An Ordinance to protect the security of the computer systems of Hong Kong’s critical infrastructures; to regulate the operators of such infrastructures; to provide for the investigation into, and response to, computer-system security threats and incidents in respect of such computer systems; and to provide for related matters.
[1 January 2026] L.N. 144 of 2025
Enacted by the Legislative Council.
This Ordinance may be cited as the Protection of Critical Infrastructures (Computer Systems) Ordinance.
This Ordinance comes into operation on a day to be appointed by the Secretary for Security by notice published in the Gazette.
In this Ordinance—
appeal board (上訴委員會) means an appeal board appointed under section 4(1) of Schedule 7;
appeal panel (上訴委員團) means the appeal panel mentioned in section 47(1);
authorized officer (獲授權人員), in relation to a regulating authority, means—
(a) if the authority is the Commissioner—a person appointed under section 50(1); or
(b) if the authority is a designated authority—a person appointed by the authority under section 51(1);
category 1 obligation (第1類責任) means an obligation imposed by Division 1 of Part 4;
category 2 obligation (第2類責任) means an obligation imposed by Division 2 of Part 4, and includes an obligation to comply with a requirement imposed under section 24(5) or 25(4) or (6);
category 3 obligation (第3類責任) means an obligation imposed by Division 3 of Part 4;
CI operator (關鍵基礎設施營運者) means an organization designated under section 12;
code of practice (實務守則), except in section 55, means a code of practice issued under section 8 (including such a code of practice that is revised under section 8);
Commissioner (專員) means the Commissioner of Critical Infrastructure (Computer-system Security) appointed under section 3(1);
computer system (電腦系統)—
(a) means a set of computer hardware and software that is organized for the collection, processing, storage, transmission or disposition of information; and
(b) includes a computer;
computer-system security (電腦系統安全), in relation to a critical computer system, means the ability of the system to resist, and the state in which the system is protected from, events and acts that compromise the availability, integrity or confidentiality of—
(a) the information stored in, transmitted or processed by, or accessible via, the system; or
(b) the services offered by, or accessible via, the system;
computer-system security incident (電腦系統安全事故), in relation to a critical computer system, means an event that—
(a) involves—
(i) access, without lawful authority, to the critical computer system; or
(ii) any other act done, without lawful authority, on or through the critical computer system or another computer system; and
(b) has an actual adverse effect on the computer-system security of the critical computer system;
computer-system security management unit (電腦系統安全管理單位), in relation to a CI operator, means a unit maintained by the operator under section 21(1);
computer-system security threat (電腦系統安全威脅), in relation to a critical computer system, means an act (whether known or suspected)—
(a) that is, or is capable of being, done on or through the critical computer system or another computer system; and
(b) the doing of which is likely to have an adverse effect on the computer-system security of the critical computer system;
core function (核心功能), in relation to a critical infrastructure, means—
(a) if the infrastructure falls within paragraph (a) of the definition of critical infrastructure in this subsection—the provision of the essential service concerned; or
(b) if the infrastructure falls within paragraph (b) of that definition—any function of the infrastructure that is essential to the maintenance of critical societal or economic activities in Hong Kong;
court (法院) means—
(a) a court as defined by section 3 of the Interpretation and General Clauses Ordinance (Cap. 1); or
(b) a magistrate;
critical computer system (關鍵電腦系統) means a computer system designated under section 13;
critical infrastructure (關鍵基礎設施) means—
(a) any infrastructure that is essential to the continuous provision in Hong Kong of an essential service in a sector specified in Schedule 1; or
(b) any other infrastructure the damage, loss of functionality or data leakage of which may hinder or otherwise substantially affect the maintenance of critical societal or economic activities in Hong Kong;
designated authority (指定當局)—see section 5;
designation date (指定日), in relation to a CI operator, means the date on which the operator is designated under section 12;
document (文件) includes—
(a) any input or output, in whatever form, into or from an information system; and
(b) any document, record of information or similar material (whether produced or stored mechanically, electronically, magnetically, optically, manually or by any other means);
function (職能) includes a power and a duty;
information (資料) includes data, text, images, sound codes, computer programs, software, databases, and any combination of them;
information system (資訊系統) has the meaning given by section 2(1) of the Electronic Transactions Ordinance (Cap. 553);
organization (機構) includes a company and any other body corporate;
regulated organization (受規管機構), in relation to a designated authority, means an organization specified in column 4 of Part 2 of Schedule 2 opposite the authority;
regulating authority (規管當局) means the Commissioner or a designated authority;
specified critical infrastructure (指明關鍵基礎設施)—see subsection (3);
tribunal (審裁處) means a tribunal established by or under an Ordinance.
In this Ordinance, a reference to a critical infrastructure operated by a CI operator is a reference to a critical infrastructure in relation to which the operator is designated under section 12.
For the purposes of this Ordinance—
if a critical infrastructure—
is related to a sector specified in column 3 of Part 2 of Schedule 2 opposite a designated authority; and
is operated by a regulated organization of the authority,
the infrastructure is a specified critical infrastructure for the authority; and
a critical infrastructure is otherwise a specified critical infrastructure for the Commissioner.
For the purposes of this Ordinance—
if a CI operator is a regulated organization of a designated authority, the operator is a CI operator regulated by the authority; or
a CI operator is otherwise a CI operator regulated by the Commissioner,
and a reference to a regulating authority that regulates a CI operator is to be construed accordingly.
For the purposes of this Ordinance, an act (including access to a computer system) is done without lawful authority if the person doing the act—
does so in excess of the person’s authority; or
is otherwise not entitled to do so.
For the purposes of this Ordinance, the Chief Executive may appoint a person to be the Commissioner of Critical Infrastructure (Computer-system Security).
The Commissioner is to be appointed for a term of not more than 5 years, but is eligible for reappointment.
The Commissioner is to be entitled to be paid the remuneration and allowances determined by the Secretary for Security.
The functions of the Commissioner are—
to identify critical infrastructures and designate CI operators and critical computer systems;
to issue, revise and maintain codes of practice in respect of category 1 obligations, category 2 obligations and category 3 obligations of CI operators;
to monitor and supervise compliance with the provisions of this Ordinance;
to regulate CI operators with regard to the computer-system security of the critical computer systems of critical infrastructures;
to monitor, investigate and respond to computer-system security threats and computer-system security incidents in respect of the critical computer systems of critical infrastructures;
to coordinate the implementation of this Ordinance with designated authorities and government departments; and
to perform any other functions imposed or conferred on the Commissioner under this or any other Ordinance.
For the purposes of this Ordinance, an authority is a designated authority if it is specified in column 2 of Part 2 of Schedule 2.
The functions of a designated authority are—
to identify critical infrastructures regulated by the authority (subject infrastructures) and designate CI operators and critical computer systems for such infrastructures;
to issue, revise and maintain codes of practice in respect of category 1 obligations and category 2 obligations of CI operators regulated by the authority (subject operators);
to monitor and supervise compliance with category 1 obligations and category 2 obligations;
to regulate subject operators with regard to the computer-system security of the critical computer systems of subject infrastructures to the extent that such regulation relates to category 1 obligations and category 2 obligations;
to facilitate the Commissioner’s performance of the Commissioner’s functions under this Ordinance; and
to perform any other functions imposed or conferred on the authority under this Ordinance.
The Commissioner—
may, in writing, direct a CI operator regulated by the Commissioner to do, or refrain from doing, an act specified in the direction in relation to the compliance with a category 1 obligation or category 2 obligation if the Commissioner is satisfied that—
the operator has failed to comply with the obligation; or
the operator’s compliance with the obligation is defective; and
may, in writing, direct a CI operator to do, or refrain from doing, an act specified in the direction in relation to the compliance with a category 3 obligation if the Commissioner is satisfied that—
the operator has failed to comply with the obligation; or
the operator’s compliance with the obligation is defective.
A designated authority may, in writing, direct a CI operator regulated by the authority to do, or refrain from doing, an act specified in the direction in relation to the compliance with a category 1 obligation or category 2 obligation if the authority is satisfied that—
the operator has failed to comply with the obligation; or
the operator’s compliance with the obligation is defective.
A direction given under subsection (1) or (2) must specify the time within which it has to be complied with.
Without limiting subsections (1) and (2), a direction given under either of those subsections may require the CI operator concerned to revise and resubmit any document that has to be submitted under this Ordinance.
A direction given under subsection (1) or (2) by a regulating authority may be revoked at any time by the authority.
For the purposes of subsections (1)(a)(ii) and (b)(ii) and (2)(b), in considering whether a CI operator’s compliance with an obligation is defective, the regulating authority concerned may take into account whether the operator has observed a relevant provision in a code of practice.
If a direction is given by a regulating authority to a CI operator by virtue of subsection (1)(a)(ii) or (b)(ii) or (2)(b), and the operator is able to show to the satisfaction of the authority that—
the operator has done, or is doing, an act in relation to the obligation concerned; and
because of the act, the operator’s compliance with the obligation is not defective (whether or not on the ground that a relevant provision in a code of practice is observed),
the authority may, in writing, discharge the direction.
A CI operator commits an offence if the operator fails to comply with a direction given under subsection (1) or (2).
A CI operator that commits an offence under subsection (8) is liable—
on summary conviction—to a fine of $3,000,000 and, in the case of a continuing offence, to a further fine of $60,000 for every day during which the offence continues; or
on conviction on indictment—to a fine of $5,000,000 and, in the case of a continuing offence, to a further fine of $100,000 for every day during which the offence continues.
A regulating authority may issue a code of practice that provides practical guidance on—
if the authority is the Commissioner—
how a CI operator regulated by the Commissioner is to comply with category 1 obligations and category 2 obligations; and
how a CI operator is to comply with category 3 obligations; or
if the authority is a designated authority—how a CI operator regulated by the authority is to comply with category 1 obligations and category 2 obligations.
A code of practice may include—
a standard; and
a specification.
If a regulating authority issues a code of practice, the authority must—
publish the code on a website of the authority; and
specify, by notice published on a website of the authority—
the date on which the code is to take effect; and
the purposes for which the code is issued.
A regulating authority may from time to time revise (whether in whole or in part) any code of practice issued by the authority.
