Our ref : 51/WKC/0744 October 2002Clerk to the Bills Committee on Registration of Persons (Amendment) Bill 2001Legislative Council SecretariatLegislative Council8 Jackson RoadCentralHong Kong Dear SirsRegistration of Persons (Amendment) Bill 2001The Chamber has followed the discussion on the Smart ID Card with interest and we welcome the opportunity to comment on the above Bill. The Bill and the related papers have been considered by our members, especially the Information Services Committee and the Chamber e-committee. Our comments are set out below.General commentsWe observe that the switch to Smart ID Cards will cost more than $3 billion. Accordingly, we believe the implementation of the project should be guided by two principles. Firstly, as a government task which impinges upon the individual, it should not impose any more requirement on the individual than is necessary for its regulatory purpose. Secondly, as an expensive, publicly funded project, it should aim to maximise the benefits to the public.The first principle means that from the regulatory point of view, the Smart ID Card should be used for just that purpose and no more, that is, registration of persons. ID card holders should not be required to furnish any more information on the Smart ID Card that may give rise to more regulatory power than is provided for in the Ordinance, whether the information is regarded as positive (e.g. education, honours) or negative (e.g. tax, crime).The second principle requires that the potential of the chip in the Smart ID Card be used to the full. A smart card is capable of multiple uses and it will be a waste of public resources if these uses are not exploited.The two principles may appear to conflict with each other – one requires to narrow while the other seeks to expand the use of the smart card. However, these apparent conflicts can be resolved by making a clear distinction between the regulatory use on the one hand, and the additional applications on the other. For the purpose of regulatory use, only the Registration of Persons Ordinance should apply. All other uses not covered by the Registration of Persons Ordinance must be entirely voluntary. Non-immigration applicationsWith the caveat that additional uses must be voluntary, we support the use of the Smart ID Card for non-immigration applications. The latter could cover both government services and commercial services.The most apparent benefit of allowing non-immigration applications in the Smart ID Card is to increase efficiency of government services. A number of applications are mentioned in the Legislative Council paper, namely, library registration, driving license, etc. There can be many more e-government applications. The public can benefit directly from the convenience offered by the smart card. More importantly, the widespread use of the smart card for government services will facilitate the adoption of electronic technology by the community. The importance of such an "e-adoption" at the grassroot level cannot be over-emphasised. It could become the catalyst to making Hong Kong a genuine e-community.But the full potential of the Smart ID Card cannot be realised without opening it up also to commercial applications. As a medium with the potential for 100% coverage, the Smart ID Card has the character of an information infrastructure upon which many other applications can be built. As such it facilitates e-commerce and e-business, which will surely be beneficial for growth in both business and employment in this important sector.The Smart ID Card can help take Hong Kong to the forefront of technology. For the man in the street, it also gives a positive signification to the ID Card, that it is not merely an apparatus for government control but a high-tech personal tool that actually makes life easier and better.Concerns over multiple usesWe are aware of the concerns over multiple uses of the Smart ID Card, and we share some of these concerns. But we believe the problems are not insurmountable.First, despite provisions prohibiting the unauthorised access, use, storage and disclosure of ROP information, there is a concern that in multiple applications, a capacity provider may circumvent the provisions by requiring the user to agree to a waiver of their rights, including consent to access, use, store or disclose ROP information. This should be prevented. As a matter of principle, end users should not be forced by the capacity provider to give up privacy or other rights as part of the cost for access to the capacity. The relevant provisions of the Personal Data Privacy Ordinance should apply. Besides, a more general and oft-quoted concern is that of personal privacy, the "big brother" fear. The Chamber is one of the strongest advocates over protection of personal privacy, but we consider that worry misplaced. The privacy question should be considered within the overall context of smart card regulation, and not just the Smart ID Card. In terms of legal provision, the Personal Data Privacy Ordinance already provides sufficient protection for privacy. Furthermore, there are additional safeguards in the current Bill to ensure that there is no room for abuse in the use of the Smart ID Card. On the enforcement side, there is no justification to allege that the Immigration Department is more prone to breach the Personal Data Privacy Ordinance than ordinary commercial operators. The same standard of regulation and control should apply equally to the government and commercial operations.Another issue is that of unfair competition between the government and other smart card operators, a concern which we feel should be addressed. This involves a variety of complicated technical questions which may not be easy to tackle. Despite that, our current thinking is that the concern can be allayed by a clear indication from the government upfront about the interface between the Smart ID Card and other commercial applications. As a government-provided information infrastructure, the Smart ID Card should be used as a platform for other commercial applications, rather than a product itself which competes with other like-products in the market. In other words, it should be a facilitator of, not a competitor with, other e-commerce applications.e-CertsTaking the above concerns into account, we support the inserting of electronic certificates into the Smart ID Card as the way forward. The e-Cert will act as an enabling application, linking the Smart ID Card to other e-government or e-business services. As long as people have the choice to opt out, we support the one-stop approach in embedding the e-Cert into the Smart ID Card at the point of issuance. This will have the advantage of producing a large number of users in a relatively short time, thus making the Smart ID Card a credible infrastructure for e-commerce. Needless to say, much publicity is needed to prepare the public for the issuance of the Smart Card. To safeguard the public's choice, opting out must be allowed both at the point of issuance and at any time afterwards.In the present proposal, eligibility for the e-Cert is limited only to the Post Office, the official certification authority (CA). Our view is that eventually access should be opened up to other CA's from the private sector. Given that the market is not yet mature, we do not object to the more cautious stand of the Administration. As more CA's come along, however, we would like to see that barrier gradually removed.I hope you will find these comments useful.Yours sincerely Eden WoonCEO
Top