• Mon
  • Dec 29, 2014
  • Updated: 5:00am
Monitor
PUBLISHED : Tuesday, 19 February, 2013, 12:00am
UPDATED : Tuesday, 19 February, 2013, 4:57am

Privacy Commissioner publicly ventures into surreal territory

Warnings about disclosure of information already legitimately out in the open takes this branch of officialdom beyond realm of common sense

BIO

As the writer of the South China Morning Post’s Monitor column, Tom Holland attempts each day to make sense of the latest developments in business, finance and economic affairs in Hong Kong and mainland China.
 

Oh dear. Hong Kong has got itself all snarled up in another ludicrous muddle.

On Friday governance and transparency advocate David Webb took down from the internet a list of the names of more than 1,000 Hong Kong residents, many of them prominent businesspeople, complete with their identity card numbers legitimately gleaned from freely available web sources.

Webb removed the list after receiving an e-mail message from the city's Office of the Privacy Commissioner for Personal Data (PCPD) warning him that by re-publishing publicly disclosed information he may have been in breach of Hong Kong's data privacy law.

In investigating Webb, the Privacy Commissioner is venturing deep into surreal territory. The very reason Webb put his list on up on the internet in the first place was to demonstrate that there is nothing secret or privileged about ID card numbers. Therefore the Privacy Commissioner's argument that requiring company directors to disclose their identity card numbers in the Companies Registry is a gross intrusion into their personal privacy is a load of nonsense.

But the commissioner's office is clearly not a body willing to be deterred either by common sense or clear evidence.

The same day it issued a statement declaring that "personal data shall only be collected for a purpose directly related to a function and activity of the data user".

"The act of putting up the names and ID card numbers of others which have been obtained from public registers on the internet for uncontrolled public access is use of personal data that is not directly related to the original purpose of collection," it thundered. "The PCPD does not rule out the possibility of taking further enforcement actions."

So to be clear about this, according to the Privacy Commissioner, providing public access to information on public registers constitutes an invasion of personal privacy.

The commissioner's office attempts to support its position by arguing that some companies like to use ID card numbers as a means of customer authentication "hence they should be treated as highly personal and sensitive data".

This betrays a worrying misunderstanding of what identity cards are for.

Companies - banks, mobile phone providers, whoever - that accept identity card numbers as sufficient authentication are guilty of gross laziness and severe negligence, precisely because identity card numbers are no secret.

Security guards in half the office buildings in Central demand to see an identity card before letting in visitors (even though they have no legal right to), and diligently note down the details. Most of the forms you fill in have a box for your identity card number right up there at the top, next to your name.

There's a reason for this. There might be a million Wongs or Smiths out there, but each card number is unique, and identifies the bearer precisely. That's the point of identity cards.

But it means that identity card numbers are no secret, and that relying on them to authenticate yourself (or your customers) is no more secure than using your birthdate as the password to your internet banking account. You'd be silly to try it.

Yet the commissioner persists in its absurd argument that the disclosure of identity card numbers is an invasion of personal privacy.

The sane answer, of course, would not be to threaten transparency campaigners with enforcement actions, or to argue that the directors of registered companies enjoying limited liability should be guaranteed effective anonymity.

The sane answer would be for the government to warn any companies dumb enough to use identity card numbers to authenticate their customers that they are completely clueless about basic commercial security and that they - and not their customers - will be held liable for the losses when they get defrauded.

But on this one we appear not to be in the to be in the land of the sane, but of the surreal. And just for the record: P977776(1). See how much good it does you.

tom.holland@scmp.com

Share

For unlimited access to:

SCMP.com SCMP Tablet Edition SCMP Mobile Edition 10-year news archive
 
 

 

This article is now closed to comments

dienw
The Privacy Commissioner is basing his case on data protection principle 1(1) of the Personal Data (Privacy) Ordinance which says that "Personal data shall not be collected unless - (a) the data are collected for a lawful purpose directly related to a function or activity of the data user who is to use the data...... Dpp 1(2) says that "personal data shall be collected by means which are lawful and fair in the circumstances of the case".

It seems to me that David Webb's collection of the data is for a lawful purpose and is directly related to the function/activity he is engaged in. It also seems to me that he collected the data by lawful and fair means (they were publicly available).
 
 
 
 
 

Login

SCMP.com Account

or