If a code of practice is revised (whether in whole or in part) under subsection (4), the regulating authority must—
publish the code so revised on a website of the authority; and
specify, by notice published on a website of the authority—
the date on which the revision is to take effect; and
the purposes of the revision.
A regulating authority may revoke (whether in whole or in part) any code of practice issued by the authority.
If a code of practice is revoked (whether in whole or in part) under subsection (6), the regulating authority must specify, by notice published on a website of the authority, the date on which the revocation is to take effect.
A code of practice is not subsidiary legislation.
To avoid doubt, a regulating authority may under this section issue different codes of practice for different purposes under this Ordinance.
A failure by an organization to observe a provision of a code of practice does not by itself make the organization liable to any civil or criminal proceedings.
Despite subsection (1), if in any legal proceedings the court or appeal board concerned is satisfied that a code of practice (or any part of a code of practice) is relevant to determining a matter that is in issue in the proceedings—
the code (or part of the code) is admissible in evidence in the proceedings; and
proof that the organization contravened or did not contravene a relevant provision of the code may be relied on by a party to the proceedings as tending to establish or negate that matter.
In any legal proceedings, a document purporting to be a copy of a code of practice printed from a website of a regulating authority—
is admissible in evidence on production without further proof; and
unless the contrary is proved, is evidence of the information contained in the document.
In this section—
legal proceedings (法律程序) includes the proceedings of an appeal board.
A regulating authority may specify—
the form of a document or notification required to be provided or made for the purposes of this Ordinance; and
the way in which it is to be provided or made.
A regulating authority may specify—
more than one form under subsection (1)(a); and
more than one way under subsection (1)(b),
whether as alternatives or to provide for different circumstances.
For the purposes of this Ordinance, a regulating authority may ascertain whether an infrastructure is a specified critical infrastructure for the authority.
A regulating authority must, in ascertaining whether an infrastructure is a specified critical infrastructure for the authority, take into account—
what kind of service is provided by the infrastructure;
what implications there can be if the infrastructure is damaged, loses functionality or suffers any data leakage;
any information provided in respect of the infrastructure for compliance with a requirement under Division 2; and
any other matters the authority considers relevant.
For the purposes of this Ordinance, the Commissioner may, by written notice, designate an organization as a CI operator if—
the organization operates a critical infrastructure; and
the infrastructure is a specified critical infrastructure for the Commissioner.
For the purposes of this Ordinance, a designated authority may, by written notice, designate a regulated organization of the authority as a CI operator if—
the organization operates a critical infrastructure; and
the infrastructure is a specified critical infrastructure for the authority.
To avoid doubt—
more than one CI operator may be designated in relation to a critical infrastructure; and
an organization may be designated as a CI operator for more than one critical infrastructure.
A designation under subsection (1) or (2) has effect until it is revoked by the regulating authority making it.
In considering whether to designate an organization as a CI operator or whether to revoke such a designation, a regulating authority must take into account—
how dependent the core function of the critical infrastructure concerned is on computer systems;
the sensitivity of the digital data controlled by the organization in respect of the infrastructure;
the extent of control that the organization has over the operation and management of the infrastructure;
any information provided in respect of the infrastructure for compliance with a requirement under Division 2; and
any other matters the authority considers relevant.
For the purposes of this Ordinance, a regulating authority may, by written notice to a CI operator regulated by the authority, designate a computer system (whether under the control of the operator or not) that—
is accessible by the operator in or from Hong Kong; and
is essential to the core function of a critical infrastructure operated by the operator,
as a critical computer system for the infrastructure.
A designation under subsection (1) has effect until it is revoked by the regulating authority making it.
In considering whether to designate a computer system (subject system) as a critical computer system or whether to revoke such a designation, a regulating authority must take into account—
the role of the subject system in respect of the core function of the critical infrastructure concerned;
how such a core function would be impacted if the subject system is disrupted or destroyed;
the extent to which the subject system is related to any other computer systems of the CI operator concerned;
the extent to which the subject system and any other computer systems of the operator are related to those of other CI operators;
any information provided in respect of the infrastructure for compliance with a requirement under Division 2; and
any other matters the authority considers relevant.
For the purposes of section 11, a regulating authority may, by written notice, require an organization that—
operates, or appears to be operating, an infrastructure; or
otherwise has, or appears to have, control over an infrastructure,
to provide any information the authority reasonably considers necessary for ascertaining whether the infrastructure is a specified critical infrastructure for the authority.
An organization to which a notice is given under subsection (1) must provide the information concerned within the time, and in the form and way, specified in the notice.
For the purposes of section 12, a regulating authority may, by written notice, require an organization that—
operates, or appears to be operating, a critical infrastructure that is a specified critical infrastructure for the authority; or
otherwise has, or appears to have, control over such a critical infrastructure,
to provide any information the authority reasonably considers necessary for considering whether to designate the organization as a CI operator.
For the purposes of section 12, a regulating authority may, by written notice, require a CI operator regulated by the authority to provide any information the authority reasonably considers necessary for considering whether to revoke the operator’s designation as a CI operator.
An organization to which a notice is given under subsection (1) or (2) must provide the information concerned within the time, and in the form and way, specified in the notice.
For the purposes of section 13, a regulating authority may, by written notice, require a CI operator regulated by the authority to provide any information the authority reasonably considers necessary for considering—
whether to designate a computer system as a critical computer system; or
whether to revoke such a designation.
A CI operator to which a notice is given under subsection (1) must provide the information concerned within the time, and in the form and way, specified in the notice.
The Commissioner—
may, by written notice, require a CI operator regulated by the Commissioner to provide any information the Commissioner reasonably considers necessary for—
better understanding the critical computer systems of the critical infrastructure operated by the operator, so that the Commissioner is able to assess, respond to or prepare for any potential computer-system security threat and potential computer-system security incident in respect of the critical computer systems of the infrastructure; or
ascertaining the compliance of the operator with a category 1 obligation or category 2 obligation; and
may, by written notice, require a CI operator to provide any information the Commissioner reasonably considers necessary for ascertaining the compliance of the operator with a category 3 obligation.
A designated authority may, by written notice, require a CI operator regulated by the authority to provide any information the authority reasonably considers necessary for—
better understanding the critical computer systems of the critical infrastructure operated by the operator, so that the authority is able to assess, respond to or prepare for any potential computer-system security threat and potential computer-system security incident in respect of the critical computer systems of the infrastructure; or
ascertaining the compliance of the operator with a category 1 obligation or category 2 obligation.
A CI operator to which a notice is given under subsection (1) or (2) must provide the information concerned within the time, and in the form and way, specified in the notice.
An organization commits an offence if the organization, without reasonable excuse, fails to comply with section 14(2), 15(3), 16(2) or 17(3).
An organization that commits an offence under subsection (1) is liable—
if the organization is a CI operator at the time of the offence—
on summary conviction—to a fine of $3,000,000 and, in the case of a continuing offence, to a further fine of $60,000 for every day during which the offence continues; or
on conviction on indictment—to a fine of $5,000,000 and, in the case of a continuing offence, to a further fine of $100,000 for every day during which the offence continues; or
in any other case—
on summary conviction—to a fine of $300,000 and, in the case of a continuing offence, to a further fine of $30,000 for every day during which the offence continues; or
on conviction on indictment—to a fine of $500,000 and, in the case of a continuing offence, to a further fine of $50,000 for every day during which the offence continues.
For the purposes of this Ordinance, a CI operator must—
subject to subsection (2), maintain in Hong Kong an office that is occupied by the operator for carrying on its business; and
notify, in the form and way specified under section 10, the regulating authority that regulates the operator of the address of the office (office address)—
subject to subparagraph (ii), within 1 month after the operator’s designation date (specified period); or
if the specified period is extended under subsection (2)(b)—within the period so extended.
If the CI operator does not already maintain an office in Hong Kong on the operator’s designation date—
subsection (1)(a) only applies to the operator—
subject to subparagraph (ii), after the expiry of the specified period; or
if the specified period is extended under paragraph (b)—after the expiry of the period so extended; and
the regulating authority may, on application by the operator, extend the specified period if the authority is satisfied that the operator has reasonable grounds for needing such an extension.
If the CI operator’s office address changes after the operator makes a notification under subsection (1)(b), the operator must notify, in the form and way specified under section 10, the regulating authority of the change within 1 month after the date on which the change occurs.
A CI operator commits an offence if the operator fails to comply with subsection (1) or (3).
A CI operator that commits an offence under subsection (4) is liable—
on summary conviction—to a fine of $300,000 and, in the case of a continuing offence, to a further fine of $30,000 for every day during which the offence continues; or
on conviction on indictment—to a fine of $500,000 and, in the case of a continuing offence, to a further fine of $50,000 for every day during which the offence continues.
A CI operator must notify, in the form and way specified under section 10, the regulating authority that regulates the operator of any operator change in relation to a critical infrastructure operated by the operator as soon as practicable and in any event within 1 month after the date on which the change occurs.
A CI operator commits an offence if the operator fails to comply with subsection (1).
A CI operator that commits an offence under subsection (2) is liable—
on summary conviction—to a fine of $3,000,000 and, in the case of a continuing offence, to a further fine of $60,000 for every day during which the offence continues; or
on conviction on indictment—to a fine of $5,000,000 and, in the case of a continuing offence, to a further fine of $100,000 for every day during which the offence continues.
In this section—
operator change (營運者變更), in relation to a critical infrastructure, means a change of the organization that operates the infrastructure.
A CI operator must, subject to subsection (3), maintain a unit (however described) for—
managing the computer-system security of the critical computer systems of the critical infrastructure operated by the operator; and
ensuring that this Ordinance is complied with in relation to the infrastructure.
For the purposes of subsection (1), the CI operator may—
set up and maintain the computer-system security management unit by itself; or
engage a service provider to set up and maintain the unit.
If the CI operator does not already maintain a computer-system security management unit on the operator’s designation date, subsection (1) only applies to the operator—
subject to paragraph (b), after the expiry of 1 month after that date (specified period); or
if the specified period is extended under subsection (5)—after the expiry of the period so extended.
The CI operator must—
appoint an employee of the operator who has adequate professional knowledge in relation to computer-system security (adequate knowledge) to supervise the computer-system security management unit; and
notify, in the form and way specified under section 10, the regulating authority that regulates the operator of the appointment—
subject to subparagraph (ii), within the specified period; or
if the specified period is extended under subsection (5)—within the period so extended.
