Data Collection and Use
We collect adequate but not excessive personal data by lawful and fair means and hold personal data as an employer and a financial regulator for purpose(s) directly related to the functions and activities of the MPFA.
The broad categories of personal data held by us, and the main purposes of use are:
- Licensing / registration application records and related returns and notifications, and submissions in response to public consultation papers – for the purposes set out in the Personal Information Collection Statement (PICS) of the relevant form or document;
- Enquiry, complaint, inspection, supervisory, investigation and enforcement records – for the purposes of responding to and following up enquiries, comments, suggestions, requests or complaints, conducting investigation, taking supervisory or enforcement actions, and performing our statutory and administrative functions and activities;
- Personnel records – for the purposes of recruitment, appointment and human resource management; and
- Other administration and operational records – for various purposes depending on the nature of the records (e.g. for organizing educational, promotional and training activities, managing subscription of publications, and other purposes for proper discharge of the MPFA’s functions).
When or before we collect personal data from individuals, we will provide them with a PICS, which states (among other matters) the purpose(s) of the data collection. Personal data held by us are used for the purpose(s) for which the data are collected or for directly related purpose(s). We do not use the personal data we hold for a new purpose or disclose/transfer the personal data to a third party, unless with the data subjects’ consent or such use or transfer is permitted or required by law.
Statistics on visits to our website – We record the number of visits to our website, the webpages visited and the visitors’ Internet Protocol (IP) addresses, for compiling statistics, for maintaining and enhancing our website and for security purposes. We do not use and have no intention to use the information to personally identify anyone.
We take practicable steps to ensure that we do not hold personal data for a period longer than is necessary to fulfill the purpose(s) for which the data is or is to be used. Appropriate retention and disposal schedules are maintained for records containing personal data, and disposal of the records is made accordingly.
We take practicable steps to protect the personal data we hold against loss, unauthorized or accidental access, use, processing, erasure, modification or disclosure. Access to personal data is restricted to relevant employees on a “need-to-know” basis. Encryption is used to protect personal data transmitted online.
Outsourcing arrangements – Our information technology (IT) systems and websites are developed and maintained by in-house staff and/or third-party service providers. The third-party service providers do not have access to personal data stored in the relevant systems. They are bound by contract to prevent unauthorized or accidental access, processing, erasure, loss or use of the personal data they may come into contact with and to prevent such data from being kept longer than necessary.
Access and Correction
If you wish to make a data access request to us, please complete and return by fax, email, mail or in person the request form specified by the Privacy Commissioner for Personal Data (Data Access Request Form (No. OPS003)) to the Personal Data Privacy Officer of the MPFA.
Address: Level 12, Tower 1, The Millennity, 98 How Ming Street, Kwun Tong, Hong Kong
Fax No.: (852) 2259 8806
Please note that we may refuse to comply with a data access request in the circumstances specified in section 20 of the Personal Data (Privacy) Ordinance (for example, where the data access request is not made in writing in Chinese or English, where the secrecy provision under section 41 of the Mandatory Provident Fund Schemes Ordinance or section 77 of the Occupational Retirement Schemes Ordinance is applicable, etc.).
When handling a data access or correction request, we will check the identity of the requestor to ensure that he/she is the person legally entitled to make the data access or correction request. We may charge a fee for processing a data access request.