Q: We are a government department providing services to the public. In order to enhance customer service, we provided on our website a service whereby an individual may input his ID number into the enquiry field when he wishes to know whether he is eligible for certain services / benefits offered by us. Since we have in our possession a database of the individuals who are eligible or entitled to these services / benefits, we can quickly and easily give an accurate response to the enquirer. We wish to know whether such an act or practice complies with the requirement of the Ordinance.
A: Although an ID number alone, without other identifying particulars of an individual, may not render it practicable for the identity of the individual concerned to be directly or indirectly ascertained, as a data user who is in possession of other personal data of the individuals, you should exercise care and caution in handling their ID numbers, lest sensitive personal data of the individuals be inadvertently disclosed to unrelated parties as a result. This is particularly so when such a search may give rise to an increased risk of gaining access to personal data using the ID number as a key, given that the ID number is a common identifier that may also be possessed by other data users for other purposes. It appears that the use of other unique identifiers allocated by you and only identifiable within your own system serves as a better personal data security safeguard.
uploaded on web in February 2009