Hong Kong Office Of The Privacy Commissioner For Personal Data Issues Updated "Code Of Practice On The Identity Card Number And Other Personal Identifiers: Compliance Guide For Data Users"

INTRODUCTION

In August 2024, the Hong Kong Office of the Privacy Commissioner for Personal Data (“PCPD”) released a revision of the “Code of Practice on the Identity Card Number and other Personal Identifiers: Compliance Guide for Data Users” (the “Code”) which had been in place since 1997. The Code offers practical guidance to organizations as data users on the use, collection, accuracy, retention, and security of Hong Kong Identity Card (“HKID Card”) numbers, HKID Card copies and other personal identifiers. The revised Code takes into account more recent challenges brought by contemporary technological developments.

The main tenor of the Code remains, namely that an individual should not be asked to provide a HKID Card or a HKID Card number unless the data user is so authorised by law. The revised Code emphasizes in its step-by-step guide that data users should consider and offer less privacy-intrusive methods of identification “wherever practicable”¹ before requesting HKID Card numbers.

The Code requires data users to ensure that the copies of HKID Cards they collect are the true copies of HKID Card held by the individuals concerned – in other words the actual HKID Card will need to be inspected before a copy is taken. Given this, the current practice of collecting copies of HKID Cards via instant messaging applications, or through taking photos with smart phones would not satisfy the requirement to inspect the actual HKID Card.²

When it comes to security safeguards, the revised Code also emphasizes that data users should refrain from transmitting a HKID Card copy or image “including by way of instant messaging applications” unless they have taken all reasonably practicable steps to ensure that the intended recipient is the only person who receives such copy or image.³ Apart from encryption and dedicated fax machines, the Code stipulates having dedicated email addresses for receiving confidential material as another method to safeguard security.

CONCLUSION

The PCPD is gradually updating all guidance notes and codes to take account of recent technological developments. Data users should also regularly review their data privacy policies and current personal data collection practices to ensure compliance with relevant laws and regulations.

Footnotes

1. Page 3 of the Code.

2. Page 10 of the Code.

3. Page 11 of the Code.

Visit us at mayerbrown.com

Mayer Brown is a global services provider comprising associated legal practices that are separate entities, including Mayer Brown LLP (Illinois, USA), Mayer Brown International LLP (England & Wales), Mayer Brown (a Hong Kong partnership) and Tauil & Chequer Advogados (a Brazilian law partnership) and non-legal service providers, which provide consultancy services (collectively, the "Mayer Brown Practices"). The Mayer Brown Practices are established in various jurisdictions and may be a legal person or a partnership. PK Wong & Nair LLC ("PKWN") is the constituent Singapore law practice of our licensed joint law venture in Singapore, Mayer Brown PK Wong & Nair Pte. Ltd. Details of the individual Mayer Brown Practices and PKWN can be found in the Legal Notices section of our website. "Mayer Brown" and the Mayer Brown logo are the trademarks of Mayer Brown.

© Copyright 2024. The Mayer Brown Practices. All rights reserved.

This Mayer Brown article provides information and comments on legal issues and developments of interest. The foregoing is not a comprehensive treatment of the subject matter covered and is not intended to provide legal advice. Readers should seek specific legal advice before taking any action with respect to the matters discussed herein.