Code of Practice on
the Identity Card Number and
other Personal Identifiers
Office of the Privacy Commissioner for Personal Data
12/F, 248 Queen’s Road East, Wanchai, Hong Kong
Tel: 2827 2827
Fax: 2877 7026
? Office of the Privacy Commissioner for Personal Data
Reproduction of any parts of this publication is permitted on condition that it is for non-profit
making purposes and an acknowledgement of this work is duly made in the reproduction.
CODE OF PRACTICE ON THE IDENTITY CARD NUMBER AND OTHER PERSONAL IDENTIFIERS
I DEFINITIONS 2
II THE IDENTITY CARD NUMBER
Collection Limitation Principle 3 Accuracy Principle 6
Section 26 and Duration of Retention Principle 7 Use Limitation Principle 8
Security Safeguard Principle 9
III COPY OF AN IDENTITY CARD
Collection Limitation Principle 11 Accuracy Principle 14
Use Limitation Principle 14
Security Safeguard Principle 15
IV PERSONAL IDENTIFIERS OTHER THAN
THE IDENTITY CARD NUMBER
Collection Limitation Principle 17 Accuracy Principle 18
Section 26 and Duration of Retention Principle 18 Use Limitation Principle 18
V ALL PERSONAL IDENTIFIERS (INCLUDING THE IDENTITY CARD NUMBER)
Security Safeguard Principle 19
VI EXCLUSIONS 19
VII COMMENCEMENT DATE 20
APPENDIX I : Data Protection Principles 21 APPENDIX II : Sections 26, 57 (1) and 58 (1) of the Ordinance 25
THIS CODE OF PRACTICE has been issued by the Privacy Commissioner for Personal Data (“the Commissioner”) in the exercise of the powers conferred on him by section 12(1) of the Personal Data (Privacy) Ordinance (Cap. 486) (“the Ordinance”), which empowers him to issue Codes of Practice “for the purpose of providing practical guidance in respect of any requirements under this Ordinance imposed on data users”, and pursuant to section 12(8) of the Ordinance, which provides that the Commissioner shall approve a code of practice in respect of all or any requirements of the Ordinance in so far as they relate to personal data that are personal identifiers.
This Code was identified by notice in the Gazette on 19 December 1997. The relevant Gazette Notice, as required by section 12(2), specified that the Code has been approved with effect from 19 December 1997 in relation to the following requirements of the Ordinance: section 26, Data Protection Principles 1, 2, 3 and 4 in Schedule 1.
The provisions of the Code are not legally binding. A breach of the Code by a data user, however, will give rise to a presumption against the data user in any legal proceedings under the Ordinance. Basically the Ordinance provides (in section 13) that:
(a) where a Code of Practice has been issued in relation to any requirement of the Ordinance; (b) the proof of a particular matter is essential for proving a contravention of that requirement; (c) the specified body conducting the proceedings (a magistrate, a court or the Administrative Appeals Board) considers that any particular provision of the Code of Practice is relevant to that essential matter; and if
(d) it is proved that that provision of the Code of Practice has not been observed; then that essential matter shall be taken as proved unless there is evidence that the requirement of the Ordinance was actually complied with in a different way, notwithstanding the non-observance of the Code of Practice.
Aside from legal proceedings, failure to observe a Code of Practice by a data user will weigh unfavourably against the data user in any case before the Commissioner.
CODE OF PRACTICE ON THE IDENTITY CARD NUMBER AND OTHER PERSONAL
The italicized parts in the text are guiding notes and are not themselves part of the Code. I. DEFINITIONS
Unless the context otherwise requires, the terms used in this Code have the following meanings. 1.1 “Personal identifier” means an identifier -
(a) that is assigned to an individual by a data user for the purpose of the operations of the data user; and
(b) that uniquely identifies that individual in relation to the data user,
but does not include an individual's name used to identify that individual.
(Section 2 of the Ordinance refers.)
For the avoidance of doubt, an e-mail address is deemed not to be a personal identifier for the purposes of the Code.
1.2 “Identity card” means an identity card issued under the Registration of Persons Ordinance (Cap. 177).
1.3 “Identity card number” means the personal identifier on an identity card whether in its
original or an altered form.
