Union Medical Centre Limited and its subsidiary, affiliated or related companies, including Union Hospital (collectively, "we", "us" or "our") understand the importance of protecting the privacy, confidentiality and security of the personal information we hold by complying with the data protection principles and all relevant provisions under the Personal Data (Privacy) Ordinance.
It is important that you read this Privacy Policy Statement together with the applicable personal information collection statement of the relevant service, website, and/or mobile application provided by us, so that you are fully aware of how and why we are using your personal data. This Privacy Policy Statement supplements our other notices and is not intended to override them.
Four broad categories of personal data are held by us. They are personal data contained in:
Medical records which include records containing information related to the physical and/or mental health of an individual;
Personnel records which include job applications and staff personal details, job particulars, details of salary, qualifications, benefits, leave and training records, group medical insurance records, mandatory provident fund schemes participation, performance appraisals, and disciplinary matters, etc.;
Other records which include administration and operational files, service agreements, personal data provided to us from individuals for participating in promotional activities and other events, records relating to direct marketing, newsletters subscriptions, records relating to service request management, enquiries, customer opinions and feedback, compliance check records, statistical analysis, surveys and quality assurance, etc.; and
Records collected on webservers and/or mobile application servers which include personal particulars and email addresses (which can be used to identify an individual under specific circumstances and thus may constitute personal data) collected for online appointment booking, enquiry form submission, service request submission and opinions submission, etc.
Personal data held in:
Medical records are kept for the purposes of providing patient care or general related purposes (including but not limited to treatment, quality assurance, research, education and charges levied by us);
Personnel records are kept for recruitment and human resource management purposes, relating to such matters as employees' appointment, employment benefits, termination, performance appraisal and discipline, etc.;
Other records are kept for various purposes which vary according to the nature of the record, such as handling of complaints, seeking advice on policy or operational matters, organizing and delivering promotional, educational and training activities and handling of compliance checks, etc.; and
Records collected on webservers and/or mobile application servers are kept for various purposes which vary according to the nature of the record, such as contacting clients for confirmation of online appointment booking, contacting clients to reply to their online enquiries, etc.
When you visit our website(s) and/or use our mobile application(s), the servers will collect data relating to your visits to/use of such website(s) and/or use of such mobile application(s), including but not limited to your IP addresses (and domain names), the types and configurations of browsers, language settings, geo-locations, operating systems, previous sites visited, the time/duration and the pages visited (log files). We use these log files for the purpose of maintaining and improving our website(s) and/or mobile application(s) such as to determine the optimal screen resolution, which pages have been most frequently visited, etc.
We do not use, and have no intention to use, the visitor data to personally identify anyone.
If you interact with us on social media platforms (e.g., by “Liking” our Facebook page), we can interact with you and send you messages via these platforms. We will interact with you in accordance with the social media platform’s rules, but we are not responsible for how the platform operators collect and handle your personal data. We are not responsible for the content posted on our social media accounts by third parties.
Cookies are small blocks of data generated by a webserver while a user is browsing a website and placed on the user's computer or other device by the user's web browser. Some cookies allow us to improve your digital experience when you navigate our website(s) and/or mobile application(s), while others are used to enable us to store and track information about your interests and preferences at our website(s) and/or mobile application(s). We may also engage third parties to track and analyze non-personally identifiable data from our website(s) and/or mobile application(s). We use the data collected by such third parties to help us manage and improve our website(s) and/or mobile application(s) and to analyze usage of the same. It is important to note that this is unrelated to and separate from your personal data. However, such third parties may combine the non-personally identifiable data that we provide about you with other information that they have collected to produce personally identifiable data. If you do not wish to allow the use of cookies, you can disable them through your browser settings, but if you do so you may not be able to utilize certain functionality of the website(s) and/or mobile application(s).
Our IT systems are developed and maintained by our internal teams as well as carefully selected third-party service providers, all of whom are contractually obligated to comply with stringent confidentiality and data protection requirements. We have implemented rigorous outsourcing governance and oversight mechanisms to ensure the security, confidentiality, and integrity of any personal data processed or stored on our behalf.
We use Amazon Web Services (AWS), operated by Amazon Web Services, Inc., headquartered in Seattle, WA 98108-1226, USA, to host our website and database, with data primarily stored in data centers located in Hong Kong. Email communications related to our website services are handled via email servers based in Singapore. Personal data collected and processed through AWS infrastructure is solely for the legitimate purpose of providing and maintaining these IT and communication services for our organization. AWS implements and maintains technical and organizational security measures applicable to AWS cloud infrastructure services under globally recognized security assurance frameworks and certifications, including ISO 27001, ISO 27017, ISO 27018, PCI DSS Level 1, and SOC 1, 2 and 3. These technical and organizational security measures are validated by independent third-party assessors, and are designed to prevent unauthorized access to or disclosure of personal data.
Please note, while we control our IT infrastructure and data processing configurations in AWS, we do not control external email servers used by recipients beyond our system boundary. For detailed information on AWS's privacy and compliance practices relevant to Hong Kong, please refer to the following:
As part of our AWS cloud hosting arrangement, we use Amazon CloudFront, a content delivery network (CDN) provided by AWS, to enhance website performance and bolster security measures. CloudFront utilizes a global network of edge servers to accelerate content delivery and employs SSL/TLS encryption to secure communications between users and our website. During your interactions with our website, Amazon CloudFront processes certain technical data, such as your IP address and related metadata, strictly to provide and optimize these content delivery and security services while maintaining compliance with privacy standards.
