My Take
PUBLISHED : Thursday, 15 August, 2013, 12:00am
UPDATED : Thursday, 15 August, 2013, 2:25pm

No reason to limit app access to public records

Privacy protection is a good thing, until it is not. When you have a busybody of a privacy commissioner obstructing people's access to public information, it becomes counterproductive.

Commissioner Allan Chiang Yam-wang has ruled that a mobile app called Do No Evil breached data protection laws and ordered the firm that operates it to halt a particularly popular service - an online search of public records like litigation and bankruptcy cases.

If people cannot use the app to do the searches, they can go to the judiciary, the Official Receiver's Office and the Companies Registry to find the documents, as they did in the past. They are all available for public inspection. As far as we know, and the commission has not disputed it, the company has only collected data from legal proceedings that are already in public records. It has a database of more than two million such records. The firm has voluntarily complied with the commission's order, as fighting it in court will be costly for such a small commercial entity, even if it has an excellent case to argue.

Chiang thinks Do No Evil provides sensitive personal data - including the names of litigants, partial identity card numbers, addresses, claims amounts and company directors' data. So what? I can find all this data if I go to a government office - and not just in bankruptcy and litigation case files, but in vehicle registrations, land-title ownership and business registrations as well.

Chiang claims it is a common misconception that personal data collected from the public domain is open to unrestricted use. No use is unrestricted, but it's not clear Chiang has the competence or power to decide what amounts to legitimate use and how to restrict access to data being used. It is certainly not in his power or mandate to decide the manner in which they can be accessed - whether physically through a public office or a mobile app.

Chiang is fond of saying that the use of personal data for anything other than the original purpose should be restricted unless voluntary consent of the subject is obtained.

It makes sense to restrict how companies and government departments use clients' data they collect; it makes no sense in the case of public records.





This article is now closed to comments

Mr. Lo points out the painfully obvious. Access to public records, by definition, cannot be restricted. Technology has drastically eased such access: it has not empowered the commissioner or any other civil servant to withhold such access from the public.
You conflate private data with public record. Unless a government department has officially recorded the information you mention (which in some cases it has), it is not part of the public record, but personal data: the very data Commissioner Chiang is duty-bound to protect.
Mr Lo, what time you leave home, which bus you take, what book you read on that bus, which restaurant you go to for lunch, which school you pick up your kids from, which country park or cinema you take them to on the weekend, the fact that your daughter might not like tomatoes, your vehicle registration details, your property records, any companies you may be affiliated with, your HKID number on those documents, your personal particulars, your marriage certificate, your birth record, the birth record of your children, and much more... are all part of the public domain of information in one way or another. All of these things could be freely accessed by anybody caring to look hard enough.

If I make a bit of a project out of gathering all that data, copy it and package it into an app called 'All About Lo,' on sale for HKD 5, would that be ok for you?

I've been following this all week. A few observations:
1. The PCPD is saying that 're-using data' is somehow illegal because aggregation and ease-of-access is violating an individual's privacy. Private investigation companies use all of these public sources and then build up a profile on a person or company. There are some small skills involved in collecting the public data and making sure it is attached to the correct private person or company. Firms that do this work are careful to not draw too much attention to these services because they fear their access to the public sources will be restricted. A basic search used to start at around HK$8,000 and I assume it is still about the same. This app is making something easily available to the public that is already available to people with money.
2. There is a real risk that people using this information will mis-identify the people they are investigating. If bankruptcy, criminal and civil litigation records used people's full HKID/Passport numbers there would be significantly less chance of inadvertently mixing people up because of similar names. The PCPD should support using full HKID/Passport numbers on all public documents.
3. My initial thought is that this sort of app must synchronize its records to purge those records which would be purged in the public record data sets. It must comply with Spent Conviction or Rehabilitation of Offenders Ordinance and other legislation.
Perhaps the real issue is that the ease of access of data leads to a corresponding increase in the potential for abuse of such data. It seems the real issue is that the PDPO is outdated and failed to foresee that individual public records could be used for novel, unexpected, and potentially abusive purposes if it were convenient to do so. The ease of access to information today presents new challenges to individual privacy that would have been unheard of thirty years ago. To be fair, convenient access to individual public records is not necessarily the issue, but rather the potential for abuse leading to a violation of privacy. The provision of individual public records should be solely undertaken by the government instead of private/commercial parties to ensure stringent control on the data.
To these ends, it would seem appropriate to review the PDPO and related ordinances with respect to: a) a prohibition on the reproduction and dissemination of individual public records; b) an introduction of a time limit on the intention of individual public records; c) a review on the fee schedule for access to individual public records to ensure the fee to access is sufficiently high to deter/prevent abuse of information; d) an introduction of controls to the access of information based on the sensitivity of the information requested, the purpose for the information request, and the identity of the requesting party; e) a review on what individual data should be made public.
What I will say is the app was marketed like Candy Crush and people played with sensitive personal data like they played Candy Crush.
Perhaps it is time to review what ought to be included in the public records.

