ELECTRONIC TRANSACTIONS ORDINANCE - CHAPTER 553
ELECTRONIC TRANSACTIONS ORDINANCE - LONG TITLE
Long title VerDate:
An Ordinance to facilitate the use of electronic transactions for commercial and other purposes, to provide for matters arising from and related to such use, to enable the Postmaster General to provide the services of a certification authority and to provide for connected purposes.
[Part I, sections 4 and 9, Part V (other than in relation to the matters referred to in Schedule 1) and Part VI, sections 31 and 33 and Parts IX, X, XI and XII: 7 January 2000
Part VII and section 32: 18 February 2000, L.N. 7 of 2000
Sections 3, 5, 6, 7, 8 and 10, Part IV, Part V (in relation to the matters referred to in Schedule 1) and Schedules 1 and 2: 7 April 2000, L.N. 60 of 2000]
(Originally 1 of 2000)
ELECTRONIC TRANSACTIONS ORDINANCE - SECT 1 Short title VerDate:07/01/2000
PART I PRELIMINARY
(1) This Ordinance may be cited as the Electronic Transactions Ordinance. (2)-(3) (Omitted as spent)
ELECTRONIC TRANSACTIONS ORDINANCE - SECT 2 Interpretation VerDate:01/07/2007
For the saving and transitional provisions relating to the amendments made by the Resolution of the Legislative Council (L.N. 130 of 2007), see paragraph (12) of that Resolution.
(1) In this Ordinance, unless the context otherwise requires- "accept" (接受), in relation to a certificate- (a) in the case of a person named or identified in the certificate as the person to whom the certificate is issued, means to- (i) confirm the accuracy of the information on the person as contained in the certificate; (ii) authorize the publication of the certificate to any other person or in a repository; (iii) use the certificate; or (iv) otherwise demonstrate the approval of the certificate; or (b) in the case of a person to be named or identified in the certificate as the person to whom the certificate is issued, means to- (i) confirm the accuracy of the information on the person that is to be contained in the certificate; (ii) authorize the publication of the certificate to any other person or in a repository; or (iii) otherwise demonstrate the approval of the certificate; (Added 14 of 2004 s. 2) "addressee" (收訊者), in relation to an electronic record sent by an originator, means the person who is specified by the originator to receive the electronic record but does not include an intermediary; "asymmetric cryptosystem" (非對稱密碼系統) means a system capable of generating a secure key pair, consisting of a private key for generating a digital signature and a public key to verify the digital signature; "certificate" (證書) means a record which- (a) is issued by a certification authority for the purpose of supporting a digital signature which purports to confirm the identity or other significant characteristics of the person who holds a particular key pair; (b) identifies the certification authority issuing it; (c) names or identifies the person to whom it is issued; (d) contains the public key of the person to whom it is issued; and (e) is signed by the certification authority issuing it; (Amended 14 of 2004 s. 
2) "certification authority" (核證機關) means a person who issues a certificate to a person (who may be another certification authority); "certification authority disclosure record" (核證機關披露紀錄), in relation to a recognized certification authority, means the record maintained under section 31 for that certification authority; "certification practice statement" (核證作業準則) means a statement issued by a certification authority to specify the practices and standards that the certification authority employs in issuing certificates; "code of practice" (業務守則) means the code of practice published under section 33; (Amended 14 of 2004 s. 2) "consent" (同意), in relation to a person, includes consent that can be reasonably inferred from the conduct of the person; (Added 14 of 2004 s. 2) "correspond" (對應), in relation to private or public keys, means to belong to the same key pair; "digital signature" (數碼簽署), in relation to an electronic record, means an electronic signature of the signer generated by the transformation of the electronic record using an asymmetric cryptosystem and a hash function such that a person having the initial untransformed electronic record and the signer's public key can determine- (a) whether the transformation was generated using the private key that corresponds to the signer's public key; and (b) whether the initial electronic record has been altered since the transformation was generated; "electronic record" (電子紀錄) means a record generated in digital form by an information system, which can be- (a) transmitted within an information system or from one information system to another; and (b) stored in an information system or other medium; "electronic signature" (電子簽署) means any letters, characters, numbers or other symbols in digital form attached to or logically associated with an electronic record, and executed or adopted for the purpose of authenticating or approving the electronic record; "government entity" (政府單位) means a public officer or a public 
body; (Added 14 of 2004 s. 2) "hash function" (雜湊函數) means an algorithm mapping or transforming one sequence of bits into another, generally smaller, set as the hash result, such that- (a) a record yields the same hash result every time the algorithm is executed using the same record as input; (b) it is computationally not feasible for a record to be derived or reconstituted from the hash result produced by the algorithm; and (c) it is computationally not feasible that 2 records can be found to produce the same hash result using the algorithm; "information" (資訊) includes data, text, images, sound codes, computer programmes, software and databases; "information system" (資訊系統) means a system which- (a) processes information; (b) records information; (c) can be used to cause information to be recorded, stored or otherwise processed in other information systems (wherever situated); and (d) can be used to retrieve information, whether the information is recorded or stored in the system itself or in other information systems (wherever situated); "intermediary" (中介人), in relation to a particular electronic record, means a person who on behalf of a person, sends, receives or stores that electronic record or provides other incidental services with respect to that electronic record; "issue" (發出), in relation to a certificate, means to- (a) create the certificate, and then notify the person named or identified in the certificate as the person to whom the certificate is issued of the information on the person as contained in the certificate; or (b) notify the person to be named or identified in the certificate as the person to whom the certificate is issued of the information on the person that is to be contained in the certificate, and then create the certificate, and then make the certificate available for use by the person; (Replaced 14 of 2004 s. 
2) "key pair" (配對密碼匙), in an asymmetric cryptosystem, means a private key and its mathematically related public key, where the public key can verify a digital signature that the private key generates; "originator" (發訊者), in relation to an electronic record, means a person, by whom, or on whose behalf, the electronic record is sent or generated but does not include an intermediary; "Permanent Secretary" (常任秘書長) means the Permanent Secretary for Commerce and Economic Development (Communications and Technology); (Added 14 of 2004 s. 2. Amended L.N. 130 of 2007) "Postmaster General" (郵政署署長) means the Postmaster General within the meaning of the Post Office Ordinance (Cap 98); "private key" (私人密碼匙) means the key of a key pair used to generate a digital signature; "public key" (公開密碼匙) means the key of a key pair used to verify a digital signature; "recognized certificate" (認可證書) means- (a) a certificate recognized under section 22; (b) a certificate of a type, class or description of certificate recognized under section 22; or (c) a certificate designated as a recognized certificate issued by the certification authority referred to in section 34; "recognized certification authority" (認可核證機關) means a certification authority recognized under section 21 or the certification authority referred to in section 34; "record" (紀錄) means information that is inscribed on, stored in or otherwise fixed on a tangible medium or that is stored in an electronic or other medium and is retrievable in a perceivable form; "reliance limit" (倚據限額) means the monetary limit specified for reliance on a recognized certificate; "repository" (儲存庫) means an information system for storing and retrieving certificates and other information relevant to certificates; "responsible officer" (負責人員), in relation to a certification authority, means a person occupying a position of responsibility in relation to the activities of the certification authority relevant to this Ordinance; "rule of law" (法律規則) means- 
(a) an Ordinance; (b) a rule of common law or a rule of equity; or (c) customary law; "Secretary" (局長) means the Secretary for Commerce and Economic Development; (Amended L.N. 106 of 2002; L.N. 130 of 2007) "sign" and "signature" (簽、簽署) include any symbol executed or adopted, or any methodology or procedure employed or adopted, by a person with the intention of authenticating or approving a record; "subscriber" (登記人) means a person (who may be a certification authority) who- (a) is named or identified in a certificate as the person to whom the certificate is issued; (b) has accepted that certificate; and (c) holds a private key which corresponds to a public key listed in that certificate; "trustworthy system" (穩當系統) means computer hardware, software and procedures that- (a) are reasonably secure from intrusion and misuse; (b) are at a reasonable level in respect of availability, reliability and ensuring a correct mode of operations for a reasonable period of time; (c) are reasonably suitable for performing their intended function; and (d) adhere to generally accepted security principles; "verify a digital signature" (核實數碼簽署), in relation to a given digital signature, electronic record and public key, means to determine that- (a) the digital signature was generated using the private key corresponding to the public key listed in a certificate; and (b) the electronic record has not been altered since its digital signature was generated, and any reference to a digital signature being verifiable is to be construed accordingly. (2) For the purposes of this Ordinance, a digital signature is taken to be supported by a certificate if the digital signature is verifiable with reference to the public key listed in a certificate the subscriber of which is the signer. (Amended 14 of 2004 s.2; L.N. 
