1. Statement of Policy

The Massachusetts Institute of Technology (“MIT”) Hong Kong Innovation Node (the “Node”) respects the personal data privacy of all individuals. If we collect, hold, process, or use your personal data in Hong Kong, the privacy of your personal data is protected by the Personal Data (Privacy) Ordinance of Hong Kong (“PDPO”). [1] We require all our staff and agents to comply with the PDPO in the same manner as the PDPO applies to the Node as a whole and to adhere to the PDPO’s standards of security and confidentiality.

  1. Statement of Practice
  2. Kinds of Personal Data Held

The following categories of personal data are held in the Node.

(a)  Records of students, alumni, and other individuals (collectively referred to as “Participants”) who participate in the Node’s classes, workshops, webinars, events, research, and other activities (collectively referred to as “Activities”). Such records include but are not limited to various applications (such as for enrollment in Activities) which contain Participant personal details including but not limited to name, email address, and phone number; participation records (such as photographs, videos, attendance records, coursework, examination/test results or transcript, feedback, etc.); and administrative records (such as payments, charges and fines, disciplinary information, etc.);

(b)       Personnel records, which include but are not limited to job applications and Node staff personal details, such as work history and academic history; job duties; details of salary, payments, and benefits; leave and training records; group medical and dental insurance records; retirement plan participation records; performance appraisals; disciplinary matters, etc.;

(c)  Records collected from the Node’s website, which include but are not limited to records containing names and email addresses, preferences and activities of website users, location information (including IP addresses); and

(d)  Other records, which include but are not limited to administration and operational files; records containing personal data provided to the Node from associates of the Node; log records on the use of data facilities, services, or participation in activities; records of requests to access / correct personal data; inquiries from the public; and research findings and related publications.

  1. Main Purposes of Collecting and Keeping Personal Data

Personal data will only be used for the purposes stated at the time the data is collected, which, broadly speaking, covers academic, educational/teaching, administrative, research, and related activities that are consistent with the Node’s mission to cultivate the innovation capabilities of our students; to increase opportunities and accelerate the path from ideas to impact for start-ups; and to work together with alumni, affiliates, and friends in the community to help galvanize the region’s innovation ecosystem. However, specific purposes will vary depending on the nature of the personal data held.

For example, personal data held in:

(a)  Records of current and former Participants are collected and kept for purposes including but not limited to providing education and assistance to Participants; facilitating communications between the Node and Participants; facilitating the provision of information upon request by Participants in relation to their affairs at the Node (such as requests for academic certificates and transcripts); compiling statistics on enrollment at the Node to facilitate academic planning and management; planning, organizing, promoting, and delivering Activities; and informing Participants of past, present, and future Activities;

(b)  Personnel records are collected and kept for corresponding with staff and for recruitment and human resource management purposes including but not limited to obtaining reference checks, maintaining employee records and assessing work performance, considering eligibility for staff benefits, training and development, handling emergency situations, and organizing social and other activities and events;

(c)  Records collected from the Node’s website are collected and kept for purposes including but not limited to handling various comments, inquiries, and requests submitted through the Node’s website, facilitating website access, and compiling statistics on website usage; and

(d)  Other records are collected and kept for purposes that vary according to the nature of the record, including purposes such as facilitating administration or office functions; compiling, summarizing, aggregating, and/or de-personalizing personal data in connection with research or statistical/analytical activities carried on by the Node in furtherance of the Node’s mission or in connection with furthering the Node’s mission; and facilitating publication of research or other publications relating to the Node.

  1. Collection of Personal Data

(a)  General: When the Node collects personal data from individuals, the Node will provide them with a Personal Information Collection Statement (“PICS”) on or before the collection in an appropriate format and manner in compliance with the PDPO. The Node collects personal data from individuals on a voluntary basis when necessary to enable individuals to participate in Activities or be employed by the Node. When the Node requests your personal data, you are not required to supply it. However, if you do not supply the requested personal data, then you will be unable to participate in Activities, or, if you are employed by the Node or apply to be employed by the Node, then the Node will be unable to employ you.

