Hong Kong’s ID card – An Overview
Graham Greenleaf
Director, Cyberspace Law & Policy Centre
Faculty of Law, University of New South Wales
26 January 2006
[This is an extract from a draft book chapter, authored jointly with Robin McLeish.]
Since 2003 Hong Kong has been replacing its laminated paper
ID cards, which have existed since World War II, with a multi-purpose smart
card. Both the existing ‘dumb’ card and the new smart card are at
the core of personal data flows in Hong Kong.
The dumb ID card – legitimating function creep
Since its introduction at the end of World War Two there has
been general acceptance of an ID card as a means of dealing with illegal
immigration and border security. All persons over the age of 11 residing in
Hong Kong are required to obtain an ID card, which includes a unique
identification number. By law, a person ‘in all dealings with
government’ must provide his ID card number where required,
notwithstanding any other law to the contrary (Registration of Persons Ordinance
(ROPO) s5(1)(b)). Prior to Hong Kong’s 1996 privacy Ordinance (PDPO,
1996), the card and number were also required by a wide range of private sector
organisations in the absence of any law that prevented this. Their use for many
purposes created a great deal of convenience for individuals as well as business
and government. Proving one’s identity was, and is, a simple matter, the
one caveat being that only government authorities have the means to ascertain
whether the ID card that is proffered is lost, stolen or a good
counterfeit.
In 1997 the Privacy Commissioner issued a Code of Practice
on the ID number (HKPCO Code 1997), as required by the Ordinance (PDPO 1996
s12(8)). The Code specifies, as a rebuttable matter of law, how the Ordinance
applies to the ID number (PDPO 1996, s12). This was the main opportunity to
control the ID card and number, but the opportunity was lost when the
Commissioner took the view that ‘roll-back’ was not a viable option
(even in the private sector) in the absence of specific statutory direction or a
strong body of public opinion calling for this, and that the most that the Code
could (and did) achieve was a degree of ‘ring-fencing’ of existing
uses, with some modest gains on the fringes. Because of ROPO s5 it is very
difficult for the Commissioner to limit the potential range of uses of the ID
card in the public sector.
In the public sector, the Code (HKPCO Code 1997) does not
impose limits on the collection of ID numbers by government agencies (para
2.3.1). It also allows the ID numbers to be used as a multi-purpose internal
identifier by any organisation (para 2.3 and particularly para 2.3.3.3). The
controls the Commissioner can impose on data matching (discussed later) take on
greater significance in this context because the ability of Hong Kong agencies
to collect and use ID numbers makes matching exercises so much easier.
In the private sector, the Code allows routine collection of
ID numbers (private bodies cannot legally compel disclosure, but they can
make it a condition of doing business with an individual) by any organisation
that requires some reliability of identification in order to avoid non-trivial
losses (HKPCO Code 1997, para 2.6.3) and allows such numbers to be used as
multi-purpose internal identifiers by any organisation. At present the main
protection against more extensive use of ID numbers by the private sector is the
difficulty of collecting ID numbers by automated means. Copies of cards (eg by
fax) may be required to verify identity remotely. ID numbers may be shared with
other private sector organisations where collected for ‘a purpose shared
by both’, but if the disclosure is for purposes of ‘data
matching’ it would have to satisfy the separate rules that govern this
(discussed later).
ID card complaints illustrate ‘day to day’ privacy protection
The breadth of use of the ID card and number in Hong Kong is
illustrated by complaints about them reported by the Commissioner. The
Commissioner’s findings in these complaints also illustrate that, while
the Code is broad, it is still possible to breach it and the Data Protection
Principles (DPPs) underlying it. While they are a particular subset of the
complaints received by the Commissioner, they also illustrate the wide range of
‘day to day’ unspectacular events that are the substance of privacy
invasion in Hong Kong. Within this Chapter it will not be possible to
illustrate typical complaints in many other subject areas.
Wrongful disclosure (DPP 3) makes up the majority of ID
complaints, consistent with such complaints comprising more than half of the
complaints received in all subject areas. A newspaper that published a copy of a
witness statement by a police undercover agent engaged on a criminal
investigation case, which included his ID number and name, was held to have made
an unauthorized disclosure ([2002] HKPrivCmr 3). When a prosecuting authority
provided a witness statement to a defendant, it was found to be an unauthorized
disclosure for it to include the witness’s ID number in the statement
([2004] HKPrivCmr 5). A finance company disclosed to its debt collector a copy
of a debtor’s ID card, and the debt collector put a copy on an envelope
sent to the debtor. Both were found to have made unauthorized disclosures
([1998] HKPrivCmr 19). Disclosing an ex-employee’s ID number to customers was
found to be unauthorized disclosure by an employer, not justified by attempting
to stop him poaching business ([1998] HKPrivCmr 10). Despite the fact that
customers were informed on collection that their data would be used for direct
marketing purposes, inclusion of ID numbers in data provided to an affiliated
company was found to be unauthorized disclosure ([2002] HKPrivCmr 7). A property
company that disclosed tenants’ ID numbers and other particulars to an
affiliated ‘club’ that provided numerous services was found to have done so
with no justification ([2004] HKPrivCmr 7).