If, on the CI operator’s designation date, the operator—
does not already maintain a computer-system security management unit; or
does not already have an employee who has adequate knowledge appointed to supervise such a unit,
the regulating authority may, on application by the operator, extend the specified period if the authority is satisfied that the operator has reasonable grounds for needing such an extension.
If there is any change in respect of an appointment under subsection (4)(a) after it is made, the CI operator must notify, in the form and way specified under section 10, the regulating authority of the change within 1 month after the date of the change.
A CI operator commits an offence if the operator fails to comply with subsection (4)(b) or (6).
A CI operator that commits an offence under subsection (7) is liable—
on summary conviction—to a fine of $300,000 and, in the case of a continuing offence, to a further fine of $30,000 for every day during which the offence continues; or
on conviction on indictment—to a fine of $500,000 and, in the case of a continuing offence, to a further fine of $50,000 for every day during which the offence continues.
If any of the events specified in subsection (2) occurs in respect of a critical infrastructure operated by a CI operator, the operator must notify, in the form and way specified under section 10, the regulating authority that regulates the operator of the event within 1 month after the date on which the event occurs.
For the purposes of subsection (1), the events are that—
a material change occurs to the design, configuration, security or operation of a critical computer system of the critical infrastructure;
a critical computer system of the infrastructure is removed;
a computer system (whether under the control of the CI operator or not) that—
is accessible by the operator in or from Hong Kong; and
is essential to the core function of the infrastructure,
is added to the infrastructure; and
a change occurs to a computer system (whether under the control of the operator or not) that—
is an existing computer system of the infrastructure; and
is accessible by the operator in or from Hong Kong,
such that the system becomes essential to the core function of the infrastructure.
For the purposes of subsection (2)(a), without limiting the meaning of “material”, a change is a material change as described in that subsection if the change—
affects—
the computer-system security of the critical computer system concerned; or
the ability of the CI operator to respond to a computer-system security threat or computer-system security incident in respect of the system; or
makes any information provided in respect of the system for compliance with a requirement imposed under section 16 no longer accurate in a material particular.
A CI operator commits an offence if the operator fails to comply with subsection (1).
A CI operator that commits an offence under subsection (4) is liable—
on summary conviction—to a fine of $300,000 and, in the case of a continuing offence, to a further fine of $30,000 for every day during which the offence continues; or
on conviction on indictment—to a fine of $500,000 and, in the case of a continuing offence, to a further fine of $50,000 for every day during which the offence continues.
A CI operator must submit to the regulating authority that regulates the operator a plan (however described), prepared in accordance with subsection (3), for protecting the computer-system security of the critical computer systems of the critical infrastructure operated by the operator (computer-system security management plan)—
subject to paragraph (b), within 3 months after the operator’s designation date (submission period); or
if the submission period is extended under subsection (2)—within the period so extended.
The regulating authority may, on application by the CI operator, extend the submission period if the authority is satisfied that the operator has reasonable grounds for needing such an extension.
A computer-system security management plan must cover all of the matters specified in Schedule 3.
If there is any revision to a computer-system security management plan after it is submitted, the CI operator must submit the revised plan to the regulating authority that regulates the operator within 1 month after the date on which the revision is made.
A CI operator must implement a computer-system security management plan.
In subsections (3), (4) and (5), a reference to a computer-system security management plan includes such a plan that is revised.
A CI operator commits an offence if the operator fails to comply with subsection (1) or (4).
A CI operator that commits an offence under subsection (7) is liable—
on summary conviction—to a fine of $300,000 and, in the case of a continuing offence, to a further fine of $30,000 for every day during which the offence continues; or
on conviction on indictment—to a fine of $500,000 and, in the case of a continuing offence, to a further fine of $50,000 for every day during which the offence continues.
A CI operator must—
conduct, in accordance with subsection (3), an assessment in respect of the risks relating to the computer-system security of the critical computer systems of the critical infrastructure operated by the operator (computer-system security risk assessment)—
for the first computer-system security risk assessment conducted by the operator—within 12 months after the operator’s designation date (first period); and
for any subsequent computer-system security risk assessment—at least once every 12 months after the expiry of the first period; and
submit to the regulating authority that regulates the operator a report for the assessment—
subject to subparagraph (ii), within 3 months after the expiry of the period within which the assessment is required under paragraph (a) to be conducted; or
if the 3-month period mentioned in subparagraph (i) (submission period) is extended under subsection (2)—within the period so extended.
The regulating authority may, on application by the CI operator, extend the submission period if the authority is satisfied that the operator has reasonable grounds for needing such an extension.
A computer-system security risk assessment conducted for compliance with subsection (1) must cover all of the matters specified in Schedule 4 (Schedule 4 matters).
Subsection (5) applies if a regulating authority—
receives a notification from a CI operator under section 22(1); or
otherwise becomes aware that any of the events specified in section 22(2) has occurred in respect of a critical infrastructure operated by a CI operator.
The regulating authority may, by written notice, require the CI operator—
to conduct a computer-system security risk assessment in respect of all of the critical computer systems of the critical infrastructure, or any part of such systems specified in the notice; and
to submit to the authority a report for the assessment within the time specified in the notice.
A notice given under subsection (5) must specify the matters that the computer-system security risk assessment required to be conducted has to cover (including any Schedule 4 matters).
To avoid doubt, a computer-system security risk assessment that a CI operator is required to conduct under subsection (5) is not to be regarded as a computer-system security risk assessment for the purposes of subsection (1) unless the regulating authority specifies otherwise in the notice given under subsection (5).
A CI operator commits an offence if the operator fails to comply with subsection (1) or a requirement imposed under subsection (5).
A CI operator that commits an offence under subsection (8) is liable—
on summary conviction—to a fine of $300,000 and, in the case of a continuing offence, to a further fine of $30,000 for every day during which the offence continues; or
on conviction on indictment—to a fine of $500,000 and, in the case of a continuing offence, to a further fine of $50,000 for every day during which the offence continues.
A CI operator must—
arrange to carry out, in accordance with subsection (3), an audit in respect of the computer-system security of the critical computer systems of the critical infrastructure operated by the operator (computer-system security audit)—
for the first computer-system security audit arranged to be carried out—within 24 months after the operator’s designation date (first period); and
for any subsequent computer-system security audit—at least once every 24 months after the expiry of the first period; and
submit to the regulating authority that regulates the operator a report for the audit—
subject to subparagraph (ii), within 3 months after the expiry of the period within which the audit is required under paragraph (a) to be carried out; or
if the 3-month period mentioned in subparagraph (i) (submission period) is extended under subsection (2)—within the period so extended.
The regulating authority may, on application by the CI operator, extend the submission period if the authority is satisfied that the operator has reasonable grounds for needing such an extension.
A computer-system security audit carried out for compliance with subsection (1) must—
cover the specified period; and
cover all of the matters specified in Schedule 5 (Schedule 5 matters).
If a regulating authority has reasonable grounds to believe that a CI operator regulated by the authority has not properly implemented a computer-system security management plan (including such a plan that is revised) in respect of a critical infrastructure operated by the operator to the satisfaction of the authority, the authority may, by written notice, require the operator—
to arrange to carry out a computer-system security audit for ascertaining whether the plan, or any part of the plan specified in the notice, is properly implemented; and
to submit to the authority a report for the audit within the time specified in the notice.
Subsection (6) applies if a regulating authority—
receives a notification from a CI operator under section 22(1); or
otherwise becomes aware that any of the events specified in section 22(2) has occurred in respect of a critical infrastructure operated by a CI operator.
The regulating authority may, by written notice, require the CI operator—
to arrange to carry out a computer-system security audit in respect of all of the critical computer systems of the critical infrastructure, or any part of such systems specified in the notice; and
to submit to the authority a report for the audit within the time specified in the notice.
A notice given under subsection (4) or (6) must specify—
the period that the computer-system security audit required to be carried out has to cover; and
the matters that the audit has to cover (including any Schedule 5 matters).
For the purposes of this section, a CI operator may, subject to subsection (9), arrange an auditor to carry out a computer-system security audit whether or not the auditor is an employee of the operator.
For the purposes of this section, a computer-system security audit is not to be regarded as carried out unless it is carried out by an independent auditor.
To avoid doubt, a computer-system security audit that a CI operator is required to arrange to be carried out under subsection (4) or (6) is not to be regarded as a computer-system security audit for the purposes of subsection (1) unless the regulating authority specifies otherwise in the notice given under subsection (4) or (6).
A CI operator commits an offence if the operator fails to comply with subsection (1) or a requirement imposed under subsection (4) or (6).
A CI operator that commits an offence under subsection (11) is liable—
on summary conviction—to a fine of $300,000 and, in the case of a continuing offence, to a further fine of $30,000 for every day during which the offence continues; or
on conviction on indictment—to a fine of $500,000 and, in the case of a continuing offence, to a further fine of $50,000 for every day during which the offence continues.
In this section—
specified period (指明期間)—
(a) in relation to a computer-system security audit that falls within subsection (1)(a)(i)—means the first period; or
(b) in relation to a computer-system security audit that falls within subsection (1)(a)(ii)—means the 24-month period for carrying out the audit as determined in accordance with that subsection.
The Commissioner may conduct a drill (however described) for testing the state of readiness of CI operators in responding to computer-system security incidents in respect of the critical computer systems of critical infrastructures (computer-system security drill).
For the purposes of subsection (1), the Commissioner may, after giving reasonable notice in writing, require a CI operator to participate in a computer-system security drill.
A CI operator commits an offence if the operator fails to comply with a requirement imposed under subsection (2).
A CI operator that commits an offence under subsection (3) is liable—
on summary conviction—to a fine of $3,000,000; or
on conviction on indictment—to a fine of $5,000,000.
A CI operator must submit to the Commissioner a plan (however described), prepared in accordance with subsection (3), detailing the protocol for the operator’s response to computer-system security incidents in respect of the critical computer systems of critical infrastructures (emergency response plan)—
subject to paragraph (b), within 3 months after the operator’s designation date (submission period); or
if the submission period is extended under subsection (2)—within the period so extended.
