The Group strives to attain and maintain high standards of corporate governance best suited the needs and interests of the Group as it believes that an effective corporate governance framework is fundamental to promoting and safeguarding interests of shareholders and other stakeholders and enhancing shareholder value.
Accordingly, the Group has adopted and applied corporate governance principles and practices that emphasise a quality board, effective risk management and internal control systems, stringent disclosure practices, transparency and accountability. It is committed to continuously enhancing these practices and inculcating an ethical corporate culture.
Service & Product Responsibility
As the telecommunications industry changes rapidly, it faces significant pressure from technological advances and rising consumer expectations. Operators need to build consumer trust and meet customers’ growing demands for higher speeds and wider coverage. To do this, they need to do more than merely offering the latest handsets and digital devices. They must also provide customers with flexibility and choices in the services they offer, in order to complement and enrich their customers’ lives. Apart from delivering sustainable value to its customers through digital connectivity, the Group endeavours to provide safe, reliable and high-quality products and network services that meet and surpass customer expectations.
Digitalised Customer Engagement and Experience
Customer engagement is crucial to understanding customer expectations and building brand loyalty. The Group engages with its customers through communication channels such as its customer service centres, social networking platforms, service hotlines, live webchat, online enquiries, emails, websites and mobile applications. The Group’s website at three.com.hk and the My3 application connect the Group to customers and help build long-lasting relationships with customers wherever they are. They give access to information about the Group’s latest promotions and offers and allow customers to manage their data and call time usage, top up, pay their bills, manage roaming services, purchase handsets and accessories, and access the 24/7 online 3iChat customer interface. The awards that the Group has received in recent years are evidence of its success in delivering quality products and services for excellent customer experience.
The Group welcomes customer feedback, which it uses to improve customer experience and to drive positive change in its businesses. The Group has established guidelines to ensure consistency in handling customer enquiries and complaints, and customer service representatives are trained to address customer concerns in a professional manner. All complaints are acknowledged, investigated, and duly followed up, and periodic reviews and analyses of complaints are conducted for continuous improvement. Details of the Group’s service performance targets and actual performance of the Group in areas such as service hotline performance and complaints handling are available on the three.com.hk website.
Data Privacy and Information Security
The rapid development of regulations on data privacy and information security is increasingly affecting the telecommunications industry, posing a growing challenge for operators in maintaining customer relationships. As such, the protection of personal data is fundamental to preserving the trust of customers and employees.
The Group is committed to safeguarding and protecting their personal data. Employees must collect and use personal data only in accordance with applicable data protection laws, the Group policies, procedures and guidelines pertaining to data privacy and security. Employees must not disclose any confidential information on the operation of the Group, nor that of its customers, suppliers, business partners or shareholders, except when disclosure is authorised in accordance with the Information Security Policy.
Data Privacy Policies and Control Systems
The Regulatory Advisory Committee, supported by the Data Protection Committee, is responsible for overseeing personal data protection of the Group. The Policy on Personal Data Governance (formerly known as "Policy on Personal Data Privacy Compliance”) and Information Security Policy together with the Code of Ethics and other related policies, procedures and guidelines of the Group, set out the governance framework for safeguarding employees and customers’ personal data. These policies are reviewed and updated periodically to allow timely communication with employees. Employees are required to submit a self-declaration annually to acknowledge and confirm compliance with all applicable Group policies.
The Group is also committed to ensuring effective customer data management. Legislative and regulatory requirements concerning personal data processing are embedded in all business activities. Appropriate technical and organisational measures have also been implemented. These measures are designed to implement data privacy principles effectively.
Data Privacy Principles
- Collect only necessary and relevant personal data for specified, clear and legitimate purposes
Use of Data / Data Access:
- Use personal data in a lawful, fair and transparent manner
- Provide a clear, transparent, understandable and updated Privacy Notice
- Ensure the use of personal data in compliance with applicable data protection laws
- Restrict employee access to personal data on a need-to-know basis only
- Take appropriate steps to ensure personal data held are accurate and up-to-date
- Use encryption techniques to retain, use and transmit personal data
- Maintain stringent and adequate security measures to protect personal data that the Group is entrusted against unauthorised or unlawful access
- Review security measures regularly to ensure protection level is appropriate
- Keep only personal data that are necessary for the fulfilment of the purposes for which they are being used, and in accordance with internal guidelines for document retention periods
- Erase personal data from the system that are no longer required for the purpose for which they were collected
Rights of Individuals:
- Process personal data in accordance with the rights of individuals under applicable data protection laws
- Handle requests from customers to access, amend or delete their personal data in a manner compliant with applicable data protection laws
Data Privacy Guidelines and Awareness Campaign
All employees are required to fully adhere to the Policy on Personal Data Governance , Internal Guidelines on Data Retention and Access to Personal Data , other relevant policies, procedures and guidelines of the Group as well as applicable data protection laws. Access to physical or computer records containing personal data is strictly controlled and requires management approval granted only on a “need-to-know” basis.
Regular trainings are organised to ensure that employees are up-to-date on the latest requirements and developments of the relevant rules and regulations. The Group issues operational guidelines, handbooks and periodic internal communications and conducts workshops to reinforce the importance of customer data protection among its customer-facing employees. The Group also conducts regular privacy risk assessments to evaluate prevailing privacy risks and the adequacy of mitigating controls.
