Mr Allen Yeung
Government Chief Information Officer
Dear Mr. Yeung,
In light of the latest information from the Infocloud website that AliCloud has been accepted onto the list of Government Public Cloud Services (‘GPCS’) providers, and that the company’s operations in Mainland China show a close relationship with the Chinese authorities, the public has major concerns over privacy and security risks to Hong Kong citizens whose data may be stored in places, such as mainland China, where the personal data protection regime may not be as strong as Hong Kong’s. I am writing to enquire of the government on the following points:
1. Is it possible that AliCloud will store or process information involving personal data of Hong Kong citizens in the future and, if it does, will there be any measures to protect that personal data from breach?
2. According to the government security requirements, GPCS providers should “not disclose any data or information relating to Add-on GPCS to any external parties and not use those data or information for other purposes.” How does the government ensure that GPCS providers will comply with this requirement?
3. Is the government aware of the exact locations of the data centres outside Hong Kong where GPCS providers have stored government data? Are GPCS providers required to provide the locations of their data centres outside Hong Kong? What are the security and technical requirements for GPCS providers to ensure the security of data in transmission or in situ, especially for data that are stored outside Hong Kong?
4. If personal data of Hong Kong citizens were to be transferred outside Hong Kong for storage or for operations involving a third party, are there any precautions to ensure that the personal data will not be disclosed to that third party?
5. How did the government formulate the security requirements for GPCS providers, and how is the sensitivity level of stored data defined? In general, are there specific requirements on the access rights to, and the storage location of, sensitive data? What consequences do GPCS providers face if they do not meet the security requirements after they are awarded government contracts?
6. Are GPCS providers that opt to use data centres outside Hong Kong and in China required to transfer personal data only to jurisdictions with a personal data protection regime similar to Hong Kong’s?
7. Are GPCS providers required to disclose data requests by law enforcement agencies both inside and outside Hong Kong, and to report any security incidents? How can the government assure Hong Kong citizens that their personal data will not be obtained by the Chinese authorities under any circumstances?
Legislative Councillor (IT)