- 繁
- 简
Text Size
- Email
- Facebook
- Whatsapp
- Weibo
- Wechat
- X
- RSS
"Scan QR Code" in WeChat and tap "..." to share.
Search for Keywords

Close Search box

Search for Keywords in Mobile Search Bar

Close Search box
Languages
- 繁體
- 简体

Frequently Asked Questions

Electronic Transactions Ordinance ("ETO")

Q1.

What are the purposes of the ETO?

Q2.

When was the ETO enacted?

Q3.

What is the Electronic Transactions (Exclusion) Order?

Q4.

What is the legal backing of digital signature and electronic signature under the ETO?

Voluntary Certification Authority Recognition Scheme under the ETO

Q1.

What is the Voluntary Certification Authority Recognition Scheme?

Q2.

What is the Code of Practice for Recognized Certification Authorities?

Q3.

What is the benefit of the Voluntary Certification Authority Recognition Scheme?

Q4.

Which certification authorities are now recognized under the ETO?

Q5.

What are the differences between a CA recognized under the ETO and a CA not recognized under the ETO?

Granting Recognition under the Voluntary Certification Authority Recognition Scheme

Q1.

What are the criteria for the CDP to grant recognition to a certification authority?

Q2.

What types of recognition will the CDP grant under the ETO?

Q3.

What is an assessment report that needs to be furnished to CDP?

Q4.

Who can be the person qualified to make an assessment report?

Q5.

Are there guidelines for the assessment of a certification authority?

Q6.

How to submit application for recognition/renewal of recognition as a recognized Certification Authority and/or recognition of certificates?

Digital Certificates for Electronic Transactions

Q1.

What are the uses of digital certificates?

Q2.

What are the recognized digital certificates issued by certification authorities in Hong Kong?

Q3.

How to select and apply for a digital certificate?

Q4.

Can a digital certificate be used for the whole life of an individual?

Q5.

What should I do when my digital certificate is going to expire?

Q6.

What should I do if I lose my digital certificate?

Q7.

Should my digital certificate be shared with someone else?

Q8.

Which e-Government and e-Commerce services are accepting digital certificates?

Electronic Submission to Government

Q1.

How to submit applications / documents in electronic means to Government bureaux/departments?

Q2.

What is the required format when submitting information to Government entities in the form of electronic record?

Electronic Transactions Ordinance ("ETO")

Q1.

What are the purposes of the ETO?

A1.

The ETO aims to provide a clear legal framework for the conduct of secure electronic transactions by giving electronic record and electronic signature the same legal recognition as that of their paper-based counterparts. It also establishes a voluntary recognition scheme for certification authorities to enhance public confidence in the adoption of electronic transactions.

Q2.

When was the ETO enacted?

A2.

The ETO was enacted in January 2000 and last updated in January 2024.

Q3.

What is the Electronic Transactions (Exclusion) Order?

A3.

Under the ETO, the Permanent Secretary for Innovation, Technology and Industry may by Gazette specifies the ordinances that are excluded from the application of sections 5, 6, 7 and 8 of the ETO because of operational, technological, solemnity or other reasons. Please click this link to access the Electronic Transactions (Exclusion) Order .

Q4.

What is the legal backing of digital signature and electronic signature under the ETO?

A4.

The ETO provides legal backing to electronic record and electronic signature, which includes digital signature.

For transactions not involving Government entities, a signature requirement under law can be met by any form of electronic signature so long as it is reliable, appropriate and agreed by the recipient of the signature. For example, banking services in Hong Kong use different forms of electronic signature, including digital signature supported by digital certificate issued by CAs that are either recognized or not recognized under the ETO.

For transactions involving Government entities, a signature requirement under law can be satisfied by digital signature supported by a recognized digital certificate issued by a CA recognized under the ETO. Under the ETO, a Government entity means a public officer or a public body. For example, citizen may use recognized digital certificate issued by recognized CA in submitting Tax Return electronically to Inland Revenue Department of the Hong Kong Government.

Voluntary Certification Authority Recognition Scheme under the ETO

Q1.

What is the Voluntary Certification Authority Recognition Scheme?

A1.

