III. Privacy issues
Smart ID card development
The Hong Kong British Government first introduced an identity card system for its residents in 1949.1 In 2002, the HKSAR Government introduced a smart identity card with a chip that contains a digital replica of the cardholder's thumbprint, immigration data, and a digital certificate, and has room for other information, including medical and financial data and driving records.2
In early 2005, the HKSAR government disclosed the last of the four consultancy reports assessing the privacy impact of the Smart ID Card Project, an identity card replacement exercise that was implemented in August 2003 and completed in March 2007. The Hong Kong Smart ID Card Replacement Exercise mandated that holders of existing identity cards also had to apply for smart ID cards from January 24 to March 12, 2005. The Replacement Exercise covered all Hong Kong residents, permanent and temporary.3 Failure to apply for a new card constituted an offence that could be prosecuted and subject to a penalty of HKD5,000 (about US$643).4 The multifunction smart ID card contains basic identity details such as the photograph and fingerprint biometric of the holder, and can also contain an electronic certificate (e-Cert) for electronic transactions.5
The smart ID card was criticised for being too complicated to use. For instance, the e-Cert embedded in smart ID cards was designed to promote electronic commerce transactions.6 More than HKD 240million (~US$31 million) was invested in developing and implementing the e-Cert system. But a survey found that only 10% of those with newly obtained ID cards had used e-Cert.7 An additional HKD10 million (~US$1.3 million) was invested in 2005-2006 to promote the use of e-Cert.8 The smart card also functions as a library card for all public libraries, and as an immigration document.9
Since 1998, Hong Kong banks have shared a "blacklist" of loan defaulters and borrowers who have court judgments issued against them under the Code of Practice on Consumer Credit Data issued by the Privacy Commissioner under Section 12 of the PDPO. Through the use of a central credit database operated by a credit reference agency (CRA), credit providers can ask for the credit report of an individual, primarily looking for negative credit data (that is, data relating to default in payment). But faced with an unprecedented five-fold increase in bankruptcies after the financial crisis in 1999, banks proposed an amendment to the PDPO allowing them to share even more personal data through a newly created third-party agency. The so-called "positive data-sharing agency" would be run by a private company and modelled after British and North American institutions.10 The agency would allow banks to share information between each other on the amount of a credit seeker's outstanding credit card debt, cards held, credit limit, past due accounts, residential mortgages, and other types of consumer credit.11 The Hong Kong Monetary Authority and the Privacy Commissioner supported the proposal, but HKSAR legislators, consumer advocates, and the public did not, citing privacy concerns.12 A representative of one of Hong Kong's largest banks even responded to these concerns by saying that "privacy [was] no longer relevant."13
In 2003, the Privacy Commissioner opened a public consultation on the credit issue and proposed relaxing restrictions on data sharing between banks.14 Specifically, amendments to the Consumer Credit Data Code would extend the period of retention of credit application data by a credit reference agency from 90 days to five years and extend the period for retention of file activity data from 12 months to five years. Further proposals would allow the release of file activity data by a credit reference agency to credit providers, and to prevent credit providers from accessing an individual's data held by a credit reference agency except where there was a relevant need to do so.
In June 2003, some of the proposed revisions to the Code of Practice on Consumer Credit Data took effect.15 The revisions allowed positive credit data to be shared among credit providers. A 24-month transitional period (expiring June 2005) was mandated before there could be full access to, and use of, contributed data. Also, a provision was included in the amendment to require credit reference agencies to submit their operational procedures and systems to an annual independent privacy compliance audit. Because the two-year transitional period restricting the sharing of positive credit data expired on June 1, 2005, there is now full usage of positive credit data by credit providers subscribing to the credit reference agency services.