131 of 2004)
ELECTRONIC TRANSACTIONS ORDINANCE - SECT 2 Interpretation VerDate:01/07/2004
(1) In this Ordinance, unless the context otherwise requires- "accept" (接受), in relation to a certificate- (a) in the case of a person named or identified in the certificate as the person to whom the certificate is issued, means to- (i) confirm the accuracy of the information on the person as contained in the certificate; (ii) authorize the publication of the certificate to any other person or in a repository; (iii) use the certificate; or (iv) otherwise demonstrate the approval of the certificate; or (b) in the case of a person to be named or identified in the certificate as the person to whom the certificate is issued, means to- (i) confirm the accuracy of the information on the person that is to be contained in the certificate; (ii) authorize the publication of the certificate to any other person or in a repository; or (iii) otherwise demonstrate the approval of the certificate; (Added 14 of 2004 s. 
2) "addressee" (收訊者), in relation to an electronic record sent by an originator, means the person who is specified by the originator to receive the electronic record but does not include an intermediary; "asymmetric cryptosystem" (非對稱密碼系統) means a system capable of generating a secure key pair, consisting of a private key for generating a digital signature and a public key to verify the digital signature; "certificate" (證書) means a record which- (a) is issued by a certification authority for the purpose of supporting a digital signature which purports to confirm the identity or other significant characteristics of the person who holds a particular key pair; (b) identifies the certification authority issuing it; (c) names or identifies the person to whom it is issued; (d) contains the public key of the person to whom it is issued; and (e) is signed by the certification authority issuing it; (Amended 14 of 2004 s. 2) "certification authority" (核證機關) means a person who issues a certificate to a person (who may be another certification authority); "certification authority disclosure record" (核證機關披露紀錄), in relation to a recognized certification authority, means the record maintained under section 31 for that certification authority; "certification practice statement" (核證作業準則) means a statement issued by a certification authority to specify the practices and standards that the certification authority employs in issuing certificates; "code of practice" (業務守則) means the code of practice published under section 33; (Amended 14 of 2004 s. 2) "consent" (同意), in relation to a person, includes consent that can be reasonably inferred from the conduct of the person; (Added 14 of 2004 s. 
2) "correspond" (對應), in relation to private or public keys, means to belong to the same key pair; "digital signature" (數碼簽署), in relation to an electronic record, means an electronic signature of the signer generated by the transformation of the electronic record using an asymmetric cryptosystem and a hash function such that a person having the initial untransformed electronic record and the signer's public key can determine- (a) whether the transformation was generated using the private key that corresponds to the signer's public key; and (b) whether the initial electronic record has been altered since the transformation was generated; "electronic record" (電子紀錄) means a record generated in digital form by an information system, which can be- (a) transmitted within an information system or from one information system to another; and (b) stored in an information system or other medium; "electronic signature" (電子簽署) means any letters, characters, numbers or other symbols in digital form attached to or logically associated with an electronic record, and executed or adopted for the purpose of authenticating or approving the electronic record; "government entity" (政府單位) means a public officer or a public body; (Added 14 of 2004 s. 
2) "hash function" (雜湊函數) means an algorithm mapping or transforming one sequence of bits into another, generally smaller, set as the hash result, such that- (a) a record yields the same hash result every time the algorithm is executed using the same record as input; (b) it is computationally not feasible for a record to be derived or reconstituted from the hash result produced by the algorithm; and (c) it is computationally not feasible that 2 records can be found to produce the same hash result using the algorithm; "information" (資訊) includes data, text, images, sound codes, computer programmes, software and databases; "information system" (資訊系統) means a system which- (a) processes information; (b) records information; (c) can be used to cause information to be recorded, stored or otherwise processed in other information systems (wherever situated); and (d) can be used to retrieve information, whether the information is recorded or stored in the system itself or in other information systems (wherever situated); "intermediary" (中介人), in relation to a particular electronic record, means a person who on behalf of a person, sends, receives or stores that electronic record or provides other incidental services with respect to that electronic record; "issue" (發出), in relation to a certificate, means to- (a) create the certificate, and then notify the person named or identified in the certificate as the person to whom the certificate is issued of the information on the person as contained in the certificate; or (b) notify the person to be named or identified in the certificate as the person to whom the certificate is issued of the information on the person that is to be contained in the certificate, and then create the certificate, and then make the certificate available for use by the person; (Replaced 14 of 2004 s. 
