Construction Industry Council - Annual Report 2024

OUR SUSTAINABILITY JOURNEY

Roles and Responsibilities

To ensure effective implementation of all data privacy measures, we have established a structured governance framework, which includes key roles and processes:

• Data Protection Officer
The designated Data Protection Officer is responsible for overseeing the implementation of the Personal Data (Privacy) Policy and its accompanying Standard and Procedure. This officer reports directly to the Executive Director and the Audit Committee, ensuring accountability and transparency at the highest level.

• Personal Data Champions
Each department has appointed Personal Data Champions, who coordinate efforts from the top management at departmental level to enhance employees’ awareness of legal and regulatory requirements and promote prudent management and handling of the organisation’s extensive pool of personal data. Regular meetings were held to address issues of personal data.

• Annual Data Review
Each department conducts an annual review of its retained personal information inventory and submits a report to ensure compliance with all required privacy standards within the organisation and its vendors who act as data processors.

Our top management firmly sets the tone for data protection and cascades it to all levels, reflecting the CIC’s commitment to safeguarding personal data and upholding privacy standards across all operations.

Safeguarding Data

Data Privacy

We are committed to protecting and respecting the data we collect, hold and process in compliance with the Personal Data (Privacy) Ordinance (Cap. 486). Our approach to data privacy is built on having the right talent, controls, policies, processes and systems in place to ensure the effective and ethical management of privacy risk.
Data Privacy Policy

In 2024, we have not only promulgated our own Personal Data (Privacy) Policy and the Standard and Procedure, but also built up and executed mechanisms to ensure compliance with the Personal Data (Privacy) Ordinance (Cap. 486). This policy sets forth a clear approach, establishes the requirements compliant with privacy laws, and defines roles and responsibilities for data privacy and data protection enforcement. The policy’s Standard and Procedure also provide actionable guidance and regulatory requirements for the specific areas of data privacy, such as data collection, consent management, direct marketing, and so on.

In addition, the existing Document Retention Policy governs the management and retention of all physical documents produced during business, ensuring proper handling of sensitive information throughout its lifecycle. Moreover, departments devised their respective Data Retention and Erasure Schedules in accordance with legal requirements and operational needs.

To uphold data privacy across all levels of the CIC, all staff members strictly adhere to the six Data Protection Principles:

• Purpose and manner of collection
• Accuracy and retention
• Use of data
• Data security
• Openness and transparency
• Access and correction
