Ada Chung FCG FCS, Privacy Commissioner for Personal Data, Office of the Privacy Commissioner for Personal Data, Hong Kong (PCPD), supports the rationale behind limiting the disclosure of personal data in the Companies Register.  

Given its impact on the work of governance professionals, the HKSAR Government’s new inspection regime for the Companies Register has attracted considerable discussion and interest in the governance profession. Back in 2012, the relevant provisions of the Companies Ordinance (Cap 622) (CO), namely, inter alia, Sections 47, 49 to 59 thereof, have already provided for the new inspection regime when the rewritten company law was enacted. Nonetheless, on account of the diverse views expressed by relevant stakeholders at the time, these provisions were not brought into operation in 2014.  Following the completion of the legislature’s scrutiny of the seven pieces of commencement notices and subsidiary legislation introduced by the HKSAR Government, the new inspection regime has been, or is to be, implemented in the following phases.

1. Starting from 23 August 2021, companies may withhold the usual residential addresses (URA) of directors and full identification numbers (IDN) of directors and company secretaries that are contained in their own registers from public inspection.
2. From 24 October 2022 onwards, the Companies Registry (CR) will withhold from public inspection the URA and full IDN of directors, company secretaries and liquidators, etc, which are contained in all the documents filed for registration.
3. Starting from 27 December 2023, the individuals concerned may apply to the CR for withholding their respective URA and full IDN contained in the documents already registered with the CR prior to 24 October 2022 from public inspection.

The new inspection regime is designed to enhance the protection of privacy in relation to personal data of various company officers. Whilst company secretaries have already been allowed to provide their correspondence addresses instead of URA for public inspection under the CO since 2014, the significance of the new inspection regime lies primarily in the removal of the unrestrained public access to obtain the URA and full IDN of individual company officers contained in the Companies Register, thus providing enhanced protection to sensitive personal data.  Under the new regime, for all the documents which are newly registered, only: 

• the correspondence addresses of directors (other than the correspondence addresses of company secretaries), and 
• the partial IDN of directors, company secretaries and other relevant individuals 

will be made available for public inspection. Upon application made to the CR, the URA and full IDN of those individuals will only be made accessible to different groups of authorities or persons as specified in the subsidiary legislation (specified persons), except for certain circumstances where such disclosure by the CR is permissible with an order of the Court or under the CO. Similar protection will also be available for the URA and full IDN contained in documents previously registered with the CR and the company officers concerned may apply for withholding the disclosure of the same to the public.

The legislative history

The new inspection regime can be traced back to 2009 when, as part of the rewrite exercise, the HKSAR Government consulted the public on the draft clauses of the Companies Bill. In December 2009, public views were sought in the First Phase Consultation of the draft Companies Bill as to whether the URA and full IDN of company officers, including company secretaries, on the Companies Register should continue to be made available for public inspection.     The proposed changes were indeed discussed and considered by the relevant Advisory Group formed for the rewrite exercise and the Standing Committee on Company Law Reform in 2007/2008 and then in 2012/2013, with substantial positive feedback from their members, including representatives of the then Hong Kong Institute of Chartered Secretaries.  Consequently, provisions that reflected the new inspection regime were included in the Companies Bill for scrutiny by the legislature, and the new CO, which contained the aforesaid provisions, was enacted in July 2012.  Nevertheless, given the lack of consensus by relevant stakeholders at the time, after the enactment of the primary legislation, the draft Companies (Residential Addresses and Identification Numbers) Regulation was not introduced into the legislature in 2013.   Aiming to elevate its efforts to strengthen the protection of the personal data contained in the Companies Register, the HKSAR Government revived the proposals earlier this year. 

