17 January 2002

Howard Womersley Smith

Smart ID cards: Are they smart enough?

As part of a drive to boost e-business and e-government services the Secretary of Information Technology and Broadcasting Bureau, Mrs Carrie Yau, announced just before the holidays the introduction of a new multi-use smart identity card to all 6.8 million Hong Kong identity cardholders from the middle of 2003.

The new smart ID card will contain a small amount of personal information such as thumbprints and a photo, similar to those already printed on identity cards, which will make it easier to confirm the identity of the holder of the card. They will also be able to be used as a library card and as a driving licence.

It is also anticipated that the smart ID cards will come with an option of a free digital certificate. Card holders will be offered a year's free use of a certification system embedded into the smart ID card which will allow card holders to authenticate their identity over the Internet by digital signature and encrypt electronic documents. This will open up a large amount of applications that may be used by card holders, such as government services (which may include the filing of tax returns) and secure Internet banking, stock trading and shopping.

The Government has commissioned Hongkong Post (which already issues digital certificates under the Electronic Transaction Ordinance (Cap. 553)) to create the digital certificate system, called E-cert, in an attempt to make Hong Kong people cyber citizens in a leading cyber city, as Mrs Yau calls it.

What are the legal implications here? Mrs Yau has already pointed out that various amendments will need to be made to existing laws, such as to the Registration of Persons Ordinance (Cap. 177). However, to date she has not spoken in detail on the potentially serious privacy implications of smart ID cards.

The Privacy Commissioner highlighted these implications when he described the proposed smart ID card as a comprehensive personal dossier which, due to its portability and ease of use, could make the embedded personal data accessible to many. The questions which therefore have to be addressed are the extent to which personal data on the cards will be accessible and the legal protection that will be provided to cardholders.

General protections of privacy can be found in Article 40 of the Basic Law (Cap. 2102) which protects the freedom and privacy of communication and in Article 14 of the Bill of Rights Ordinance (Cap. 383). Article 14 is particularly relevant to smart ID cards as it provides individuals with a right to privacy that is binding on the Government. The common law of confidentiality will also apply to data users as well as a number of criminal offences that relate to the unlawful misuse of technology.

However, the Personal Data (Privacy) Ordinance (Cap. 486) (the PDPO) provides the most protection to an individual's personal data and privacy. Its principles require, amongst other things, that the collection of personal data be necessary and that the personal data only be used to carry out a function or activity (unless the individual consents otherwise). Also, any retained personal data must be kept accurate, up-to-date and for no longer than is necessary. These restrictions could prevent cross use of data accumulated from the smart ID cards by separate branches of the Government.

Further, and this should provide comfort to individuals who intend to use the E-Cert system, the data user is required to provide information to individuals about the use of their personal data. This includes, amongst other things, whether it is obligatory or voluntary for the individual to supply the personal data that has been requested and to whom it will be transferred. The best way of communicating this information to an individual would be for a data user, such as the Immigration Department, to have a written personal data policy which it could provide to individuals.

In theory, the existing data protection rules will adequately protect an individual_ s personal data when using a smart ID card. However, ensuring compliance with those rules on a practical level may be more difficult. The Privacy Commissioner is likely to issue a Code of Practice in due course which issuers of the cards, including other branches of the Government, will be bound to apply.

There is some time before the smart ID cards are introduced. Hopefully, the Information Technology and Broadcasting Bureau will consult the Privacy Commissioner, potential Government and private sector data users and individuals so that the smart ID cards are developed to protect the interests of all parties concerned.

An edited version of this article was first published in South China Morning Post on 17/02/2002