Data Security and Incident Management
Data Security Incidents (“DSIs”) have increased in frequency, scale and severity in recent years globally. Loss or leakage of data, including customers’ or employees’ personal data as well as technical and trade information, could have significant consequences on the operations of the Group and could result in third-party claims and regulatory investigations.
The Cyber Security Working Group, chaired by the Chief Financial Officer, comprises relevant technical specialists from the Information Technology department and the Business Assurance & Compliance function. It oversees the cyber security defences of the Group to ensure that its efforts are effective, coherent and well-coordinated. The Cyber Security Working Group also monitors the cyber threat landscape to gain insights into emerging and existing attacks and their implications.
In the event of a DSI involving personal data, the Group will respond immediately according to applicable procedures to mitigate the potential consequences and secure personal data from further unauthorised access, use or damage. The Legal & Regulatory Affairs Department and the Corporate Security team of the Group will be alerted and the relevant authorities and affected individuals will be notified if required. Guidance on handling DSIs and the notification process is reviewed and updated periodically.
To raise cyber security awareness among employees, periodic training workshops are held. These equip them with adequate skills in handling customer and company information, as well as knowledge relating to the development of relevant cyber security rules and regulations. Through issuing security alerts, the Group also keeps its employees up-to-date and vigilant against fraudulent and phishing emails. Internal measures and policies are in place to minimise the risks associated with data exfiltration by restricting the use of mobile devices and removable drives.
Anti-Corruption and Whistleblowing Mechanism
The Group has zero-tolerance for bribery, corruption and fraud in any form. Stringent policies, guidelines and procedures are in place to uphold high standards of business ethics and integrity. All business partners, suppliers and third-party representatives are also encouraged to adopt the standards.
Anti-Fraud & Anti-Bribery (“AFAB”) Policy and Code of Ethics (the “Code”)
The AFAB Policy outlines the zero-tolerance approach of the Group to bribery and corruption and guides employees in victimising the circumstances which may lead to, or give the appearance of, being involved in corruption or unethical business conduct. It includes provisions relating to kickbacks, political and charitable contributions, gifts and hospitality, and procurement of goods and services. For political donations, in accordance with the AFAB Policy as well as the Media, Public Engagement and Donation Policy, it is the general policy of the Group not to make any forms of donations to political associations or individual politicians.
The Code sets out the professional and ethical standards for the employees to observe in all business dealings, including provisions dealing with conflict of interests, fair dealings and integrity, corruption, political contribution, confidentiality, personal data protection and privacy, as well as whistleblowing procedures.
Confidential Whistleblowing Mechanism
The Group has monitoring measures and procedures in place to detect bribery, fraud or other acts of malpractice. Employees and all other relevant stakeholders are encouraged to raise their concerns of suspected acts of misconduct, malpractice or fraud through the whistleblowing mechanisms of the Group. All reported incidents will be investigated and followed up independently and reported by the internal audit function of the Group to the Audit Committee and senior management. All reported incidents will be treated in a highly confidential manner and whistleblowers will be protected from unfair dismissal, victimisation or unwarranted disciplinary action.
The Group is committed to ensuring that it operates in compliance with all applicable local laws, rules and regulations of the jurisdictions in which it operates. Regulatory frameworks within which the Group operates are scrutinised and monitored, whereby relevant internal policies are prepared and updated accordingly.
Supply Chain Management
The Group engages a broad range of business partners and suppliers in its operations. The Group is committed to maintaining the integrity of its supply chain by managing associated complex legal, social, ethical and environmental risks. Through regular dialogue and cooperation, the Group extends its high level of business ethics and integrity standards to its business partners and suppliers. As a responsible industry leader, the Group is a proponent of sound environmental performance, social well-being and sustainable practices.
Sourcing Responsibly and Engaging Suppliers
The Group recognises its far-reaching influence on its supply chain. The Supplier Code of Conduct sets out the standards expected of its business partners and suppliers, encompassing specific criteria and standards in terms of quality, environmental performance, ethics, health and safety, and regulatory compliance. The Supplier Code of Conduct is also addressed in the Human Rights Policy and Modern Slavery and Human Trafficking Statement of the Group.
Supply Chain Management
The Group follows international best practices and employs a fair, unbiased and transparent tendering process. All tenderers are required to declare any conflicts of interest and be vigilant against fault, bribery and misconduct. Supplier relationships will be suspended or terminated if breaches are discovered.
The Group encourages business partners and suppliers to consider the risks posed to their operations by climate change, and be proactive in mitigating the environmental impact of their activities. The Group also invites business partners and suppliers to emulate the standards, practices and principles outlined below, as well as those contained in the Environmental Policy of the Group.
Group policies including but not limited to the Purchasing Policy, Business Partner Evaluation Policy and AFAB Policy, in conjunction with various controls and procedures, provide direction and guidelines on evaluating and engaging with business partners and suppliers. The procurement teams of the Group are trained to apply these policies and procedures with due care and diligence when engaging with business partners and suppliers. Business partners are required to acknowledge compliance with the Supplier Code of Conduct in the course of their business activities with the Group. Regular assessments and thorough evaluations are also conducted on the business partners and suppliers of the Group.
Key governance and sustainability policies and guidelines of the Group, the Corporate Governance Report and the Sustainability Report are posted on the website of the Company.