LCQ8: Management of data of public and private organisations
************************************************************

     Following is a question by the Hon Duncan Chiu and a written reply by the Secretary for Innovation, Technology and Industry, Professor Sun Dong, in the Legislative Council today (July 6):
 
Question:
 
     Some members of the technology and innovation sector are of the view that with the country developing a digital economy, Hong Kong building a smart city, and the Government planning to fully implement e-Government services in the middle of this year, the Government will face the issue of managing a large amount of data from public and private organisations in respect of government services, industries and commerce as well as daily living (public and private sectors' data). In this connection, will the Government inform this Council:
 
(1) whether it will formulate top-down overall targets, plans and timetables, and relevant guidelines in respect of the management of public and private sectors' data, including their processing, storage and application (e.g. data interchange and even cross-boundary data interchange), and the related security issues, as well as enact legislation to regulate such matters; if not, of the reasons for that; if so, the details, including the officials responsible for leading the relevant work and the participating government departments, and whether it will discuss the relevant work with the Mainland authorities and consult members and organisations of the technology and innovation sector on such work;
 
(2) whether it will consider establishing a central databank for central storage and management of all public and private sectors' data; if so, of the details, including how it will consolidate the data under various government departments, whether enacting legislation is needed, as well as the implementation timetable; if not, the reasons for that, and whether separately establishing a central databank for the public sector and one for the private sector is a feasible option;
 
(3) whether it has explored the major policies and measures put in place by the Mainland and overseas countries in respect of safeguarding the security of public and private sectors' data, as well as the legal frameworks they have adopted; if so, of the outcome of such exploration, including whether there are aspects worth learning for Hong Kong; and
 
(4) as it is learnt that a number of provinces and municipalities on the Mainland (including Beijing, Shanghai and the Guangdong Province) have already established their own big data management authorities to take charge of city data management, including co-ordinating the consolidation, application, as well as opening up and sharing of data resources in respect of government services, the community as well as trades and industries, whether the Government will, by drawing reference from the practices on the Mainland, study the establishment of a similar big data authority in Hong Kong?
 
Reply:
 
President,
 
     The current-term Government attaches great importance to the development of digital economy in Hong Kong. The Innovation, Technology and Industry Bureau (ITIB) is reviewing the Government's policies and support provided in the past few years in encouraging and promoting the development of innovation and technology, smart city and digital economy. We would summarise the experience and timely propose feasible measures to further accelerate the development progress in relevant areas.
 
     In fact, over the past few years, the Government has been promoting the smart city and digital economy development in Hong Kong through a data-driven approach. In this regard, the Government published the first Smart City Blueprint for Hong Kong (Blueprint) and its updated version, the Blueprint 2.0, in 2017 and 2020 respectively, with a view to building Hong Kong into a smart city which is ideal to live and work. Meanwhile, the Government has developed a number of important digital infrastructure facilities, including the "iAM Smart", the Next Generation Government Cloud Infrastructure and Big Data Analytics Platform launched in 2020, and the Shared Blockchain Platform just launched last month, to support Government bureaux and departments (B/Ds) to adopt technologies such as artificial intelligence (AI), blockchain, cloud computing and big data analytics in a more efficient and cost-effective way for the implementation of more people-centric digital government services. The Office of the Government Chief Information Officer (OGCIO) has also set up a data analytics team to provide data analytics advisory service to B/Ds and support them in implementing big data analytics projects.
      
     Having consulted the Security Bureau (SB), my reply to the questions raised by the Hon Duncan Chiu is as follows:
 
(1) and (3) The Government has been closely monitoring and making reference to the latest development on cyber security and data protection in the Mainland and around the world, and carrying out reviews and improvements from technical and legal perspectives from time to time so as to enhance the cyber resilience capabilities.
 
     To protect the security of government information systems and data, the Government has formulated a comprehensive set of government information security incident response mechanism and related measures. First, the Security Regulations promulgated by the SB include dedicated chapters governing information security, which define the security classification of government information and explicitly require government departments to properly classify the information they hold, and take corresponding measures according to the classification to ensure that the information is fully protected in the course of storage and business operations. For example, only authorised persons with operational needs could access classified information or access and use related information systems and data, and classified information stored in the information systems must be encrypted, etc.
      
     Besides, the OGCIO has formulated a set of detailed Government IT Security Policy and Guidelines (Policy and Guidelines) under the framework of the Security Regulations and with reference to international standards. The Policy and Guidelines require all B/Ds to explicitly define and regularly review the access rights of relevant information systems and data, set out technical requirements for the use of encryption, and stipulate that B/Ds must establish an information security management framework in order to effectively handle security matters, etc. The Policy and Guidelines also stipulate that B/Ds must regularly conduct independent security risk assessments and audits for their information systems and data security so as to strengthen the security measures. We will continue to review and update the Policy and Guidelines regularly with reference to the latest international standards and industry best practices.
      
