Hong Kong Computer Society - enterpriseinnovation.net
VIEWPOINT CHARLES MOK
Should IP addresses constitute personal data?
The government’s consultation paper for the review of the Personal Data (Privacy) Ordinance (PDPO) is long overdue. The ordinance was passed in 1996, before the Internet became popular—let alone Web 2.0 and social media—and is thus far behind public awareness and expectation by the.
The public naturally wants “maximum protection,” but as the consultation document rightfully states: “balance is needed between safeguarding personal data privacy and facilitating continued development of information and communications tech-
in spite of technological change”—that is, it should maintain technological neutrality.
Sensitive data
Nonetheless, the IT sector is among the sectors most directly affected by this ordinance. An example: the proposal in the con-
“sensitive personal data”—a new introduction to the ordinance that would call for a higher degree of protection by the data users, and hence heavier punishment in case of data-leakage. The government’s rationale is that such biometric data are inalterable, thus damage caused to data-owners would be severe and permanent.
However, why single out biometric data to be made “sensitive,” while in other jurisdictions such as Australia and the UK, sensitive personal data includes criminal records, racial or ethnic origin, political opinions, religious or philosophical beliefs, membership in trade unions, health information, and sexual orientation?

technology in schools for attendance keeping, the effects have already been chilling for local companies providing such solutions. While the PCO guidelines maintain that biometric solutions are acceptable as long as it is not mandatory, or that such a high level of secure access control is
nonetheless many biometric solution providers have simply seen their business dry up since this summer.

Charles Mok is the president of Internet Society Hong Kong, and
Member of the Hong Kong Information Technology Federation. He has been in the IT industry for almost 20 years, and is active in a number of advisory committees and statutory bodies of the HKSAR government.

Another main concern for the IT sector is the proposal to regulate data processors—such as application developers, Internet service or web hosting providers, which provide outsourced services to the actual data users that hold the personal data of the subjects. Previously, data processors were not regulated by the ordinance. With the advent of cloud computing, this is a void to be addressed.
All users affected
Should data processors be regulated directly by the ordinance, or indirectly—meaning the data user must “ensure that its data processors provide security protection to personal data at a level comparable to itself,” as required by the ordinance? Data subjects would have redress against data users, who would in turn have redress under contractual law with the data processor.
There are many other areas in the consultation that will affect all businesses handling any type of personal data, including its customers and employees. For instance, should there be mandatory disclosure to data subjects in case of a breach? Also, the document proposes further empowering the Privacy Commissioner by making it an offense in cases of unauthorized obtaining, disclosure and sale of personal data—or repeated contravention of a data protection principle—and allowing the Commissioner to impose a monetary penalty for serious contravention of data protection principles.
However, the document also reveals some recommendations made by the Commissioner but not taken up by the government—the IT sector should consider whether IP addresses constitute personal data. While IP addresses by themselves won’t identify users, there are circumstances where, combined with other data, IP addresses will be critical in identifying their users. It is unfortunate that the government has chosen not to even consult on this important issue, which would produce better guidelines for the industry going forward.
The Personal Data (Privacy) Ordinance consultation document is at http://www.cmab.gov.hk/doc/issues/PDPO_Consultation_Document_en.pdf and the deadline for responses is November 30, 2009.
www.cw.com.hk
Nov 2009 Computerworld Hong Kong 57