October 9, 2024
Hong Kong Office of the Privacy Commissioner for Personal Data Issues Updated "Code of Practice on the Identity Card Number and Other Personal Identifiers: Compliance Guide for Data Users"
Authors:
- Gabriela Kennedy
- Joanna Wong
Introduction
In August 2024, the Hong Kong Office of the Privacy Commissioner for Personal Data (“PCPD”) released a revision of the “Code of Practice on the Identity Card Number and other Personal Identifiers: Compliance Guide for Data Users” (the “Code”) which had been in place since 1997. The Code offers practical guidance to organizations as data users on the use, collection, accuracy, retention, and security of Hong Kong Identity Card (“HKID Card”) numbers, HKID Card copies and other personal identifiers. The revised Code takes into account more recent challenges brought by contemporary technological developments.
The main tenor of the Code remains, namely that an individual should not be asked to provide a HKID Card or a HKID Card number unless the data user is so authorised by law. The revised Code emphasizes in its step-by-step guide that data users should consider and offer less privacy-intrusive methods of identification “wherever practicable”1 before requesting HKID Card numbers.
The Code requires data users to ensure that the copies of HKID Cards they collect are true copies of the HKID Cards held by the individuals concerned – in other words, the actual HKID Card will need to be inspected before a copy is taken. Given this, the current practice of collecting copies of HKID Cards via instant messaging applications, or through taking photos with smartphones, would not satisfy the requirement to inspect the actual HKID Card.2
When it comes to security safeguards, the revised Code also emphasizes that data users should refrain from transmitting a HKID Card copy or image “including by way of instant messaging applications” unless they have taken all reasonably practicable steps to ensure that the intended recipient is the only person who receives such copy or image.3 Apart from encryption and dedicated fax machines, the Code stipulates having dedicated email addresses for receiving confidential material as another method to safeguard security.
Conclusion
The PCPD is gradually updating all guidance notes and codes to take account of recent technological developments. Data users should also regularly review their data privacy policies and current personal data collection practices to ensure compliance with relevant laws and regulations.
1 Page 3 of the Code.
2 Page 10 of the Code.
3 Page 11 of the Code.