1.4 “Furnishing” or “provision” of a copy of an identity card may include the furnishing or provision (as the case may be) of the identity card solely to enable the making of a copy thereof immediately, to the extent such furnishing or provision in the circumstances does not constitute an offence under the Registration of Persons Ordinance (Cap.177).
Note : It is an offence under section 7AA of the Registration of Persons Ordinance for any person to transfer an identity card to another person without lawful authority or reasonable excuse.
1.5 “Copy of an identity card” means a visual representation or a reproduction of an identity card in a permanent form.
1.6 Words and expressions importing the masculine gender include the feminine, and words and expressions in the singular include the plural, and vice versa.
II. THE IDENTITY CARD NUMBER
The following paragraphs seek to give practical effect to the Personal Data Collection Limitation
Principle (Data Protection Principle 1):
2.1 Unless authorized by law, no data user may compulsorily require an individual to furnish his
identity card number.
2.2 Without prejudice to the generality of paragraphs 2.1 and 2.3, before a data user seeks to
collect from an individual his identity card number, the data user should consider whether there
may be any less privacy-intrusive alternatives to the collection of such number, and should
wherever practicable give the individual the option to choose any such alternative in lieu of
providing his identity card number. Such alternatives may include but are not limited to the
2.2.1 the identification of the individual by another personal identifier of his choice;
Note: A common example would be the furnishing of the individual's passport number.
2.2.2 the furnishing of security by the individual to safeguard against potential loss by the data
Note: A common example would be the furnishing of a deposit for bicycle hire.
2.2.3 the identification of the individual by someone known to the data user.
Note: A common example would be the identification of a visitor to a building by the tenant in
the building whom he visits.
2.3 A data user should not collect the identity card number of an individual except in the
2.3.1 pursuant to a statutory provision which confers on the data user the power or imposes on
the data user the obligation to require the furnishing of or to collect the identity card number;
Note 1: For an example of a statutory power to require the furnishing of ID card number, section 5 of the Registration of Persons Ordinance (Cap. 177) confers on a public officer the power to require any registered person in all dealings with Government to furnish his ID card number and, so far as he is able, the ID card number of any other person whose particulars he is required by law to furnish.
Note 2: For an example of a statutory obligation to collect an identity card number, section 17K of the Immigration Ordinance (Cap. 115) provides:
(1) Every employer shall keep at the place of employment of each of his employees a record of:- (a) the full name of the employee as shown in his identity card or other document by virtue of which he is lawfully employable; and
(b) the type of document held by the employee by virtue of which he is lawfully employable, and the number of that document."
2.3.2 where the use of the identity card number by the data user is necessary: 220.127.116.11 for any of the purposes mentioned in section 57(1) of the Ordinance (safeguarding security, defence or international relations in respect of Hong Kong);
18.104.22.168 for any of the purposes mentioned in section 58(1) of the Ordinance (the prevention or detection of crime, the apprehension, prosecution or detention of offenders, the assessment or collection of any tax or duty, etc.); or
22.214.171.124 for the exercise of a judicial or quasi-judicial function by the data user; Note: An example of the exercise of a quasi-judicial function would be the Administrative Appeals Board hearing an appeal brought to it by an individual under the Administrative Appeals Board Ordinance (Cap.442).
2.3.3 to enable the present or future correct identification of, or correct attribution of personal
data to, the holder of the identity card, where such correct identification or attribution is or will
126.96.36.199 for the advancement of the interest of the holder;
Note: For example, a doctor may require a patient's ID card number to ensure that his past
medical records are correctly attributed to him to enable better treatment.
188.8.131.52 for the prevention of detriment to any person other than the data user;
Note: The ID card number provided by a patient in the previous example may also prevent
medication being given wrongly to that or some other patient as a result of misidentification.
184.108.40.206 to safeguard against damage or loss on the part of the data user which is more than trivial
in the circumstances;
Note: For example, a driver in a motor accident may collect the ID card number of the other
party to facilitate a future claim. 2.3.4 without prejudice to the generality of paragraph 2.3.3, for the following purposes:
220.127.116.11 to be inserted in a document executed or to be executed by the holder of the identity card,
which document is intended to establish or to evidence any legal or equitable right or interest or
any legal liability on the part of any person, other than any right, interest or liability of a transient
nature or which is trivial in the circumstances;
Note: A common example would be the execution by an individual of a contract or an
assignment of real property. As a counter-example, individuals who sign up in a signature
campaign should not also be asked to put down their ID card numbers, as the transaction is
intended not to require any present or future identification of the individual, nor involve any right,
interest or liability on his part.
