Security and Privacy Protection

Security and Privacy

In the course of developing the "iAM Smart" platform, OGCIO has been adhering strictly to government policies and guidelines on information technology security as well as the Personal Data (Privacy) Ordinance.

Detailed Descriptions
  • In terms of contractor management:
    • During system development and maintenance support, the contractors can only use test data and work in the development and testing environment. Hence, they have no access to personal data of any resident.
    • OGCIO will also establish access control and monitoring mechanisms for the OGCIO staff who need to access personal data.
  • In terms of system management:
    • OGCIO will ensure that the core data (including users' personal data) in the "iAM Smart" system are encrypted at rest using the internationally recognised Advanced Encryption Standard (AES) and stored in a government data centre.
    • In line with industry encryption standards, Transport Layer Security (TLS) will also be adopted to protect the confidentiality and integrity of data in transit over the internet.
  • In terms of security standards and privacy protection:
    • The HKIC photos provided and the selfies taken by residents during registration for "iAM Smart" or "iAM Smart+", whether via mobile phone or at a self-registration kiosk, will be deleted immediately after the user's identity has been verified.
    • Other personal information provided during registration will only be used for "iAM Smart" or "iAM Smart+" account management. User data will be encrypted and stored in a government data centre.
    • In addition, OGCIO will manage and protect user data and privacy in accordance with international standards ISO 27001 and ISO 27701.

List of System Security Standards and Certifications

  • The OGCIO has developed and maintained a comprehensive set of information technology (IT) security policies, standards, guidelines, procedures and relevant practice guides. These include:
    • Baseline IT Security Policy
    • IT Security Guidelines
    • Practice Guide for Security Risk Assessment and Audit
    • Practice Guide for Information Security Incident Handling.
  • These procedures and guidelines were developed with reference to international standards, industry best practices and professional resources. OGCIO reviews them from time to time to meet the security threats posed by emerging technologies.
  • OGCIO has been adhering strictly to the Personal Data (Privacy) Ordinance and to government policies and guidelines on information technology security in the following areas:
    • Data storage
    • Network and communication security
    • User access management and application system security
    • Security measures to protect personal data.
  • OGCIO has also sought advice from the Privacy Commissioner for Personal Data and engaged independent third parties to conduct privacy impact assessment and information security risk assessment and audit for implementation of the relevant information security and privacy protection requirements.
  • Fast Identity Online (FIDO) is a set of authentication standards that lets online services offer strong authentication without passwords. User verification (for example, biometric verification) is performed only within the mobile phone; the phone proves the result to the service by signing a server-issued challenge with a private key that never leaves the phone, and no biometric data is transmitted outside the mobile phone.
  • Open Authorization 2.0 (OAuth 2.0) is a standard authorization protocol used for delegated authorization across platforms. It lets a user authorize a third-party application to access data held by another service without giving that application the user's username and password; the application receives only an access token limited to what the user approved. "iAM Smart" adopts OAuth 2.0 for authentication and authorization amongst the "iAM Smart" or "iAM Smart+" user, the online service and the "iAM Smart" system, to ensure the system is safe and reliable.
  • Public Key Infrastructure (PKI) provides a safe and reliable environment for electronic transactions on the Internet. It is a security framework that uses public key cryptography to protect the confidentiality, integrity, authenticity and non-repudiation of data.
  • OGCIO manages and protects user data and privacy in accordance with international standards ISO 27001 and ISO 27701. OGCIO will pursue the ISO certification after the system launch.
  • The development and operation of the "iAM Smart" system will adopt the information security management system (ISMS) requirements of ISO/IEC 27001, published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), including the establishment and stringent enforcement of data access rights for all personnel to prevent any unauthorised access to personal data.
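The FIDO bullet above states the property (verification stays on the phone, only a signature leaves it) without showing the exchange. The following Go program is an added illustration, not code from "iAM Smart" or OGCIO: it models the phone-side authenticator and the online service with in-memory structures, uses ECDSA on P-256 as a stand-in for whatever key type a real authenticator uses, and represents the local biometric or PIN check by a boolean flag. The relying party ID "login.example", the user name and the look-alike origin are made up. It also shows the authenticity property the PKI bullet refers to: the service stores only a public key, and a signature made for one origin does not verify at another.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Authenticator stands in for the phone-side FIDO authenticator. The private
// key never leaves it. The local user-verification result (biometric or PIN
// check) is modelled by UserVerified; no biometric sample exists outside it.
type Authenticator struct {
	priv         *ecdsa.PrivateKey
	UserVerified bool
}

// RelyingParty stands in for the online service. It stores only public keys,
// so a breach of its database yields nothing that can be replayed as a login.
type RelyingParty struct {
	ID      string // the service's own identifier, bound into every assertion
	pubKeys map[string]*ecdsa.PublicKey
}

func NewAuthenticator() (*Authenticator, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Authenticator{priv: priv}, nil
}

func NewRelyingParty(id string) *RelyingParty {
	return &RelyingParty{ID: id, pubKeys: make(map[string]*ecdsa.PublicKey)}
}

// Register is the registration ceremony: only the public key crosses the wire.
func (a *Authenticator) Register(rp *RelyingParty, user string) {
	rp.pubKeys[user] = &a.priv.PublicKey
}

// signedData binds the relying party ID to the challenge, so an assertion
// obtained by a look-alike site cannot be forwarded to the real one.
func signedData(rpID string, challenge []byte) []byte {
	h := sha256.New()
	h.Write([]byte(rpID))
	h.Write([]byte{0}) // separator between ID and challenge
	h.Write(challenge)
	return h.Sum(nil)
}

// Sign is the authentication ceremony on the phone: verify the user locally,
// then sign the service's challenge. If the local check fails, nothing is
// signed and nothing is sent.
func (a *Authenticator) Sign(rpID string, challenge []byte) ([]byte, error) {
	if !a.UserVerified {
		return nil, errors.New("user verification failed on device")
	}
	return ecdsa.SignASN1(rand.Reader, a.priv, signedData(rpID, challenge))
}

// NewChallenge issues a fresh random challenge; freshness is what defeats replay.
func (rp *RelyingParty) NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	return c, nil
}

// Verify checks the assertion against the key registered for the user, using
// the service's own ID rather than anything the client claims.
func (rp *RelyingParty) Verify(user string, challenge, sig []byte) bool {
	pub, ok := rp.pubKeys[user]
	if !ok {
		return false
	}
	return ecdsa.VerifyASN1(pub, signedData(rp.ID, challenge), sig)
}

func main() {
	auth, err := NewAuthenticator()
	if err != nil {
		panic(err)
	}
	rp := NewRelyingParty("login.example")
	auth.Register(rp, "alice")

	auth.UserVerified = true // the phone's local biometric check succeeded
	challenge, _ := rp.NewChallenge()
	sig, err := auth.Sign(rp.ID, challenge)
	if err != nil {
		panic(err)
	}
	fmt.Println("assertion accepted:", rp.Verify("alice", challenge, sig))

	replay, _ := rp.NewChallenge()
	fmt.Println("replayed assertion accepted:", rp.Verify("alice", replay, sig))
}
```

The two things to notice are what never crosses the wire (the private key and the biometric result) and what the service checks on its own side (its own ID and a challenge it generated moments ago), which is why a stolen signature or a phishing page gets nothing.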
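The OAuth 2.0 bullet above explains that the third-party application never sees the user's password. The following Go program is an added illustration, not code from "iAM Smart" or OGCIO, and does not describe "iAM Smart"'s actual endpoints: it models the authorization code flow with PKCE (RFC 7636) between an authorization server and a client using in-memory structures and function calls in place of HTTP redirects. The client ID "app1", the redirect URI and the user name are made up. It goes beyond the bullet by showing the checks the token endpoint must make (single-use code, client and redirect URI binding, PKCE verifier match) so that an intercepted authorization code is useless on its own.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
)

// authCode is what the authorization server remembers about an issued code:
// it is bound to the client, redirect URI, user and PKCE challenge, and is
// single-use.
type authCode struct {
	clientID, redirectURI, user, codeChallenge string
	used                                      bool
}

// AuthServer stands in for the identity provider's authorization server. It is
// the only party that ever sees the user's credentials.
type AuthServer struct {
	codes  map[string]*authCode
	tokens map[string]string // access token -> user it was issued for
}

func NewAuthServer() *AuthServer {
	return &AuthServer{codes: map[string]*authCode{}, tokens: map[string]string{}}
}

// Client stands in for the third-party online service. It never handles a
// password; it holds only its own PKCE verifier and, later, an access token.
type Client struct {
	ID, RedirectURI, Verifier string
}

func randomURLSafe(n int) (string, error) {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(b), nil
}

// S256 is the PKCE code_challenge transform: BASE64URL(SHA256(verifier)).
func S256(verifier string) string {
	h := sha256.Sum256([]byte(verifier))
	return base64.RawURLEncoding.EncodeToString(h[:])
}

// BeginAuthorization creates a fresh verifier and returns the challenge that
// goes into the authorization request. The verifier stays with the client.
func (c *Client) BeginAuthorization() (string, error) {
	v, err := randomURLSafe(32)
	if err != nil {
		return "", err
	}
	c.Verifier = v
	return S256(v), nil
}

// Authorize is the authorization endpoint. By the time it runs, the user has
// authenticated to the authorization server itself (the client saw nothing)
// and consented. It returns a single-use code bound to the request.
func (s *AuthServer) Authorize(clientID, redirectURI, codeChallenge, user string) (string, error) {
	if codeChallenge == "" {
		return "", errors.New("invalid_request: code_challenge is required")
	}
	code, err := randomURLSafe(32)
	if err != nil {
		return "", err
	}
	s.codes[code] = &authCode{clientID: clientID, redirectURI: redirectURI, user: user, codeChallenge: codeChallenge}
	return code, nil
}

// Token is the token endpoint. A code that is unknown, already used, presented
// by a different client or redirect URI, or not matched by the PKCE verifier
// is rejected with the same uniform error.
func (s *AuthServer) Token(clientID, redirectURI, code, codeVerifier string) (string, error) {
	ac, ok := s.codes[code]
	if !ok || ac.used {
		return "", errors.New("invalid_grant")
	}
	ac.used = true // burn the code on first presentation, success or not
	if ac.clientID != clientID || ac.redirectURI != redirectURI {
		return "", errors.New("invalid_grant")
	}
	if subtle.ConstantTimeCompare([]byte(S256(codeVerifier)), []byte(ac.codeChallenge)) != 1 {
		return "", errors.New("invalid_grant")
	}
	tok, err := randomURLSafe(32)
	if err != nil {
		return "", err
	}
	s.tokens[tok] = ac.user
	return tok, nil
}

// Introspect answers the resource server's question: whose token is this?
func (s *AuthServer) Introspect(token string) (string, bool) {
	u, ok := s.tokens[token]
	return u, ok
}

func main() {
	as := NewAuthServer()
	c := &Client{ID: "app1", RedirectURI: "https://app.example/cb"}
	challenge, _ := c.BeginAuthorization()
	code, _ := as.Authorize(c.ID, c.RedirectURI, challenge, "alice")
	tok, err := as.Token(c.ID, c.RedirectURI, code, c.Verifier)
	if err != nil {
		panic(err)
	}
	user, _ := as.Introspect(tok)
	fmt.Println("token issued for:", user)
	_, err = as.Token(c.ID, c.RedirectURI, code, c.Verifier)
	fmt.Println("second use of the same code:", err)
}
```

In a real deployment the code also expires after a short time, the token is accompanied by its scope and expiry, and the uniform invalid_grant error is deliberate so that an attacker probing the token endpoint learns nothing about which check failed.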