Seminar on Data Protection Technologies for National Statistical Offices
Seoul, 17-21 August 2001

STAT/DPRO/Hong Kong, China
9 August 2001
ENGLISH ONLY

ECONOMIC AND SOCIAL COMMISSION FOR ASIA AND THE PACIFIC
Seminar on Data Protection Technologies for National Statistical Offices
17-21 August 2001
Seoul
Country paper: Hong Kong, China
Paper by: Y. H. LEE
Census and Statistics Department, Hong Kong, China

This paper has been reproduced as submitted.  It has been issued without formal editing.

1. Basic infrastructure

1.1  The Census and Statistics Department (C&SD) is the official government organization of Hong Kong, China, responsible for providing statistical services.  Its headquarters is in Wan Chai District on Hong Kong Island.  There are sub-offices at five different locations, at distances ranging from 2.4 to 6.5 kilometres from the headquarters.

1.2   As at 1 January 2001, C&SD has a total of about 1 560 staff.  The total office size is about 19 200 square metres.

1.3   C&SD currently has two Alpha computers, ten HP-UX computers, four RS-6000 AIX computers and about 1 300 micro-/notebook computers.

1.4   A departmental network connects all the Local Area Networks (mainly Novell Netware and Windows NT) and Wide Area Networks together.  All the sub-offices of C&SD are connected to the headquarters by leased lines.  Network protocols supported are mainly TCP/IP and IPX.

1.5   Lotus Notes is used as the internal e-mail system of C&SD.  The e-mail system of C&SD is further connected to the e-mail system of the Hong Kong Special Administrative Region (HKSAR) government, thus connecting with all the HKSAR government bureaux and departments.  E-mail accounts are provided to all staff at professional grades and above, and also to some other users in need.  Extension of the services to sub-professional grade staff is being planned.

2. Electronic Transactions

2.1   The Electronic Transactions Ordinance (ETO) (Chapter 553 in the Laws of Hong Kong) of the HKSAR came into effect on 7 January 2000.  The electronic certificate (e-Cert) issued by the Postmaster General of the Hong Kong Post Office is a certificate recognized in accordance with the requirements of the ETO and Code of Practice for Recognized Certification Authority.

2.2   The HKSAR government accepts electronic submission under the statutory provisions in the Laws of Hong Kong starting from 7 April 2001 as the relevant provisions in the ETO came into operation on that date.  It also published in the Gazette a notice specifying the format, manner and procedure that would apply when making electronic submission to the government under the law.  These included the coding schemes for the languages used in the electronic records, the manner of delivery of the electronic records, the file format adopted, and the requirement of digital signature, etc.  It is the HKSAR government's policy objective to promote the wider adoption of electronic transactions in Hong Kong so as to foster the development of electronic commerce.

2.3   The requirement of a digital signature in electronic submission ensures:

  1. Authentication - to prove the identity of the parties in an electronic transaction;
  2. Integrity - to prove that the message contents have not been altered, deliberately or accidentally during transmission;
  3. Non-repudiation - to agree on the terms of transactions and prevent denial of commitment; and
  4. Confidentiality - to ensure that the content and information of a transaction is kept private from unauthorized third parties.

2.4   In this connection, C&SD provides electronic forms to selected establishments for completing the questionnaires of economic surveys.  As spreadsheet software is widely used in Hong Kong, the Commissioner for Census and Statistics also accepts files in spreadsheet format under the ETO.

3. Established approach towards data protection

Confidentiality of survey data pertaining to individual persons or companies

3.1   Surveys are conducted by C&SD under the Census and Statistics Ordinance (Chapter 316 in the Laws of Hong Kong).  This Ordinance stipulates that all collected information that may enable identification of an individual person or company must be kept confidential and not be released to any unauthorized parties, including government departments.  As stipulated in the Ordinance, it is an offence for a staff member of C&SD to disclose data pertaining to an individual person or company to any unauthorized person.  All relevant staff are required to sign a declaration under this Ordinance to ensure that they are fully aware of this.  Moreover, data suppression is applied in statistical tables and similar outputs as appropriate so as to ensure that no information pertaining to an identifiable individual person or company is revealed or deducible in statistical publications.  The following are some measures taken by C&SD to ensure data protection in respect of collection, storage and transmission of statistical data:

  1. Clear procedures on how to ensure confidentiality of individual data during fieldwork are available.  All field staff are required to follow these procedures strictly;
  2. All staff are trained on issues concerning confidentiality of individual data, thus enabling them to understand clearly their legal obligations and details of the related procedures.  Training sessions on the "Guide on Conduct and Discipline" are organized regularly;
  3. All completed questionnaires are kept in custody at safe locations.  Detailed records of document movements are maintained;
  4. All questionnaires are destroyed within a reasonable period after the fieldwork;
  5. The reference link between the identity of respondents and the corresponding computer record is removed within a reasonable period after the fieldwork; and
  6. All statistical tables are checked to ensure that no information pertaining to any individual respondent is revealed or deducible.

