LCQ20: Information security of the health code system

     Following is a question by the Hon Charles Peter Mok and a written reply by the Secretary for Food and Health, Professor Sophia Chan, in the Legislative Council today (June 24):
     In an effort to facilitate the cross-boundary activities of residents of Guangdong, Hong Kong and Macao, the Government is taking forward a scheme for mutual recognition of health codes. Residents of the three places holding proof of a negative result of a nucleic acid test for coronavirus disease 2019 issued within seven days by a designated medical institution shall be exempted from undergoing a compulsory quarantine for 14 days upon entry. Some Hong Kong residents are worried that their sensitive personal data, such as medical records, will be transferred to Mainland security departments through the health code system, resulting in their personal privacy being intruded on. Regarding the information security of the health code system, will the Government inform this Council:
(1) of the expected number of applicants for the health code and the duration for which the mutual recognition scheme will be put in place; the details of the mutual recognition scheme (including the procedure to be followed by applicants); whether Hong Kong residents are required to install in their mobile phones or other electronic devices health code applications launched by the Mainland authorities and input personal data into such applications in order to use the relevant services; if so, of the types of information (including personal data) collected via such applications as well as its retention period and, among such information, the types of personal data to be transferred out of Hong Kong or handed over to data users outside Hong Kong for processing or retention;
(2) whether special information security measures will be adopted for the health code system; of the measures put in place to guard against an excessive collection of personal data by the system and an overly lax restriction on the authority of using such data, so as to prevent the personal data of Hong Kong residents from being accessed, processed, deleted or used accidentally or without their authorisation;
(3) of the local and Mainland government departments/institutions authorised to access the health codes and relevant personal data of Hong Kong residents, and the mechanisms to be followed by them before accessing the information; whether it will request the relevant Mainland government departments/institutions to impose restrictions on the use of such information for purposes other than the purpose of preventing the occurrence or the spread of an infectious disease or contamination (e.g. establishing a DNA database and preventing or detecting crimes), and to expeditiously delete information which is no longer needed for the quarantine work; if so, of the details;
(4) whether mutual recognition of health codes among the three places will be carried out in a manner that (i) collects and transfers the least amount of personal data and (ii) reduces the amount of personal data required to be retained (in particular biometric data and user locations (if applicable)); of the ways to protect the personal data of Hong Kong residents from being transferred out of Hong Kong or used for non-specified purposes without authorisation; and
(5) whether it has, before implementing the scheme for mutual recognition, sought the advice of the Privacy Commissioner for Personal Data on issues about the collection, processing and use of personal data, etc., and engaged independent third parties to conduct privacy and information security risk assessments and audits; if so, of the details; if not, the reasons for that; whether the authorities have followed the various data protection principles set out in the Personal Data (Privacy) Ordinance (Cap. 486) when designing the system concerned?

     Guangdong, Hong Kong and Macao are closely connected and there are frequent economic and trade activities among the three places. Currently, the coronavirus disease 2019 (COVID-19) outbreaks in Guangdong and Macao have relatively subsided. In view of this and in line with our "suppress and lift" strategy, the Hong Kong Special Administrative Region (SAR) Government is maintaining close communication with the relevant departments of Guangdong Province and Macao SAR Government on the mutual recognition of virus test results and exemption of designated cross-border travellers from compulsory quarantine under the framework of joint prevention and control. To facilitate people who need to travel between Guangdong and Hong Kong or Hong Kong and Macao, the Governments of Guangdong, Hong Kong and Macao are considering the launch of a pilot scheme on mutual recognition of test results and mutual exemption of quarantine in order to relax cross-boundary flow of people among the three places within certain limits.

     In consultation with the Innovation and Technology Bureau, my consolidated reply to the various parts of the question raised by the Hon Charles Peter Mok is as follows:

     To complement the launch of the pilot scheme, one of the preparatory tasks of the Hong Kong SAR Government is to develop a Hong Kong Health Code system, which enables the virus test results of participants of the pilot scheme in Hong Kong to be uploaded onto the code. Before departing from Hong Kong, eligible persons with negative test results can connect to the electronic platform through a web browser using smartphones or mobile devices, and apply for the Hong Kong Health Code online and download it to the relevant mobile phone or device. The relevant procedure does not involve additional installation of mobile application programmes. To facilitate the mutual recognition of test results by the boundary control officers of Guangdong, Hong Kong and Macao, participants of the pilot scheme can of their own accord choose to exchange the Hong Kong Health Code for use on the "Yuekang Code" or "Macao Health Code" systems of Guangdong or Macao for health declaration purpose when they enter Guangdong or Macao.

     The Hong Kong Health Code computer system will only collect basic personal information and nucleic acid test results from applicants for the purpose of applying for the Hong Kong Health Code. The development process is premised on the protection of personal privacy and the code exchange procedures must also be explicitly initiated and agreed by the applicant. Data will be encrypted during transmission between the computer system and mobile device to ensure security. The Hong Kong SAR Government has consulted the views of the Office of the Privacy Commissioner for Personal Data with regard to the Hong Kong Health Code. At the same time, we will also engage an independent third party to conduct a privacy impact assessment as well as an information security risk audit in order to ensure that the system and the data exchange process comply with the requirements of the Personal Data (Privacy) Ordinance (Cap. 486) and the Information Technology Security Policy and Guidelines of the Hong Kong SAR Government.

     We will announce the details as soon as possible once the Governments of Guangdong, Hong Kong and Macao have completed discussion on the pilot scheme.

Ends/Wednesday, June 24, 2020
Issued at HKT 11:50