In January 2011, another consultation document was published by the Privacy Commissioner's Office on sharing positive mortgage data for residential properties and both positive and negative mortgage data for non-residential properties.16 The Revised Code was notified in the Gazette on 1 April 2011 and has taken effect since then.17 Under the revised Code, the sharing of pre-existing positive mortgage data requires the prescribed consent of existing mortgage customers. However, since the Code is not legally binding, any breach of it will not have any legal impact.18
In 2008, the Commissioner exercised his inspection power for the first time on the Hospital Authority's patients' personal data system in the wake of a spate of incidents in which patient data was lost, and published a report on its inspection of the Hospital Authority's personal data system. It also published a report covering an investigation into a particular patient's complaint about the loss of his personal data by a hospital.19
Government data leaks
In May 2008, it was reported that some sensitive personal data contained in documents apparently belonging to a government department were leaked onto the Internet via file-sharing software called "FOXY". The personal data consisted of 27 document files comprising internal memos, file minutes, and other documents, some marked "confidential", containing the names, dates of birth, and identification document types and numbers of eleven foreign visitors and three Hong Kong residents, as well as the names, ranks, and post titles of certain officers. Eventually, the department acknowledged that the leakage was due to the carelessness of the relevant staff in collecting and saving electronic copies of the document files for use as templates for sample case documents for self-study and future use in a personal computer at home, where the "FOXY" program was installed.
In July 2010, Octopus Rewards Limited ("ORL"), a company wholly owned by Octopus Holdings Limited ("OHL"), was discovered to have sold the personal data of 1.97 million registered individuals participating in the Octopus Rewards Program to six companies and made a profit of US$5.7 million out of the sale.20 Many Hong Kong residents use Octopus cards and have joined the rewards programme. In fact, Octopus cards could be said as a daily necessity for Hong Kong residents as they are used for both transportation and purchases. Not only is information about a person's journey or purchase recorded, but the holder's name, identity card number, and even credit card number may also be recorded. Octopus cards are like electronic identity cards and tracking devices. Prudence Chan, then CEO of OHL, admitted that Octopus had earned HK$44 million (US$5.7 million) in revenue by selling personal data of its clients to merchants since January 2006. Leong Kwok-kuen, the non-executive Chair of MTR Corporation Limited (OHL's majority shareholder), told the press in a news conference that the group would donate the HK$44 million in revenue to charity. The CEO of OHL, Prudence Chan, resigned over the scandal. A report was published by the PCPD.21 OHL accepted all the recommendations published in the reports of the PCPD, the Hong Kong Monetary Authority, and the Special Committee appointed by the Board of OHL. Octopus confirmed that it would adopt all of the recommendations in the Report released by the PCPD and did not have plans to apply for a judicial review of its findings.
Freedom of information
There is no legislation in Hong Kong that grants citizens a general right of access to government information. It was only near the end of the British colonial era in 1995 that the Hong Kong Government introduced a non-statutory code of practice, the Code on Access to Information,22 allowing citizens to request access to information held by government departments and bureau. The Code has remained in force since the return of the sovereignty over Hong Kong to the PRC. The Code endorses the principle of presumption of disclosure, and does not require citizens to provide reasons for seeking access to information. Citizens unsatisfied with decisions of government departments regarding their requests can complain to the Ombudsman. The Ombudsman can recommend that the department concerned disclose the requested information if he deems the complaint substantiated, but the recommendation is not binding on the departments. The Code includes 16 categories of exemptions, a substantial number of which are either overly broad or ambiguous; and the Code does not cover public enterprises or statutory and advisory bodies in the public sector charged with the functions of public services. The major defect of the Code is that it neither creates statutory rights nor affects the obligations of keeping confidential government information imposed by other laws. And citizens cannot apply for judicial review of violations of the Code by government departments.
In addition, a few laws in Hong Kong require government departments to either proactively publish or disclose upon request certain types of government information, especially information concerning public expenditure as well as public records relating to real estate, commerce, and finance.23 In contrast, however, there are few statutory obligations of disclosure regarding government information that relate to the people's livelihood or that help to promote public participation in policy-makings.
- 1. Hong Kong SAR Government, 'History of Hong Kong Identity Cards,' at http://archive.news.gov.hk/isd/ebulletin/en/category/lawandorder/021206/...
- 2. M. Landler, "Fine-tuning for Privacy, Hong Kong Plans Digital ID," New York Times, February 18, 2002, at C1.
- 3. "Hong Kong Residents Born in 1952-53 Start Applying for Smart ID Cards," Xinhua News Agency, Beijing, January 24, 2005.
- 4. Id.
- 5. "Hong Kong Government Rolling Out ID Cards Based on Keycorp Technology," Australian Associated Press (AAP), July, 28 2004.
- 6. Sylvia Hui, "Few Using too Complex Smart ID Cards," Financial Times: Asia Africa Intelligence Wire, May 26, 2005.