Security of information systems

3.2   In C&SD, there are guidelines to enhance the security of information systems.  They are listed below:

  1. General security requirement - all the doors of rooms containing information systems must be locked during lunch hours, after office hours and whenever the user is away from the office for a length of time;
  2. Physical access control - systems that process confidential data are stored in secure server rooms.  A detailed log of access to special computer rooms, including server rooms, computer halls and computer aided telephone interview rooms, is kept, covering each staff member's or visitor's name and entry and leave times;
  3. Data access control - data access is granted on a need-to-know basis;
  4. Password management - passwords are changed periodically.

Security of internet gateway

3.3   Internet services are provided by the HKSAR Government's Central Internet Gateway (GCIG).  Only users with valid accounts can access the service.  The bandwidth is currently limited to a total of 1.5 Mbps for the whole C&SD.  The following security measures have been implemented in the GCIG:

  1. Firewall system to prevent unauthorized traffic and provide traffic logging and monitoring;
  2. User authentication system and network intrusion detection system to prevent and detect irregularities; and
  3. Real time virus scanning and detection system to protect system integrity against computer viruses.

Regulations on Protection of Electronic Data

3.4   In early 2001, the Security Bureau of the HKSAR Government promulgated special security regulations regarding information systems that would take effect on 1 June 2001.  These new regulations relate to the adaptation and use of information systems where classified information, documents and data are involved.

3.5   In response to the new security regulations, C&SD has established a management structure to oversee the security matters within C&SD, and is in the process of formulating its own Departmental IT Security Policy.  A set of IT Security Guidelines will be prepared and promulgated.  Based on the IT Security Guidelines, functional units of C&SD will map out their own implementation procedures and mechanisms to fit in with their operation environment.

3.6   To ensure that data protection considerations are incorporated in the information systems including their development and production, C&SD has a Departmental IT Security Officer.  His/her responsibilities are listed below:

  1. To establish and maintain an information protection program to assist all staff of C&SD in the protection of the information they use;
  2. To lead in the establishment, maintenance and implementation of information security policies, guidelines and standards for colleagues to develop procedures which fit the operational environment at the operational level;
  3. To coordinate with other Bureaux and Departments in the Government on IT security issues;
  4. To ensure that information security reviews and audits are performed as necessary; and
  5. To initiate investigations and implement rectifications in case of breach of security.

Measures to protect against computer viruses and unintentional data loss

3.7   Anti-virus software has been installed on the HKSAR Government's Central Internet Gateway, network servers and micro-/notebook computers.  The latest virus pattern files for the anti-virus software are available on the bulletin board of C&SD's Lotus Notes so that staff of C&SD can easily and readily update virus pattern files to detect new viruses.

3.8   Data and programs in the computer systems are backed up regularly to off-line storage media such as magnetic tapes. In general, daily, weekly, monthly and/or quarterly backup is performed depending on the need of each system.  For disaster recovery, backup tapes of computer systems in the Departmental Computer Hall are placed offsite in a Disaster Recovery Centre, which is 12 kilometres away from the headquarters.  This arrangement is to enable the resumption of minimal computer service in the event of disasters such as fire and flood.

4. Main data security concerns arising from the use of new technology

4.1   Compatibility is an important issue.  Different data providers may use different computer software to process their data.  Thus, it is unlikely that the electronic forms provided by C&SD are perfectly compatible with all the software used by data providers.

4.2   Many raw data providers have incentives to provide electronic data to C&SD.  Electronic submission could reduce the time and effort they need to complete C&SD's survey questionnaires.  However, some data providers are still not very confident about transmitting confidential accounting data to C&SD through the Internet.  More work has to be done to ensure people understand that with suitable arrangements in place, security should not be a problem.

4.3   In view of the significant dependence on the uninterrupted availability of network and computer facilities, C&SD will continue to strengthen the measures to guard against computer viruses and unintentional data loss and keep the measures regularly updated.


