Privacy Policy Statement and Personal Information Collection Statement
Privacy Policy Statement
The Hong Kong Monetary Authority (“HKMA”) has engaged a service provider (hereinafter referred to as the “Service Provider”) to provide services in relation to this Physical Risk Assessment Platform (“Platform”), with the assistance of certain subcontractors including XDI Pty Ltd.
The following policies apply in relation to your use of the Platform. For the purposes of this Privacy Policy Statement and the Personal Information Collection Statement below, personal data has the meaning given to it in the Personal Data (Privacy) Ordinance (Cap. 486) (“PDPO”).
Personal Information Controls
- The Platform does not generally collect or process personal data.
- Personal data may only be required from you in the case where you submit a request for technical assistance or other enquiry or report an issue through the “Email Support” button on the Platform (“Request”).
- The Platform has adopted the principle of privacy by design and ensures that in the event that any personal data is collected, processed or used, all tools and functionalities which may collect, process or use such personal data are subject to due consideration of privacy issues.
Exclusion of Personal Data
- Personal data is generally not required for users to be able to use any functionalities of the Platform except the case where you submit a Request.
- The Platform is designed to maintain anonymity, such that in the event of a security incident or data breach, it would not be possible to trace or identify the user from any data affected by the incident or breach. To facilitate this, the Platform adopts the following design:
  - Only one person (known as the “Org Owner”) is able to sign up to the Platform for each Authorized Institution (“AI”). The Org Owner needs to sign up with a functional email address (“Signup Email”) which must not contain any personal data. For example, it must not be an individual’s work email address (which often contains the individual’s name).
  - After signing up, the Org Owner can create accounts for other users in the same AI. The usernames assigned to other users would be randomly generated by the Platform and would not contain any personal data. Such usernames cannot be changed.
  - All automated notifications to the AI users on the Platform, for example notifications about Platform updates, would be sent to the Signup Email. Except for submitting a Request, there is no need for users other than the Org Owner to provide an email address for the purpose of using the Platform.
  - Password resets are done via a password reset link which would be sent to the Org Owner’s Signup Email. The Org Owner is responsible for coordinating the password resets for the relevant user.
Collection of Usage Statistics
- The Platform enables all access logs, activity logs, usage logs, user account changes and logins without retaining personal data.
- General usage statistics (including the statistics listed below) may be collected by the Service Provider and its subcontractors. Such statistics would be collected in a way which does not identify the relevant users. The collection of such statistics is for purposes including improving website performance and users’ experience.
  - Number of hours that the Platform has been running
  - Number of addresses being queried daily
  - Number of addresses queried by each AI or user
  - Number of portfolio runs and counts of assets per AI
  - Monthly active users (i.e. users who have logged in at least once in the past month) per AI
- The Platform uses cookies which are saved by your browser when you access the Platform. The types of cookies used are session cookies and persistent cookies. The cookies enable functionalities to allow users to access certain features (such as the database) and improve website performance and users’ experience (such as allowing users to stay logged in while refreshing a page). The cookies used in connection with the Platform do not collect or store personal data. You may refuse to accept cookies on your browser by modifying the settings in your browser or internet security software. However, if you do so, you will not be able to utilise or activate certain functionalities of the Platform.
Personal Information Collection Statement
This Personal Information Collection Statement applies to and governs the collection, use, and processing of any personal data which may be provided by you when making a Request through the “Email Support” button on the Platform.
In submitting any Request, you would need to provide either the Signup Email or your own individual work email address in order to receive a response to your Request. If you provide any personal data in the Request either on your own initiative or as required by the Service Provider for the purpose of handling your Request, or if you choose to provide your own work email address which contains your personal data, the following shall apply.
The personal data received from you in connection with the submission of any Request may be collected, used, processed and retained by the Service Provider in accordance with the requirements of the PDPO and all other applicable laws and regulations relating to the collection, use, processing and storage of personal data (collectively, “Applicable Laws”).
Your personal data is collected, used, processed or maintained, at all times to the extent permitted under the Applicable Laws by the Service Provider for the following purposes: (a) handling your Request; (b) providing you with responses thereto; and (c) other purposes related to the operation and maintenance of the Platform (“Purposes”).
The Service Provider may share your personal data with the HKMA, for purposes connected with the provision of services in relation to the Platform. The use and processing of your personal data by the HKMA will be governed by its Privacy Policy Statement.
If you include the personal data of other individuals in your Request either on your own initiative or as required by the Service Provider for the purpose of handling your Request, you confirm that before including such personal data, (i) you have informed those individuals of the collection, processing and use of their personal data by the Service Provider pursuant to this Personal Information Collection Statement, and (ii) you have obtained those individuals’ authorisation and consent for you to so include their personal data in your Request.
Please note that if you are not able to provide the relevant personal data requested by the Service Provider for the Purposes, you may not be able to have your Request resolved or obtain a response thereto.
Any materials containing your personal data will be retained, stored, or destroyed in accordance with the Applicable Laws. In any event, your personal data will not be retained longer than it is necessary to achieve the Purposes or permitted by the Applicable Laws.
You have a right to withdraw your consent to the processing of your personal data in the above manner at any time. You are also entitled to access, correct, or enquire about the personal data held by the Service Provider about you. If you wish to exercise such rights, you can do so by sending your request to the privacy liaison officer in relation to the Platform at servicedesk@climaterisk.hk.