- 7. Id.
- 8. Id.
- 9. Smart ID homepage http://www.smartid.gov.hk/en/app/index.html.
- 10. J. Moir & L. Beckerling, "Privacy Goes Plastic," South China Morning Post, June 13, 2002.
- 11. L. Beckerling, "First Look at Sample Credit Risks Report," South China Morning Post, March 29, 2002.
- 12. See L. Leung, "HKMA Pushes Banks to Share Loan Histories," South China Morning Post, September 21, 2001, at 4; L. Beckerling, "Public Gets Say on Credit Bureau," South China Morning Post, May 4, 2002, at 1; E. Yiu, "Democrats to Consider Proposal for Credit Information Sharing," South China Morning Post, June 24, 2002, at 3, quoting Democratic Party financial affairs spokesman, Sin Chung-kai arguing that banks would only use credit sharing to boost profitability.
- 13. L. Beckerling, "Public Gets Say on Credit Bureau," South China Morning Post, May 4, 2002, at 1, quoting Anna Borzi of HSBC Securities stating "Privacy is over. There are already more things being recorded, coded and monitored than we can poke a stick at. If anybody seriously believes privacy can still be protected they are seriously deluded. That battle has been fought and lost."
- 14. See Privacy Commissioner for Personal Data, Code of Practice on Consumer Credit Data (Hong Kong, PCO, 2002); see also Privacy Commissioner for Personal Data, Consultation Paper on Amendments to the Consumer Credit Data Code, May 25, 2001.
- 15. "Amendments to Code of Practice on Consumer Credit Data Gazettes Tomorrow," Press Release of the Hong Kong Privacy Commissioner's Office, May 22, 2003, available at [link].
- 16. Office of the Privacy Commissioner for Personal Data, Hong Kong, Proposed Revisions to the Code of Practice on Consumer Credit Data: The Sharing of Mortgage Data for Credit Assessment Consultation Document, January 2011 at http://www.pcpd.org.hk/english/publications/con_doc2010.html
- 17. Office of the Privacy Commissioner for Personal Data, Hong Kong, The Personal Data (Privacy) Ordinance, Code of Practice on Consumer Credit Data (2011) at http://www.pcpd.org.hk/english/publications/files/CCDCode_2011_e.pdf
- 18. For discussion of problem of the Code, see Eric TM Cheung, 'Consumer Credit Data Sharing,' Presentation at Symposium of Personal Data and Privacy Protection in Hong Kong,' 12 July 2011, The University of Hong Kong at http://www.lawtech.hk/wp-content/uploads/2011/06/Session-I-1045-1110-Eri....
- 19. PCPD Annual Report (2008-2009).
- 20. Hong Kong Privacy Commissioner, 'The Collection and Use of Personal Data of Members under the Octopus Rewards Programme run by Octopus Rewards Limited , Report Number: R10-9866, 18 October 2010, at http://www.pcpd.org.hk/english/infocentre/press_20101004.html. .
- 21. Id.
- 22. Available at [http://www.access.gov.hk/en/code.htm].
- 23. Article 47 of the Basic Law requires declaration of assets by the Chief Executive. Declaration of interests by other principal officials are provided by the Code for Officials under the Political Appointment System. [http://www.cmab.gov.hk/doc/issues/code_en.pdf]. Other pieces of legislation expressly provide for the disclosure of information. For instance, Sec. 2C of the Town Planning Ordinance (Cap. 131) requires that meetings of the Town Planning Boards be open to the public. Sec. 21 of the Land Registration Regulations (Cap. 128A) provides that members of the public should be allowed to inspect, upon payment, land register or other records in the Land Registry concerning particulars of the property and its owner. Sec. 68 and 69 of the Trade Marks Rules (Cap. 559A), Sec. 147 of the Patents Ordinance (Cap. 514), Sec. 70 of the Registered Designs Ordinance (Cap. 522) allows members of the public to inspect materials regarding the registered intellectual properties. Some legislation indirectly gives rise to a duty of disclosure. For instance, Sec. 6 of the Public Finance Ordinance provides that estimates of expenditure for a financial year shall be included in an Appropriation Bill which shall be introduced into the Legislative Council. As both meetings of the LegCo and relevant minutes as well as discussed documents are generally open to the public, budgetary information are hence publicly accessible.