Should you wish to block Amazon CloudFront scripts, you may do so using browser-based script blockers or other privacy tools. However, please be aware that such actions may degrade your browsing experience or impact website functionality. For more information on Amazon CloudFront’s privacy practices, please refer to the AWS Privacy Notice: https://aws.amazon.com/cn/privacy/
AWS is vigilant about data security and does not disclose or move data in response to a request from the U.S. or other government unless legally required to do so in order to comply with a legally valid and binding order, such as a subpoena or a court order, or as is otherwise required by applicable law. Non-U.S. governmental or regulatory bodies typically must use recognized international processes, such as Mutual Legal Assistance Treaties with the U.S. government, to obtain valid and binding orders. For more information, please refer to the Amazon Information Requests Portal online: https://www.amazon.com/gp/help/customer/display.html?nodeId=GYSDRGWQ2C2CRYEF
This serves to inform our website users that the storage and/or processing of relevant personal data is outsourced to a cloud service provider. Consequently, such personal data may be stored or processed in jurisdictions outside the Hong Kong Special Administrative Region. Users should be aware that, in these jurisdictions, the relevant personal data may be subject to access or disclosure requests by local law enforcement or national security agencies under applicable laws.
We accept payments for selected services through AlipayHK, AsiaPay, Faster Payment System (FPS), Hang Seng Bank Alipay Service, and WeChat Pay (Hong Kong and Mainland China wallet). When making payments via these gateways, users are required to provide personal information—including, but not limited to, credit/debit card and billing contact details—directly to the respective organisations.
By choosing to make a payment through any of these online gateways, users agree to be bound by each respective service’s payment terms, as set forth by the relevant organisation. These terms may be updated from time to time. We strongly recommend that users read the privacy policies or statements of each service provider before using these payment options.
Below are links to the privacy policies/statements of each relevant organisation for your reference:
Our website(s) and/or mobile application(s) may from time to time contain links to other third party websites or mobile applications. These other third party websites or mobile applications are independent of our website(s) or mobile application(s). We have no control or management over the contents of such other websites, mobile applications or their privacy policies or compliance with law. It is important for you to note that the provisions of such links do not constitute an endorsement, approval, or any form of association by or with us. We have no control over your personal data submitted by you, if any, to other websites or mobile applications. We recommend that you read the respective privacy policies of other websites or mobile applications carefully.
Security arrangements will be reviewed regularly to ensure that the personal data we hold is protected against unauthorized or accidental access, processing, erasure, loss or use. The security arrangements include, without limitation, the following:
Although we will do our best to protect your personal data, we cannot guarantee the security of your personal data during transmission to our website. Any transmission of personal data is at your own risk.
We will take all reasonably practicable steps to erase personal data collected which is no longer necessary for the purposes for which it is to be used.
When you provide personal data to us, please make sure the data provided is accurate and complete. Failure to provide accurate or complete information may affect our ability to provide services for the healthcare purposes mentioned.
You should note that your personal data (including health information) may be made available to:
In addition to the above, we will only use, disclose or transfer the personal data you provided to us for, first, purposes relating to your healthcare or directly related purposes or, secondly, where permitted by law. We will need to obtain your consent before using your personal data for any other purposes.
Without your consent, we cannot use or provide to third parties (whether intra-group and/or external parties) your personal data for the purpose of direct marketing. Subject to your consent, we may use or provide to third parties (whether intra-group and/or external parties) your personal data for direct marketing purposes in accordance with the personal information collection statement provided to you on or before collection of your personal data. You may withdraw your consent at any time by writing to the Marketing Department, Union Hospital, 18 Fu Kin Street, Tai Wai, Shatin, New Territories, Hong Kong Special Administrative Region or by email at marketing@union.org.
If you wish to access or correct your personal data, you may do so under the Personal Data (Privacy) Ordinance. Please contact our Nursing Staff during office hours / Data Protection Officer by mail to Union Hospital, 18 Fu Kin Street, Tai Wai, Shatin, New Territories, Hong Kong Special Administrative Region (Marked Confidential) or via email at privacy@union.org.
This Privacy Policy Statement may from time to time be updated, revised or amended. Any update, revision or amendment will be effective immediately upon being posted on our website(s) and/or mobile application(s). Where legally required, we shall notify you and/or obtain your consent for any major changes. If you do not accept the update, revision or amendment, and/or provide your consent, then we may not be able to provide goods or services to you. You are advised to check our website(s) and/or mobile application(s) for updates to this Privacy Policy Statement on a regular basis.
These terms and conditions are governed by and construed in accordance with the laws of Hong Kong Special Administrative Region and you agree to submit to the exclusive jurisdiction of the courts of Hong Kong Special Administrative Region.
For any enquiries regarding personal data privacy policy and practice, please contact our Data Protection Officer by mail to Union Hospital, 18 Fu Kin Street, Tai Wai, Shatin, New Territories, Hong Kong Special Administrative Region or via email at privacy@union.org (Marked Confidential).
This Privacy Policy Statement is effective from the date of posting and supersedes any previous versions. This Privacy Policy Statement has been translated into Chinese. If there is any inconsistency or ambiguity between the English version and the Chinese version, the English version shall prevail.
We keep our privacy policy statement under regular review. This statement was last updated on 15 Oct 2025.