalf by third parties, such as IT systems, web developers or cloud storage providers. All the Federation’s service providers are bound by contractual duty to keep confidential any data they come into contact with against unauthorized access, use and retention.
7. Information Collected on the Federation’s Websites
7.1 A cookie is a small amount of data created in a computer when a person visits a website on the computer. It often includes an anonymous unique identifier. A cookie can be used to identify a computer. Cookies are used by the Federation to collect statistics about the number of visits of users to the Federation’s websites and the users’ preference of websites and online services offered on the Federation’s websites. Users may choose to accept or reject cookies. If users reject cookies, they will not be able to use some of the functions of the websites, such as saving preferences and accessing some online services.
7.2 When a user visits the Federation’s websites, the webserver makes a record of the visit that includes the user’s IP addresses (and domain names), the types and configurations of browsers, language settings, geo-locations, operating systems, previous sites visited, and time/duration and the pages visited (webserver access log). The Federation uses the webserver access log for the purpose of maintaining and improving its websites such as to determine the optimal screen resolution, which pages have been most frequently visited etc. The Federation uses such data only for website enhancement and optimization purposes. The Federation does not use, and have no intention of using the visitor data to personally identify anyone.
8. Protection Measures
The Federation takes appropriate steps to protect the personal data it holds against loss, unauthorized access, use, modification or disclosure. For example, training on personal data protection is provided to staff members who need to handle personal data in their daily work.
Personal data will not be kept longer than is necessary for the fulfilment of the purpose for which it is collected. Personal data that is no longer needed is either irreversibly anonymised (and the anonymised information will be retained) or securely destroyed.
10. Data Access and Correction
10.1 Data access requests should be made in writing using the form prescribed by the Privacy Commissioner for Personal Data . The completed form should be sent directly to the Data Protection Officer by fax (2891 3657), by email (firstname.lastname@example.org), or in person or by post to:
Sports Federation and Olympic Committee of Hong Kong, China
2/F, Olympic House
1 Stadium Path, So Kon Po
10.2 When handling a data access or correction request, the Federation will check the identity of the requester to ensure that he is the person legally entitled to make the data access or correction request.
1 The data access request form is available on the Office of the Privacy Commissioner for Personal Data’s website: https://www.pcpd.org.hk/english/publications/files/Dforme.pdf.