Page:Improper Collection, Retention, Use and Storage of Personal Data of Residents and Visitors by Property Management Companies.pdf/9

  personal data of residents, and earn residents' trust and support in fulfilling their management duty.

Through this report, the Commissioner would like to make the following recommendations to property management bodies:

The Commissioner encourages property management bodies to introduce the "Personal Data Privacy Management Programme" to include the protection of personal data privacy as part of their corporate governance responsibilities, and to adopt the top-down approach to implement open and transparent information policies and conventions, so as to show their determination in exemplifying good corporate governance and in seeking trust from residents. For details, please refer to the "Privacy Management Programme: A Best Practice Guide" issued by the PCPD.

Before formulating policies or measures about the collection of personal data, a Privacy Impact Assessment should be carried out to identify any privacy issues associated with the implementation of the policies or measures, so as to determine whether the policies or measures are really needed and whether there are any less privacy-intrusive alternatives, and to strike a reasonable balance between the discharge of property management duties and the protection of personal data privacy of residents and visitors.

A Data Protection Officer should be appointed to ensure the organisational compliance with the requirements under the Ordinance and implementation of the "Personal Data Privacy Management Programme". Organisations should allocate resources to enhance staff awareness of personal data privacy protection, by clearly disseminating relevant and updated information (e.g. offering practical tips from time to time in internal newsletters, and providing channels such as intranet for easy browsing of necessary information at any time). Organisations should establish a culture of respecting personal data privacy and thoroughly implement policies protecting personal data by adopting a top-down approach. 