2) "key pair" (配對密碼匙), in an asymmetric cryptosystem, means a private key and its mathematically related public key, where the public key can verify a digital signature that the private key generates; "originator" (發訊者), in relation to an electronic record, means a person, by whom, or on whose behalf, the electronic record is sent or generated but does not include an intermediary; "Permanent Secretary" (常任秘書長) means the Permanent Secretary for Commerce, Industry and Technology (Communications and Technology); (Added 14 of 2004 s. 2) "Postmaster General" (郵政署署長) means the Postmaster General within the meaning of the Post Office Ordinance (Cap 98); "private key" (私人密碼匙) means the key of a key pair used to generate a digital signature; "public key" (公開密碼匙) means the key of a key pair used to verify a digital signature; "recognized certificate" (認可證書) means- (a) a certificate recognized under section 22; (b) a certificate of a type, class or description of certificate recognized under section 22; or (c) a certificate designated as a recognized certificate issued by the certification authority referred to in section 34; "recognized certification authority" (認可核證機關) means a certification authority recognized under section 21 or the certification authority referred to in section 34; "record" (紀錄) means information that is inscribed on, stored in or otherwise fixed on a tangible medium or that is stored in an electronic or other medium and is retrievable in a perceivable form; "reliance limit" (倚據限額) means the monetary limit specified for reliance on a recognized certificate; "repository" (儲存庫) means an information system for storing and retrieving certificates and other information relevant to certificates; "responsible officer" (負責人員), in relation to a certification authority, means a person occupying a position of responsibility in relation to the activities of the certification authority relevant to this Ordinance; "rule of law" (法律規則) means- (a) an Ordinance; (b) a 
rule of common law or a rule of equity; or (c) customary law; "Secretary" (局長) means the Secretary for Commerce, Industry and Technology; (Amended L.N. 106 of 2002) "sign" and "signature" (簽、簽署) include any symbol executed or adopted, or any methodology or procedure employed or adopted, by a person with the intention of authenticating or approving a record; "subscriber" (登記人) means a person (who may be a certification authority) who- (a) is named or identified in a certificate as the person to whom the certificate is issued; (b) has accepted that certificate; and (c) holds a private key which corresponds to a public key listed in that certificate; "trustworthy system" (穩當系統) means computer hardware, software and procedures that- (a) are reasonably secure from intrusion and misuse; (b) are at a reasonable level in respect of availability, reliability and ensuring a correct mode of operations for a reasonable period of time; (c) are reasonably suitable for performing their intended function; and (d) adhere to generally accepted security principles; "verify a digital signature" (核實數碼簽署), in relation to a given digital signature, electronic record and public key, means to determine that- (a) the digital signature was generated using the private key corresponding to the public key listed in a certificate; and (b) the electronic record has not been altered since its digital signature was generated, and any reference to a digital signature being verifiable is to be construed accordingly. (2) For the purposes of this Ordinance, a digital signature is taken to be supported by a certificate if the digital signature is verifiable with reference to the public key listed in a certificate the subscriber of which is the signer. (Amended 14 of 2004 s.2; L.N. 
131 of 2004)
ELECTRONIC TRANSACTIONS ORDINANCE - SECT 2 Interpretation VerDate:30/06/2004
(1) In this Ordinance, unless the context otherwise requires- "accept" (接受), in relation to a certificate- (a) in the case of a person named or identified in the certificate as the person to whom the certificate is issued, means to- (i) confirm the accuracy of the information on the person as contained in the certificate; (ii) authorize the publication of the certificate to any other person or in a repository; (iii) use the certificate; or (iv) otherwise demonstrate the approval of the certificate; or (b) in the case of a person to be named or identified in the certificate as the person to whom the certificate is issued, means to- (i) confirm the accuracy of the information on the person that is to be contained in the certificate; (ii) authorize the publication of the certificate to any other person or in a repository; or (iii) otherwise demonstrate the approval of the certificate; (Added 14 of 2004 s. 
2) "addressee" (收訊者), in relation to an electronic record sent by an originator, means the person who is specified by the originator to receive the electronic record but does not include an intermediary; "asymmetric cryptosystem" (非對稱密碼系統) means a system capable of generating a secure key pair, consisting of a private key for generating a digital signature and a public key to verify the digital signature; "certificate" (證書) means a record which- (a) is issued by a certification authority for the purpose of supporting a digital signature which purports to confirm the identity or other significant characteristics of the person who holds a particular key pair; (b) identifies the certification authority issuing it; (c) names or identifies the person to whom it is issued; (d) contains the public key of the person to whom it is issued; and (e) is signed by the certification authority issuing it; (Amended 14 of 2004 s. 2) "certification authority" (核證機關) means a person who issues a certificate to a person (who may be another certification authority); "certification authority disclosure record" (核證機關披露紀錄), in relation to a recognized certification authority, means the record maintained under section 31 for that certification authority; "certification practice statement" (核證作業準則) means a statement issued by a certification authority to specify the practices and standards that the certification authority employs in issuing certificates; "code of practice" (業務守則) means the code of practice published under section 33; (Amended 14 of 2004 s. 2) "consent" (同意), in relation to a person, includes consent that can be reasonably inferred from the conduct of the person; (Added 14 of 2004 s. 
2) "correspond" (對應), in relation to private or public keys, means to belong to the same key pair; "digital signature" (數碼簽署), in relation to an electronic record, means an electronic signature of the signer generated by the transformation of the electronic record using an asymmetric cryptosystem and a hash function such that a person having the initial untransformed electronic record and the signer's public key can determine- (a) whether the transformation was generated using the private key that corresponds to the signer's public key; and (b) whether the initial electronic record has been altered since the transformation was generated; "Director" (署長) means the Director of Information Technology Services; "electronic record" (電子紀錄) means a record generated in digital form by an information system, which can be- (a) transmitted within an information system or from one information system to another; and (b) stored in an information system or other medium; "electronic signature" (電子簽署) means any letters, characters, numbers or other symbols in digital form attached to or logically associated with an electronic record, and executed or adopted for the purpose of authenticating or approving the electronic record; "government entity" (政府單位) means a public officer or a public body; (Added 14 of 2004 s. 
2) "hash function" (雜湊函數) means an algorithm mapping or transforming one sequence of bits into another, generally smaller, set as the hash result, such that- (a) a record yields the same hash result every time the algorithm is executed using the same record as input; (b) it is computationally not feasible for a record to be derived or reconstituted from the hash result produced by the algorithm; and (c) it is computationally not feasible that 2 records can be found to produce the same hash result using the algorithm; "information" (資訊) includes data, text, images, sound codes, computer programmes, software and databases; "information system" (資訊系統) means a system which- (a) processes information; (b) records information; (c) can be used to cause information to be recorded, stored or otherwise processed in other information systems (wherever situated); and (d) can be used to retrieve information, whether the information is recorded or stored in the system itself or in other information systems (wherever situated); "intermediary" (中介人), in relation to a particular electronic record, means a person who on behalf of a person, sends, receives or stores that electronic record or provides other incidental services with respect to that electronic record; "issue" (發出), in relation to a certificate, means to- (a) create the certificate, and then notify the person named or identified in the certificate as the person to whom the certificate is issued of the information on the person as contained in the certificate; or (b) notify the person to be named or identified in the certificate as the person to whom the certificate is issued of the information on the person that is to be contained in the certificate, and then create the certificate, and then make the certificate available for use by the person; (Replaced 14 of 2004 s. 