The Commissioner may, on application by the CI operator, extend the submission period if the Commissioner is satisfied that the operator has reasonable grounds for needing such an extension.
An emergency response plan must cover all of the matters specified in Part 2 of Schedule 3.
If there is any revision to an emergency response plan after it is submitted, the CI operator must submit the revised plan to the Commissioner within 1 month after the date on which the revision is made.
A CI operator must implement an emergency response plan.
In subsections (3), (4) and (5), a reference to an emergency response plan includes such a plan that is revised.
A CI operator commits an offence if the operator fails to comply with subsection (1) or (4).
A CI operator that commits an offence under subsection (7) is liable—
on summary conviction—to a fine of $300,000 and, in the case of a continuing offence, to a further fine of $30,000 for every day during which the offence continues; or
on conviction on indictment—to a fine of $500,000 and, in the case of a continuing offence, to a further fine of $50,000 for every day during which the offence continues.
If a CI operator becomes aware that a computer-system security incident has occurred in respect of a critical computer system of a critical infrastructure operated by the operator, the operator must notify the Commissioner of the incident in accordance with subsection (2).
The notification—
must be made as soon as practicable and in any event within the specified time; and
must—
be made in the form and way specified under section 10 (specified form and way); or
despite not being made in the specified form and way, include information on the nature of the computer-system security incident and identify the critical computer system concerned.
If the notification is not made in the specified form and way, the CI operator must subsequently submit a written record of the computer-system security incident concerned in the specified form and way to the Commissioner within the specified time.
After a CI operator makes a notification of a computer-system security incident under subsection (1) in the specified form and way, or submits a written record of such an incident under subsection (3), the CI operator must further submit a written report of the incident in the specified form and way to the Commissioner within the specified time.
A CI operator commits an offence if the operator fails to comply with subsection (1), (3) or (4).
A CI operator that commits an offence under subsection (5) is liable—
on summary conviction—to a fine of $3,000,000; or
on conviction on indictment—to a fine of $5,000,000.
In this section—
specified time (指明時限), in relation to a provision of this section specified in column 2 of Schedule 6, means the time specified in column 3 of that Schedule opposite the provision.
If the Commissioner reasonably suspects that an event that has an actual adverse effect, or is likely to have an adverse effect, on the computer-system security of a critical computer system of a critical infrastructure has occurred, the Commissioner may direct an authorized officer of the Commissioner to make inquiries for the purpose of identifying—
what caused the event; and
whether a computer-system security threat or a computer-system security incident has occurred in respect of the system.
For making inquiries under section 29, an authorized officer of the Commissioner may, by written notice, require the CI operator by which the critical infrastructure concerned is operated—
to produce, within the time and at the place specified in the notice, any document so specified that the officer has reasonable grounds to believe—
to be relevant, or likely to be relevant, to the inquiries; and
to be in the possession, or under the control, of the operator, or otherwise accessible in or from Hong Kong by the operator;
to give an explanation or further particulars in relation to the document;
to send a representative to attend before the officer at the time and place specified in the notice, and to answer a question relating to any matter under investigation that is raised by the officer; and
to answer in writing, within the time specified in the notice, a written question relating to any matter under investigation that is raised by the officer.
If a document is produced for compliance with a requirement imposed under subsection (1), the authorized officer may for making the inquiries inspect, make copies of, take extracts from and take possession of the document.
Subsection (2) applies if a magistrate is satisfied by information on oath laid by an authorized officer of the Commissioner that—
there are reasonable grounds to suspect that there is, or is likely to be, on any premises any document that is relevant to inquiries made under section 30; and
both of the conditions specified in section 32 are met in relation to the inquiries.
The magistrate may issue a warrant authorizing an authorized officer of the Commissioner, and any other person whose assistance is necessary for the execution of the warrant—
to enter the premises, if necessary by force, at any time within—
subject to subparagraph (ii), a period of 7 days; or
if any longer period is specified in the warrant—such a period,
beginning on the date of the warrant; and
to search for, inspect, make copies of, take extracts from, seize and remove any document on the premises that the officer has reasonable grounds to believe to be relevant, or likely to be relevant, to the inquiries.
For the purposes of section 31(1)(b), the conditions are that—
there are reasonable grounds to believe that the CI operator concerned is unwilling or unable to take all reasonable steps to respond to the inquiries; and
there are reasonable grounds to believe that it is in the public interest to issue the warrant, having regard to—
the potential harm that could be caused by the event mentioned in section 29 to the critical infrastructure concerned;
the potential disruption that could be caused by the event to the core function of the infrastructure;
whether or not the purpose mentioned in section 29 could be effectively achieved if the warrant is not issued;
the benefits likely to accrue from doing the acts to be authorized by the warrant; and
the potential impact of doing the acts on the core function of the infrastructure and on any person who may be affected by the acts.
In this Division—
computer-system security investigation (電腦系統安全調查) means an investigation carried out under section 34 and includes any response made under that section;
investigated CI operator (被調查的關鍵基礎設施營運者), in relation to a computer-system security investigation, means the CI operator that is the subject of the investigation;
investigated system (被調查系統), in relation to a computer-system security investigation, means the critical computer system in respect of which the investigated threat or incident has occurred;
investigated threat or incident (被調查的威脅或事故), in relation to a computer-system security investigation, means the computer-system security threat or computer-system security incident that is the subject of the investigation.
If the Commissioner reasonably suspects that a computer-system security threat or computer-system security incident has occurred in respect of a critical computer system of a critical infrastructure, the Commissioner may direct an authorized officer of the Commissioner to carry out an investigation into, and to respond to, the threat or incident for one or more of the following purposes—
identifying what caused the threat or incident;
assessing the impact, or potential impact, of the threat or incident;
remedying any harm that has arisen from the threat or incident;
preventing any, or any further, harm from arising from the threat or incident;
preventing any, or any further, computer-system security incident from arising from the threat or incident.
For carrying out a computer-system security investigation, an authorized officer of the Commissioner may, by written notice, require the investigated CI operator to do one or more of the following acts—
to produce, within the time and at the place specified in the notice, any document so specified that the officer has reasonable grounds to believe—
to be relevant, or likely to be relevant, to the investigation; and
to be in the possession, or under the control, of the operator, or otherwise accessible in or from Hong Kong by the operator;
to give an explanation or further particulars in relation to the document;
to send a representative to attend before the officer at the time and place specified in the notice, and to answer a question relating to any matter under investigation that is raised by the officer;
to answer in writing, within the time specified in the notice, a written question relating to any matter under investigation that is raised by the officer.
If a document is produced for compliance with a requirement imposed under subsection (1), the authorized officer may for carrying out the investigation inspect, make copies of, take extracts from and take possession of the document.
Without limiting section 35, for carrying out a computer-system security investigation, the Commissioner may further authorize an authorized officer of the Commissioner to exercise the power specified in subsection (2) if the Commissioner is satisfied that—
there are reasonable grounds to believe that the investigated CI operator is unwilling or unable to take all reasonable steps to assist in the investigation or respond to the investigated threat or incident; and
there are reasonable grounds to believe that it is in the public interest to make the further authorization, having regard to—
the potential harm that could be caused by the investigated threat or incident to the critical infrastructure concerned;
the potential disruption that could be caused by the investigated threat or incident to the core function of the infrastructure;
whether or not the purposes mentioned in section 34 could be effectively achieved if the further authorization is not made;
the benefits likely to accrue from exercising the power; and
the potential impact of exercising the power on the core function of the infrastructure and on the operator.
For the purposes of subsection (1), the power is to, by written notice, require the investigated CI operator to do one or more of the following acts—
not to use the investigated system;
to preserve the state of the system;
to monitor the system;
to perform a scan of the system in order to—
detect any vulnerabilities of the system; and
assess the impact of the investigated threat or incident or of a potential computer-system security incident in respect of the system;
to carry out any remedial measures, or to cease carrying on any activities, in relation to the investigated threat or incident;
to give the authorized officer all other assistance in connection with the computer-system security investigation that the operator is reasonably able to give.
Subsection (2) applies if a magistrate is satisfied by information on oath laid by an authorized officer of the Commissioner that both of the conditions specified in section 39 are met in relation to a computer-system security investigation.
The magistrate may issue a warrant authorizing an authorized officer of the Commissioner, and any other person whose assistance is necessary for the execution of the warrant, to require by written notice, for carrying out the computer-system security investigation, an organization having, or appearing to have, control over the investigated system (other than the investigated CI operator) to do one or more of the following acts—
to produce, within the time and at the place specified in the notice, any document so specified that the officer has reasonable grounds to believe—
to be relevant, or likely to be relevant, to the investigation; and
to be in the possession, or under the control, of the organization, or otherwise accessible in or from Hong Kong by the organization;
to give an explanation or further particulars in relation to the document;
to send a representative to attend before the officer at the time and place specified in the notice, and to answer a question relating to any matter under investigation that is raised by the officer;
to answer in writing, within the time specified in the notice, a written question relating to any matter under investigation that is raised by the officer;
not to use the system;
to preserve the state of the system;
to monitor the system;
to perform a scan of the system in order to—
detect any vulnerabilities of the system; and
assess the impact of the investigated threat or incident or of a potential computer-system security incident in respect of the system;
to carry out any remedial measures, or to cease carrying on any activities, in relation to the threat or incident;
to give the officer all other assistance in connection with the investigation that the organization is reasonably able to give.
If a document is produced for compliance with a requirement imposed under the warrant, the authorized officer may for carrying out the investigation inspect, make copies of, take extracts from and take possession of the document.
Subsection (2) applies if a magistrate is satisfied by information on oath laid by an authorized officer of the Commissioner that—
there are reasonable grounds to suspect that—
there is, or is likely to be, on any premises anything that is relevant to a computer-system security investigation; or
the investigated system of a computer-system security investigation is, or is likely to be, located on certain premises; and
both of the conditions specified in section 39 are met in relation to the investigation.
