Following is a question by the Hon Sin Chung-kai and a written reply by the Secretary for Home Affairs, Dr Patrick Ho, in the Legislative Council today (May 3):
Will the Government inform this Council whether Internet Protocol (IP) addresses are regarded as a type of the "personal data" so defined in the Personal Data (Privacy) Ordinance (Cap 486); if so, of the justifications; if not, whether the Government will review the Ordinance and adopt measures to prohibit the disclosure of IP addresses to third parties without the authorisation of the owners?
According to Section 2(1) of the Personal Data (Privacy) Ordinance (PDPO), "personal data" means any data íV
(a) relating directly or indirectly to a living individual;
(b) from which it is practicable for the identity of the individual to be directly or indirectly ascertained; and
(c) in a form in which access to or processing of the data is practicable.
The definition of "personal data" under the PDPO is similar to the definition adopted in data protection laws of other jurisdictions such as Australia and New Zealand. It is also comparable to the definition of "personal data" in the European Union's Directive on the Protection of Personal Data and on the Free Movement of Such Data.
An Internet Protocol (IP) address is a specific machine address assigned by the web surfer's Internet Service Provider (ISP) to a user's computer and is therefore unique to a specific computer. An IP address alone can neither reveal the exact location of the computer concerned nor the identity of the computer user. As such, the Privacy Commissioner for Personal Data (PC) considers that an IP address does not appear to be caught within the definition of "personal data" under the PDPO. That said, whether an IP address together with other data constitutes "personal data" under the PDPO will have to depend on the specific circumstances surrounding the case.
ISPs in Hong Kong have to take out a Public Non-exclusive Telecommunications Service (PNETS) licence issued by the Telecommunications Authority under the Telecommunications Ordinance. Information about customers of ISPs (which may or may not be classified as personal data under the PDPO) is protected by Special Condition 7 of the PNETS licence which provides that -
(a) the licensee shall not disclose information of a customer except with the consent of the customer, which form of consent shall be approved by the Telecommunications Authority, except for the prevention or detection of crime or the apprehension or prosecution of offenders or except as may be authorised by or under any law;
(b) the licensee shall not use information provided by its customers or obtained in the course of provision of service to its customers other than for and in relation to the provision by the licensee of the service under the licence.
A breach of the licence conditions may result in financial penalties and under exceptional circumstances, revocation of the licence.
ISPs in Hong Kong are bound by the PDPO. As data users, ISPs need to comply with Data Protection Principle 3 which provides that personal data shall not be used, disclosed or transferred for a purpose other than for which they were collected at the time of their collection (or a directly related purpose) in the absence of the data subject's prescribed consent.
As explained in paragraph 2 above, the exact location of a computer or the identity of a computer user cannot be traced using an IP address alone. To trace an account user (in the case of a dial-up customer) or the physical address of a user's computer (in the case of a leased circuit or broadband customer) that has made use of a particular IP address at a particular point in time, one must have the IP address, the time of use of the IP address and the appropriate IP assignment logs kept by the ISPs. The provisions of the PDPO together with the relevant licence conditions in the PNETS licence issued to ISPs should therefore be sufficient to prohibit the unauthorised disclosure of information collected by ISPs.
The PC is separately conducting an in-depth research on whether an IP address can be regarded as "personal data" under the PDPO. Apart from a study of the judicial decisions of local and overseas courts on "personal data", the Commissioner has also sought the views of privacy commissioners of other jurisdictions on the scope of coverage of "personal data" in their respective jurisdictions, as well as consulted the professional views of a senior counsel on issues relating to the scope of "personal data". Should research findings conducted by the PC reveal that an IP address should be treated as personal data under the PDPO, disclosure of such information would be regulated by the Ordinance.
Ends/Wednesday, May 3, 2006
Issued at HKT 12:53