     Meanwhile, the Personal Data (Privacy) Ordinance (PDPO) provides legal protection in the collection, use and transfer of personal data. The Office of the Privacy Commissioner for Personal Data (PCPD) also issued the Guidance on Personal Data Protection in Cross-border Data Transfer in 2014 for reference and adoption by various organisations in order to strengthen privacy protection for cross-border data transfer. With the increasing number of organisations using AI and big data analytics, the PCPD published the Guidance on the Ethical Development and Use of AI in August 2021 to assist organisations in complying with the requirements of the PDPO in their development and use of AI applications. The OGCIO also formulated the Ethical Artificial Intelligence Framework to provide B/Ds with a set of practice guide for implementing projects applying technologies such as AI and big data analytics, identifying and managing the potential risk and other issues, such as privacy, security and data management of the relevant projects.
      
     The Government also fully understands that critical infrastructures are the lifeline of the society and economy and are of great significance to the normal operation of the society. If the information systems, information networks or computer systems of the critical infrastructures are disrupted or sabotaged, the normal operation of the major facilities may be affected and will seriously jeopardise the economy, people's livelihood, public safety and even national security. As such, the SB is currently working jointly with the ITIB to make legislative preparatory work regarding the protection of cyber security of critical infrastructures, with a view to strengthening the cyber and data security of critical infrastructures in Hong Kong by clearly defining the cyber security obligations of operators of critical infrastructures through legislation. In formulating the relevant cyber security obligations, the Government will make reference to relevant legislations of other jurisdictions and standards adopted around the world.
 
(2) and (4) In the past few years, the Government has been implementing a series of policies and measures, as well as making good use of relevant infrastructures, to promote the integration, application, and opening and sharing of data to support the digital economy and smart city development.
 
     Regarding the internal management of the Government's data, the OGCIO has made reference to the practices of other regions and implemented data interchange via Application Programming Interfaces (APIs). With the consent from the citizens, the personal data could be shared and transmitted to other relevant systems so as to bring convenience to them in using government services and facilitate the implementation of digital government services. At present, the Next Generation Government Cloud Infrastructure is equipped with relevant facilities which enable regular and real-time data interchange among systems and databases of various government departments via APIs. Various online services launched by the Government during the epidemic have made use of APIs as a means for connecting the systems and databases of various B/Ds for real-time verification of the personal data of citizens which could shorten the processing time. Meanwhile, the "e-ME" auto form filling function provided on the "iAM Smart" platform also facilitates users to store their commonly used personal data in advance. They would not have to repeatedly provide or fill in the same information when using online services in future, such as the proof of personal residential address launched recently.
      
     To further provide citizens with greater convenience, the OGCIO is developing the Consented Data Exchange Gateway (CDEG) to allow citizens to opt for authorising the exchange of their personal data among relevant government departments by means of data interchange through the systems, thus dispensing with the processes of inputting the data repeatedly. The CDEG will also connect to the Commercial Data Interchange being developed by the Hong Kong Monetary Authority (HKMA), with a view to enabling real-time data interchange between financial institutions and government departments. The HKMA is now working with individual government departments, such as the Companies Registry, on the details for data interchange, so that the financial institutions, with the authorisation by their clients, may obtain and check the data of their clients stored in government systems and databases.
      
     On the other hand, the Government has opened up the data of itself and other public and private organisations for free via the Public Sector Information Portal ("data.gov.hk") to facilitate the development of smart city. At present, B/Ds have opened up around 5 000 datasets via the portal, covering data in various domains such as real-time meteorological data, digital maps in different scales, real-time arrival data of all franchised buses, MTR railway lines and over 450 Green Minibus routes. The open data initiative is well received by the industries and the general public with around 3 billion downloads each month.
      
     Riding on the existing foundation, we will also explore the feasibility of setting up a central databank in order to improve the consolidation and management of data.
      
     On the front of Mainland collaboration, the HKSAR Government is working together with the People's Government of Guangdong Province to co-ordinate and promote the development and collaboration of information and communications technologies between Guangdong and Hong Kong as well as in the Greater Bay Area (GBA) through the Hong Kong/Guangdong Expert Group on Co-operation in Informatisation (the Expert Group), and to strengthen the innovative development of emerging digital technologies such as 5G and big data in the GBA. The Expert Group is also exploring ways of consolidating the open data resources (such as cross-boundary data related to transport and traffic) of both places and leveraging appropriate digital technologies to facilitate cross-boundary data flow in both places. In addition, for enabling Hong Kong and Mainland residents to use the government services of both places via the "cross-boundary government services" initiative, the governments of Hong Kong and Guangdong are actively exploring digital authentication technologies to provide residents of both places with more convenient digital government services.

Ends/Wednesday, July 6, 2022
Issued at HKT 14:15