PCPD supports the new regime 

From the perspective of protecting privacy in relation to personal data, I welcome, and have no hesitation in supporting, the new inspection regime which will undoubtedly strengthen the protection of the personal data contained in the Companies Register.  As a matter of fact, the arrangements of the new inspection regime reflect the recommendations made by my Office, the Office of the Privacy Commissioner for Personal Data (PCPD), in our report on the Survey of Public Registers Maintained by Government and Public Bodies published in July 2015.  Among others, we recommended operators of public registers to explore, when providing personal data of a sensitive nature (such as identification document numbers and residential addresses) for public access, less privacy-intrusive means of disclosing the same. For example, by providing partial instead of full identification document numbers and by providing correspondence addresses instead of full residential addresses.  I am pleased to see that the above-mentioned recommendations have been taken into account in the new regime.  Quite contrary to the views expressed in some quarters, in my view the move is of particular importance in the present situation of Hong Kong as there has been a significant increase in the number of doxxing cases since mid-2019, coupled with a worsening trend of cybercrimes and telephone scams that involved the unlawful use of personal data unveiled for the past two years.  This situation is exacerbated by the rapid development of digitalisation and the ease of collecting different kinds of personal data from the public domain, whether from online platforms, internet searches, public registers or the like. It is worth noting that if the personal data available in the public domain is disclosed without appropriate safeguards, or used without regard to the original purpose of collecting the data, it could pose significant risks to privacy, thus jeopardising the interests of the data subjects. This is so especially in the case of sensitive personal data such as full IDN and URA, which practically anyone may obtain from any public register with relative ease nowadays. In this regard, I have grave concerns that personal data has been weaponised by some in Hong Kong and utilised in ways to intimidate, silence or harm others for whatever reasons.   The wave of doxxing that has swelled in Hong Kong since mid-2019 has tested the limits of morality and the law, and should be stopped. Between June 2019 and June 2021, my office has handled over 5,800 doxxing-related complaints and cases discovered proactively by us through our online patrols. Among these cases, 945 of them involved wrongful disclosure of the victims’ identification numbers and/or residential addresses. The figures cry for immediate and effective actions to call the matter to a halt. In the words of the Honourable Mr Justice Jeremy Poon, the Chief Judge of the High Court, ‘doxxing should not and cannot be tolerated in Hong Kong if we still take pride in our city as a civilised society where the rule of law reigns…  The damage of widespread doxxing goes well beyond the victims. It seriously endangers our society as a whole… If doxxing practices are not curtailed, the fire of distrust, fear and hatred ignited by them will soon consume the public confidence in the law and order of the community, leading to disintegration of our society.’   While the Personal Data (Privacy) (Amendment) Bill 2021 was gazetted by the HKSAR Government on 16 July 2021 to introduce a new offence for doxxing and broaden my enforcement powers under the Personal Data (Privacy) Ordinance to deal with doxxing cases more effectively, I believe that strengthening the protection of the personal data contained in public registers will assist in addressing the problem at root. 

Similar arrangements in overseas jurisdictions 

In this regard, Hong Kong is not alone in taking measures to accord more protection to sensitive personal data that appears in the Companies Register. In the UK, for example, company officers’ personal identification numbers are not made available by the Companies House for public inspection on the companies register. For over a decade only their correspondence addresses (better known as service addresses) are made available to the public. Information on directors’ residential addresses is kept on a separate register with restricted access.  Similarly, in Singapore an alternate address instead of the URA may be provided for disclosure on the companies register by company officers, though the full numbers of their Singpass (Singapore citizens’ and residents’ digital ID) are disclosed. On the other hand, in Australia, while identification document numbers are not on the register, under specified circumstances, alternate addresses may be included, for instance, when the Australian Securities and Investments Commission considers that the inclusion of the URA in public records would put the personal safety of the relevant officer and/or his/her family members at risk.   Thus, it is not unorthodox for measures to be taken by regulatory authorities to strengthen the protection given to sensitive personal data in a public register if circumstances warrant.  

Addressing stakeholders’ concerns 

While advocating the importance of the protection of privacy in relation to personal data, I recognise the importance of allowing access to the Companies Register for legitimate purposes of the Register, which are fully set out under Section 45 of the CO.  Not surprisingly, various stakeholders have raised different concerns on the original proposal. Most of the concerns, as I see it, are related to the possible confusion, however slight, that may arise when the full IDN and URA are not available to readily identify the individual concerned, whether for forensic investigation, due diligence checks or other legitimate purposes.   Some refinements to the original proposal have been introduced by the HKSAR Government in response. These include, for example, expanding the scope of specified persons to cover solicitors and foreign lawyers, trust or company service provider licensees (TCSP Licensees), certified public accountants (practising), etc; providing particulars of cross-directorships and introducing administrative measures (such as providing more digits in the IDN) to remove confusion when the disclosure of partial IDN leads to confusing search results.  

Way forward for governance professionals

Undoubtedly, a reasonable balance has to be struck between protecting personal data privacy on the one hand and allowing access to the Companies Register for the legitimate purposes of the Register on the other. Governance professionals are singularly placed in the balance as they bear the brunt, and the advantage, on either side. The present mechanism, as refined, apparently takes into account the need for some professionals, including TCSP Licensees, to carry out due diligence checks of company officers in their daily work. Hence, governance professionals who are TCSP Licensees would continue to enjoy unrestricted access to the personal data on the Companies Register while at the same time, under the new regime, the disclosure of their full IDN is restricted. Notwithstanding the unrestricted access to the Companies Register, TCSP Licensees should be mindful of the restricted use of the data obtained from the Register, namely that their use is confined to the very purposes of the setting up of the Register, as reflected in Section 45 of the CO and the terms of use of the CR’s electronic search service.  Ada Chung FCG FCS  Privacy Commissioner for Personal Data, PCPD