The magistrate may issue a warrant authorizing an authorized officer of the Commissioner, and any other person whose assistance is necessary for the execution of the warrant, to do one or more of the following acts for carrying out the computer-system security investigation—
to enter the premises, if necessary by force, at any time within—
subject to subparagraph (ii), a period of 7 days; or
if any longer period is specified in the warrant—such a period,
beginning on the date of the warrant;
to search for, inspect, make copies of, take extracts from, seize and remove anything on the premises that the officer has reasonable grounds to believe to be relevant, or likely to be relevant, to the investigation;
to, for the purposes mentioned in section 34, access and inspect, and carry out any remedial measures in relation to, the investigated system or another computer system (accessible system)—
that is accessible via the investigated system; and
that the officer has reasonable grounds to believe to be relevant, or likely to be relevant, to the investigation;
to search for, inspect, make copies of and take extracts from any information—
that is stored in the investigated system or an accessible system; and
that the officer has reasonable grounds to believe to be relevant, or likely to be relevant, to the investigation;
to carry out any other remedial measures in relation to the threat or incident;
to require an organization having, or appearing to have, control over the investigated system to give all other assistance—
that is reasonably necessary to facilitate the officer’s performance of functions for the investigation; and
that the organization is reasonably able to give.
For the purposes of sections 37(1) and 38(1)(b), the conditions are that—
there are reasonable grounds to believe that—
for section 37(1)—the investigated CI operator is unwilling or unable to take all reasonable steps to assist in the computer-system security investigation or respond to the investigated threat or incident; or
for section 38(1)(b)—
the investigated CI operator;
the organization mentioned in section 37(2); or
both the investigated CI operator and the organization mentioned in section 37(2),
as the case requires, is or are unwilling or unable to take all reasonable steps to assist in the computer-system security investigation or respond to the investigated threat or incident; and
there are reasonable grounds to believe that it is in the public interest to issue the warrant, having regard to—
the potential harm that could be caused by the investigated threat or incident to the critical infrastructure concerned;
the potential disruption that could be caused by the investigated threat or incident to the core function of the infrastructure;
whether or not the purposes mentioned in section 34 could be effectively achieved if the warrant is not issued;
the benefits likely to accrue from doing the acts to be authorized by the warrant; and
the potential impact of doing the acts on the core function of the infrastructure and on any person who may be affected by the acts.
For carrying out a computer-system security investigation, the Commissioner may, if satisfied that all of the conditions specified in subsection (2) are met in relation to the investigation, authorize an authorized officer of the Commissioner to enter any premises and do one or more of the acts specified in section 38(2) (other than the act specified in section 38(2)(a)) (specified acts) without warrant.
For the purposes of subsection (1), the conditions are that—
there are reasonable grounds to suspect that—
there is, or is likely to be, on the premises anything that is relevant to the computer-system security investigation; or
the investigated system is, or is likely to be, located on the premises;
there are reasonable grounds to believe that—
the investigated CI operator;
the organization mentioned in section 37(2); or
both the investigated CI operator and the organization mentioned in section 37(2),
as the case requires, is or are unwilling or unable to take all reasonable steps to assist in the computer-system security investigation or respond to the investigated threat or incident;
it is not reasonably practicable to obtain a warrant in the circumstances of the case; and
there are reasonable grounds to believe that it is in the public interest to make the entry and do the specified acts, having regard to—
the potential harm that could be caused by the investigated threat or incident to the critical infrastructure concerned;
the potential disruption that could be caused by the investigated threat or incident to the core function of the infrastructure;
whether or not the purposes mentioned in section 34 could be effectively achieved if the entry is not made and the acts are not done;
the benefits likely to accrue from making the entry and doing the acts; and
the potential impact of making the entry and doing the acts on the core function of the infrastructure and on any person who may be affected by the entry and acts.
The authorized officer entering the premises must, if requested, produce the Commissioner’s authorization for inspection.
If a person is to give an explanation or further particulars to an authorized officer, or to answer a question posed by such an officer, for compliance with a specified requirement, the officer must ensure that the person has first been informed or reminded of the limitations imposed by subsection (2) on the admissibility in evidence of the requirement and of the explanation or particulars, or the question and answer.
Despite any other provision in this Ordinance, if—
a person gives an explanation or further particulars to an authorized officer, or answers a question posed by such an officer, for compliance with a specified requirement;
the explanation, particulars or answer might tend to incriminate the person; and
the person claims, before giving the explanation or particulars, or answering the question, that the explanation, particulars or answer might so tend,
the requirement, as well as the explanation or particulars, or the question and answer, are not admissible in evidence against the person in criminal proceedings in a court other than those specified in subsection (3).
The criminal proceedings are those in which the person is charged with—
an offence under section 42; or
an offence under Part V of the Crimes Ordinance (Cap. 200).
In this section—
section 37 or 38 warrant (第37或38條手令) means a warrant issued under section 37 or 38;
specified requirement (指明要求) means a requirement—
(a) imposed under Division 1 or 2; or
(b) imposed under a section 37 or 38 warrant.
An organization commits an offence if the organization, without reasonable excuse, fails to comply with a specified requirement.
For the purposes of subsection (1), the fact that complying with a specified requirement might tend to result in self-incrimination is not an excuse not to comply with the requirement.
An organization that commits an offence under subsection (1) is liable—
on summary conviction—to a fine of $300,000; or
on conviction on indictment—to a fine of $500,000.
In this section—
section 37 or 38 warrant (第37或38條手令) means a warrant issued under section 37 or 38;
specified requirement (指明要求) means a requirement—
(a) imposed under Division 1 or 2; or
(b) imposed under a section 37 or 38 warrant.
Subsection (2) applies if a regulating authority reasonably suspects—
if the authority is the Commissioner—that an offence under this Ordinance has been, or is being, committed; or
if the authority is a designated authority—that any of the following offences has been, or is being, committed—
an offence under section 7 for a failure to comply with a direction given by the authority;
an offence under section 18 for a failure to comply with a requirement imposed by the authority;
an offence under Division 1 or 2 of Part 4 for a failure to comply with a category 1 obligation or category 2 obligation by a CI operator regulated by the authority.
The regulating authority may direct an authorized officer of the authority to carry out an investigation into the offence and, for this purpose, to require by written notice an organization to do one or more of the following acts—
to produce, within the time and at the place specified in the notice, any document so specified that the officer has reasonable grounds to believe—
to be relevant, or likely to be relevant, to the investigation; and
to be in the possession, or under the control, of the organization, or otherwise accessible in or from Hong Kong by the organization;
to give an explanation or further particulars in relation to the document;
to send a representative to attend before the officer at the time and place specified in the notice, and to answer a question relating to any matter under investigation that is raised by the officer;
to answer in writing, within the time specified in the notice, a written question relating to any matter under investigation that is raised by the officer.
If a document is produced for compliance with a requirement imposed under subsection (2), the authorized officer may for carrying out the investigation inspect, make copies of, take extracts from and take possession of the document.
If a person is to give an explanation or further particulars to an authorized officer, or to answer a question posed by such an officer, for compliance with a requirement imposed under section 43, the officer must ensure that the person has first been informed or reminded of the limitations imposed by subsection (2) on the admissibility in evidence of the requirement and of the explanation or particulars, or the question and answer.
Despite any other provision in this Ordinance, if—
a person gives an explanation or further particulars to an authorized officer, or answers a question posed by such an officer, for compliance with a requirement imposed under section 43;
the explanation, particulars or answer might tend to incriminate the person; and
the person claims, before giving the explanation or particulars, or answering the question, that the explanation, particulars or answer might so tend,
the requirement, as well as the explanation or particulars, or the question and answer, are not admissible in evidence against the person in criminal proceedings in a court other than those specified in subsection (3).
The criminal proceedings are those in which the person is charged with—
an offence under section 45; or
an offence under Part V of the Crimes Ordinance (Cap. 200).
An organization commits an offence if the organization, without reasonable excuse, fails to comply with a requirement imposed under section 43.
For the purposes of subsection (1), the fact that complying with a requirement imposed under section 43 might tend to result in self-incrimination is not an excuse not to comply with the requirement.
An organization that commits an offence under subsection (1) is liable—
on summary conviction—to a fine of $300,000; or
on conviction on indictment—to a fine of $500,000.
Subsection (2) applies if a magistrate is satisfied by information on oath laid by an authorized officer of a regulating authority that there are reasonable grounds to suspect that there is, or is likely to be, anything—
that—
is located on any premises; or
is stored in, or accessible via, any electronic device; and
that is or contains, or is likely to be or to contain, evidence of an offence being investigated under this Part (investigated offence).
The magistrate may issue a warrant authorizing an authorized officer of the regulating authority, and any other person whose assistance is necessary for the execution of the warrant, to do one or more of the following acts for carrying out the investigation—
in relation to premises—
to enter the premises, if necessary by force;
to search for, inspect, seize and remove anything on the premises that the officer has reasonable grounds to believe is or contains, or is likely to be or to contain, evidence of the investigated offence;
in relation to an electronic device—
to access and inspect the device;
to search for, inspect, make copies of and take extracts from any information—
that is stored in, or accessible via, the device; and
that the officer has reasonable grounds to believe is or contains, or is likely to be or to contain, evidence of the investigated offence.
The acts specified in subsection (2) may only be done at any time within—
subject to paragraph (b), a period of 7 days; or
if any longer period is specified in the warrant—such a period,
beginning on the date of the warrant concerned.
For handling appeals under this Part, there is to be an appeal panel.
Part 2 of Schedule 7 has effect with respect to the appeal panel.
An organization aggrieved by any of the following decisions made in relation to the organization may lodge an appeal against the decision—
a decision to give a direction under section 7;
a decision to make a designation under section 12;
a decision to make a designation under section 13;
a decision to impose a requirement under section 24(5);
a decision to impose a requirement under section 25(4) or (6).
Part 3 of Schedule 7 has effect with respect to the appeal.
Subject to subsections (4) and (5), the lodging of an appeal under subsection (1) against a decision does not by itself operate as a stay of execution of the decision.
An organization that lodges an appeal under subsection (1) against a decision may, at any time before the appeal is determined by the appeal board appointed for the appeal, apply to the board for a stay of execution of the decision.
The appeal board must, as soon as reasonably practicable after receiving an application under subsection (4), determine the application.
The appeal board may by order grant the stay subject to any condition as to costs, payment of money into the board or other matters that the board considers appropriate.
