I wish to respond to views expressed in your paper concerning the protection of Hong Kong identity card numbers as personal data.
First, there is a misconception that once these numbers are made public, they are not "secret" and hence warrant no protection. Keeping data confidential is not the same as protecting personal data. The latter is a fundamental right to privacy protected by the Personal Data (Privacy) Ordinance.
While personal data is used in our daily lives and not kept private at all times, its collection and use (including disclosure) are subject to protection. It is wrong to suggest that we can freely use any data that has been made public. This is analogous to environmental protection. Human beings consume the resources of the earth and cause irreversible changes to this planet. However, we are still obliged to contain the environmental problems we have created.
The provisions of the ordinance relevant to the present issue are: (1) collection limitation: data collection should be fair, necessary and not excessive in relation to a lawful purpose; and (2) use limitation: data should not be used or disclosed for any purpose other than the original purpose of data collection, or a directly related purpose.
These provisions apply to personal data kept in public registers. Hence persons collecting and using such data should ensure compliance with reference to the specific purposes for which the registers are maintained, and the purpose of their secondary use of the data.
It was argued that ID card numbers were a means of identification and should not be used for authentication. This distinction is meaningless as in real life these numbers are used for authentication. This application is particularly useful for transactions over the phone or internet as it reduces the need for face-to-face authentication. One wonders whether there are tools and means to authenticate an individual with absolute certainty, but it is fair to assume businesses know best the risk of adopting ID card numbers to authenticate their customers, either singly or in combination with other identification data.
There was an appeal to the public to openly disclose their ID card numbers to prove that they were valueless means of authentication. This was an irresponsible act. It encourages more face-to-face authentication, to the detriment of personal convenience and economic efficiency.
It also enhances the risk of identity theft, causing an administrative nuisance or financial loss to the affected persons.
Allan Chiang, privacy commissioner for personal data