Media Statement - Government Urged to Tighten Control of Public Registers in Era of Big Data

Date: 28 July 2015

(28 July 2015) At the media briefing today, the Office of the Privacy Commissioner for Personal Data (the "PCPD") released the report on a survey of the administration of 10 commonly-used public registers maintained by the Government, namely, Bankruptcy register, Births register, Business register, Companies register, Land registers, Marriage register, Register of notice of intended marriage, SFC register of licensed persons, Register of vehicles and Registers of electors. The protection of personal data contained in these registers was examined with reference to the guidelines formulated by the Government in 2000 (the "Guidelines").

2. Public registers contain personal data which can be made available for public access. They are subject to protection under the Personal Data (Privacy) Ordinance (the "Ordinance"), in particular, Data Protection Principle 3. Specifically, the personal data collected from a public register can be used only for purposes in line with or directly related to the purpose of setting up the public register, unless the explicit and voluntary consent of the data subject is obtained.

3. The Privacy Commissioner for Personal Data, Mr Allan Chiang, commented, "Personal data in the public registers, if used indiscriminately or without appropriate safeguards, would attract privacy risks, thus jeopardising the interests of the data subjects."

4. "For example, the unfettered access to the companies, land, and vehicles registers would put sensitive data such as Hong Kong identity card numbers, full residential addresses and signatures at stake. If the data was exploited by persons with malicious intent, the data subject would suffer the risks of financial loss, identity theft and personal safety (through stalking and surveillance)."

5. "In addition, there are risks of 'function creep', where data collected for one purpose is gradually used for other purposes such as direct marketing or data mining to which the individual has not consented. Further, information and communication technologies enable aggregation, matching and further processing of data in the public domain, thus creating profiles about people without their knowledge or consent. Such activities greatly increase their vulnerability to a variety of dangers, for example, human flesh search followed by cyber-bullying, and making decisions and inferences about the individuals in ways that are unfair and discriminatory."

6. The survey concluded that compliance with the Guidelines in a number of areas was not satisfactory, with the following issues identified:-

  1. Only 32 of the 82 pieces of public register-related legislation newly enacted or amended from 1 January 2001 to 31 March 2014 spell out the purposes of the publication of the data and/or the permissible use or secondary use of such data;
  2. Only 5 of these pieces of legislation contain explicit provisions introducing measures to safeguard against possible misuse of the personal data;
  3. Only 4 out of the 10 registers have the purposes of the registers specified in the respective legislation;
  4. Only 1 out of the 10 registers has legislative safeguards against misuse of data and only 1 out of the remaining 9 registers provides for administrative safeguards;
  5. The lack of legislative or administrative safeguards against data misuse is particularly worrying as most registers have no discretion to reject a request for data access;
  6. For those registers which have discretionary power to decide on the provision of specific kinds of personal data or full copy of the relevant document upon request, there are no explicit policies laid down governing the exercise of the discretion;
  7. While data subjects are informed by all 10 registers of the purposes of the registers, the clarity and adequacy of the notification could be improved;
  8. For the Bankruptcy register, the Business register and the Marriage registers, there is no specific mention that the data can be made available to the public;
  9. For the Register of notice of intended marriage, no reference is made to the purpose of inspecting the notices at any point in the inspection process, which takes place in the Marriages Registries by viewing webpages on onsite computers;
  10. For online access to a public register, the Guidelines only require the home page to include the specified purposes of the register and the use limitations, which falls short of ensuring that the requestor actually reads and understands this home page message.

 

7. The PCPD has forwarded the report to the relevant Government bureaux and departments, with recommendations on compliance with the Guidelines.

8. Mr Chiang remarked, "Public registers serve legitimate purposes in making data publicly accessible. At the same time, they also provide a rich source of personal data which is subject to the risks of commercial exploitation and fraudulent use. Against this backdrop, the Government has an important leadership role to play in safeguarding the data, particularly as it is collected from the citizens on a mandatory basis. The Guidelines it has formulated in 2000 for protecting personal data contained in public registers remain current and relevant. It is imperative for the Government bureaux and departments operating public registers to follow the Guidelines religiously. This responsibility is all the more important in the modern era of "Big Data" when advances in technologies have aggravated the attendant privacy risks."

9. "We hope that the Government will give due consideration to our recommendations and take appropriate follow-up action not just for the 10 public registers reviewed but all other public registers under its control."

10. "Meanwhile, we can only rely on the Ordinance to deter misuse of personal data in the public registers. This is far from satisfactory. First, without clear and explicit legislative specification of the purposes of the registers, we will continue to face legal uncertainties and challenges in our enforcement work. [1] Further, the sanctions for misuse of personal data generally available in the Ordinance may not be strong enough to do full justice to the wrongful use of the very sensitive personal data contained in the registers."

Read the Survey Report online:
www.pcpd.org.hk/english/resources_centre/publications/surveys/files/survey_public_registers.pdf

Read the Executive Summary online:
www.pcpd.org.hk/english/resources_centre/publications/surveys/files/survey_public_registers_summary_e.pdf

-END-

[1] For example, PCPD's enforcement taken in 2013 against the compilation of an online index linking names with identification document numbers was criticised by some sectors (see PCPD's media releases dated 15 February 2013 and 16 February 2013 at www.pcpd.org.hk/english/news_events/media_statements/press_20130215.html and www.pcpd.org.hk/english/news_events/media_statements/press_20130216.html).

PCPD's investigation in 2013 in relation to a mobile app "Do No Evil" which enabled search for target individuals' litigation and bankruptcy data by general consumers also aroused a lot of controversy (see PCPD's media statement on the investigation at www.pcpd.org.hk/english/news_events/media_statements/press_20130813.html). More recently, PCPD's enforcement notice against a website which re-identified the parties of matrimonial proceedings by name based on records of court judgement from the Judiciary (which are anonymised) was challenged by the website operator in the Administrative Appeal Board hearing and a Board decision is awaited.