An appeal board appointed for an appeal may—
confirm, vary or reverse any decision to which the appeal relates; or
give any direction in relation to the decision as the board considers appropriate.
The appeal board must give reasons in writing for its decision.
The appeal board must serve a copy of its decision and of the reasons for its decision on the parties to the appeal.
The appeal board’s decision takes effect—
subject to paragraph (b), immediately after the decision is made; or
if the board orders that its decision is not to come into operation until a specified date—on that date.
A document purporting to be a copy of a decision or order of the appeal board and to be certified by the chairperson of the board to be a true copy of the decision or order is admissible in any proceedings as evidence of the decision or order.
The decision of the appeal board is final.
The Commissioner may, in writing, appoint a public officer to perform any function conferred or imposed by this Ordinance on an authorized officer of the Commissioner.
The Commissioner must provide the appointed authorized officer with a copy of the appointment.
The Commissioner may perform a function mentioned in subsection (1) as if the Commissioner were an authorized officer appointed under that subsection.
A designated authority may, in writing, appoint—
a public officer;
a person employed—
by the authority; or
otherwise in connection with the authority’s performance of a function under this Ordinance; or
with the consent of the Secretary for Security, any other person or class of persons,
to perform any function conferred or imposed by this Ordinance on an authorized officer of the authority.
The designated authority must provide the appointed authorized officer with a copy of the appointment.
A designated authority may perform a function mentioned in subsection (1) as if the authority were an authorized officer appointed under that subsection.
The Commissioner may, in writing, delegate to a public officer any of the Commissioner’s functions under this Ordinance.
A designated authority may, in writing, delegate to—
a public officer; or
a person employed—
by the authority; or
otherwise in connection with the authority’s performance of a function under this Ordinance,
any of the authority’s functions under this Ordinance.
However, the power to delegate conferred by subsection (1) or (2) may not be delegated.
When performing a function under this Ordinance, a specified officer—
may be assisted by any person whom the officer reasonably requires; and
must produce evidence of the officer’s appointment or delegation (as the case requires), and the relevant warrant (if any), for inspection by a person who is affected by the performance of the function and requires to see them.
In this section—
specified officer (指明人員) means—(a) an authorized officer; or (b) a person to whom any function is delegated under section 52.
Any function that may be performed under a provision of this Ordinance by a designated authority in respect of a critical infrastructure that is a specified critical infrastructure for the authority, or a CI operator regulated by the authority, may be performed by the Commissioner as if the Commissioner were the designated authority.
However, the Commissioner must not perform the function unless the Commissioner is satisfied that—
it is necessary to do so for the timely protection of the critical computer systems of the critical infrastructure concerned; or
it is otherwise necessary in the public interest to do so.
The Commissioner may, by written notice (exemption notice), exempt a CI operator from a category 1 obligation, category 2 obligation or category 3 obligation (subject obligation) if the Commissioner is satisfied that it is in the public interest to so exempt the operator.
An exemption notice is not subsidiary legislation.
In considering whether it is in the public interest to exempt a CI operator under subsection (1), the Commissioner must take into account—
whether the operator has done, or is doing, an act that can achieve the same purpose as the compliance with the subject obligation; and
whether—
the operator is subject to an obligation (alternative obligation) that—
is imposed by or under another Ordinance, or any code of practice, direction or requirement (however described); and
corresponds substantially to the subject obligation; and
the operator’s compliance with the alternative obligation achieves the same purpose as the compliance with the subject obligation.
An exemption under subsection (1)—
is in force for a period the Commissioner considers appropriate and specifies in the exemption notice; and
is subject to any condition the Commissioner considers appropriate.
The Commissioner may, by written notice (revocation notice), revoke an exemption under subsection (1) if the Commissioner is satisfied that—
a condition of the exemption has been contravened; or
it is no longer in the public interest to exempt the CI operator concerned under that subsection.
A revocation notice is not subsidiary legislation.
If an exemption is revoked under subsection (5)—
the Commissioner must specify in the revocation notice—
the date on which the revocation is to take effect (revocation date); and
(if applicable) how and by when the CI operator is to comply with the obligation covered by the exemption; and
the provision imposing the obligation is to apply, on and after the revocation date, to the operator with necessary modifications having regard to the revocation notice.
The Commissioner may, by written notice, require a CI operator to provide any information the Commissioner reasonably considers necessary for considering whether to exempt the operator under subsection (1) or whether to revoke such an exemption under subsection (5).
A CI operator to whom a notice is given under subsection (8) must provide the information concerned within the time, and in the form and way, specified in the notice.
A designated authority may prosecute any of the following offences in the name of the authority—
an offence under section 7 for a failure to comply with a direction given by the authority;
an offence under section 18 for a failure to comply with a requirement imposed by the authority;
an offence under Division 1 or 2 of Part 4 for a failure to comply with a category 1 obligation or category 2 obligation by a CI operator regulated by the authority;
an offence under section 45 for a failure to comply with a requirement imposed by an authorized officer of the authority;
an offence of conspiracy to commit an offence mentioned in paragraph (a), (b), (c) or (d).
Any offence prosecuted under subsection (1) must be tried before a magistrate as an offence that is triable summarily.
For prosecuting an offence mentioned in subsection (1) only, an authorized officer of the designated authority concerned, even if the officer is not qualified to practise as a barrister or to act as a solicitor under the Legal Practitioners Ordinance (Cap. 159)—
may appear and plead before a magistrate in any case of which the officer has charge; and
has, in relation to the prosecution, all the other rights of a person qualified to practise as a barrister or to act as a solicitor under that Ordinance.
This section does not derogate from the powers of the Secretary for Justice in respect of the prosecution of criminal offences.
Except in the performance of any function under this Ordinance or for carrying into effect the provisions of this Ordinance, a specified person—
must not suffer or permit any person to have access to any matter relating to the affairs of any person that comes to the specified person’s knowledge in connection with the performance of any function under this Ordinance; and
must not communicate any such matter to any person other than the person to whom such matter relates.
Despite subsection (1), a specified person may—
disclose information that has already been made available to the public;
disclose information for the purposes of any criminal proceedings in Hong Kong or an investigation conducted with a view to bringing any such proceedings;
disclose information for seeking advice from, or giving advice by, any counsel, solicitor or other professional adviser, acting or proposing to act in a professional capacity in connection with any matter arising under this Ordinance;
disclose information in connection with any judicial or other proceedings to which the specified person is a party; and
disclose information in accordance with an order of a court or tribunal, or in accordance with a law or a requirement made under a law.
Despite subsection (1), a regulating authority may—
subject to subsection (4), disclose information to—
the Chief Executive;
the Chief Secretary for Administration;
the Financial Secretary;
the Secretary for Justice;
the Secretary for Security;
the Commissioner of Police of Hong Kong;
the Commissioner of the Independent Commission Against Corruption;
the Privacy Commissioner for Personal Data established under section 5(1) of the Personal Data (Privacy) Ordinance (Cap. 486);
a tribunal; or
a public officer authorized under subsection (9);
disclose information with the consent of—
the person from whom the information was obtained or received; and
if the information does not relate to such person—the person to whom it relates; and
disclose information in summary form that is so framed as to prevent particulars relating to any person from being ascertained from it.
A regulating authority must not disclose information under subsection (3)(a) unless the authority is of the opinion that—
the disclosure will enable or assist the recipient of the information to perform the recipient’s functions; and
it is not contrary to the public interest for the information to be so disclosed.
Subject to subsection (6), if information is disclosed under subsection (1), (2) or (3) (other than subsection (2)(a) or (3)(c))—
the person to whom the information is so disclosed; or
any other person obtaining or receiving the information from that person,
must not disclose the information to any other person.
Subsection (5) does not prohibit the person referred to in subsection (5)(a) or (b) from disclosing the information to any other person if—
the regulating authority disclosing the information consents to the disclosure;
the information has already been made available to the public;
the disclosure is for the purpose of seeking advice from, or giving advice by, any counsel, solicitor or other professional adviser, acting or proposing to act in a professional capacity in connection with any matter arising under this Ordinance;
the disclosure is in connection with any judicial or other proceedings to which the person so referred to is a party; or
the disclosure is in accordance with an order of a court or tribunal, or in accordance with a law or a requirement made under a law.
A regulating authority may attach any condition that it considers appropriate to—
a disclosure of information made by it under subsection (3); or
a consent granted by it under subsection (6)(a).
Subsection (1) does not affect section 13(3) of The Ombudsman Ordinance (Cap. 397) or section 44(8) of the Personal Data (Privacy) Ordinance (Cap. 486).
The Secretary for Security may authorize any public officer as a person to whom information may be disclosed under subsection (3)(a)(x).
In this section—
related person (有關連人士), in relation to a regulating authority, means—(a) a person employed—(i) by the authority; or (ii) otherwise in connection with the authority’s performance of a function under this Ordinance; or (b) a person appointed—(i) as a consultant, agent or adviser of the authority for this Ordinance; or (ii) otherwise in connection with the authority’s performance of a function under this Ordinance;
specified person (指明人士) means a person who is or has been—(a) a regulating authority; (b) an authorized officer; (c) a person to whom any function is delegated under section 52(1) or (2); (d) a member of—(i) a regulating authority; (ii) the appeal panel; or (iii) a council, board, committee or other body of a regulating authority established or vested with any responsibility for, or otherwise in connection with the authority’s performance of a function under, this Ordinance; (e) a related person of a regulating authority; or (f) a person employed by or assisting a related person of a regulating authority.
A person who contravenes section 57(1) commits an offence.
A person commits an offence if—
the person discloses any information in contravention of section 57(5); and
at the time of the disclosure—
the person knew, or ought to have known, that the information was previously disclosed to the person or any other person under section 57(1), (2) or (3) (other than section 57(2)(a) or (3)(c)); and
the person had no reasonable grounds to believe that section 57(5) did not apply to the person by virtue of section 57(6).
A person who commits an offence under subsection (1) or (2) is liable—
on summary conviction—to a fine at level 6 and to imprisonment for 6 months; or
on conviction on indictment—to a fine of $1,000,000 and to imprisonment for 2 years.
Any information on the identity of a relevant person is not admissible in evidence in—
any proceedings under Part 7;
any civil or criminal proceedings before a court; or
any proceedings before a tribunal.
