A LegCo question was asked today on whether Internet Protocol (IP) addresses are regarded as a type of the “personal data” so defined in the Personal Data (Privacy) Ordinance (Cap 486); and whether the Government will adopt measures to prohibit the disclosure of IP addresses to third parties without the authorization of the owners? This is a issue more related to IT management than IT the technology.
The official reply:
“An Internet Protocol (IP) address is a specific machine address assigned by the web surfer’s Internet Service Provider (ISP) to a user’s computer and is therefore unique to a specific computer. An IP address alone can neither reveal the exact location of the computer concerned nor the identity of the computer user. As such, the Privacy Commissioner for Personal Data (PC) considers that an IP address does not appear to be caught within the definition of “personal data” under the PDPO. That said, whether an IP address together with other data constitutes “personal data” under the PDPO will have to depend on the specific circumstances surrounding the case.
ISPs in Hong Kong are bound by the PDPO. As data users, ISPs need to comply with Data Protection Principle 3 which provides that personal data shall not be used, disclosed or transferred for a purpose other than for which they were collected at the time of their collection (or a directly related purpose) in the absence of the data subject’s prescribed consent. The exact location of a computer or the identity of a computer user cannot be traced using an IP address alone. To trace an account user (in the case of a dial-up customer) or the physical address of a user’s computer (in the case of a leased circuit or broadband customer) that has made use of a particular IP address at a particular point in time, one must have the IP address, the time of use of the IP address and the appropriate IP assignment logs kept by the ISPs. The provisions of the PDPO together with the relevant licence conditions in the licence issued to ISPs are sufficient to prohibit the unauthorised disclosure of information collected by ISPs.
The Privacy Commissioner is separately conducting an in-depth research on whether an IP address can be regarded as “personal data” under the PDPO. Apart from a study of the judicial decisions of local and overseas courts on “personal data”, the Commissioner has also sought the views of privacy commissioners of other jurisdictions on the scope of coverage of “personal data” in their respective jurisdictions, as well as consulted the professional views of a senior counsel on issues relating to the scope of “personal data”. Should research findings conducted by the PC reveal that an IP address should be treated as personal data under the PDPO, disclosure of such information would be regulated by the Ordinance.”
If you are confused on such yes and no answer, typical of bureaucratic statement, the simple answer is yes. ISP will protect IP addresses. To obtain information related to IP addresses from ISP, a court order is required. It is like protecting the HKID card number. You can make up any HKID card number which could belong to someone. But the HKID card number alone is not secret. It is the identity of the person associated with the HKID card which is personal data. Please do not think ISP are remote entities. Many IT managers managing their own networks have such personal data in the form of IP addresses in their possession. Need to think PDPO.