2) "key pair" (配對密碼匙), in an asymmetric cryptosystem, means a private key and its mathematically related public key, where the public key can verify a digital signature that the private key generates; "originator" (發訊者), in relation to an electronic record, means a person, by whom, or on whose behalf, the electronic record is sent or generated but does not include an intermediary; "Permanent Secretary" (常任秘書長) means the Permanent Secretary for Commerce, Industry and Technology (Communications and Technology); (Added 14 of 2004 s. 2) "Postmaster General" (郵政署署長) means the Postmaster General within the meaning of the Post Office Ordinance (Cap 98); "private key" (私人密碼匙) means the key of a key pair used to generate a digital signature; "public key" (公開密碼匙) means the key of a key pair used to verify a digital signature; "recognized certificate" (認可證書) means- (a) a certificate recognized under section 22; (b) a certificate of a type, class or description of certificate recognized under section 22; or (c) a certificate designated as a recognized certificate issued by the certification authority referred to in section 34; "recognized certification authority" (認可核證機關) means a certification authority recognized under section 21 or the certification authority referred to in section 34; "record" (紀錄) means information that is inscribed on, stored in or otherwise fixed on a tangible medium or that is stored in an electronic or other medium and is retrievable in a perceivable form; "reliance limit" (倚據限額) means the monetary limit specified for reliance on a recognized certificate; "repository" (儲存庫) means an information system for storing and retrieving certificates and other information relevant to certificates; "responsible officer" (負責人員), in relation to a certification authority, means a person occupying a position of responsibility in relation to the activities of the certification authority relevant to this Ordinance; "rule of law" (法律規則) means- (a) an Ordinance; (b) a 
rule of common law or a rule of equity; or (c) customary law; "Secretary" (局長) means the Secretary for Commerce, Industry and Technology; (Amended L.N. 106 of 2002) "sign" and "signature" (簽、簽署) include any symbol executed or adopted, or any methodology or procedure employed or adopted, by a person with the intention of authenticating or approving a record; "subscriber" (登記人) means a person (who may be a certification authority) who- (a) is named or identified in a certificate as the person to whom the certificate is issued; (b) has accepted that certificate; and (c) holds a private key which corresponds to a public key listed in that certificate; "trustworthy system" (穩當系統) means computer hardware, software and procedures that- (a) are reasonably secure from intrusion and misuse; (b) are at a reasonable level in respect of availability, reliability and ensuring a correct mode of operations for a reasonable period of time; (c) are reasonably suitable for performing their intended function; and (d) adhere to generally accepted security principles; "verify a digital signature" (核實數碼簽署), in relation to a given digital signature, electronic record and public key, means to determine that- (a) the digital signature was generated using the private key corresponding to the public key listed in a certificate; and (b) the electronic record has not been altered since its digital signature was generated, and any reference to a digital signature being verifiable is to be construed accordingly. (2) For the purposes of this Ordinance, a digital signature is taken to be supported by a certificate if the digital signature is verifiable with reference to the public key listed in a certificate the subscriber of which is the signer. 
ELECTRONIC TRANSACTIONS ORDINANCE - SECT 2 Interpretation VerDate:01/07/2002
(1) In this Ordinance, unless the context 
otherwise requires- "accept a certificate" (接受證書), in relation to a person to whom a certificate is issued, means that the person while having notice of the contents of the certificate- (a) authorizes the publication of the certificate to one or more persons or in a repository; (b) uses the certificate; or (c) otherwise demonstrates the approval of the certificate; "addressee" (收訊者), in relation to an electronic record sent by an originator, means the person who is specified by the originator to receive the electronic record but does not include an intermediary; "asymmetric cryptosystem" (非對稱密碼系統) means a system capable of generating a secure key pair, consisting of a private key for generating a digital signature and a public key to verify the digital signature; "certificate" (證書) means a record which- (a) is issued by a certification authority for the purpose of supporting a digital signature which purports to confirm the identity or other significant characteristics of the person who holds a particular key pair; (b) identifies the certification authority issuing it; (c) names or identifies the person to whom it is issued; (d) contains the public key of the person to whom it is issued; and (e) is signed by a responsible officer of the certification authority issuing it; "certification authority" (核證機關) means a person who issues a certificate to a person (who may be another certification authority); "certification authority disclosure record" (核證機關披露紀錄), in relation to a recognized certification authority, means the record maintained under section 31 for that certification authority; "certification practice statement" (核證作業準則) means a statement issued by a certification authority to specify the practices and standards that the certification authority employs in issuing certificates; "code of practice" (業務守則) means the code of practice issued under section 33; "correspond" (對應), in relation to private or public keys, means to belong to the same key pair; "digital 
signature" (數碼簽署), in relation to an electronic record, means an electronic signature of the signer generated by the transformation of the electronic record using an asymmetric cryptosystem and a hash function such that a person having the initial untransformed electronic record and the signer's public key can determine- (a) whether the transformation was generated using the private key that corresponds to the signer's public key; and (b) whether the initial electronic record has been altered since the transformation was generated; "Director" (署長) means the Director of Information Technology Services; "electronic record" (電子紀錄) means a record generated in digital form by an information system, which can be- (a) transmitted within an information system or from one information system to another; and (b) stored in an information system or other medium; "electronic signature" (電子簽署) means any letters, characters, numbers or other symbols in digital form attached to or logically associated with an electronic record, and executed or adopted for the purpose of authenticating or approving the electronic record; "hash function" (雜湊函數) means an algorithm mapping or transforming one sequence of bits into another, generally smaller, set as the hash result, such that- (a) a record yields the same hash result every time the algorithm is executed using the same record as input; (b) it is computationally not feasible for a record to be derived or reconstituted from the hash result produced by the algorithm; and (c) it is computationally not feasible that 2 records can be found to produce the same hash result using the algorithm; "information" (資訊) includes data, text, images, sound codes, computer programmes, software and databases; "information system" (資訊系統) means a system which- (a) processes information; (b) records information; (c) can be used to cause information to be recorded, stored or otherwise processed in other information systems (wherever situated); and (d) can be 
used to retrieve information, whether the information is recorded or stored in the system itself or in other information systems (wherever situated); "intermediary" (中介人), in relation to a particular electronic record, means a person who on behalf of a person, sends, receives or stores that electronic record or provides other incidental services with respect to that electronic record; "issue" (發出), in relation to a certificate, means the act of a certification authority of creating a certificate and notifying its contents to the person named or identified in that certificate as the person to whom it is issued; "key pair" (配對密碼匙), in an asymmetric cryptosystem, means a private key and its mathematically related public key, where the public key can verify a digital signature that the private key generates; "originator" (發訊者), in relation to an electronic record, means a person, by whom, or on whose behalf, the electronic record is sent or generated but does not include an intermediary; "Postmaster General" (郵政署署長) means the Postmaster General within the meaning of the Post Office Ordinance (Cap 98); "private key" (私人密碼匙) means the key of a key pair used to generate a digital signature; "public key" (公開密碼匙) means the key of a key pair used to verify a digital signature; "recognized certificate" (認可證書) means- (a) a certificate recognized under section 22; (b) a certificate of a type, class or description of certificate recognized under section 22; or (c) a certificate designated as a recognized certificate issued by the certification authority referred to in section 34; "recognized certification authority" (認可核證機關) means a certification authority recognized under section 21 or the certification authority referred to in section 34; "record" (紀錄) means information that is inscribed on, stored in or otherwise fixed on a tangible medium or that is stored in an electronic or other medium and is retrievable in a perceivable form; "reliance limit" (倚據限額) means the monetary 
limit specified for reliance on a recognized certificate; "repository" (儲存庫) means an information system for storing and retrieving certificates and other information relevant to certificates; "responsible officer" (負責人員), in relation to a certification authority, means a person occupying a position of responsibility in relation to the activities of the certification authority relevant to this Ordinance; "rule of law" (法律規則) means- (a) an Ordinance; (b) a rule of common law or a rule of equity; or (c) customary law; "Secretary" (局長) means the Secretary for Commerce, Industry and Technology; (Amended L.N. 106 of 2002) "sign" and "signature" (簽、簽署) include any symbol executed or adopted, or any methodology or procedure employed or adopted, by a person with the intention of authenticating or approving a record; "subscriber" (登記人) means a person (who may be a certification authority) who- (a) is named or identified in a certificate as the person to whom the certificate is issued; (b) has accepted that certificate; and (c) holds a private key which corresponds to a public key listed in that certificate; "trustworthy system" (穩當系統) means computer hardware, software and procedures that- (a) are reasonably secure from intrusion and misuse; (b) are at a reasonable level in respect of availability, reliability and ensuring a correct mode of operations for a reasonable period of time; (c) are reasonably suitable for performing their intended function; and (d) adhere to generally accepted security principles; "verify a digital signature" (核實數碼簽署), in relation to a given digital signature, electronic record and public key, means to determine that- (a) the digital signature was generated using the private key corresponding to the public key listed in a certificate; and (b) the electronic record has not been altered since its digital signature was generated, and any reference to a digital signature being verifiable is to be construed accordingly. 
