Security and Privacy Protection
In the course of developing the "iAM Smart" platform, DPO has been adhering strictly to government policies and guidelines on information technology security as well as the Personal Data (Privacy) Ordinance.
Detailed Descriptions
- In terms of contractor management:
  - During system development and maintenance support, the contractors can only use test data and work in the development and testing environment. Hence, they have no access to personal data of any resident.
  - DPO will also establish access control and monitoring mechanisms for DPO staff who need to access the personal data.
- In terms of system management:
  - DPO will ensure that the core data (including users' personal data) in the "iAM Smart" system are encrypted using the prevailing internationally recognised Advanced Encryption Standard and stored in government data centre.
  - To conform with industry encryption standards, Transport Layer Security will also be adopted to encrypt data to ensure data security and integrity during transmission over the internet.
- In terms of security standards and privacy protection:
  - The photos of HKIC provided and selfies taken by residents during registration for "iAM Smart" or "iAM Smart+" via mobile phone or self-registration kiosk will be deleted immediately after verification of the user's identity.
  - Other personal information provided during registration will only be used for "iAM Smart" or "iAM Smart+" account management. User data will be encrypted and stored in government data centre.
- The "iAM Smart" services have been awarded ISO/IEC 27001 and ISO/IEC 27701 international standard certifications, assuring that DPO has formulated and implemented comprehensive information security and privacy management measures. These measures aim to manage and protect users' information and privacy. Integrated management processes have been adopted to ensure appropriate measures are in place to meet the certification requirements on an ongoing basis.
List of System Security Standards and Certifications
- Government IT Security Policy and Guidelines
- Personal Data (Privacy) Ordinance (Cap. 486)
- Fast IDentity Online
- OAuth 2.0 Authorization Framework
- Public Key Infrastructure (PKI)
- Information Security Management System (ISMS) and Privacy Information Management System (PIMS) International Standards – ISO/IEC 27001 and ISO/IEC 27701
- The DPO has developed and maintained a comprehensive set of information technology (IT) security policies, standards, guidelines, procedures and relevant practice guides. These include:
  - Baseline IT Security Policy
  - IT Security Guidelines
  - Practice Guide for Security Risk Assessment and Audit
  - Practice Guide for Information Security Incident Handling.
- These procedures and guidelines were developed with reference to international standards, industry best practices, and professional resources. DPO would review the relevant procedures and guidelines from time to time to meet the challenges of security threats posed by emerging technologies.
- DPO has been adhering strictly to the Personal Data (Privacy) Ordinance, government policies and guidelines on information technology:
  - Data storage
  - Network and communication security
  - User access management and application system security
  - Security measures to protect personal data.
- DPO has also sought advice from the Privacy Commissioner for Personal Data and engaged independent third parties to conduct privacy impact assessment and information security risk assessment and audit for implementation of the relevant information security and privacy protection requirements.
- Fast Identity Online (FIDO) is an authentication protocol that allows online services to offer multiple authentication methods without passwords. User verification (user biometric verification, etc.) will only be performed within the mobile phone. No biometric data will be transmitted outside the mobile phone.
- OAuth 2.0 Authorization Framework is a standard authorization protocol. It is used for cross-platform identity authorization. It enables users to authorize a third-party application to access their data stored in another service, without the need to provide the username and password to the third-party application. "iAM Smart" makes reference to the OAuth 2.0 protocol for authentication and authorization among "iAM Smart" and "iAM Smart+" users, online services and the "iAM Smart" system, to ensure the system is safe and reliable.
- Public Key Infrastructure (PKI) provides a safe and reliable environment for electronic transactions on the Internet.
- It is a security framework that uses public key encryption technology to protect the confidentiality, integrity, authenticity and non-repudiation of data.
- The "iAM Smart" services have been awarded ISO/IEC 27001 and ISO/IEC 27701 international standard certifications, assuring that DPO has formulated and implemented comprehensive information security and privacy management measures. These measures aim to manage and protect users' information and privacy. Integrated management processes have been adopted to ensure appropriate measures are in place to meet the certification requirements on an ongoing basis.
- The development and operation of the "iAM Smart" system adhere to the two internationally recognised standards mentioned above, including the establishment and strict enforcement of data access permissions for all personnel to prevent unauthorised access to personal data within the system.