HK IT experts concerned about data sharing between govt and financial institutions

IT experts from Hong Kong have raised concerns regarding the Consented Data Exchange Gateway (CDEG), which will be introduced by the end of 2023 to facilitate the sharing of data from government departments to financial institutions upon the authorisation of their enterprise clients.

According to a written statement from Hong Kong's innovation chief Sun Dong in response to lawmaker Carmen Kan's inquiry, the Office of the Government Chief Information Officer (OGCIO) will roll out other functions of CDEG before the end of 2024 for citizens to authorise government departments to share their personal data within the government to facilitate their use of digital government services.

Following enhancement to the functionalities of the "iAM Smart" platform and by providing one-time authorisation on "iAM Smart", citizens can in future make use of CDEG to directly access their personal information in various government services and leverage the "iAM Smart" e-ME function for auto-filling of personal information when applying for other government services, hence obviating the need for repetitive input or submission of the same information.

However, in a conversation with MARKETING-INTERACTIVE, Ho Wa Wong, conveyor of Open Data Working Group, Internet Society Hong Kong, said the question lies in whether the financial institutions will delete the authorised data in a limited timeframe and whether there will be any legal actions against them if the data is leaked.

"Given that there is no data protection law in Hong Kong, the government should appoint data protection officers to monitor and govern data security independently," said Wong.

Meanwhile, Francis Fong, honorary president of the Hong Kong Information Technology Federation said the government’s current data centres and tunnels, as well as the data itself are encrypted.

"However, there are still data security issues that need to be tackled, for example, the setup of firewalls and security surveillance. So far, we haven’t seen government data leakage in Hong Kong. The police, as I recall, also carried out security surveillance on (data) infrastructure to prevent data leaks," he added.

Fong hopes the government could also offer protection to public institutions by including them within the government’s shield of protection and security surveillance.

On the other hand, Sun said the government has established a multi-layered mechanism for data security protection while promoting the sharing of data. The CDEG will not store data shared between government departments and the gateway will be linked to their respective departments with encryption, while regular risk assessment will be conducted.

For Hong Kong Monetary Authority (HKMA)’s Commercial Data Interchange (CDI), Sun said the system connects banks and data providers with encryption and commercial data will not be stored in it. Information security requirements are also in place to protect the privacy of SMEs and to ensure data security, Sun stated.

Sun added the government is also working on legislative proposals to stipulate cybersecurity obligations of critical infrastructure operators, and it targets to introduce the bill into the Legislative Council (LegCo) within 2024.

Related articles:

SG government sets rules for data sharing
HK consumer watchdog reveals suspected data leak following 7-hour ransomware attack