To better protect the interest of users of certification services and enhance their confidence in electronic transactions, a Voluntary Certification Authority Recognition Scheme was established pursuant to the ETO. Under this scheme, a certification authority ("CA") may voluntarily apply to the Commissioner for Digital Policy ("CDP") for recognition and once recognized the CA shall comply with the requirements of the ETO and the Code of Practice for Recognized Certification Authorities ("Code of Practice"). Recognition will only be granted to those CAs that have reached a standard acceptable to the CDP and hence the trustworthiness of their systems and services are better ensured.

Q2.

What is the Code of Practice for Recognized Certification Authorities?

A2.

The Code of Practice for Recognized Certification Authorities is published by the CDP, which specifies the standards and procedures for a recognized certification authority ("CA") to carry out its functions. Recognized CAs shall comply with the Code of Practice for Recognized Certification Authorities in providing trustworthy CA services to the public.

Q3.

What is the benefit of the Voluntary Certification Authority Recognition Scheme?

A3.

The Voluntary Certification Authority Recognition Scheme enhances public confidence in electronic transactions that are secured by recognized digital certificates issued by recognized certification authorities("CAs"). Recognition will only be granted to those CAs and digital certificates that have met the trustworthiness standard of the Government, thus protecting the interest of users of services of a recognized CA.

Q4.

Which CAs are now recognized under the ETO?

A4.

There are now two certification authorities("CAs") recognized under the ETO. The Postmaster General is an recognized CA by virtue of the ETO. The Hongkong Post CA service commenced in January 2000. Digi-Sign Certification Services Limited became an recognized CA under the ETO in July 2001. The list of Recognized CAs is published on DPO’s web site.

Q5.

What are the differences between a CA recognized under the ETO and a CA not recognized under the ETO?

A5.

While CAs are free to operate in Hong Kong, only a recognized CA shall comply with the ETO and the Code of Practice. In order to monitor a recognized CA's compliance with the ETO and the Code of Practice and enhance public confidence in using recognized CA's services, the recognized CA shall, among others, submit an annual assessment report conducted by a qualified person, apply for renewal of its recognition every 3 years and apply for recognition of certificate if the certificate is intended to be recognized under the ETO.

Granting Recognition under the Voluntary Certification Authority Recognition Scheme

Q1.

What are the criteria for the CDP to grant recognition to a certification authority?

A1.

The CDP will consider various factors in granting recognition to a certification authority("CA"), including its financial status, liability cover and trustworthiness of the systems for its CA operation, with a view to better protecting users’ interest and enhancing public confidence in electronic transactions with the use of the recognized CA’s services. Please visit Recognition of Certification Authorities and Certificates for the detailed criteria.

Q2.

What types of recognition will the CDP grant under the ETO?

A2.

The CDP grants recognition to certification authorities("CAs") and digital certificates issued by an Recognized CA. Please visit Recognition of Certification Authorities and Certificates for details.

Q3.

What is an assessment report that needs to be furnished to CDP?

A3.

A CA is required to submit an assessment report under one of the following circumstances:

At least once in every 12 months, a recognized certification authority("CA") must furnish to the CDP a report containing an assessment as to whether the recognized CA has, from the specified date until the last day of the period to which the report relates, complied with relevant provisions of the ETO and the Code of Practice for Recognized Certification Authorities ("Code of Practice"); or
Where the CDP considers that there have been or will be major changes in the operation of a recognized CA, the CDP may, by notice given to the CA, specify the major changes and require the CA to furnish to the CDP a report within the period specified in such notice; or
A CA seeking recognition must furnish to the CDP an assessment report as part of the particulars and documents submitted for the application for recognition.

The report must be made by a person approved by the CDP as being qualified to make such a report. An assessment report will typically describe the scope of the assessment, basis of conclusion, exceptions or deficiencies (mainly non-compliance with the ETO or the Code of Practice) identified, and conclusions of the assessment.

Q4.

Who can be the person qualified to make an assessment report?

A4.

The person (i.e. an assessor) to be qualified to make an assessment report shall be:

independent of the certification authority("CA") under assessment;
accredited by a recognized professional organisation or association; and
proficient in:
- the assessment of public key infrastructure and related technologies, such as digital signature and certificate, etc;
- applying information security tools and techniques;
- performing financial reviews;
- performing security reviews; and
- performing third-party reviews.

