According to the “Recommended Procedures for IT Practitioners on Personal Data Handling”[1], information users should not release information that contains confidential information to any IT contractors or third-party users unless it is absolutely necessary for them to complete the task. In this situation, a non-disclosure agreement should be used to govern the responsibility of the contractors or third-party users in maintaining the privacy of information and to protect the reputation and legal position of the University.
[1] The procedures are jointly published by the Office of the Privacy Commissioner for Personal Data, ISACA Hong Kong Chapter, Internet Professional Association and The Hong Kong Institution of Engineers.
2. Definitions
The abbreviations and terms used in this document shall have the following meaning:
“Information” means but is not limited to information and data whether concerning personal data, commercial, financial, technical or any other matter.
“Information user” [1] means a person who, either alone or jointly or in common with other persons, controls the collection, holding, processing or use of the information.
“Confidential Information” means all information which is not marked as “non-confidential” or “non-proprietary” relating to the teaching, research, development or business activities of The Chinese University of Hong Kong. It is hereby expressly declared that all personal data of staff, students, professors, officers and all other members of The Chinese University of Hong Kong shall be Confidential Information.
“personal data”[2] means any data
relating directly or indirectly to a living individual;
from which it is practicable for the identity of the individual to be directly or indirectly ascertained; and
in a form in which access to or processing of the data is practicable.
Non-disclosure agreements should address the requirement to protect confidential information using legally enforceable terms. These agreements should comply with all applicable laws and regulations for the jurisdiction to which they apply. To identify requirements for non-disclosure agreements, the following elements should be considered:
a definition of the information to be protected (e.g. confidential information);
expected duration of an agreement, including cases where confidentiality might need to be maintained indefinitely;
required actions when an agreement is terminated;
responsibilities and actions of signatories to avoid unauthorized information disclosure (such as ‘need to know’);
ownership of information, trade secrets and intellectual property, and how these relate to the protection of confidential information;
the permitted use of confidential information, and rights of the signatory to use information;
the right to audit and monitor activities that involve confidential information;
process for notification and reporting of unauthorized disclosure or confidential information breaches;
terms for information to be returned or destroyed at agreement cessation; and
expected actions to be taken in case of a breach of this agreement.
Based on your security requirements, other elements may be needed in a non-disclosure agreement. Two sample non-disclosure agreements are attached for your reference. You may need to modify the samples or design your own non-disclosure agreements for different circumstances.
When you prepare the non-disclosure agreement, please note that if the receiving party is an individual, you should check his/her HKID to verify the HKID number as written on the agreement. If the receiving party is a company, you are advised to:
Request that a director of the company sign the agreement.
Keep a copy of the Annual Return of the company, the Register of Directors and its Certificate of Incorporation.
Check the Annual Return of the company to ensure that the agreement is signed by a director.
If the agreement is not signed by a director of the company but by another authorized representative, you should try your best to verify the identity and authority of that representative, for example by requesting the company to provide the minutes to prove the authorization.
Last but not least, you should familiarize yourself with the “Data Protection Principles” and the “Recommended Procedures for IT Practitioners on Personal Data Handling” in order to know how to deal with personal data and to ensure compliance with the law and regulations in Hong Kong.
4. Samples
Departments can download the NDA samples for reference.
5. Reference
This document is written by referring to ISO17799:2005 (06.01.5 Confidentiality agreements and 07.2.1 Classification guidelines). In addition, the following documents are also used as references: