Hong Kong’s ID card – An Overview
Graham Greenleaf
Director, Cyberspace Law & Policy Centre
Faculty of Law, University of New South Wales
26 January 2006
[This is an extract from a draft book chapter, authored jointly with Robin McLeish.]
Since 2003 Hong Kong has been replacing its laminated paper ID cards, which have existed since World War II, with a multi-purpose smart card. Both the existing ‘dumb’ card and the new smart card are at the core of personal data flows in Hong Kong.

The dumb ID card – legitimating function creep

Since its introduction at the end of World War Two there has been general acceptance of an ID card as a means of dealing with illegal immigration and border security. All persons over the age of 11 residing in Hong Kong are required to obtain an ID card, which includes a unique identification number. By law, a person ‘in all dealings with government’ must provide his ID card number where required, notwithstanding any other law to the contrary (Registration of Persons Ordinance (ROPO) s5(1)(b)). Prior to Hong Kong’s 1996 privacy Ordinance (PDPO, 1996), the card and number were also required by a wide range of private sector organisations in the absence of any law that prevented this. Their use for many purposes created a great deal of convenience for individuals as well as business and government. Proving one’s identity was, and is, a simple matter, the one caveat being that only government authorities have the means to ascertain whether the ID card that is proffered is lost, stolen or a good counterfeit.
In 1997 the Privacy Commissioner issued a Code of Practice on the ID number (HKPCO Code 1997), as required by the Ordinance (PDPO 1996 s12(8)). The Code specifies, as a rebuttable matter of law, how the Ordinance applies to the ID number (PDPO 1996, s12). This was the main opportunity to control the ID card and number, but the opportunity was lost when the Commissioner took the view that ‘roll-back’ was not a viable option (even in the private sector) in the absence of specific statutory direction or a strong body of public opinion calling for this, and that the most that the Code could (and did) achieve was a degree of ‘ring-fencing’ of existing uses, with some modest gains on the fringes. Because of ROPO s5 it is very difficult for the Commissioner to limit the potential range of uses of the ID card in the public sector.
In the public sector, the Code (HKPCO Code 1997) does not impose limits on the collection of ID numbers by government agencies (para 2.3.1). It also allows the ID numbers to be used as a multi-purpose internal identifier by any organisation (para 2.3 and particularly para ). The controls the Commissioner can impose on data matching (discussed later) take on greater significance in this context because the ability of Hong Kong agencies to collect and use ID numbers makes matching exercises so much easier.
In the private sector, the Code allows routine collection of ID numbers (private bodies cannot legally compel disclosure, but they can make it a condition of doing business with an individual) by any organisation that requires some reliability of identification in order to avoid non-trivial losses (HKPCO Code 1997, para 2.6.3) and allows such numbers to be used as multi-purpose internal identifiers by any organisation. At present the main protection against more extensive use of ID numbers by the private sector is the difficulty of collecting ID numbers by automated means. Copies of cards (e.g. by fax) may be required to verify identity remotely. ID numbers may be shared with other private sector organisations where collected for ‘a purpose shared by both’, but if the disclosure is for purposes of ‘data matching’ it would have to satisfy the separate rules that govern this (discussed later).

ID card complaints illustrate ‘day to day’ privacy protection

The breadth of use of the ID card and number in Hong Kong is illustrated by complaints about them reported by the Commissioner. The Commissioner’s findings in these complaints also illustrate that, while the Code is broad, it is still possible to breach it and the Data Protection Principles (DPPs) underlying it. While they are a particular subset of the complaints received by the Commissioner, they also illustrate the wide range of ‘day to day’ unspectacular events that are the substance of privacy invasion in Hong Kong. Within this Chapter it will not be possible to illustrate typical complaints in many other subject areas.
Wrongful disclosure (DPP 3) makes up the majority of ID complaints, consistent with such complaints comprising more than half of the complaints received in all subject areas. A newspaper that published a copy of a witness statement by a police undercover agent engaged on a criminal investigation case, which included his ID number and name, was held to have made an unauthorized disclosure ([2002] HKPrivCmr 3). When a prosecuting authority provided a witness statement to a defendant, it was found to be an unauthorized disclosure for it to include the witness’s ID number in the statement ([2004] HKPrivCmr 5). A finance company disclosed to its debt collector a copy of a debtor’s ID card, and the debt collector put a copy on an envelope sent to the debtor. Both were found to have made unauthorized disclosures ([1998] HKPrivCmr 19). Disclosing an ex-employee’s ID number to customers was found to be unauthorized disclosure by an employer, not justified by attempting to stop him poaching business ([1998] HKPrivCmr 10). Despite the fact that customers were informed on collection that their data would be used for direct marketing purposes, inclusion of ID numbers in data provided to an affiliated company was found to be unauthorized disclosure ([2002] HKPrivCmr 7). A property company that disclosed tenants’ ID numbers and other particulars to an affiliated ‘club’ that provided numerous services was found to have done so with no justification ([2004] HKPrivCmr 7).
Where actions cause inadvertent disclosures, or make it easier for disclosures to others to occur, this is treated as a breach of the security principle (DPP 4), not the disclosure principle. Where a mobile phone service company provided an Internet billing service to its customers through its website, but used the first six digits of its customers’ ID numbers as the default password, this was held to be in breach of the security principle ([2003] HKPrivCmr 3). A radio station that kept a list of ID numbers of prize-winners as evidence that prizes had been paid out was found to have breached the security principle in allowing other prize-winners to see them when they collected their prize ([1998] HKPrivCmr 5). A similar breach was found to have occurred when a printer for a department store mistakenly included customers’ whole ID numbers on promotional materials, not just the first four digits ([1998] HKPrivCmr 12). A bank staffer left a briefcase in a public bus and lost all the credit card applications and copies of ID cards of applicants gathered during a promotion ([2004] HKPrivCmr 3). The Commissioner did not object to the common practice at many commercial buildings that any person visiting the buildings outside office hours is required to provide personal details in a register including their identity card number, but cautioned about leaving the registers in open view and not destroying the content when no longer required ([1998] HKPrivCmr 4).
Excessive collection (DPP 1) is a source of ID complaints but not in any important situations due to the Code’s liberal acceptance of collection of ID numbers. It was found to be excessive collection for an employment agent to require an employer to leave a copy of his ID card with the agent as some type of assurance that commission would be paid ([2002] HKPrivCmr 1). Similarly, requiring a copy of an ID card to verify that a cash refund had been given to the correct person was found to be excessive – but requiring production of the ID card for inspection was considered permissible ([2003] HKPrivCmr 1). It was excessive collection to include ID numbers on a membership card for a gift redemption scheme ([1998] HKPrivCmr 14).

The smart ID card – designed to be out of control

The core problem of the Hong Kong ID system is that its purpose has never been defined with precision even for the public sector and not at all for the private sector, and it has therefore always been susceptible to ‘function creep’. The smart ID card capitalises on, and increases the dangers of, this weakness.
The ‘roll-out’ of smart cards to replace the existing ID cards started in 2003 and will be completed in 2006, so its effects have not yet been fully felt. The conversion to a smart-card-based system exacerbates the core problem of lack of defined purpose by being based on an intended but undefined expansion of functions into a multi-purpose smart card. As one key agency put it, '[t]he potential use of the chip is large and new possible functions are emerging all the time' (ITBB, 2001). At various times, uses that have been under consideration include general access to government services, e-voting, health records and an electronic purse. It has been stated by the government that the separate ‘card-face data’ segment will give ‘flexibility’, and will allow ‘case by case’ approval of other applications for the purpose of ‘authenticating citizens before services are provided’ (ITBB, 2002).
The smart ID is being introduced with four non-immigration functions already provided: it will also constitute the driver’s licence, central library card, a token to carry a digital signature, and an online change of address function. The Administration claimed that all the non-immigration uses are voluntary. This is true in the limited sense that it is not compulsory to have extra information on the ID card, and the four applications can be achieved by other means. However in each case the extent of 'voluntariness' is significantly limited or qualified, either in that citizens/consumers will not remain unaffected by new uses even if they ostensibly opt out of them, or in that they are not being given a genuinely non-discriminatory choice (Greenleaf, 2002). It is a multi-function smart card from birth.
Of more concern than these initial multi-functions is the potential for long term expansion of uses, and how this expansion may be largely free of democratic safeguards. The technical capacity of the chip on the card is sufficient for it to carry an extensive array of additional applications and data. During the debates on the enabling legislation for the smart ID card, the Legislative Council (LegCo) did not reconsider the existing uses of the ID card and number by either the public or private sectors, or give serious consideration to imposing limits on future uses.
The resulting legislative amendments (Registration of Persons (Amendment) Ordinance 2003) give LegCo a very weak degree of control over the expansion of uses of the smart ID card and its associated number and database (Greenleaf 2002). The card (and chip) can have new data and functions added merely by amendments to a Schedule to the regulations (Schedule 5 ROP Regs). Such changes are disallowable by LegCo but do not require positive LegCo approval (IGCO s34). Most additional new government uses will not require changes to the card or chip, and can therefore proceed without any LegCo approval. Based on past experience, any changes to the Commissioner’s ID Code to address the multi-functionality of the smart ID card are unlikely to impose any significant restrictions on it.

The enigma of public opinion

When the smart ID card was being debated in 2001-02, there was no domestic NGO opposition, no press analysis or even letters to the editor, no significant critical input from the Privacy Commissioner, and no serious LegCo opposition. In submissions to LegCo, the only opposition to the multi-function nature of the card and its expansion came from a visiting academic (Greenleaf 2002), plus a critique of other aspects of the bill from one local academic (Lee 2002).
However, only a couple of months after the ID legislation was passed, Hong Kong politics in 2003 illustrated very clearly that the people of Hong Kong can be roused to massive public protest in order to protect their civil liberties. In June 2003 an estimated half a million people (from a population of 6 million) took to the streets to protest against attempts by the government to introduce a Security law, a law which it claimed it was required to introduce by Article 23 of Hong Kong’s Basic Law. The government was forced to abandon the law.
The new multi-purpose ‘smart’ ID card and information system is arguably more privacy-invasive than systems which caused massive protest and ultimate rejection in Australia and South Korea, and similar in many respects to the proposal which is causing great controversy in the UK. It seems that the people of Hong Kong have become accustomed to a multi-use ID card system and wholly de-sensitised to concerns about the privacy impact of ID cards which would be major privacy issues elsewhere.