Featured image of the Hong Kong Legislative Council Complex Chamber by Tksteven licensed under the Creative Commons Attribution-Share Alike 3.0 Unported, 2.5 Generic, 2.0 Generic and 1.0 Generic license.
During the meeting of the Legislative Council of Hong Kong on November 22 2017, Hon Charles Mok, who represents the Information Technology functional constituency of the Council, posed a series of questions regarding the provision of an electronic identity for Hong Kong Residents.
The questions are as follows:
The Government put forward in the Policy Address released last month the idea to provide an electronic identity (eID) for Hong Kong residents so that they could use a single digital identity and authentication to conduct government and commercial transactions online. However, notwithstanding that when members of the public applied for smart identity (ID) cards in the past, they could choose to have their cards embedded with an e-Cert which they could use free of charge for the first year, such e-Certs had persistently low utilisation rates. In this connection, will the Government inform this Council:
(1) of the applications and e-government services to which eID authentication will be applicable, and the transactions and records in respect of which digital signatures can be replaced by eID authentication, as
envisaged by the Government; the plans in place to promote the adoption of eID authentication for the online services of public organisations and private enterprises (e.g. banks);
(2) whether the eID authentication platform will be developed by the Government itself or by outsourced service contractors; of the implementation timetable for the authentication service; whether it has set a target utilisation rate of the service three years after its implementation; if so, of the details; if not, the reasons for that;
(3) as the Government will, starting from next year, gradually replace the existing ID cards with the next generation smart ID cards for members of the public, whether it has studied how eID can be integrated into the functions of the next generation smart ID cards to provide members of the public with a more convenient usage experience;
(4) as the eID system will store and process important personal data of all Hong Kong people, of the encryption technologies to be adopted for eID authentication, and whether higher information security standards and more reliable authentication methods, e.g. one-time password authentication and two-level authentication, will be used; of the measures in place to ensure the long-term reliability of those technologies; whether it will conduct regular information security and privacy risk assessments on the eID system, and put in place measures to safeguard the information security of the system; and
(5) whether it will make reference to the experience of overseas countries (e.g. Australia) and conduct an extensive public consultation exercise on issues such as the security of eID authentication and the protection of personal data?
In response, the Secretary for Innovation and Technology, Mr. Nicholas W Yang, gave the following reply:
The Chief Executive announced in the 2017 Policy Address the provision of an electronic identity (eID) for all Hong Kong residents so that they can use a single digital identity and authentication to conduct government and commercial transactions online. This will foster the development of a new economic service model that emphasises on direct interface with residents and consumers and will provide a key digital infrastructure for
smart city development. His reply to the five parts of the question is as follows:
(1) eID will be applicable to most e-Government services requiring authentication, including online and mobile applications. Apart from e-Government services, the Government shall actively promote the use of eID in services or products provided by public and private organisations, in order to enable residents to use a single digital identity for more online services. When designing the relevant system, the Government will provide flexibility for supporting services provided by public and private organisations in future. When the system is being built, we shall actively engage relevant Government departments, as well as public and private organisations to promote the use of eID.
(2) The Government conducting project planning and preparation, including detailed arrangement for system development. It plans to consult the Legislative Council Panel on Information Technology and Broadcasting in the
first quarter of next year, after which we will seek funding approval from the Finance Committee and conduct tender exercise. The Government envisages that the new system will be launched by 2020. It will set target utilisation rate in the system design stage.
(3) The main purpose of eID is to promote online transactions and electronic services. To tie in with the trend of technological development and the general public’s usage of mobile devices, eID will be used in a virtual form on mobile applications or other Internet platforms, and will not use smart ID cards as carrier to eliminate the limitation of using card readers and computers.
(4) The security and encryption measures of the eID system will be based on the latest industry and international standards and guidelines. The Government shall conduct comprehensive privacy and security risk assessment during the design, development and testing stages. After the launch of eID, the Government shall take active measures, including closely monitoring system operation, conducting regular comprehensive privacy
and security risk assessments, formulating incident response mechanisms and related measures, and continuously monitoring network security vulnerabilities and threats to ensure system security.
(5) In our study for this initiative, the Government has made reference to the experience of other countries that have widely adopted electronic identity. Application and use of eID are on a voluntary basis. At the launch of eID, it will provide the applicants and the public with comprehensive information on privacy protection and cyber