(b)  Information for Individuals Under Age 13: Consistent with the Children’s Online Privacy Protection Act (COPPA), the Node does not knowingly collect personal data from children under 13 years of age on its general website.

(c)  Personal data collected automatically from the Node’s website: When users visit the Node’s website, in order to provide website users with a smooth browsing experience, understand how website users interact with our website, and display ads that are relevant and engaging for website users, we use technical means, such as cookies, to collect information from website users, such as their IP address, browser and device characteristics, website usage preferences, and information about actions taken on the Node’s website. Some of these cookies are provided by third parties, such as analytics providers and social media platforms, that collect information about your devices and use of our website in order to manage your preferences, optimize your browsing experience, generate statistical data on how you use our website, and track your interaction with embedded content. You may adjust your web browser settings to stop the use of non-necessary cookies, but depending on the web browser being used, limiting or disabling cookies may cause our website to not act as expected or may limit its accessibility and functionality.

  1. Retention

The Node will only hold personal data for as long as it is necessary to fulfill the purpose or a directly related purpose for which they are collected. Generally, we will destroy or anonymize your personal data within 24 months from the date of collection, unless a longer retention period is required or permitted by law.

  1. Disclosure of Personal Data

The Node will take all practicable steps to keep the personal data you have provided confidential. However, the Node may need to disclose, transfer or assign personal data collected by it to third parties to facilitate the purpose for which the personal data was collected. In general, the parties to which we may disclose, transfer or assign personal data include medical practitioners providing medical services to the Node’s staff, if applicable, any agent, contractor, partner, or third-party service provider engaged by the Node to provide services to, with, or on behalf of the Node and any person to whom the Node is under an obligation to make disclosure under any requirements of any law or for the purposes of any guidelines or codes of practice with which the Node is expected to comply. We may also disclose, transfer, or assign personal data internally within the Node (on a need-to-know basis) to facilitate the purpose for which the personal data was collected or a directly related purpose. If you participate in our Activities, with your consent, we may also publish photographs, videos, and other media containing your image or likeness to showcase and raise awareness of our Activities and accomplishments.

Your personal data may be disclosed, transferred, or assigned within or outside Hong Kong. In case it is provided to a place outside Hong Kong, while the Node will take appropriate steps to protect the privacy of the personal data, it should be noted that such place may not have in place data protection laws which are substantially similar to, or serve the same purposes as, the PDPO, so personal data located outside Hong Kong may not be protected to the same or similar level as in Hong Kong.

  1. Security of Personal Data

The Node will take appropriate steps to protect the personal data held by it against unauthorized or accidental access use, loss, processing, erasure, transmission, modification or disclosure. When the Node needs to disclose, transfer or assign personal data to third parties, the Node will take appropriate steps to protect the privacy of the personal data to be disclosed, transferred, or assigned (for example, requiring our service providers to keep confidential any personal data with which they come into contact).

  1. Data Access and Correction

Individuals have the right to request access to and to correct their personal data held by the Node.

Personal data may be made available to concerned individuals who complete the Data Access Request Form and send the completed form by email to the Node’s Operation Manager (hkinnovationnode@mit.edu)

Similarly, requests to correct personal data held by the Node may be made by submitting such requests by email to the Node’s Operation Manager (hkinnovationnode@mit.edu). In accordance with the Personal Data (Privacy) Ordinance, data access requests will normally be addressed within a 40-day period. A fee reflecting the cost of processing the data request may be levied.

  1. Enquiries

Any enquiries regarding personal data privacy policy and practice may be addressed to the Node’s Operation Manager (hkinnovationnode@mit.edu).

[1] This Privacy Statement is also intended to comply with China’s Personal Information Protection Law (“PIPL”) for residents of the People’s Republic of China (“PRC”).