18.104.22.168 as the means for the future identification of the holder of the identity card where such holder is allowed access to premises or use of equipment which the holder is not otherwise entitled to, in circumstances where the monitoring of the activities of the holder after gaining such access or use is not practicable;
Note: A common example would be the entering of ID card numbers of visitors in a log-book located at the entrance of a government, commercial or residential building, subject to other alternatives for visitors to identify themselves as given in paragraphs 2.2.1 and 2.2.3 above.
22.214.171.124 as a condition for giving the holder of the identity card custody or control of property belonging to another person, not being property of no value or of a value which is trivial in the circumstances.
Note: A common example would be car-rental. A counter-example would be the renting of a beach umbrella, the value of which would obviously be too trivial to justify the collection of the ID card number of the customer.
The following paragraph seeks to give practical effect to the Personal Data Accuracy Principle (Data Protection Principle 2(1)):
2.4 A data user should not collect from an individual his identity card number except by: 2.4.1 means of the physical production of the identity card in person by the individual; 2.4.2 accepting the number as shown on a copy of the identity card which the individual chooses to provide rather than present his identity card in person;
Note: A data user is, however, not obliged to accept an ID card number so provided by an individual. Furthermore, where a data user has a general policy of accepting copies of identity cards provided by individuals pursuant to this paragraph, the requirements of paragraph 3.7 should be complied with.
2.4.3 first accepting the number as furnished, and later checking its accuracy and authenticity by means of the physical production of the identity card in person by the holder, or if that is not reasonably practicable, by means of a copy of the identity card provided by the holder, before the number is used for any purpose.
Note: For example, in the case of an application for a vacancy in the civil service, the ID card number of the applicant as shown on the application form should not be used for integrity checking until it has been verified by examination against the ID card produced by the applicant at a subsequent occasion.
The following paragraph seeks to give practical effect to section 26 and to the Personal Data Duration of Retention Principle (Data Protection Principle 2(2)):
2.5 Without prejudice to the general requirements of the Ordinance:
2.5.1 Where paragraph 126.96.36.199 applies, the data user should take all reasonably practicable steps to erase the record of an identity card number upon the holder of the identity card leaving the premises or ceasing to have the use of the equipment concerned (as the case may be), or within a reasonable time thereafter; and
2.5.2 where paragraph 188.8.131.52 applies, the data user should take all reasonably practicable steps to erase the record of an identity card number upon the holder of the identity card ceasing to have custody or control of the property concerned, or within a reasonable time thereafter.
The following paragraph seeks to give practical effect to the Personal Data Use Limitation
Principle (Data Protection Principle 3):
2.6 Subject to any applicable exemption from Data Protection Principle 3 in the Ordinance, a
data user who has collected the identity card number of an individual should not use it for any
2.6.1 for the purpose for which it was collected pursuant to paragraph 2.3;
Note: Where a data user has collected an ID card number for more than one purpose pursuant to
paragraph 2.3, it may use the number for any of those purposes. For example, an employer who
has collected the ID number of an employee may use such number to show its compliance with
the relevant statutory requirement. It may also use such number for providing medical insurance
to the employee in advancement of his interest.
2.6.2 in carrying out a “matching procedure” permitted under section 30 of the Ordinance;
2.6.3 for linking, retrieving or otherwise processing records held by it relating to the individual;
2.6.4 for linking, retrieving or otherwise processing records relating to the individual held by it
and another data user where the personal data comprised in those records have been collected by
the respective data users for one particular purpose shared by both;
Note: For example, employees' ID card numbers may be used for the linking of their records held
by different data users under the Mandatory Provident Fund system. On the other hand,
customers' records held by two banks which comprise of personal data collected by each one of
them for the purpose of marketing its own services should not be linked via ID card numbers
contained in such records.
2.6.5 for a purpose required or permitted by any other code of practice from time to time in force
under section 12 of the Ordinance; or
2.6.6 for a purpose to which the holder of the identity card has given his prescribed consent.