Where actions cause inadvertent disclosures, or make it
easier for disclosures to others to occur, this is treated as a breach of the
security principle (DPP 4), not the disclosure principle. Where a mobile phone
service company provided an Internet billing service to its customers through
its website, but used the first six digits of its customers’ ID numbers as
the default password, this was held to be in breach of the security principle
([2003] HKPrivCmr 3). A radio station that kept a list of ID numbers of
prize-winners as evidence that prizes had been paid out was found to have
breached the security principle in allowing other prize-winners to see them when
they collected their prize ([1998] HKPrivCmr 5). A similar breach was found to
have occurred when a printer for a department store mistakenly included
customers’ whole ID numbers on promotional materials, not just the first
four digits ([1998] HKPrivCmr 12). A bank staffer left a briefcase in a public
bus and lost all the credit card applications and copies of ID cards of
applicants gathered during a promotion ([2004] HKPrivCmr 3). The Commissioner
did not object to the common practice at many commercial buildings that any
person visiting the buildings outside office hours is required to provide
personal details in a register including their identity card number, but
cautioned about leaving the registers in open view and not destroying the
content when no longer required ([1998] HKPrivCmr 4).
Excessive collection (DPP 1) is a source of ID complaints
but not in any important situations due to the Code’s liberal acceptance
of collection of ID numbers. It was found to be excessive collection for an
employment agent to require an employer to leave a copy of his ID card with the
agent as some type of assurance that commission would be paid ([2002] HKPrivCmr
1). Similarly, requiring a copy of an ID card to verify that a cash refund had
been given to the correct person was found to be excessive – but requiring
production of the ID card for inspection was considered permissible ([2003]
HKPrivCmr 1). It was excessive collection to include ID numbers on a membership
card for a gift redemption scheme ([1998] HKPrivCmr 14).
The smart ID card – designed to be out of control
The core problem of the Hong Kong ID system is that its
purpose has never been defined with precision even for the public sector and not
at all for the private sector, and it has therefore always been susceptible to
‘function creep’. The smart ID card capitalises on, and increases
the dangers of, this weakness.
The ‘roll-out’ of smart cards to replace the
existing ID cards started in 2003 and will be completed in 2006, so its effects
have not yet been fully felt. The conversion to a smart-card-based system
exacerbates the core problem of lack of defined purpose by being based on an
intended but undefined expansion of functions into a multi-purpose smart card.
As one key agency put it, '[t]he potential use of the chip is large and new
possible functions are emerging all the time' (ITBB, 2001). At various times,
uses that have been under consideration include general access to government
services, e-voting, health records and an electronic purse. It has been stated
by the government that the separate ‘card-face data’ segment will
give ‘flexibility’, and will allow ‘case by case’
approval of other applications for the purpose of ‘authenticating citizens
before services are provided’ (ITBB, 2002).
The smart ID is being introduced with four non-immigration
functions already provided: it will also constitute the driver’s licence,
central library card, a token to carry a digital signature, and an online change
of address function. The Administration claimed that all the non-immigration
uses are voluntary. This is true in the limited sense that it is not compulsory
to have extra information on the ID card, and the four applications can be
achieved by other means. However in each case the extent of 'voluntariness' is
significantly limited or qualified, either in that citizens/consumers will not
remain unaffected by new uses even if they ostensibly opt out of them, or in
that they are not being given a genuinely non-discriminatory choice (Greenleaf,
2002). It is a multi-function smart card from birth.
Of more concern than these initial multi-functions is the
potential for long term expansion of uses, and how this expansion may be largely
free of democratic safeguards. The technical capacity of the chip on the card
is sufficient for it to carry an extensive array of additional applications and
data. During the debates on the enabling legislation for the smart ID card,
the Legislative Council (LegCo) did not reconsider the existing uses of the ID
card and number by either the public or private sectors, or give serious
consideration to imposing limits on future uses.
The resulting legislative amendments (Registration of Persons (Amendment)
Ordinance 2003) give LegCo a very weak degree of control over the
expansion of uses of the smart ID card and its associated number and database
(Greenleaf 2002). The card (and chip) can have new data and functions added
merely by amendments to a Schedule to the regulations (Schedule 5 ROP Regs).
Such changes are disallowable by LegCo but do not require positive LegCo
approval (IGCO s34). Most additional new government uses will not require changes to the
card or chip, and can therefore proceed without any LegCo approval. Based on
past experience, any changes to the Commissioner’s ID Code to address the
multi-functionality of the smart ID card are unlikely to impose any significant
restrictions on it.
The enigma of public opinion
When the smart ID card was being debated in 2001-02, there
was no domestic NGO opposition, no press analysis or even letters to the editor,
no significant critical input from the Privacy Commissioner, and no serious
LegCo opposition. In submissions to LegCo, the only opposition to the
multi-function nature of the card and its expansion came from a visiting academic
(Greenleaf 2002), plus a critique of other aspects of the bill from one local
academic (Lee 2002).
However, only a couple of months after the ID legislation
was passed, Hong Kong politics in 2003 illustrated very clearly that the people
of Hong Kong can be roused to massive public protest in order to protect their
civil liberties. In June 2003 an estimated half a million people (from a
population of 6 million) took to the streets to protest against attempts by the
government to introduce a Security law, a law which it claimed it was required
to introduce by Article 23 of Hong Kong’s Basic Law. The government was
forced to abandon the law.
The new multi-purpose ‘smart’ ID card and
information system is arguably more privacy-invasive than systems which caused
massive protest and ultimate rejection in Australia and South Korea, and similar
in many respects to the proposal which is causing great controversy in the UK.
It seems that the people of Hong Kong have become accustomed to a multi-use ID
card system and wholly de-sensitised to concerns about the privacy impact of ID
cards which would be major privacy issues elsewhere.