The qualified person may be an individual possessing all of the above requirements, or a partnership or an organisation comprising individuals that collectively possess all of the above requirements.

Please refer to sections 12.2 - 12.5 of the Code of Practice for Recognized Certification Authorities for more details.

Q5.

Are there guidelines for the assessment of a certification authority?

A5.

To conduct an assessment on a certification authority("CA"), an assessor must follow the " Guidance Note on Compliance Assessment of Certification Authorities" published by the CDP.

Q6.

How to submit application for recognition/renewal of recognition as a recognized Certification Authority and/or recognition of certificates?

A6.

Please refer to Application for Recognition.

Digital Certificates for Electronic Transactions

Q1.

What are the uses of digital certificates?

A1.

From the perspective of functional uses, digital certificates are purposefully designed for public key encryption, digital signature and electronic authentication in conducting electronic transactions. The objective of public key encryption is to ensure confidentiality of message, whereas the use of digital signature is to ensure data integrity, user authenticity and non- repudiation of transaction.

Q2.

What are the recognized digital certificates issued by certification authorities in Hong Kong?

A2.

Recognized digital certificates are the certificates issued by certification authorities (CAs) recognized under the Electronic Transactions Ordinance (Cap. 553). The recognized digital certificates should be issued following the requirements as stipulated in the CAs' Certification Practice Statements which should be prepared in accordance with the requirements specified in the Code of Practice for Recognized Certification Authorities. Please refer to Types of Digital Certificates for details.

Q3.

How to select and apply for a recognized digital certificate?

A3.

You are advised to select the type of recognized digital certificates that meet your personal / business need. Please refer to Types of Digital Certificates for more information on their purposes of use.

To apply for a recognized digital certificate, each recognized certification authority has its own application procedures for its customers. For general understanding, please refer to User Journey of Using Digital Certificates. For detailed application forms and procedures, please refer to:

Q4.

Can a digital certificate be used for the whole life of an individual?

A4.

No, each digital certificate has its own validity period. For security sake, you can only use your digital certificate within the validity period before its expiry. For example, the validity period for Hongkong Post e-Cert (Personal), e-Cert (Organisational) and e-Cert (Encipherment) are up to a maximum of 3 years while that for e-Cert (Server) is 1 year. You may visit the respective certification authority's website to obtain the validity period information of each certificate type:

Q5.

What should I do when my digital certificate is going to expire?

A5.

You have to renew your digital certificate before its expiry if you wish to continue using it. For detailed renewal procedures, please refer to the respective certification authority's website:

Q6.

What should I do if I lose my digital certificate?

A6.

If you lose your digital certificate, it may have the chance that your private key would have been compromised. In that case, you should apply to revoke the digital certificate from the certification authority and re-enroll for a new one. In addition, having a backup of your certificate is necessary to access all your old encrypted messages when your certificate is lost.

Q7.

Should my digital certificate be shared with someone else?

A7.

No. You are highly advised to keep safe custody of your digital certificate and reminded not to share it with any other person. Allowing other person to use your digital certificate means the person can make use of it to create digital signature which has the same legal status as that of your hand-written signature.

Q8.

Which e-Government and e-Commerce services are accepting digital certificates?

A8.

Currently, there are a number of e-Government services such as Government Electronic Trading Services, Road Cargo System and Voter Registration, etc. accepting digital certificates. Please also refer to Adoption of Digital Certificates in Hong Kong for more information on e-Government and e-Commerce services.

Electronic Submission to Government

Q1.

How to submit applications / documents in electronic means to Government bureaux/departments?

A1.

Most of the Government services have provided e-option to improve public sector efficiency and service delivery. Please visit the relevant websites of the Government bureaux / departments (B/Ds) for details on electronic submission of information to the respective B/Ds.

Q2.

What is the required format when submitting information to Government entities in the form of electronic record?

A2.

Under the ETO, the Permanent Secretary for Innovation, Technology and Industry may specify by Gazette the manner, format and procedure for submitting information to Government entities in the form of electronic record under various ordinances. Click this link for the latest Gazette Notice.