(2) For the purposes of this Ordinance, a digital signature is taken to be supported by a certificate if the digital signature is verifiable with reference to the public key listed in a certificate the subscriber of which is the signer. ELECTRONIC TRANSACTIONS ORDINANCE - SECT 2 Interpretation VerDate:07/01/2000 (1) In this Ordinance, unless the context otherwise requires- "accept a certificate" (接受證書), in relation to a person to whom a certificate is issued, means that the person while having notice of the contents of the certificate- (a) authorizes the publication of the certificate to one or more persons or in a repository; (b) uses the certificate; or (c) otherwise demonstrates the approval of the certificate; "addressee" (收訊者), in relation to an electronic record sent by an originator, means the person who is specified by the originator to receive the electronic record but does not include an intermediary; "asymmetric cryptosystem" (非對稱密碼系統) means a system capable of generating a secure key pair, consisting of a private key for generating a digital signature and a public key to verify the digital signature; "certificate" (證書) means a record which- (a) is issued by a certification authority for the purpose of supporting a digital signature which purports to confirm the identity or other significant characteristics of the person who holds a particular key pair; (b) identifies the certification authority issuing it; (c) names or identifies the person to whom it is issued; (d) contains the public key of the person to whom it is issued; and (e) is signed by a responsible officer of the certification authority issuing it; "certification authority" (核證機關) means a person who issues a certificate to a person (who may be another certification authority); "certification authority disclosure record" (核證機關披露紀錄), in relation to a recognized certification authority, means the record maintained under section 31 for that certification authority; "certification practice 
statement" (核證作業準則) means a statement issued by a certification authority to specify the practices and standards that the certification authority employs in issuing certificates; "code of practice" (業務守則) means the code of practice issued under section 33; "correspond" (對應), in relation to private or public keys, means to belong to the same key pair; "digital signature" (數碼簽署), in relation to an electronic record, means an electronic signature of the signer generated by the transformation of the electronic record using an asymmetric cryptosystem and a hash function such that a person having the initial untransformed electronic record and the signer's public key can determine- (a) whether the transformation was generated using the private key that corresponds to the signer's public key; and (b) whether the initial electronic record has been altered since the transformation was generated; "Director" (署長) means the Director of Information Technology Services; "electronic record" (電子紀錄) means a record generated in digital form by an information system, which can be- (a) transmitted within an information system or from one information system to another; and (b) stored in an information system or other medium; "electronic signature" (電子簽署) means any letters, characters, numbers or other symbols in digital form attached to or logically associated with an electronic record, and executed or adopted for the purpose of authenticating or approving the electronic record; "hash function" (雜湊函數) means an algorithm mapping or transforming one sequence of bits into another, generally smaller, set as the hash result, such that- (a) a record yields the same hash result every time the algorithm is executed using the same record as input; (b) it is computationally not feasible for a record to be derived or reconstituted from the hash result produced by the algorithm; and (c) it is computationally not feasible that 2 records can be found to produce the same hash result using the 
algorithm; "information" (資訊) includes data, text, images, sound codes, computer programmes, software and databases; "information system" (資訊系統) means a system which- (a) processes information; (b) records information; (c) can be used to cause information to be recorded, stored or otherwise processed in other information systems (wherever situated); and (d) can be used to retrieve information, whether the information is recorded or stored in the system itself or in other information systems (wherever situated); "intermediary" (中介人), in relation to a particular electronic record, means a person who on behalf of a person, sends, receives or stores that electronic record or provides other incidental services with respect to that electronic record; "issue" (發出), in relation to a certificate, means the act of a certification authority of creating a certificate and notifying its contents to the person named or identified in that certificate as the person to whom it is issued; "key pair" (配對密碼匙), in an asymmetric cryptosystem, means a private key and its mathematically related public key, where the public key can verify a digital signature that the private key generates; "originator" (發訊者), in relation to an electronic record, means a person, by whom, or on whose behalf, the electronic record is sent or generated but does not include an intermediary; "Postmaster General" (郵政署署長) means the Postmaster General within the meaning of the Post Office Ordinance (Cap 98); "private key" (私人密碼匙) means the key of a key pair used to generate a digital signature; "public key" (公開密碼匙) means the key of a key pair used to verify a digital signature; "recognized certificate" (認可證書) means- (a) a certificate recognized under section 22; (b) a certificate of a type, class or description of certificate recognized under section 22; or (c) a certificate designated as a recognized certificate issued by the certification authority referred to in section 34; "recognized certification authority" 
(認可核證機關) means a certification authority recognized under section 21 or the certification authority referred to in section 34; "record" (紀錄) means information that is inscribed on, stored in or otherwise fixed on a tangible medium or that is stored in an electronic or other medium and is retrievable in a perceivable form; "reliance limit" (倚據限額) means the monetary limit specified for reliance on a recognized certificate; "repository" (儲存庫) means an information system for storing and retrieving certificates and other information relevant to certificates; "responsible officer" (負責人員), in relation to a certification authority, means a person occupying a position of responsibility in relation to the activities of the certification authority relevant to this Ordinance; "rule of law" (法律規則) means- (a) an Ordinance; (b) a rule of common law or a rule of equity; or (c) customary law; "Secretary" (局長) means the Secretary for Information Technology and Broadcasting; "sign" and "signature" (簽、簽署) include any symbol executed or adopted, or any methodology or procedure employed or adopted, by a person with the intention of authenticating or approving a record; "subscriber" (登記人) means a person (who may be a certification authority) who- (a) is named or identified in a certificate as the person to whom the certificate is issued; (b) has accepted that certificate; and (c) holds a private key which corresponds to a public key listed in that certificate; "trustworthy system" (穩當系統) means computer hardware, software and procedures that- (a) are reasonably secure from intrusion and misuse; (b) are at a reasonable level in respect of availability, reliability and ensuring a correct mode of operations for a reasonable period of time; (c) are reasonably suitable for performing their intended function; and (d) adhere to generally accepted security principles; "verify a digital signature" (核實數碼簽署), in relation to a given digital signature, electronic record and public key, means to 
determine that- (a) the digital signature was generated using the private key corresponding to the public key listed in a certificate; and (b) the electronic record has not been altered since its digital signature was generated, and any reference to a digital signature being verifiable is to be construed accordingly. (2) For the purposes of this Ordinance, a digital signature is taken to be supported by a certificate if the digital signature is verifiable with reference to the public key listed in a certificate the subscriber of which is the signer. ELECTRONIC TRANSACTIONS ORDINANCE - SECT 3 Matters to which sections 5, 5A, 6, 7, 8 and 17 are not applicable VerDate:30/06/2004 PART II APPLICATION Sections 5, 5A, 6, 7, 8 and 17 do not apply to any- (Amended 14 of 2004 s. 3) (a) requirement or permission for information to be or given in writing; (aa) requirement or permission for a document to be served by personal service or by post; (Added 14 of 2004 s. 
