Update on the implementation of electronic identity (eID) and single digital identity for Hong Kong Residents

Featured image of the Hong Kong Legislative Council Complex Chamber by Tksteven licensed under Creative Commons Attribution-Share, 2.5 Generic, 2.0 Generic and 1.0 Generic license.

During the meeting of the Legislative Council of Hong Kong
on November 22, 2017, Hon Charles Mok, who represents the Information Technology
functional constituency of the Council, posed a series of questions regarding
the provision of an electronic identity for Hong Kong Residents.

The questions are as follows:

The Government put forward in the Policy Address
released last month the idea to provide an electronic identity (eID) for Hong
Kong residents so that they could use a single digital identity and
authentication to conduct government and commercial transactions online.
However, notwithstanding that when members of the public applied for smart
identity (ID) cards in the past, they could choose to have their cards embedded
with an e-Cert which they could use free of charge for the first year, such
e-Certs had persistently low utilisation rates. In this connection, will the
Government inform this Council:

(1) of the applications and e-government services to which
eID authentication will be applicable, and the transactions and records in
respect of which digital signatures can be replaced by eID authentication, as
envisaged by the Government; the plans in place to promote the adoption of eID
authentication for the online services of public organisations and private
enterprises (e.g. banks);

(2) whether the eID authentication platform will be
developed by the Government itself or by outsourced service contractors; of the
implementation timetable for the authentication service; whether it has set a
target utilisation rate of the service three years after its implementation; if
so, of the details; if not, the reasons for that;

(3) as the Government will, starting from next year,
gradually replace the existing ID cards with the next generation smart ID cards
for members of the public, whether it has studied how eID can be integrated
into the functions of the next generation smart ID cards to provide members of
the public with a more convenient usage experience;

(4) as the eID system will store and process important
personal data of all Hong Kong people, of the encryption technologies to be
adopted for eID authentication, and whether higher information security standards
and more reliable authentication methods, e.g. one-time password authentication
and two-level authentication, will be used; of the measures in place to ensure
the long-term reliability of those technologies; whether it will conduct
regular information security and privacy risk assessments on the eID system,
and put in place measures to safeguard the information security of the system;

(5) whether it will make reference to the experience of
overseas countries (e.g. Australia) and conduct an extensive public
consultation exercise on issues such as the security of eID authentication and
the protection of personal data?

In response, the Secretary for Innovation and Technology, Mr.
Nicholas W Yang, gave the following reply:

The Chief Executive announced in the 2017 Policy
the provision of an electronic identity (eID) for all Hong Kong
residents so that they can use a single digital identity and authentication to
conduct government and commercial transactions online. This will foster the
development of a new economic service model that emphasises on direct interface
with residents and consumers and will provide a key digital infrastructure for
smart city development. His reply to the five parts of the question is as

(1) eID will be applicable to most e-Government services
requiring authentication, including online and mobile applications. Apart from
e-Government services, the Government shall actively promote the use of eID in services or
products provided by public and private organisations, in order to enable residents
to use a single digital identity for more online services. When designing the
relevant system, the Government will provide flexibility for supporting services provided
by public and private organisations in future. When the system is being built,
we shall actively engage relevant
Government departments, as well as public and private organisations to promote
the use of eID.

(2) The Government is conducting project planning and preparation,
including detailed arrangement for system development. It plans to consult the
Legislative Council Panel on Information Technology and Broadcasting in the
first quarter of next year, after which we will seek funding approval from the
Finance Committee and conduct tender exercise. The Government envisages that the new system will be launched by 2020. It will set target utilisation rate in the system design stage.

(3) The main purpose of eID is to promote online
transactions and electronic services. To tie in with the trend of technological
development and the general public's usage of mobile devices, eID will be used in a virtual form on
mobile applications or other Internet platforms, and will not use smart ID
cards as carrier to eliminate the limitation of using card readers and

(4) The security and encryption measures of the eID system
will be based on the latest industry and international standards and
guidelines. The Government shall conduct comprehensive
privacy and security risk assessment during the design, development and testing
stages. After the launch of eID, the Government shall take active measures, including
closely monitoring system operation, conducting regular comprehensive privacy
and security risk assessments, formulating incident response mechanisms and
related measures, and continuously monitoring network security vulnerabilities
and threats to ensure system security.

(5) In our study for this initiative, the Government has made reference
to the experience of other countries that have widely adopted electronic
identity. Application and use of eID are on a voluntary basis.
At the launch of eID, it will provide the applicants
and the public with comprehensive information on privacy protection and cyber