The Bank of East Asia

Wholesale Banking

Privacy Policy Statement

PROTECTION OF PRIVACY

1. INTRODUCTION

Protection of privacy of the individuals' personal data is governed by the Personal Data (Privacy) Ordinance (Cap.486) (the "Ordinance"). Digi-Sign Certification Services Limited ("Digi-Sign") is a data user in terms of the provisions of the Ordinance. Digi-Sign is committed to complying with the Ordinance, and to upholding the data protection principles.

Digi-Sign's mission is to service its customers, business partners, Government of the Hong Kong Special Administrative Region and the business community, contributing to their endeavours and success.

2. PRIVACY POLICY

Digi-Sign adopts a framework for protecting the privacy of individuals' personal data. This framework addresses the requirements of the Ordinance, and provides Digi-Sign personnel with clear and practical guidelines in their role of ensuring the confidentiality, security, proper use and handling of personal data.

3. STATEMENT OF PRACTICES

For the purpose of processing subscriber applications for ID-Cert (the product name of the electronic certificate issued by Digi-Sign), Digi-Sign requires the applicant to provide details, some of which are personal identity information for disclosure in the ID-Cert. The personal identity information that an applicant is called upon to provide includes the following:

  • Family name and other name(s)
  • Date of birth
  • Gender
  • Hong Kong ID Card Number / passport number and issuing authority or country
  • Contact details, including e-mail address

Digi-Sign will not be in a position to complete the processing of a subscriber application, if the personal identity information is incomplete.

Once a subscriber application is received, Digi-Sign will retain in a secure manner the information in a subscriber database. In accordance with its commitment, Digi-Sign will observe the data protection principles of the Ordinance when using and handling the subscriber information. Use of such information will encompass, among others, communication with the ID-Cert holders for the purpose of:

  • Dissemination of updates and responses;
  • User support, renewal and addition of services;
  • Statistical information on the Website usage.

In accordance with this Digi-Sign Privacy Policy, Digi-Sign will not collect personal information, unless:

1. The information is for legitimate and lawful purpose;
2. The information is necessary; and
3. The information is directly related to the stated purpose, and Digi-Sign will use the information accordingly.

The key points relating to Digi-Sign's privacy practices are outlined below:

Collection of Personal Identification Information

  • Personal identity information collected will be for legitimate and lawful purpose, and only sufficient details are requested relating to that purpose. The collection procedure requires that the person from whom information is requested is told the purpose of the request and the use of the information.
  • Collection of personal identity information is by lawful means and in circumstances that are fair. In doing so, the person from whom the information is requested will be explicitly informed, before or during the collection, whether it is obligatory or voluntary to provide the details. In cases where it is obligatory to supply the information, the collection procedure requires that the consequences of choosing not to provide the information are explained to the person.
  • The collection procedure requires that it is explained to the person from whom the information is requested that this person has the right to request access to the information, and the right to request correction of the information. For this purpose, the contact details of the Digi-Sign representative are stated in section 6 of this Policy Statement.
  • Personal identity information will not be collected from minors (persons under the age of 18 years) as they are not of the legal age to assume responsibility in accordance with the law.

Collection of Information from Individuals On-line

For individuals using the Digi-Sign Websites, cookie files or other methods may be in use to store and track information. An appropriate warning message will be displayed to the effect that collection of information may occur without notice. Individuals are offered an "opt-out" option, should they choose not to provide the information.

Retention of Personal Information

  • Digi-Sign will retain personal information in accordance with the Code of Practice for Recognized Certification Authorities published by the Director of Information Technology Services under section 33 of the Electronic Transactions Ordinance (Cap.553).

Disclosure of Personal Information

  • When submitting a subscriber application, an individual will be asked to indicate in writing his / her consent to the disclosure of personal information in the ID-Cert.
  • In no circumstances will Digi-Sign disclose or transfer personal information to another party without the consent of the individual who has provided the personal information.

Accuracy of Personal Information

  • Digi-Sign will take all reasonable and practical steps to keep accurate personal information having regard for its use.
  • Whenever there are reasonable grounds to believe that the information is not accurate, having regard for the specific purpose for which it has been retained, Digi-Sign reserves its right to discontinue the use of the information, or to erase the information.
  • Where Digi-Sign has disclosed personal information to a third party for lawful purpose, it will take reasonable and practical steps to advise this third party of:
    • Any changes to the personal information since it was first disclosed, having regard for the purpose for which the personal information was provided to the third party; and
    • A specific date after which this third party should cease to use the personal information disclosed by Digi-Sign.

4. SECURITY OF PERSONAL INFORMATION

Protection of the subscribers' personal information is a priority for Digi-Sign. Every reasonable and practical step will be taken to protect the security and confidentiality of the personal information. In particular, there are security measures in place to safeguard against loss, misuse and unauthorized access or alteration. Subscriber information is protected in accordance with the Digi-Sign information security policy, guidelines and practices.

5. DIRECT MARKETING

Digi-Sign has ongoing programs, including working in conjunction with its business partners, to inform subscribers of the product and service offers and bulletins. For any subscriber who wishes to opt-out of these programs, please send a request in writing and address it to the Chief Executive Officer, who is the Personal Data Administrator, using the contact details in section 6.