3) (b) requirement for the signature of a person; (c) requirement for information to be presented or retained in its original form; (d) requirement for information to be retained, under a rule of law in a matter or for an act set out in Schedule 1, unless that rule of law expressly provides otherwise. ELECTRONIC TRANSACTIONS ORDINANCE - SECT 3 Matters to which sections 5, 6, 7, 8 and 17 are not applicable VerDate:07/04/2000 PART II APPLICATION Sections 5, 6, 7, 8 and 17 do not apply to any- (a) requirement or permission for information to be or given in writing; (b) requirement for the signature of a person; (c) requirement for information to be presented or retained in its original form; (d) requirement for information to be retained, under a rule of law in a matter or for an act set out in Schedule 1, unless that rule of law expressly provides otherwise. ELECTRONIC TRANSACTIONS ORDINANCE - SECT 4 Ordinance to bind Government VerDate:07/01/2000 This Ordinance binds the Government. ELECTRONIC TRANSACTIONS ORDINANCE - SECT 5 Requirement for writing VerDate:07/04/2000 PART III ELECTRONIC RECORDS AND DIGITAL SIGNATURES (1) If a rule of law requires information to be or given in writing or provides for certain consequences if it is not, an electronic record satisfies the requirement if the information contained in the electronic record is accessible so as to be usable for subsequent reference. (2) If a rule of law permits information to be or given in writing, an electronic record satisfies that rule of law if the information contained in the electronic record is accessible so as to be usable for subsequent reference. 
ELECTRONIC TRANSACTIONS ORDINANCE - SECT 5A Service of documents VerDate:30/06/2004 (1) Without limiting the generality of section 5, if a rule of law under a provision set out in Schedule 3 requires a document to be served on a person by personal service or by post (whether or not there is any further specification as to the address or place at which such service is to be effected), the provision shall be construed as also providing that service of the document in the form of an electronic record to an information system designated by the person satisfies the requirement under the provision if the information contained in the electronic record is accessible so as to be usable for subsequent reference. (2) Without limiting the generality of section 5, if a rule of law under a provision set out in Schedule 3 permits a document to be served on a person by personal service or by post (whether or not there is any further specification as to the address or place at which such service is to be effected), the provision shall be construed as also providing that service of the document in the form of an electronic record to an information system designated by the person is permitted under the provision if the information contained in the electronic record is accessible so as to be usable for subsequent reference. (Added 14 of 2004 s. 4) ELECTRONIC TRANSACTIONS ORDINANCE - SECT 6 Electronic signatures, digital signatures, etc. 
VerDate:01/07/2004 (1) Where- (a) a rule of law requires the signature of a person ("the first mentioned person") on a document or provides for certain consequences if the document is not signed by the first mentioned person; and (b) neither the first mentioned person nor the person to whom the signature is to be given ("the second mentioned person") is or is acting on behalf of a government entity, an electronic signature of the first mentioned person satisfies the requirement if- (c) the first mentioned person uses a method to attach the electronic signature to or logically associate the electronic signature with an electronic record for the purpose of identifying himself and indicating his authentication or approval of the information contained in the document in the form of the electronic record; (d) having regard to all the relevant circumstances, the method used is reliable, and is appropriate, for the purpose for which the information contained in the document is communicated; and (e) the second mentioned person consents to the use of the method by the first mentioned person. (Replaced 14 of 2004 s. 5) (1A) Where- (a) a rule of law requires the signature of a person on a document or provides for certain consequences if the document is not signed by the person; and (b) either or both of the person mentioned in paragraph (a) and the person to whom the signature is to be given is or are or is or are acting on behalf of a government entity or government entities, a digital signature of the person mentioned in paragraph (a) satisfies the requirement if the digital signature is- (c) supported by a recognized certificate; (d) generated within the validity of that certificate; and (e) used in accordance with the terms of that certificate. (Added 14 of 2004 s. 
5) (2) In subsection (1A)(d), "within the validity of that certificate" (在該證書的有效期內) means that at the time the digital signature is generated- (Amended 14 of 2004 s. 5) (a) the recognition of the recognized certificate is not revoked or suspended by the Government Chief Information Officer, and the certificate is not revoked or suspended by the recognized certification authority that issues the certificate; (Amended 14 of 2004 s. 5; L.N. 131 of 2004) (aa) in the case of a recognized certificate that is a certificate designated as a recognized certificate issued by the recognized certification authority referred to in section 34, the designation is not withdrawn by the certification authority; (Added 14 of 2004 s. 5) (b) if the Government Chief Information Officer has specified a period of validity for the recognition of the recognized certificate, the certificate is within that period; and (Amended L.N. 131 of 2004) (c) if the recognized certification authority has specified a period of validity for the recognized certificate, the certificate is within that period. ELECTRONIC TRANSACTIONS ORDINANCE - SECT 6 Electronic signatures, digital signatures, etc. 
VerDate:30/06/2004 (1) Where- (a) a rule of law requires the signature of a person ("the first mentioned person") on a document or provides for certain consequences if the document is not signed by the first mentioned person; and (b) neither the first mentioned person nor the person to whom the signature is to be given ("the second mentioned person") is or is acting on behalf of a government entity, an electronic signature of the first mentioned person satisfies the requirement if- (c) the first mentioned person uses a method to attach the electronic signature to or logically associate the electronic signature with an electronic record for the purpose of identifying himself and indicating his authentication or approval of the information contained in the document in the form of the electronic record; (d) having regard to all the relevant circumstances, the method used is reliable, and is appropriate, for the purpose for which the information contained in the document is communicated; and (e) the second mentioned person consents to the use of the method by the first mentioned person. (Replaced 14 of 2004 s. 5) (1A) Where- (a) a rule of law requires the signature of a person on a document or provides for certain consequences if the document is not signed by the person; and (b) either or both of the person mentioned in paragraph (a) and the person to whom the signature is to be given is or are or is or are acting on behalf of a government entity or government entities, a digital signature of the person mentioned in paragraph (a) satisfies the requirement if the digital signature is- (c) supported by a recognized certificate; (d) generated within the validity of that certificate; and (e) used in accordance with the terms of that certificate. (Added 14 of 2004 s. 5) (2) In subsection (1A)(d), "within the validity of that certificate" (在該證書的有效期內) means that at the time the digital signature is generated- (Amended 14 of 2004 s. 
5) (a) the recognition of the recognized certificate is not revoked or suspended by the Director, and the certificate is not revoked or suspended by the recognized certification authority that issues the certificate; (Amended 14 of 2004 s. 5) (aa) in the case of a recognized certificate that is a certificate designated as a recognized certificate issued by the recognized certification authority referred to in section 34, the designation is not withdrawn by the certification authority; (Added 14 of 2004 s. 5) (b) if the Director has specified a period of validity for the recognition of the recognized certificate, the certificate is within that period; and (c) if the recognized certification authority has specified a period of validity for the recognized certificate, the certificate is within that period. ELECTRONIC TRANSACTIONS ORDINANCE - SECT 6 Digital signatures VerDate:07/04/2000 (1) If a rule of law requires the signature of a person or provides for certain consequences if a document is not signed by a person, a digital signature of the person satisfies the requirement but only if the digital signature is supported by a recognized certificate and is generated within the validity of that certificate. (2) In subsection (1), "within the validity of that certificate" (在該證書的有效期內) means that at the time the digital signature is generated- (a) the recognition of the recognized certificate is not revoked or suspended; (b) if the Director has specified a period of validity for the recognition of the recognized certificate, the certificate is within that period; and (c) if the recognized certification authority has specified a period of validity for the recognized certificate, the certificate is within that period. 
