Media Statement: PCPD cautions after ID numbers of 1,100 persons deliberately disclosed online
The Office of the Privacy Commissioner for Personal Data (the "PCPD") warns that misuse of personal data contained in public registers may be a contravention of the requirements of the data privacy law in Hong Kong. A compliance check on an online database containing the ID numbers of more than 1,100 people is under way to stop possible personal data breach. The PCPD does not rule out the possibility of taking further enforcement actions.
The PCPD notes with concern the recent commentary in the media that ID card numbers are not personal data but mere identifiers, the set-up of an online index containing the ID card numbers of more than 1,100 people, and a campaign calling on others to disclose their ID card numbers on social media. To date, the PCPD has not received any complaints against these acts. However, to dispel any misconception of the law which these reports may have engendered amongst the public, the PCPD highlights the following important points:
1. As a general rule, data users who collect personal data must observe the provisions of the Personal Data (Privacy) Ordinance ("the Ordinance") and the Data Protection Principles (DPPs).
2. Amongst these, DPP1 requires that personal data shall only be collected for a purpose directly related to a function and activity of the data user; that adequate but not excessive data shall be collected in a lawful and fair way; and that data subjects shall be informed of the purpose for which the data is collected and to be used.
3. DPP3 stipulates that unless with the data subject's prior consent, personal data shall be used for the purpose for which it was originally collected or a directly related purpose.
The fact that certain ID card numbers can be found on public registers does not mean they are no longer "personal data". The act of putting up the names and ID card numbers of others which have been obtained from public registers on the internet for uncontrolled public access is use of personal data that is not directly related to the original purpose of collection and may run contrary to DPP3.
The PCPD reminds members of the public that HKID card numbers are unique and often used to verify or authenticate a person's identity, and hence they should be treated as highly personal and sensitive data, and protected against any unwarranted disclosure or misuse. If ID card numbers coupled with other personal data such as names and home addresses fall into the wrong hands, the affected persons could be at risk of identity fraud or other crimes.
The PCPD dismisses as theoretical the argument that ID card numbers are a means of identification, not authentication. In real life, as ID card numbers are unique, they are often used for authentication of identity particularly in electronic transactions to replace face-to-face authentication.
According to information from the Hong Kong Police Force, the Police handled 104 and 103 cases of "use of ID cards relating to others" in 2011 and 2012 respectively.
- End -