Privacy on the Internet
Electronic commerce and e-mail on the Internet and Hong Kong's law on the privacy of personal data impose a responsibility on telecommunication-service users. If your organisation handles personal data in Hong Kong, it is almost certainly affected.
The Personal Data (Privacy) Ordinance requires a data user to protect such data, while stored, or in transmission. It has some other important requirements that affect how the Internet is used.
Private and personal data are more and more at risk on the Internet, and the Ordinance requires that the level of protection applied relates to the harm that could result if the data were subject to unauthorised use. There are remedies available – most of them very effective – but using them is often not easy and, without help, the casual user is unlikely to master them.
Staff handling personal data, whether it concerns employees, customers or members of the public, can easily expose companies and organisations to criminal sanctions and civil damages. We should know the risks, be able to pinpoint where they may arise, and understand how to deal with them.
Electronic commerce
Security
Electronic commerce (EC) in its simplest Internet form would perhaps be web-site advertising with on-line forms that allow signing up for services or ordering of goods. Payment in these cases will often be via a credit card transaction.
Three questions should be asked when planning electronic commerce transaction services:
Encryption and digital signatures can deal effectively with these problems, and new standards such as SET (Secure Electronic Transaction™) include them. This protocol, used by the credit card industry, protects both the message and the credit card details (by using two different encryption keys) and authenticates the sender as well. The seller never sees the decrypted credit card details, so even messages held on the merchant's computer do not compromise this important personal data. For more information, visit http://www.mastercard.com/set/
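The "two different keys" arrangement in SET rests on its dual signature: the purchaser hashes the order information and the payment instruction separately and signs the hash of the two digests together. The merchant can then verify the purchaser's signature while holding only the order plus the digest of the payment instruction, and the payment gateway can verify the same signature while holding only the payment instruction plus the digest of the order, so neither party needs the other's plaintext. The Go program below is an added example illustrating that idea; it is not SET code and not from MasterCard, it uses ECDSA P-256 as a stand-in for SET's RSA signatures, and it leaves out SET's certificates, message encryption and gateway messages.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// DualSignature links an order (seen by the merchant) to a payment
// instruction (seen only by the payment gateway) under one signature.
// Each party receives its own plaintext plus only the hash of the other
// part, so the merchant never sees the card details.
type DualSignature struct {
	OrderDigest   []byte // SHA-256 of the order information (OI)
	PaymentDigest []byte // SHA-256 of the payment instruction (PI)
	Sig           []byte // purchaser's signature over H(OrderDigest || PaymentDigest)
}

func digest(b []byte) []byte {
	h := sha256.Sum256(b)
	return h[:]
}

// linkDigest is the value actually signed: the hash of both digests.
func linkDigest(orderDigest, paymentDigest []byte) []byte {
	return digest(append(append([]byte{}, orderDigest...), paymentDigest...))
}

// Sign is run by the purchaser, the only party holding both OI and PI.
func Sign(priv *ecdsa.PrivateKey, orderInfo, paymentInfo []byte) (*DualSignature, error) {
	ds := &DualSignature{OrderDigest: digest(orderInfo), PaymentDigest: digest(paymentInfo)}
	sig, err := ecdsa.SignASN1(rand.Reader, priv, linkDigest(ds.OrderDigest, ds.PaymentDigest))
	if err != nil {
		return nil, err
	}
	ds.Sig = sig
	return ds, nil
}

// MerchantVerify: the merchant has the order plaintext and only PaymentDigest.
func MerchantVerify(pub *ecdsa.PublicKey, ds *DualSignature, orderInfo []byte) bool {
	if !bytes.Equal(digest(orderInfo), ds.OrderDigest) {
		return false // order altered, or not the order this signature covers
	}
	return ecdsa.VerifyASN1(pub, linkDigest(ds.OrderDigest, ds.PaymentDigest), ds.Sig)
}

// GatewayVerify: the gateway has the payment plaintext and only OrderDigest.
func GatewayVerify(pub *ecdsa.PublicKey, ds *DualSignature, paymentInfo []byte) bool {
	if !bytes.Equal(digest(paymentInfo), ds.PaymentDigest) {
		return false
	}
	return ecdsa.VerifyASN1(pub, linkDigest(ds.OrderDigest, ds.PaymentDigest), ds.Sig)
}

func main() {
	// Purchaser's key pair (in SET this would be certified; assumption: fresh key here).
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	// Constructed sample data, not from any real transaction.
	order := []byte("order=1 book, HKD 120, deliver to PO Box 1")
	payment := []byte("card=PLACEHOLDER-PAN, exp=PLACEHOLDER")
	ds, _ := Sign(priv, order, payment)
	fmt.Println("merchant accepts order:", MerchantVerify(&priv.PublicKey, ds, order))
	fmt.Println("gateway accepts payment:", GatewayVerify(&priv.PublicKey, ds, payment))
	fmt.Println("merchant accepts altered order:", MerchantVerify(&priv.PublicKey, ds, []byte("order=1 book, HKD 1")))
}
```

The merchant only ever receives `order` and `ds`; the card details reach the gateway by a separate path, which in SET is encrypted to the gateway's key. Because the signature covers both digests, neither party can substitute a different order or payment instruction without the verification failing.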
Proxy systems for credit card transactions, such as First Virtual (http://www.fv.com/), also shield the purchaser's credit card details from the merchant but still allow transfer of money and goods to take place. Digicash's ‘ecash’ (you guessed it . . . http://www.digicash.com/) allows for small transactions without credit card use at all. The right approach to collecting payment depends on the frequency, nature and average size of transactions.
At the most basic level, even 40-bit SSL (Secure Sockets Layer) encryption provides adequate protection for much of the type of personal data that will be collected via web-page forms. Encryption is discussed below.
The law and other privacy concerns
The Ordinance is not just about security. It is relevant to EC in other areas as well.
For example, forms submitted by customers from a web page should comply with Principle 1 of the Ordinance – they should state the purpose for which the data will be used and ask only for data required for that purpose. The purpose should be lawful and directly related to a function or activity of the data user. If the organisation may transfer the personal data to another data user, then the classes of such data users should be listed. It should state, or clearly imply, the consequences of not supplying part of the information requested. All this detail need not be shown on the form itself; a button on the form marked ‘Privacy policy’ could be linked to a page giving the necessary information.
Encryption strength and cracking
There has been plenty of discussion about the security of 40-bit, 56-bit and 128-bit encryption and US government controls on software that provides the higher levels of encryption. Encryption with 40-bit keys is regarded by computer security experts as weak and some products available from American sources already offer certain types of users in Hong Kong the greatly-superior 56-bit standard. To place this in perspective, consider the following:
An American organisation advocating privacy in cyberspace (the Electronic Frontier Foundation) recently cracked a 56-bit message in 56 hours, using a single customised PC called the "DES Cracker", costing half a million US dollars. Only a few months before, 56-bit encryption kept the computers of 22,000 enthusiasts busy for 39 days to crack just one message. The previous year, cracking a 40-bit SSL message took 13 hours with 5,000 people collaborating on the Internet. They too cracked the key for just one message.
For routine personal data of no great sensitivity, readily-obtained 40-bit encryption software will usually suffice, but Hong Kong users need not be confined to that. The US does not have a monopoly on software providing 128-bit encryption. Where this degree of protection really is required, as it might be with medical or legally-privileged data, it can be obtained.
Collecting personal data from an Internet site
Conducting electronic commerce is not the only motivation for Web forms that collect personal details. Other examples are applications for credit cards, submissions of job résumés to agencies, surveys and registering at a web site to obtain free software, news services or ‘personalisation’ of a search engine page.
If a company’s web pages include forms that ask purchasers or applicants to give significant or sensitive personal details, you must provide reasonable protection of that data as it travels and when you receive it. You can use SSL (Secure Sockets Layer), and you should make sure that you choose an Internet Service Provider (ISP) that operates a web server with software that can handle this form of secure data transfer. A recent survey established that some 20-odd ISPs were able to offer secure transfer, 20 would not commit themselves without a firm expression of interest from a customer and the remainder did not offer this level of security at the time. These numbers no doubt change from week to week.
When the data arrive at the web server, they are decrypted by SSL and are therefore vulnerable. You may need to consider immediate protection from Internet hackers and even the ISP's personnel. The data should be moved immediately to a computer with no direct connection to the Internet, or encrypted again.
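One way to carry out the "encrypted again" step is to give the web server only a public key. Each submission is sealed on arrival with a fresh AES-256-GCM key, and that key is wrapped with RSA-OAEP to a key pair whose private half exists only on the back-office machine that has no Internet connection. A break-in at the web host, or a curious ISP operator, then finds only ciphertext. The Go program below is an added example written for this article, not code from any ISP or product; the form fields are constructed, and the key sizes and the OAEP label are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// oaepLabel binds the wrapped key to this use (assumption: any fixed string works).
var oaepLabel = []byte("form-submission")

// Sealed is what the web server stores or forwards. Nothing in it can be
// opened without the private key, which never exists on the web server.
type Sealed struct {
	WrappedKey []byte // per-submission AES key, RSA-OAEP encrypted to the back-office public key
	Nonce      []byte // AES-GCM nonce
	Ciphertext []byte // AES-GCM ciphertext and tag over the form submission
}

// SealSubmission runs on the web server, which holds only the public key.
func SealSubmission(pub *rsa.PublicKey, formData []byte) (*Sealed, error) {
	key := make([]byte, 32) // fresh AES-256 key for this submission only
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, oaepLabel)
	if err != nil {
		return nil, err
	}
	return &Sealed{
		WrappedKey: wrapped,
		Nonce:      nonce,
		Ciphertext: gcm.Seal(nil, nonce, formData, nil),
	}, nil
}

// OpenSubmission runs on the isolated back-office machine holding the private key.
func OpenSubmission(priv *rsa.PrivateKey, s *Sealed) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), nil, priv, s.WrappedKey, oaepLabel)
	if err != nil {
		return nil, errors.New("cannot unwrap submission key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	// Open fails if the ciphertext, nonce or tag was altered in transit or storage.
	return gcm.Open(nil, s.Nonce, s.Ciphertext, nil)
}

func main() {
	// Key pair generated once on the back-office machine; only pub is copied to the web host.
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	pub := &priv.PublicKey

	// Constructed sample submission, not real personal data.
	form := []byte("name=Chan Tai Man&hkid=PLACEHOLDER&card=PLACEHOLDER")
	sealed, _ := SealSubmission(pub, form)
	fmt.Printf("held on web server: %d bytes of ciphertext, no plaintext\n", len(sealed.Ciphertext))
	plain, _ := OpenSubmission(priv, sealed)
	fmt.Println("recovered off-line:", string(plain))
}
```

The sealed records can sit on the web server or be carried across to the isolated machine on removable media; either way the plaintext only ever exists on the machine that holds the private key.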
E-mail for the law-abiding
Personal data carried by e-mail
We refer here to e-mail carrying significant personal details, such as an employee file to be submitted to a head office in New York, or details of a customer transmitted as an e-mail generated by a 'Submit' button on a web page. The Ordinance requires such data to be kept secure both when transmitted and when stored.
Unless special steps are taken, the contents of e-mails and some types of attached files will be vulnerable, travelling as they do in relatively clear-text form as the messages follow an unpredictable route through the Internet. Complete copies of messages and attachments may reside for indefinite periods on intermediate servers. Owners of Internet routers may have ready access to personal data that the sender has a duty to protect.
Fortunately, the introduction of S/MIME encrypted e-mail to the major browsers allows safer communication. IT departments should be ready to assist users in setting it up and using it.
Advertising e-mail
The activities of ISP account holders sending e-mails offering goods and services to named individuals are controlled by Section 34 of the Ordinance. The use of e-mail to send unsolicited advertising e-mails contravenes the terms and conditions of ISPs in HK. An ISP allowing such activities will technically be breaking the terms of its licence, so this may at first sight seem academic. However, when someone has agreed to receive promotional material by e-mail, for example having registered at a news-headlines site, this can be legitimate. The Ordinance then requires the direct marketer to act: on first sending such an e-mail, they must inform the recipient that s/he has the right to ask not to receive further direct marketing, and they must change procedures to ensure that any requests by data subjects to ‘opt out’ of mailing lists are met without charge. Not to comply with either of these is a criminal offence.
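The two obligations just described, a notice on first contact and a free opt-out honoured from then on, are easier to meet reliably if the mailing system enforces them than if staff are expected to remember them. The Go program below is an added example, not code from the Ordinance, the PCO or any mailing product; the notice wording, the ‘OPT OUT’ reply convention and the in-memory store standing in for the organisation's mailing database are all assumptions.

```go
package main

import (
	"fmt"
	"strings"
)

// Marketer tracks, per recipient address, whether the first-contact notice has
// been given and whether the person has opted out. Assumption: an in-memory map
// stands in for the organisation's mailing database.
type Marketer struct {
	contacted map[string]bool
	optedOut  map[string]bool
}

func NewMarketer() *Marketer {
	return &Marketer{contacted: map[string]bool{}, optedOut: map[string]bool{}}
}

// normalise makes "A@Example.com " and "a@example.com" the same data subject.
func normalise(addr string) string { return strings.ToLower(strings.TrimSpace(addr)) }

// OptOut records a data subject's request; it costs nothing and takes effect at once.
func (m *Marketer) OptOut(addr string) { m.optedOut[normalise(addr)] = true }

// Prepare returns the message to send, or ok=false if the address must not be mailed.
// The first message to any recipient carries the notice of the right to opt out
// (wording here is constructed, not the Ordinance's text).
func (m *Marketer) Prepare(addr, body string) (msg string, ok bool) {
	a := normalise(addr)
	if m.optedOut[a] {
		return "", false
	}
	if !m.contacted[a] {
		body += "\n\nYou have the right to ask us, free of charge, not to send you " +
			"further direct marketing. Reply with the subject 'OPT OUT'."
		m.contacted[a] = true
	}
	return body, true
}

// HandleReply processes inbound mail; an 'OPT OUT' subject is honoured without charge.
// It reports whether the reply was an opt-out request.
func (m *Marketer) HandleReply(from, subject string) bool {
	if strings.EqualFold(strings.TrimSpace(subject), "OPT OUT") {
		m.OptOut(from)
		return true
	}
	return false
}

func main() {
	m := NewMarketer()
	// Constructed sample list of people who registered for promotions.
	list := []string{"alice@example.com", "bob@example.com"}
	for _, addr := range list {
		if msg, ok := m.Prepare(addr, "This week's offers..."); ok {
			fmt.Printf("to %s:\n%s\n\n", addr, msg)
		}
	}
	m.HandleReply("bob@example.com", "OPT OUT") // Bob asks not to be mailed again
	for _, addr := range list {
		msg, ok := m.Prepare(addr, "Next week's offers...")
		fmt.Printf("to %s: send=%v notice=%v\n", addr, ok, strings.Contains(msg, "right to ask"))
	}
}
```

In a real deployment the opt-out map would need to survive restarts and be shared by every system that sends promotional mail, since a request honoured in one list but not another still breaches the requirement.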
Displaying personal details
Although the Ordinance provides for some exemptions (such as news gathering), personal details of living individuals should not be displayed on the World Wide Web, other than by the individuals themselves or with their express consent. This most often arises as a problem when raffles, draws or prize winners are announced. The conjunction of name and ID Card number should in particular be avoided. Depending on the circumstances of the case, displaying the winner’s name and district, or the ID Card number alone, might be acceptable.
The Commissioner issued a Code of Practice on the use of ID Card numbers, other personal identifiers and ID Card photocopies last December. Copies of this code are available from the PCO.
Exemptions for carriers and agents
Any person or organisation holding, processing or using personal data solely for another party, for example an ISP passing data through from a subscriber to a merchant, is not treated as a user of that data (Section 2(12)). The other party has all the responsibility for ensuring that the Ordinance is complied with in respect of the personal data concerned.
If the carrier, agent, etc. (mis)uses the data for its own purposes in any way, it immediately becomes a data user of the data and the full provisions of the Ordinance apply, including criminal sanctions and liability for civil damages.
Conclusion
Much of the security required by Hong Kong’s privacy legislation is common sense commercial protection.
Compliance with the Ordinance may serve to reinforce to your staff the need to avoid the dangers of other practices involving exposure of sensitive commercial data that are not personal data. It may generally raise awareness, within the organisation, of the risks of today’s changing regulatory and information technology environment.
Roy Grubb founded G&A Management Consultants Limited in HK in 1981 (www.gandanet.com.hk). G&A publishes a hypertext Privacy Compliance Kit. More information on the Ordinance generally and the Kit can be found at www.privacy.com.hk