ELECTRONIC TRANSACTIONS ORDINANCE - SECT 7 Presentation or retention of information in its original form VerDate:07/04/2000 (1) Where a rule of law requires that certain information be presented or retained in its original form, the requirement is satisfied by presenting or retaining the information in the form of electronic records if- (a) there exists a reliable assurance as to the integrity of the information from the time when it was first generated in its final form; and (b) where it is required that information be presented, the information is capable of being displayed in a legible form to the person to whom it is to be presented. (2) For the purposes of subsection (1)(a)- (a) the criterion for assessing the integrity of the information is whether the information has remained complete and unaltered, apart from the addition of any endorsement or any change which arises in the normal course of communication, storage or display; and (b) the standard for reliability of the assurance is to be assessed having regard to the purpose for which the information was generated and all the other relevant circumstances. (3) This section applies whether the requirement in subsection (1) is in the form of an obligation or whether the rule of law merely provides consequences for the information not being presented or retained in its original form. 
ELECTRONIC TRANSACTIONS ORDINANCE - SECT 8 Retention of information in electronic records VerDate:07/04/2000 (1) Where a rule of law requires certain information to be retained, whether in writing or otherwise, the requirement is satisfied by retaining electronic records, if- (a) the information contained in the electronic record remains accessible so as to be usable for subsequent reference; (b) the relevant electronic record is retained in the format in which it was originally generated, sent or received, or in a format which can be demonstrated to represent accurately the information originally generated, sent or received; and (c) the information which enables the identification of the origin and destination of the electronic record and the date and time when it was sent or received, is retained. (2) This section applies whether the requirement in subsection (1) is in the form of an obligation or whether the rule of law merely provides consequences for the information not being retained. ELECTRONIC TRANSACTIONS ORDINANCE - SECT 9 Admissibility of electronic records VerDate:07/01/2000 Without prejudice to any rules of evidence, an electronic record shall not be denied admissibility in evidence in any legal proceeding on the sole ground that it is an electronic record. ELECTRONIC TRANSACTIONS ORDINANCE - SECT 10 Construction of this Part subject to Part IV VerDate:07/04/2000 This Part is to be construed subject to Part IV. ELECTRONIC TRANSACTIONS ORDINANCE - SECT 11 Permanent Secretary may make orders excluding application of section 5, 6, 7 or 8, etc. VerDate:30/06/2004 PART IV LIMITATIONS ON OPERATION OF SECTIONS 5, 5A, 6, 7 AND 8 (Amended 14 of 2004 s. 6) (1) The Permanent Secretary may by order published in the Gazette exclude an Ordinance or a particular requirement or permission in an Ordinance or a class or description of requirements or permissions in an Ordinance, to which this Ordinance would otherwise apply, from the application of section 5, 6, 7 or 8. 
(Amended 14 of 2004 s. 7) (2) The Permanent Secretary may, in relation to an Ordinance to which section 5, 5A, 6, 7 or 8 applies, specify by notice published in the Gazette- (Amended 14 of 2004 s. 7) (a) the manner and format in which information in the form of an electronic record is to be given, presented or retained or a document in the form of an electronic record is to be served for the purposes of that Ordinance or a particular requirement or permission in that Ordinance or a class or description of requirements or permissions in that Ordinance; and (Amended 14 of 2004 s. 7) (b) the procedure and criteria for verification of the receipt of that information and for ensuring the integrity and confidentiality of the information. (3) The Permanent Secretary may specify different requirements under subsection (2)(a) or (b) in relation to persons or cases of different classes or descriptions. (Amended 14 of 2004 s. 7) (4) An order under subsection (1) is subsidiary legislation. (5) A notice under subsection (2) is not subsidiary legislation. (6) In this section, "manner and format" (方式及規格) includes requirements as to software, communication, data storage, how the electronic record is to be generated, sent, stored or received and where a signature is required, the type of signature and how the signature is to be affixed to the electronic record. ELECTRONIC TRANSACTIONS ORDINANCE - SECT 11 Secretary may make orders excluding application of section 5, 6, 7 or 8 VerDate:07/04/2000 PART IV LIMITATIONS ON OPERATION OF SECTIONS 5, 6, 7 AND 8 (1) The Secretary may by order published in the Gazette exclude an Ordinance or a particular requirement or permission in an Ordinance or a class or description of requirements or permissions in an Ordinance, to which this Ordinance would otherwise apply, from the application of section 5, 6, 7 or 8. 
(2) The Secretary may, in relation to an Ordinance to which this Ordinance applies, specify by notice published in the Gazette- (a) the manner and format in which information in the form of an electronic record is to be given, presented or retained for the purposes of that Ordinance or a particular requirement or permission in that Ordinance or a class or description of requirements or permissions in that Ordinance; and (b) the procedure and criteria for verification of the receipt of that information and for ensuring the integrity and confidentiality of the information. (3) The Secretary may specify different requirements under subsection (2)(a) or (b) in relation to persons or cases of different classes or descriptions. (4) An order under subsection (1) is subsidiary legislation. (5) A notice under subsection (2) is not subsidiary legislation. (6) In this section, "manner and format" (方式及規格) includes requirements as to software, communication, data storage, how the electronic record is to be generated, sent, stored or received and where a signature is required, the type of signature and how the signature is to be affixed to the electronic record. ELECTRONIC TRANSACTIONS ORDINANCE - SECT 12 Electronic record to comply with specified requirements to satisfy sections 5, 5A, 6, 7 and 8 VerDate:30/06/2004 If the Permanent Secretary has specified any requirement under section 11(2) in relation to an Ordinance, the information given, presented or retained, the document served or the signature made, as the case may require, for the purpose of that Ordinance does not satisfy that Ordinance unless it complies with the specified requirements. (Amended 14 of 2004 s. 
8) ELECTRONIC TRANSACTIONS ORDINANCE - SECT 12 Electronic record to comply with specified requirements to satisfy sections 5, 6, 7 and 8 VerDate:07/04/2000 If the Secretary has specified any requirement under section 11(2) in relation to an Ordinance, the information given, presented or retained or the signature made, as the case may require, for the purpose of that Ordinance does not satisfy that Ordinance unless it complies with the specified requirements. ELECTRONIC TRANSACTIONS ORDINANCE - SECT 13 Rules of court or procedure only to apply where relevant authority provides for application VerDate:30/06/2004 (1) Section 5, 5A, 6, 7 or 8 does not apply in relation to information given, presented or retained, documents served or signatures required for the purposes of any proceedings set out in Schedule 2, unless any rule of law relating to those proceedings provide for its application. (2) Subsection (1) is not to be construed as affecting any provision in a rule of law referred to in that subsection, requiring or permitting, otherwise than by reference to this Ordinance, the use of electronic records or electronic signatures for the purposes of the proceedings to which the rule of law relates. (3) Any authority given by a rule of law to make rules (however described) for the purpose of any proceedings set out in Schedule 2 is to be construed as including a power to provide for- (a) the application of section 5, 5A, 6, 7 or 8; and (b) the specification of the matters referred to in section 11(2)(a) and (b), by subsidiary legislation or otherwise, consequent to such application. (Amended 14 of 2004 s. 