6. CONTACT DETAILS

For further details about this Privacy Policy, access or correction of personal information, please contact the Chief Executive Officer, who is the Personal Data Administrator. Contact details are as follows:

Digi-Sign Certification Services Limited
Suite 20, 5/F Hong Kong International Trade & Exhibition Centre
1 Trademart Drive
Kowloon Bay
Hong Kong
Digi-Sign Hotline: Tel: (852) 2917 8833
Fax: (852) 2174 0019
Email: pda@dg-sign.com
Website: http://www.dg-sign.com
Certificates Directory & Certificate Revocation List: ldap.dg-sign.com
Office Hours: Monday to Friday 8:30am to 5:30pm
Saturday 8:30am to 12:30pm
Emergency Telephone No.: (852) 2917 8833, for use:

  • Outside Office Hours;
  • On Sunday, or Public Holidays;
  • When tropical cyclone warning signal No. 8 or above is hoisted;
  • When the "black" rainstorm warning signal is hoisted.

Digi-Sign reserves its right to ask that a request to access or correct personal information be in writing. There will be no charge to correct information. Digi-Sign will not normally charge for requests to access information, but reserves its right to charge a reasonable fee to cover the relevant administrative expenses.

It is Digi-Sign's service pledge that all requests will be dealt with promptly. If there is any complaint or objection to the handling of a request, please contact the Chief Executive Officer, who is the Personal Data Administrator.

7. NOTIFICATION OF CHANGES

As part of its ongoing improvement program, Digi-Sign keeps its policies, guidelines and practices, including this Privacy Policy, under review. As and when change is necessary, Digi-Sign will display a revised version on its Website and, where appropriate, will also include the necessary details in the correspondence addressed to all subscribers.

8. NOTICE TO ALL SUBSCRIBERS

Whilst Digi-Sign undertakes due care and skill, and implements necessary security measures in the protection of personal information, Digi-Sign is committed only to reasonable care and skill, and commercially viable security measures.

PERSONAL INFORMATION COLLECTION STATEMENT

PURPOSE STATEMENT:

Digi-Sign Certification Services Limited ("Digi-Sign") is committed to using the personal information collected from subscribers and other parties for legitimate and lawful purpose. This use will be in connection with processing the subscriber applications and management of the subscriber database. Digi-Sign will collect information by lawful and fair means.

STATEMENT OF POSSIBLE TRANSFERS

Personal information will remain within Digi-Sign. There will be no disclosure or transfer of personal information to another party, in a form that would identify an individual person, unless such disclosure is done with prior consent of the person from whom the information was originally collected.

STATEMENT OF RIGHTS OF ACCESS AND CORRECTION:

Digi-Sign acknowledges that the person from whom the information was collected has right of access to the information held by Digi-Sign, and also the right to request correction of the personal information. Individuals who have provided personal information to Digi-Sign may request in writing to access or correct their personal information kept by Digi-Sign.

Please refer to the Digi-Sign Privacy Policy and, in particular, the Statement of Practices, regarding requests to access or correct personal information.

PROTECTION OF CONFIDENTIALITY STATEMENT

PURPOSE STATEMENT:

Digi-Sign Certification Services Limited ("Digi-Sign") recognizes the responsibility to safeguard the information and data entrusted to it by subscribers and others. Digi-Sign is committed to complying with the relevant legislative provisions and in particular, the Personal Data (Privacy) Ordinance (Cap.486), and section 46 of the Electronic Transactions Ordinance (Cap.553).

Digi-Sign acknowledges that all its personnel, including employees, contractors and agents, will undertake to honour their commitment and duty regarding protection of confidentiality.

CONFIDENTIAL INFORMATION

For the purpose of this Protection of Confidentiality Statement, the term "confidential information" includes:

  • Information collected for processing subscriber applications, encompassing, among others, the following:
    • Subscriber application details
    • Identity documentation and details
    • ID-Cert information kept on subscriber records, excluding details for disclosure in the ID-Cert directory
    • Subscriber Agreement details
  • Information contained in or related to an ID-Cert, encompassing, among others, the following:
    • Reason for revocation of an ID-Cert, excluding information disclosed in the Certificate Revocation List ("CRL")

RELEASE OF RECORDS AND INFORMATION

No document, record or information kept by Digi-Sign will be released to law enforcement agencies, or Government officials, except where the release is in accordance with the law, a subpoena or a court order.

DISCLOSURE REQUEST

The data subject, as defined in the Personal Data (Privacy) Ordinance, has right of access to the information kept by Digi-Sign for subscribers only when:

  • A formal authorization is provided to Digi-Sign, and this may be done electronically and signed by a valid digital signature, or
  • An application is made in a prescribed form, authorizing the access and release of the information; such release may be made to the data subject personally or to a third party named in the application in writing.

For further information, please contact the Chief Executive Officer, who is the Personal Data Administrator, using the contact details in section 6 of the Digi-Sign Privacy Policy.

INFORMATION NOT CLASSIFIED AS CONFIDENTIAL

For the purpose of this Protection of Confidentiality Statement, the term "confidential information" will exclude:

  • ID-Cert information published in the ID-Cert directory, encompassing, among others, the following:
    • List of the recognized certificates issued by Digi-Sign
    • ID-Cert status
    • Personal information contained in a recognized certificate
    • Revocation of ID-Cert
    • Digi-Sign CRL
  • Information published by Digi-Sign, encompassing, among others, the following:
    • The Digi-Sign Certification Practice Statement
    • Digi-Sign Privacy policy
    • Information and reason code relating to those ID-Cert revoked
    • Information and reason code provided in the Digi-Sign CRL.