Disclosure Records of Recognized Certification Authorities

Disclosure Record for the Postmaster General

(This is page 38 of the disclosure record for the Postmaster General maintained by the Commissioner for Digital Policy (“CDP”) under section 31(1) of the Electronic Transactions Ordinance (Cap. 553) (“ETO”).)

Assessment Report and Statutory Declaration in respect of Relocation of Disaster Recovery Data Centre

Postmaster General (“PMG”) (hereinafter referred to as Hongkong Post CA (“HKPCA”)) planned to relocate its disaster recovery (“DR”) data centre. The then Government Chief Information Officer (the “then GCIO”) considered that the changes involved in the relocation of DR data centre are major changes. In this light, the then GCIO had, by notice given to the HKPCA, required the HKPCA to furnish to the then GCIO an assessment report and a statutory declaration pursuant to section 43A(1) of the ETO. In this connection, HKPCA arranged the preparation of an assessment report produced by an independent assessor as well as furnished a statutory declaration made by a responsible officer of HKPCA in relation to the relocation of DR data centre.

In accordance with section 43A(3) of the ETO, the CDP must publish in the disclosure record for HKPCA as a recognized CA the dates of and the material information in the assessment report and statutory declaration on the CA services of the HKPCA. Only those parts of the report and statutory declaration containing material information are herewith published.

Assessment Report

A. Date of the Report

  • The date of the report is 2 September 2024.

B. Material Information

  1. In the assessor's opinion, in all material respects:
    1. the management assertions, in respect of HKPCA's and Certizen as its agent's capability to comply with the relevant sections of the COP (See Note 1) set out in Part A of Appendix 3 to PN-870 (See Note 2) related to those provisions set out in section A of the assessment report (See Note 3) and the WebTrust standard, in relation to the relocation are reasonable. In particular, HKPCA with its agent is capable of:
      1. disclosing its business practices in its CPS (see Note 4) in accordance with the applicable ETO and the COP provisions and the MRCP (Note 5), and providing its services in accordance with its disclosed business practices, in relation to the relocation; and
      2. reasonably complying with the applicable ETO and COP provisions (Part A of Appendix 3 to PN-870) set out in section A of the report and the MRCP in respect of the relocation and the use of a trustworthy system and repositories implemented through such trustworthy system, to the extent that they are affected by the relocation.
    2. no information came to the assessor’s attention during the course of the assessment that would indicate that the management assertions, in respect of HKPCA’s and its agent’s capability to comply with the relevant sections of the COP set out in Part B of Appendix 3 to PN-870 related to those provisions set out in section A of the report, in relation to the relocation are not reasonable; and
    3. based on the conclusions drawn in paragraphs (a) and (b) above, the management assertions, in relation to the relocation in respect of HKPCA’s and its agent’s capability of complying with the applicable ETO provisions set out in section A of the report are reasonable.

Statutory Declaration

A. Date of the Declaration

  • The date of the declaration is 4 September 2024.

B. Material Information

  • Having regard to HKPCA’s relocation of its DR data centre, a responsible officer of HKPCA declares that HKPCA as an RCA (See Note 6) is capable of complying with the provisions of the ETO and the provisions of the COP which have been set out under paragraph 2 of Appendix of Annex I of the memorandum from the then GCIO dated 29 September 2023 (see Note 7).

Notes

1. Code of Practice for Recognized Certification Authorities (“COP”) (Version 3.2) issued by the CDP under section 33 of the ETO.

2. Practice Note 870 “The Assessment of Certification Authorities under the Electronic Transactions Ordinance” issued by the Hong Kong Institute of Certified Public Accountants.

3. The section A of the assessment report is extracted as follows:

Applicable ETO provisions

    1. Part X - General Provisions as to Recognized CAs:
      Sections 36, 37, 39, 40, 44 and 45(1).
    2. Part XI - Provisions as to Secrecy, Disclosure and Offences:
      Sections 46, 47 and 48.

Applicable Code of Practice provision

    1. General Responsibilities of a Recognized CA:
      Paragraphs 3.1 to 3.6 inclusive and 3.8.
    2. Certification Practice Statement:
      Paragraphs 4.1 to 4.13 inclusive.
    3. Trustworthy System:
      Paragraphs 5.1 to 5.3 inclusive, 5.6 to 5.17 inclusive and 5.19 to 5.21 inclusive.
    4. Certificates and Recognized Certificates:
      Paragraphs 6.1 to 6.23 inclusive.
    5. Repositories:
      Paragraphs 9.1 to 9.5 inclusive.
    6. Disclosure of Information:
      Paragraphs 10.1 to 10.6 inclusive.
    7. Adoption of Standards and Technology:
      Paragraph 14.1.
    8. Inter-operability:
      Paragraphs 15.1 and 15.2.
    9. All paragraphs in Appendix 1 of the Code of Practice, which are applicable to the requirements stipulated in the MRCP.

4. Certification Practice Statements (“CPS”).

5. Certificate Policy for Mutual Recognition in Electronic Signature Certificates Issued by Hong Kong and Guangdong (“MRCP”).

6. Recognized Certification Authority (“RCA”).

7. Paragraph 2 of Appendix of Annex I of the memorandum from the then GCIO is reproduced below for reference:

2. For the purpose of section 43A(1)(d)(i) of the ETO

2.1 A responsible officer of PMG shall make a statutory declaration which states that, having regard to PMG’s plan to relocate DR data centre, PMG is capable of complying with the following provisions of the COP.

    1. General Responsibilities of a Recognized CA:
      Paragraphs 3.7 and 3.9.
    2. Trustworthy System:
      Paragraph 5.18.
    3. Disclosure of Information:
      Paragraphs 10.7 to 10.9 inclusive.
    4. Consumer Protection:
      Paragraph 16.1.

2.2 A responsible officer of PMG shall make a statutory declaration which states that, having regard to PMG’s plan to relocate its DR data centre, PMG is capable of complying with the MRCP.