In such proceedings, a witness is not obliged—
to disclose the name or address of a relevant person who is not a witness in those proceedings; or
to state any matter that would lead, or would tend to lead, to discovery of the name or address of a relevant person who is not a witness in those proceedings.
If a book, document or paper that is in evidence, or liable to inspection, in such proceedings contains an entry—
in which a relevant person is named or described; or
that might lead to discovery of a relevant person,
the appeal board, court or tribunal (as the case requires) must cause all such passages to be concealed from view, or to be obliterated, so far as may be necessary to protect the relevant person from discovery.
In such proceedings, the appeal board, court or tribunal (as the case requires) may, despite subsection (1), (2) or (3), permit inquiry, and require full disclosure, concerning a relevant person if—
it is of the opinion that justice cannot be fully done between the parties to the proceedings without disclosure of the name of the relevant person; or
in the case of a relevant person falling within paragraph (a) of the definition of relevant person in subsection (5), it is satisfied that the relevant person made a material statement that the relevant person—
knew or believed to be false; or
did not believe to be true.
In this section—
relevant person (有關人士) means—(a) an informer who has given information to an authorized officer with respect to an investigation under Part 5 or 6; or (b) a person who has assisted a regulating authority or authorized officer with respect to such an investigation.
A person who complies with a direction or requirement imposed by or under this Ordinance does not incur any civil liability, whether arising in contract, tort, defamation, equity or otherwise, by reason only of the compliance.
A person does not incur any civil liability (whether arising in contract, tort, defamation, equity or otherwise) in respect of an act done, or omitted to be done, by the person in good faith in the performance, or purported performance, of any function under this Ordinance.
Subsection (2) does not affect the liability of the Government for the act or omission.
Subject to subsection (2), this Ordinance does not affect any claims, rights or entitlements that would, apart from this Ordinance, arise on the ground of legal professional privilege.
Subsection (1) does not affect any requirement imposed under this Ordinance to disclose the name and address of a client of a legal practitioner (whether or not the legal practitioner is qualified in Hong Kong to practise as counsel or to act as a solicitor).
If—
a person may require the production of any document under this Ordinance; and
any information or matter contained in the document is recorded otherwise than in a legible form but is capable of being reproduced in a legible form,
the person may also require the production of a reproduction of the recording of the information or matter, or the relevant part of the recording, in a legible form.
If—
a person may require the production of any document under this Ordinance; and
any information or matter contained in the document is recorded in an information system,
the person may also require the production of a reproduction of the recording of the information or matter, or the relevant part of the recording, in a form that enables the information or matter to be reproduced in a legible form.
If a person claims a lien on any document in the person’s possession that is required to be produced under this Ordinance—
the lien does not affect the requirement to produce the document;
no fee is payable for or in respect of the production; and
the production does not affect the lien.
If a regulating authority or authorized officer comes into possession of any property under this Ordinance, section 102 of the Criminal Procedure Ordinance (Cap. 221) applies as if—
the authority or officer were the police within the meaning of that section; and
the property were property that had come into the possession of the police in connection with an offence.
In any legal proceedings for an offence under section 7 or Part 4, the defendant is entitled to be acquitted if—
sufficient evidence is adduced to raise an issue that—
the commission of the offence was due to a cause beyond the defendant’s control; and
the defendant took all reasonable precautions and exercised all due diligence to avoid the commission of the offence by the defendant; and
the contrary is not proved by the prosecution beyond reasonable doubt.
If the defence under subsection (1) involves an allegation that the offence was due to—
the act or omission of another person; or
reliance on information given by another person,
the defendant is not, without the leave of the court, entitled to rely on the defence unless the defendant has issued a notice in accordance with subsection (3).
A notice issued for the purposes of subsection (2) must—
identify or assist in the identification of the person who committed the act or omission or gave the information; and
be issued to the person bringing the legal proceedings at least 7 working days before the hearing of the proceedings.
If the defence under subsection (1) involves an allegation that the offence was due to an act or omission of another person, the defence is not established unless sufficient evidence is adduced to raise an issue that the defendant has taken all reasonable steps to secure the cooperation of that other person in complying with the provision concerned, having regard in particular to the steps which the defendant took, and those which might reasonably have been taken by the defendant, for the purpose of securing the cooperation of that other person.
If the defence under subsection (1) involves an allegation that the offence was due to reliance on information given by another person, the defence is not established unless sufficient evidence is adduced to raise an issue that it was reasonable in all the circumstances for the defendant to rely on the information, having regard in particular to—
the steps which the defendant took, and those which might reasonably have been taken by the defendant, for the purpose of verifying the information; and
whether the defendant had any reason not to believe the information.
This section applies if a provision of this Ordinance that creates an offence makes a reference to a reasonable excuse for a contravention to which the provision relates.
The reference to a reasonable excuse is to be construed as providing for a defence to a charge in respect of the contravention to which the provision relates.
A defendant is to be taken to have established that the defendant had a reasonable excuse for the contravention if—
sufficient evidence is adduced to raise an issue that the defendant had such a reasonable excuse; and
the contrary is not proved by the prosecution beyond reasonable doubt.
Subject to the other provisions of this Ordinance, a notice or other document required to be given or sent (however described) (collectively served) under or for the purposes of this Ordinance is, in the absence of evidence to the contrary, so served if—
for service on a regulating authority—
it is delivered by hand or sent by post to the address of an office specified by the authority for the purpose;
it is sent by facsimile transmission to a facsimile number specified by the authority for the purpose; or
it is sent in the form of an electronic record to an address in an information system specified by the authority for the purpose; or
for service on an organization—
it is delivered by hand or sent by post to—
the address provided by the organization under section 19;
the address of the organization’s registered office within the meaning of the Companies Ordinance (Cap. 622); or
(if neither of the addresses mentioned in sub-subparagraphs (A) and (B) is available) the organization’s last known address;
it is sent by facsimile transmission to a facsimile number specified by the organization for the purpose; or
it is sent in the form of an electronic record to an address in an information system specified by the organization for the purpose.
In this section—
address (地址) includes a number, or any sequence or combination of letters, characters, numbers or symbols of any language, used for sending or receiving a document in electronic form;
electronic record (電子紀錄) has the meaning given by section 2(1) of the Electronic Transactions Ordinance (Cap. 553).
In any legal proceedings concerning a CI operator or critical computer system, a certificate—
purporting to be signed by, or on behalf of, a regulating authority; and
stating that—
the organization specified in the certificate is a CI operator designated by the authority under section 12; or
the computer system specified in the certificate is a critical computer system designated by the authority under section 13,
must be admitted in the proceedings on its production without further proof.
Until the contrary is proved, the court or appeal board concerned must presume that the certificate is signed by, or on behalf of, the regulating authority concerned.
Until the contrary is proved, the certificate is evidence of the facts stated in it.
In this section—
legal proceedings (法律程序) includes the proceedings of an appeal board.
The Secretary for Security may give any directions the Secretary considers appropriate (whether generally or in any particular case) to any of the following persons with respect to the performance of a function under this Ordinance—
the Commissioner;
an authorized officer of the Commissioner;
a public officer to whom the function is delegated under section 52(1).
A person to whom a direction is given under subsection (1) must, in performing the function, comply with that direction.
The Secretary for Security may make regulations for the better carrying out of the provisions of this Ordinance.
Regulations made under this section may prescribe offences for the contravention of the regulations, punishable by a fine.
For an offence punishable on summary conviction, the maximum fine that may be prescribed under subsection (2) for an offence is $3,000,000 and, in the case of a continuing offence, a further fine not exceeding $60,000 may be prescribed for every day during which the offence continues.
For an offence punishable on conviction on indictment, the maximum fine that may be prescribed under subsection (2) for an offence is $5,000,000 and, in the case of a continuing offence, a further fine not exceeding $100,000 may be prescribed for every day during which the offence continues.
The Secretary for Security may by notice published in the Gazette amend any of the Schedules.
A notice under subsection (1) may contain incidental, consequential, supplemental, transitional or savings provisions that are necessary or expedient in consequence of the notice.
Energy
Information technology
Banking and financial services
Air transport
Land transport
Maritime transport
Healthcare services
Telecommunications and broadcasting services
In this Schedule—
authorized institution (認可機構) has the meaning given by section 2(1) of the Banking Ordinance (Cap. 155);
Cap. 106 (《第106章》) means the Telecommunications Ordinance (Cap. 106);
Cap. 106V (《第106V章》) means the Telecommunications (Carrier Licences) Regulation (Cap. 106 sub. leg. V);
Cap. 584 (《第584章》) means the Payment Systems and Stored Value Facilities Ordinance (Cap. 584);
Communications Authority (通訊事務管理局) means the Communications Authority established by section 3 of the Communications Authority Ordinance (Cap. 616);
designated system (指定系統) has the meaning given by section 2 of Cap. 584;
domestic free television programme service licensee (本地免費電視節目服務持牌人) means a holder of a licence granted under section 8(1) of the Broadcasting Ordinance (Cap. 562) (whether in reliance on section 10(1) of that Ordinance or not), or such a licence extended or renewed under section 11(1) of that Ordinance, to provide a domestic free television programme service (as defined by section 2(1) of that Ordinance);
Monetary Authority (金融管理專員) means the Monetary Authority appointed under section 5A of the Exchange Fund Ordinance (Cap. 66);
settlement institution (交收機構) has the meaning given by section 2 of Cap. 584;
space station carrier licence (空間電台傳送者牌照) has the meaning given by section 2(1) of Cap. 106V;
system operator (系統營運者) has the meaning given by section 2 of Cap. 584;
unified carrier licence (綜合傳送者牌照) has the meaning given by section 2(1) of Cap. 106V.

| Column 1 | Column 2 | Column 3 | Column 4 |
| Item | Designated authority | Sector | Regulated organization |
|---|---|---|---|
| 1. | Monetary Authority | Banking and financial services | (a) An authorized institution; (b) A licensee as defined by section 2 of Cap. 584; (c) A settlement institution of a designated system; (d) A system operator of a designated system |
| 2. | Communications Authority | Telecommunications and broadcasting services | (a) A holder of a unified carrier licence; (b) A holder of a space station carrier licence; (c) A domestic free television programme service licensee; (d) A licensee as defined by section 13A(1) of Cap. 106 |
The organization of the computer-system security management unit of the CI operator concerned, including details of the roles and responsibilities of personnel engaged for managing risks relating to the computer-system security of the critical computer systems concerned (including reporting lines and accountabilities).
