LCQ10: Measures to complement nation's establishment of data base system
************************************************************************
Question:
The "Opinions of the Communist Party of China Central Committee and the State Council on Establishing a Data Base System to Maximise a Better Role of Data Elements" released last year put forward policy initiatives in relation to establishing a data base system. In addition, the Hong Kong SAR Government is also carrying out a comprehensive e-government audit programme and promoting data exchange across government departments, with a view to building a "smart government". In this connection, will the Government inform this Council:
(1) given that the e-government audit programme will be carried out in two phases, of the bureau/departments (B/Ds) involved in each phase, as well as the timetable, current progress and proposed improvement items of the e-government audit carried out by each B/Ds (set out in a table);
(2) of the definition of the ownership of and the right to use government data (including personal data allocated by the Government (e.g. identity card numbers), data generated from the use of public services (e.g. immigration records), and information provided by members of the public and enterprises to the Government under the law (e.g. addresses)), as set out under the existing legislation; if there is no clear definition, whether it has plans to enact legislation relating to data property rights;
(3) whether there is legislation empowering the Government to make reasonable use of government data relating to personal data of individuals without having to obtain authorisation from such individuals when it is in the public interest (e.g. for governance of society, policy analysis, taking care of the underprivileged groups, and law and order); if not, of the Government's strategies in place to make good use of government data, so as to achieve the function of guiding and regulating social development in an orderly manner; and
(4) given that the Government has indicated earlier on that it is exploring with the Government Services and Data Management Bureau of Guangdong Province the use of "iAM Smart" platform as one of the means for real-name identity authentication on the "Unified Identity Authentication Platform of Guangdong Province", thereby enabling Hong Kong residents to use "iAM Smart" to authenticate themselves when registering and using the government services of Guangdong Province, of the progress of the implementation of the measures concerned, and the legal requirements involved?
Reply:
President,
Having consulted the Constitutional and Mainland Affairs Bureau, my reply to the questions raised by the Hon Carmen Kan is as follows:
(1) The e-government audit is being implemented in two phases. Details are set out in Annex.
The audit work for the 35 bureaux/ departments (B/Ds) under phase one commenced in December 2022. It is expected to be completed by the end of June 2023 and the implementation of recommended digital government initiatives will commence thereafter.
At present, the audit work of phase one by the consultancy firms is still in progress. Based on the preliminary analysis by the consultants, the suggestions to some B/Ds on improving their services by leveraging advanced technologies include application of artificial intelligence and chatbot technologies to improve government hotline service; application of data analytics, geospatial analysis and visualisation dashboard technologies to improve service management; utilisation of blockchain technology to electronically issue and verify certificates or licences; adopting "iAM Smart" and "Consented Data Exchange Gateway" (CDEG) to achieve "single portal for online government services" and facilitate data sharing among B/Ds. Consultancy firms are currently exploring the details with relevant B/Ds.
As for the remaining 38 B/Ds under phase two, it is expected that the audit work will commence in the second quarter of 2023 for completion by end-2023. We target to implement no less than 100 new digital government initiatives before end-2025 for providing services for the convenience and benefit of the public and the business sector by leveraging advanced information technologies.
(2) and (3) For data related to personal information, the Personal Data (Privacy) (Ordinance) (PDPO) (Cap. 486) provides a comprehensive framework for the protection of personal data privacy for citizens. The six Data Protection Principles under the Ordinance, which regulate the purpose and means of data collection; data accuracy and retention; use of data; data security; openness and transparency of data policies, as well as data access and correction, ensure that the entire process of the handling of personal data is subject to adequate safeguards under the law.
Data Protection Principle 3 of the PDPO regulates the use of personal data, stipulating that unless a data subject has given voluntary and expressed consent, personal data shall only be used for the purpose indicated at the time of collection or a directly related purpose. At present, the Government (as a data user) may obtain from members of the public (as data subjects) their express and voluntary consent for using their personal data under a "new purpose".
While the use of personal data shall comply with the requirements of the PDPO, B/Ds only need to use aggregate data and statistical data when conducting policy analysis or launching related service programmes, without the need to process data relating to individuals. In other words, after consolidation of the data collected by the Government, it can be used effectively for analysis and other various purposes. Therefore, the Office of the Government Chief Information Officer (OGCIO) launched the Big Data Analytics Platform in September 2020 to support B/Ds in sharing the non-personal data collected, and strengthen B/Ds in implementing big data analysis and artificial intelligence projects, with the aim to providing more data-driven e-government services.
Regarding the use of personal data, in order to provide citizens with greater convenience and further promote data sharing among B/Ds, the OGCIO is constructing a CDEG to facilitate citizens to give one-off consent on the exchange of their personal data among relevant systems of government departments, saving their need to submit information repeatedly. The design of CDEG is in compliance with the PDPO and also fulfills the objective of promoting data sharing among B/Ds, thereby facilitating the development of more e-government services.
In addition, the personal data collected could be exempted from compliance with Data Protection Principle 3 (in relation to limitation of use of personal data) of the PDPO under particular circumstances during usage. The particular circumstances include section 57 (security in respect of Hong Kong), section 58 (prevention or detection of crime), section 59 (health of data subject), section 59A (care and guardianship of minors), section 60B (legal proceedings), section 61 (news), section 62 (statistics and research), section 63C (emergency situations), etc.
(4) The OGCIO is working closely with the Government Services and Data Management Bureau (GSDMB) of Guangdong Province on evaluating the technical feasibility of using "iAM Smart" for real-name identity authentication during account registration of the "Unified Identity Authentication Platform of Guangdong Province". Next, we will discuss with the GSDMB of Guangdong Province and related departments on different pilot use case scenarios. In formulating the relevant arrangement, we will consult the Department of Justice and the Privacy Commissioner for Personal Data to ensure the arrangement complies with the relevant laws and regulations, as well as the PDPO. Besides, we will conduct security risk assessment and audit, and privacy impact assessment to protect citizens' personal information. Except for the PDPO, the current stage of work does not involve other legal requirements tentatively.
Ends/Wednesday, February 22, 2023
Issued at HKT 12:20
Issued at HKT 12:20
NNNN