Privacy Commissioner’s Submission in response to the Consultation Paper on Real-name Registration for SIM Cards
In response to the Government’s public consultation on the implementation of a Real-name Registration Programme for Subscriber Identity Module ("SIM") Cards, the Office of the Privacy Commissioner for Personal Data, Hong Kong ("PCPD"), has made a written submission to the Commerce and Economic Development Bureau. The salient observations include:
-
Mobile service operators will have to comply with the requirements of the Personal Data (Privacy) Ordinance ("PDPO"), including the Data Protection Principles ("DPP"), as regards the collection, holding, processing and use of personal data provided by SIM card subscribers.
-
Personal data should only be collected if it is collected for a lawful purpose and necessary for or directly related to the purpose(s) of the proposed programme, and is adequate but not excessive in relation to such purpose(s).
-
Instead of requiring every subscriber to provide a copy of the identity document for registration, subject to operational feasibilities, subscribers should be given an option:
(i) They may choose to register online, and in such a case they would have to provide a copy of the identity document for verification purpose; or
(ii) They may choose to register in person at the service operators’ offices or shops, and in such a case they would only have to produce the original identity document for verification by the staff, but do not have to provide a copy for retention.
-
Subscribers’ personal data shall not be kept for a period longer than is necessary for the fulfilment of the purpose(s) for which the data is to be used. A definite duration (say, not more than 12 months) should be prescribed.
-
The circumstances under which law enforcement agencies could request service operators to provide subscribers’ registration records should be clearly spelt out in the legislation.
-
The Communications Authority in its guidelines to service operators should set out in detail the technical security measures to be taken, and the Communications Authority should regularly carry out inspections of the systems/database used by the service operators to ensure that adequate data security measures have been put in place.
-
Service operators should take all practicable steps to ensure openness and transparency of their personal data policies and practices.
-
With a view to providing sufficient deterrent effect, the Communications Authority could make use of its power under the Telecommunications Ordinance to impose financial penalties on service operators who fail to observe the relevant requirements under the proposed programme.
For a full version of PCPD’s written submission, please click here.