The process of identifying computer systems that are essential to the core function of the critical infrastructure concerned.
The policies and guidelines for—
identifying, assessing, monitoring, responding to and mitigating—
risks relating to the computer-system security of critical computer systems concerned;
vulnerabilities of the systems; and
computer-system security threats and computer-system security incidents in respect of the systems;
detecting computer-system security threats and computer-system security incidents in respect of the systems;
controlling access to, and preventing any act done without lawful authority on, the systems;
ensuring that any changes to the systems are overseen, managed and controlled;
ensuring that all components of the systems are secured, managed and controlled to protect the information stored in, transmitted or processed by, or accessible via, them;
adopting principles that prioritize and integrate security measures throughout the entire development life cycle of the systems;
ensuring the availability of the systems during disruption;
managing contracts and other communications with suppliers of computer-related services and products adopted for the systems in order to ensure that—
the CI operator concerned complies with category 1 obligations, category 2 obligations and category 3 obligations; and
measures for computer-system security as required by the operator are properly implemented; and
reviewing any computer-system security management plan submitted under section 23.
The provision of training to personnel performing obligations relating to the computer-system security of the critical computer systems concerned.
The structure, roles and responsibilities of a team responsible for responding to computer-system security incidents.
The threshold for initiating the protocol mentioned in section 27(1).
The procedures for reporting computer-system security incidents.
The procedures for investigating the cause and assessing the impact of computer-system security incidents.
A recovery plan for resuming the provision of essential services by, or the normal operation of, the critical infrastructure concerned.
A plan for communicating with stakeholders and the general public in respect of computer-system security incidents.
The recommended post-incident measures for mitigating the risks of, and preventing, the recurrence of computer-system security incidents.
The policies and guidelines for reviewing any emergency response plan submitted under section 27.
In this Schedule—
penetration test (滲透測試), in relation to a computer system, means a test that—(a) simulates an attack on the system by electronic means; and (b) aims at identifying the vulnerabilities of the system through the simulated attack;
vulnerability assessment (保安漏洞評估), in relation to a computer system, means an assessment that—(a) systematically examines the system for known vulnerabilities; and (b) aims at identifying the vulnerabilities of the system for preventing any exploitation of them.

Vulnerability assessment of the critical computer systems concerned.
Penetration test of the critical computer systems concerned.
Identification and prioritization of risks relating to the computer-system security of the critical computer systems concerned (including any weakness relating to security control) (identified risks).
Determination of—
the extent of the likely impact on the computer-system security of the critical computer systems concerned that may result from the identified risks; and
the level of risks that the systems can tolerate.
Identification of the treatment and monitoring required to deal with the identified risks.
Verification of whether the existing protection measures in respect of the critical computer systems concerned have been performed properly, including—
whether computer-system security management plans (within the meaning of section 23(1)) are implemented; and
if so, whether the implementation is done by observing a relevant provision in a code of practice or done in another way.
An opinion on the condition of the computer-system security of the critical computer systems concerned based on the verification mentioned in item 1 of this Schedule.
| Column 1 | Column 2 | Column 3 |
|---|---|---|
| Item | Provision | Time |
| 1. | Section 28(2)(a) | (a) If the computer-system security incident concerned has disrupted, is disrupting or is likely to disrupt the core function of the critical infrastructure concerned—12 hours after the CI operator concerned becomes aware of the incident. (b) In any other case—48 hours after the operator becomes aware of the incident. |
| 2. | Section 28(3) | 48 hours after the notification concerned is made under section 28(1). |
| 3. | Section 28(4) | 14 days after the date on which the CI operator concerned becomes aware of the computer-system security incident concerned. |
In this Schedule—
appeal (上訴) means an appeal under section 48;
IT professional (資訊科技專業人士) means a person who has professional or academic qualifications, or practical experience, in information technology or computer science;
legal professional (法律專業人士) means a solicitor or counsel;
legal representative (法律代表), in relation to a party to an appeal, means the legal professional who represents the party at the appeal.

The Chief Executive must appoint at least 15 individuals whom the Chief Executive considers to be suitable for appointment under this subsection as members of the appeal panel.
The Chief Executive must not appoint to the appeal panel—
a public officer; or
a person employed—
by a regulating authority; or
otherwise in connection with the authority’s performance of a function under this or any other Ordinance.
The Chief Executive is to appoint one of the members of the appeal panel as chairperson.
In appointing the members of the appeal panel, the Chief Executive must ensure that—
the chairperson is—
a former Justice of Appeal of the Court of Appeal;
a former judge, a former recorder or a former deputy judge of the Court of First Instance; or
a person eligible for appointment under section 9 of the High Court Ordinance (Cap. 4);
at least 2 of the members are IT professionals;
at least 2 of the members are legal professionals; and
at least 2 of the members are neither IT professionals nor legal professionals.
Each member of the appeal panel is to be appointed for a period of not more than 2 years, but is eligible for reappointment.
For lodging an appeal against a decision, a person must lodge with the chairperson of the appeal panel a notice setting out the grounds of appeal.
The notice—
must be in the form specified by the chairperson of the appeal panel; and
must be lodged within 1 month after the date on which the person receives notice of the decision.
The chairperson of the appeal panel may in a particular case extend the period specified in subsection (2)(b) if the chairperson considers it appropriate to do so.
As soon as practicable after a notice has been lodged under section 3(1) of this Schedule, the chairperson of the appeal panel must appoint from the panel an appeal board to handle the appeal.
The appeal board is to consist of the following members—
a chairperson;
at least 2 other members (ordinary members).
In appointing the members of the appeal board, the chairperson of the appeal panel must ensure that—
the chairperson of the board is a legal professional;
at least one of the ordinary members is an IT professional;
at least one of the ordinary members is neither an IT professional nor a legal professional; and
the members do not have a disclosable interest in the decision appealed against.
For the purposes of subsection (3)(d), a person has a disclosable interest in a decision if—
the person has, in relation to the decision—
a pecuniary interest (whether direct or indirect); or
a personal interest greater than that which the person has as a member of the public; and
the pecuniary interest or personal interest could conflict or could reasonably be perceived to conflict with the proper performance of the person’s functions under this Ordinance.
An appeal board appointed for an appeal may—
determine the appeal on the basis of written submissions only (without an oral hearing); or
conduct an oral hearing for determining the appeal.
In considering an appeal, every question before an appeal board is to be decided by a majority of votes of the members voting on the question.
Subject to subsection (4), each member of the appeal board has 1 vote.
If there is an equality of votes in respect of any question to be decided, the chairperson of the appeal board has a casting vote in addition to his or her original vote.
Subject to the other provisions in this Schedule, the procedures for the conduct of any hearing for an appeal, and otherwise for handling an appeal, are to be decided by the appeal board.
This Division applies if an appeal board conducts a hearing for determining an appeal.
The hearing is to be presided over by the chairperson of the appeal board.
The quorum for the hearing is 3 members of the appeal board or one half of the members of the board, whichever is the greater.
For determining the quorum, if the number of members of the appeal board is an odd number, the number is to be regarded as having been increased by 1.
The chairperson of the appeal board must—
fix the date, time and place for the hearing so that the hearing may begin as soon as practicable; and
serve on the parties to the appeal a notice of the date, time and place of the hearing.
The appeal board has the following powers when hearing the appeal—
power to take evidence on oath;
power to examine witnesses;
power to receive and consider any material, whether by way of oral evidence, written statements, documents or otherwise, and whether or not the material would be admissible in civil or criminal proceedings;
power to determine the way in which any material mentioned in paragraph (c) is received;
power to award to a person the expenses that, in the board’s opinion, the person has reasonably incurred in attending the hearing;
power to make any order that may be necessary for or ancillary to the conduct of the hearing or the carrying out of its functions.
If it appears to the appeal board that the regulating authority concerned has reversed the decision appealed against, the board may determine the appeal in favour of the appellant.
The regulating authority may participate in the hearing through an authorized officer of the authority or a legal representative, or both.
The appellant may participate in the hearing through one or more of the following persons—
a director of the appellant;
a legal representative;
with the consent of the appeal board—any other person.
The appeal board may make an order as to the payment of the costs and expenses incurred in relation to the hearing, whether by the board, any party to the appeal, or any person attending the hearing as a witness.
Subject to subsection (2), the hearing is to be conducted in private.
After consulting the parties to the appeal, the appeal board may, by order, direct that the hearing, or any part of the hearing, be held in public.
For the purposes of subsection (2), the appeal board must have regard to—
the views or private interests of the parties to the appeal, including any claims as to privilege; and
the public interest.
If at the time fixed for the hearing, the appellant fails to send any representative to attend the hearing, the appeal board may—
if it is satisfied that the failure was due to a reasonable ground—postpone or adjourn the hearing for a period it considers appropriate; or
if it is satisfied that the failure was not due to any reasonable ground—
proceed to hear the appeal; or
by order, dismiss the appeal.
If an appeal is dismissed under subsection (1)(b)(ii)—
the appellant may, within 28 days after the date on which the order for dismissal is made, apply to the appeal board for a review of the order by written notice lodged with the chairperson of the board; and
the board may, if it is satisfied that the failure was due to a reasonable ground, set aside the order for dismissal.
A notice under subsection (2)(a) must be in the form specified by the chairperson of the appeal panel.
The appellant must, as soon as practicable after a notice is lodged under subsection (2)(a), serve a copy of the notice on the other parties to the appeal.
If the appeal board sets aside an order for dismissal under subsection (2)(b), the chairperson of the board must—
fix a new date, time and place for a new hearing of the appeal so that the new hearing may begin as soon as practicable; and
serve, at least 14 days before the date so fixed, on the parties to the appeal a notice of the date, time and place of the new hearing.
The appeal board, when hearing the appeal, has the same privileges and immunities as it would have if the appeal were legal proceedings in a court.
A party, legal representative, witness or any other person who appears before the appeal board at the hearing has the same privileges and immunities as the person would have if the appeal were legal proceedings in a court.