Date: 15 February 2017
Privacy Commissioner Reiterates that the “PopVote Systems”
May Contravene the Data Protection Principles and Strongly Requests it to
Continue the Suspension of Unfair Personal Data Collection
and Use of the related Telegram
Privacy Commissioner for Personal Data, Hong Kong (“Privacy Commissioner
”) Mr Stephen Kai-yi WONG today met with the representatives of the “Citizens United in Action” (“CUIA
”) as requested and reiterated that the “Chief Executive Election Civil Referendum 2017” (“the activities
”) involved unfair personal data collection and had data security loopholes. In view of the significant and on-going security risks, the Privacy Commissioner once again strongly requested the online platform should continue to be suspended and stop collecting personal data and using the related Telegram.
During the meeting today, the Privacy Commissioner elaborated the following concerns and observations that might contravene the Principle of Fair
Collection under the Personal Data (Privacy) Ordinance (“Ordinance
Lack of Information Regarding the Collection Purposes and Proper Legal Basis (examples)
Unclear Identity of the Data Users (examples)
The titles of the activities are “CE Civil Referendum 2017” and “Nominate a Civil Candidate”, explicitly refer to two stages (i.e. the “nomination” and the “voting”). The activities, however, have not stated the background and purposes, or following the previous practices of similar activities where “non-official” or “of no legal effect” were clearly stated, which may cause confusion or mislead the participants.
Misleading Information stated in the “Personal Information Collection Statements” (examples)
According to the information stated in the PopVote website, the CUIA commissioned the Public Opinion Programme at The University of Hong Kong (POP) and Centre for Social Policy Studies at the Hong Kong Polytechnic University (CSPS) to provide services to the activities. However, other parties or associations have publicly stated that they are involved in planning or participating in the activities. That blurs the identity of the data users and, as a result, the accountability of the activities may be compromised.
The PopVote website carries the emblem of The University of Hong Kong (“University”), an address of an office in the University and a contact email with domain name “.hku.hk”, which necessarily reflect the close relationship between PopVote and the University. On the other hand, a website footnote in small print states that “Everything carried in this website does not represent the stand of the University of Hong Kong. Dr Robert Ting-Yiu Chung, Director of Public Opinion Programme, is responsible for everything posted herewith.” This may also cause confusion to the participants.
In the “Personal Information Collection Statements” provided by PopVote, it states that the Hong Kong Identity Card ("HKID") number of a participant shall be hashed to become unique, irretrievable and garbled codes before passing to the PopVote Systems. Therefore PopVote does not collect or retain his identity card number.
However, due to the narrow scope of combination of the HKID numbers, it is pointed out by some information technology experts (including local ones) that the said garbled codes can be easily interpreted and re-identified. As referred to paragraph 1.3 of the “Code of Practice on the Identity Card Number and Other Personal Identifiers” issued by the Privacy Commissioner, an altered form of an identity card number is still defined as “HKID Card number”, and is protected by the Ordinance. Therefore the above statement regarding “does not collect or retain (your) identity card number” may have misled the members of the public.
The Privacy Commissioner cited the practices in previous activities of similar nature as examples, and stressed that the participants of the activities are likely to be misled, “Comparatively speaking, the previous activities have stated their objectives and are comprehensible. For example, the "3.23 Civil Referendum Project" organised by Public Opinion Programme at The University of Hong Kong in 2012 explained that the background and objectives was to make use of the results of public opinion surveys to form a comprehensive reference for the public and the election committee members, and made it clear that the civil referendum did not have legal status. However such explanation and statements were not found in the activities’ webpage this time. Nor did it illustrate its differences with the existing relevant law and mechanism. On the other hand, the previous activities focused on the opinion poll of candidates who had officially declared their candidacy for the election of the Chief Executive. However the activities this time include both the nomination (including those not yet announced to run) and voting in the subsequent stage, and hence would create confusion in relation to the official election laws and procedures. The participants are therefore more likely to be misled, particularly for those Hong Kong people living abroad.”
During the meeting Privacy Commissioner raised again the security concerns of the activities, such as the “de-identification” technology adopted by PopVote on the personal data it collects can be easily interpreted and re-identified, exposing to the risk of data breach. Meanwhile, the use of the related Telegram, the instant messaging programme, to verify a participant’s identity for voting is also questioned by some computer security experts including the local ones. In fact CULA has openly admitted the existence of security risks and performed maintenance. The existing privacy risks may contravene the Data Security Principle under the Ordinance 2
The PCPD has initiated compliance check for the activities, and strongly repeats its request for the relevant organisations
to comply with the requirements stated in law to 1) collect personal data in a lawful and fair way; and 2) take reasonably practicable steps to safeguard personal data. Otherwise they should continue to suspend the activities. Individuals
should fully understand the purposes of the activities, the privacy risks involved and consequences before participating.
Note 1: Data Protection Principle 1 (Data Collection Principle) - Personal data must be collected in a lawful and fair way, for a purpose directly related to a function /activity of the data user. Data collected should be necessary but not excessive. Data subjects must be notified of the purpose and the classes of persons to whom the data may be transferred.
Note 2: Data Protection Principle 4 (Data Security Principle) - A data user needs to take practical steps to safeguard personal data from unauthorised or accidental access, processing, erasure, loss or use.