2. Statement of practice on personal data held by us

We may collect and hold personal data as an employer, a financial regulator, and in performing our statutory functions under the relevant laws and regulations. When we collect personal data from individuals, we will provide them with a Personal Information Collection Statement (PICS) upon or before the collection in an appropriate format and manner. The PICS will state (among other matters) the purpose of the collection.

The broad categories of personal data held by us, and the main purposes of use are:

1. registration application records and related notifications, used for the purposes of processing such registration applications and performing our statutory and administrative functions and activities;
2. complaint, oversight, inspection, investigation and enquiry, and enforcement records, used for responding to and taking follow-up action on complaints, and performing our statutory and administrative functions and activities;
3. personnel records, used for recruitment and human resources management related purposes;
4. records collected via our websites, used for the purposes stated in section 3 below;
5. survey records, used for research and statistical purposes;
6. submissions in response to public consultations, used for the purposes of understanding the response to the proposals under consultation; and
7. other administration and operational records, used for various purposes depending on the nature of the record (e.g. for organising and delivering events, seminars, forums and other professional development, educational and promotional activities, managing subscription of publications, etc.).

Such personal data may include sensitive personal data. The provision of personal data is generally voluntary unless otherwise specified. A failure to provide the requested personal data, or the provision of inaccurate or incomplete information may result in us not being able to process your request, application, submission, inquiry, complaint or other matter (as the case may be), or to perform our statutory and administrative functions under the relevant laws and regulations.

In performing our statutory and administrative functions under the relevant laws and regulations, personal data held by us may be disclosed to relevant authorities including courts, panels, tribunals, committees, or other Hong Kong or non-Hong Kong regulatory, government, professional or statutory bodies as permitted or required under the law, or pursuant to any regulatory assistance arrangements between us and such other authorities, or to persons engaged by us to assist us in the performance of our statutory functions.  Information collected in response to public consultations may be disclosed to members of the public in Hong Kong or elsewhere. 

Where personal data is transferred to places outside of Hong Kong in connection with such purposes, such places may or may not offer the same or a similar level of personal data protection as in Hong Kong.

3. Personal data collected via forms / sections of our website

 Without prejudice to our statement of practice on personal data held by us as mentioned above, generally:

1. The information you provide through the "Contact Us" section or other similar section / function on the AFRC’s website is used by us to respond to or handle your inquiries, comments, suggestions or other matters, including any necessary follow-up work in connection with discharging our statutory functions and responsibilities. The personal data will not be used for any other purposes, disclosed or transferred without your consent, unless such use, disclosure or transfer is permitted or required by law.
2. Personal data collected from subscribers of our subscription service is used by us to alert you, to send you the requested information and to compile statistics of our readership. The personal data will not be used for any other purposes, disclosed or transferred without your consent unless such use, disclosure or transfer is permitted or required by law.
3. Personal data collected through online forms (including registration applications) is used, disclosed, or transferred for the purposes as set out in the PICS for the relevant forms, and for discharging our statutory functions and responsibilities.
4. Personal data collected through submissions in response to public consultations is used, disclosed, or transferred for the purposes as set out in the PICS for the relevant consultation.
5. Personal data provided in online “Complaint Form” will be used, disclosed or transferred for the purposes related to the complaint (for example, it may need to be disclosed to the person / company against whom a complaint has been made), for discharging our statutory functions or where permitted or required by law. If the information provided is inaccurate or incomplete, consideration of the complaint may be affected.
6. We will keep the personal data provided in online “Whistleblowing Report” secure and we will not disclose any such information to outside parties unless we are legally obliged to do so.

4. Information collected when you visit our website

When you visit our website, a record of your visit is made as a "hit", which may show your Internet Protocol (IP) address and the pages you have visited. No personal data is collected under this circumstance. We use such information for statistical purposes, and for the purposes of maintaining and improving our website including security.

When you browse our website, you should be aware that cookies are used. Cookies are data files stored on your computer or other browsing device. Our website automatically installs and uses cookies on your browser when you access it. The types of cookies used on our website are session cookies and persistent cookies. The purpose of using cookies is to help us improve website performance and user experience. Cookies are also used to compile anonymous statistics about the usage of this website to help analyse our website traffic and better understand the needs of the users of this website.

The cookies used in connection with our website do not collect or store personal data. You may refuse to accept cookies on your browser by modifying the settings in your browser or internet security software. However, if you do so you may not be able to utilise or activate certain functions available on our website.

5. Retention

Different retention periods apply to the various kinds of personal data collected and held by us.  We take all reasonably practicable steps to ensure that personal data will not be kept longer than is necessary for the fulfilment of the purposes (or any directly related purposes) for which the data is or is to be used, unless the retention is otherwise permitted or required by law.

6. Public registers

We are required to maintain public registers containing specified data relating to Practice Units and Public Interest Entity Auditors pursuant to the relevant provisions of the AFRCO or any rules or regulations made thereunder.  In this connection, such public registers may contain certain personal data of individuals, and the public in Hong Kong or elsewhere may inspect such public registers.

7. Security

We take appropriate steps to protect personal data we hold against loss, unauthorised access, use, modification or disclosure. In particular, the AFRC uses industry-standard protocol to encrypt data during network transmission to protect your personal data.

8. Access and correction of personal data

You have the right to request access to and correction of your personal data held by us in accordance with the provisions of the PDPO. Your right of access includes the right to request a copy of your personal data provided to us. Please note that all data access requests should be made using the form specified by the Privacy Commissioner for Personal Data which is accessible from the following link "Data Access Request Form".

When handling a data access or correction request, we will check the identity of the requestor to ensure that he/she is the person legally entitled to make the data access or correction request. A reasonable fee may be charged to offset our administrative and actual costs incurred in complying with your data access requests.

We do not provide online facilities for you to delete or correct personal data held by us.

Any requests for access to or correction of personal data held by us can be made to the Data Protection Officer of the AFRC by post or email.

Note: Please note that where a complainant discloses information to us, and notwithstanding our policy that wherever possible the identity of complainants should not be revealed to outside parties, if the information is held or used for certain purposes related to law enforcement and regulation, we are exempt from the application of data protection principles 3 and 6 (use of personal data and access to personal data) by section 58 of the PDPO.  The information can then be used for these purposes whether or not a complainant gives authority.  The purposes include the prevention, preclusion or remedying (including punishment) of unlawful or seriously improper conduct, and protecting the public from financial loss arising from dishonesty, incompetence, malpractice or seriously improper conduct by persons concerned in the provision of financial services.