9) ELECTRONIC TRANSACTIONS ORDINANCE - SECT 13 Rules of court or procedure only to apply where relevant authority provides for application VerDate:07/04/2000 (1) Section 5, 6, 7 or 8 does not apply in relation to information given, presented or retained or signatures required for the purposes of any proceedings set out in Schedule 2, unless any rule of law relating to those proceedings provide for its application. (2) Subsection (1) is not to be construed as affecting any provision in a rule of law referred to in that subsection, requiring or permitting, otherwise than by reference to this Ordinance, the use of electronic records or electronic signatures for the purposes of the proceedings to which the rule of law relates. (3) Any authority given by a rule of law to make rules (however described) for the purpose of any proceedings set out in Schedule 2 is to be construed as including a power to provide for- (a) the application of section 5, 6, 7 or 8; and (b) the specification of the matters referred to in section 11(2)(a) and (b), by subsidiary legislation or otherwise, consequent to such application. ELECTRONIC TRANSACTIONS ORDINANCE - SECT 14 Sections 5, 6, 7 and 8 not to affect specific provisions as to electronic records in other Ordinances VerDate:07/04/2000 If an Ordinance requires or permits giving, presenting or retaining information in the form of an electronic record or the authentication of information by an electronic signature for the purposes of that Ordinance, but contains an express provision which- (a) specifies requirements, procedures or other specifications for that purpose; (b) requires the use of a specified service; or (c) confers a discretion on a person whether or when to accept electronic records or electronic signatures for that purpose, section 5, 6, 7 or 8 is not to be construed as affecting that express provision. 
ELECTRONIC TRANSACTIONS ORDINANCE - SECT 15 Consent required for sections 5, 5A and 7 to apply to transactions between persons who are not government entities VerDate:30/06/2004 (1) If an Ordinance requires information to be given by a person to another and neither person is or is acting on behalf of a government entity, section 5(1) applies only if the person to whom the information is to be given consents to it being given in the form of an electronic record. (2) If an Ordinance permits information to be given by a person to another and neither person is or is acting on behalf of a government entity, section 5(2) applies only if the person to whom the information is to be given consents to it being given in the form of an electronic record. (2A) If an Ordinance requires a document to be served by a person on another by personal service or by post and neither person is or is acting on behalf of a government entity, section 5A(1) applies only if the person on whom the document is to be served consents to it being served in the form of an electronic record. (Added 14 of 2004 s. 10) (2B) If an Ordinance permits a document to be served by a person on another by personal service or by post and neither person is or is acting on behalf of a government entity, section 5A(2) applies only if the person on whom the document is to be served consents to it being served in the form of an electronic record. (Added 14 of 2004 s. 10) (3) (Repealed 14 of 2004 s. 10) (4) If an Ordinance requires information to be presented in its original form and neither the person presenting it nor the person to whom it is to be presented ("the second mentioned person") is or is acting on behalf of a government entity, section 7(1) applies only if the second mentioned person consents to it being presented in the form of an electronic record. (5) (Repealed 14 of 2004 s. 
10) ELECTRONIC TRANSACTIONS ORDINANCE - SECT 15 When sections 5, 6 and 7 apply to transactions between persons who are not government entities VerDate:07/04/2000 (1) If an Ordinance requires information to be given by a person to another and neither person is or is acting on behalf of a government entity, section 5(1) applies only if the person to whom the information is to be given consents to it being given in the form of an electronic record. (2) If an Ordinance permits information to be given by a person to another and neither person is or is acting on behalf of a government entity, section 5(2) applies only if the person to whom the information is to be given consents to it being given in the form of an electronic record. (3) If an Ordinance requires the signature of a person ("the signer") and neither the signer nor the person to whom the signature is to be given ("the second mentioned person") is or is acting on behalf of a government entity, section 6 applies only if the second mentioned person consents to the signer's digital signature being given. (4) If an Ordinance requires information to be presented in its original form and neither the person presenting it nor the person to whom it is to be presented ("the second mentioned person") is or is acting on behalf of a government entity, section 7(1) applies only if the second mentioned person consents to it being presented in the form of an electronic record. (5) In this section- "consent" (同意) includes consent that can be reasonably inferred from the conduct of the person concerned; "government entity" (政府單位) means a public officer or a public body. 
ELECTRONIC TRANSACTIONS ORDINANCE - SECT 16 Sections 5, 6, 7 and 8 not to have effect if their operation affects other statutory requirements VerDate:07/04/2000 (1) If the effect of section 5 on a requirement or permission in an Ordinance for information to be or given in writing ("requirement for writing") is such that any other requirement in that Ordinance or a related Ordinance (that is a requirement other than the requirement for writing) cannot be complied with due to the operation of that section, section 5 does not apply to the requirement for writing. (2) If the effect of section 6 on a requirement in an Ordinance for the signature of a person is such that any other requirement in that Ordinance or a related Ordinance (that is a requirement other than the requirement for the signature of a person) cannot be complied with due to the operation of that section, section 6 does not apply to the requirement for the signature of a person. (3) If the effect of section 7 on a requirement in an Ordinance for information to be presented or retained in its original form ("requirement for original form") is such that any other requirement in that Ordinance or a related Ordinance (that is a requirement other than the requirement for original form) cannot be complied with due to the operation of that section, section 7 does not apply to the requirement for original form. (4) If the effect of section 8 on a requirement in an Ordinance for information to be retained ("requirement for retention") is such that any other requirement in that Ordinance or a related Ordinance (that is a requirement other than the requirement for retention) cannot be complied with due to the operation of that section, section 8 does not apply to the requirement for retention. ELECTRONIC TRANSACTIONS ORDINANCE - SECT 17 Formation and validity of electronic contracts VerDate:30/06/2004 1. 
This section has come into operation on 7 January 2000 other than in relation to the matters referred to in Schedule 1 of this Ordinance. 2. This section has come into operation on 7 April 2000 in relation to the matters referred to in Schedule 1 of this Ordinance. PART V ELECTRONIC CONTRACTS (1) For the avoidance of doubt, it is declared that in the context of the formation of contracts, unless otherwise agreed by the parties, an offer and the acceptance of an offer may be in whole or in part expressed by means of electronic records. (2) Where an electronic record is used in the formation of a contract, that contract shall not be denied validity or enforceability on the sole ground that an electronic record was used for that purpose. (2A) For the avoidance of doubt, it is declared that in the context of the formation of contracts, if an offer or the acceptance of an offer is in whole or in part expressed by means of an electronic record, an electronic signature attached to or logically associated with the electronic record shall not be denied legal effect on the sole ground that it is an electronic signature. (Added 14 of 2004 s. 11) (3) For the avoidance of doubt, it is stated that this section does not affect any rule of common law to the effect that the offeror may prescribe the method of communicating acceptance. ELECTRONIC TRANSACTIONS ORDINANCE - SECT 17 Formation and validity of electronic contracts VerDate:07/04/2000 1. This section has come into operation on 7 January 2000 other than in relation to the matters referred to in Schedule 1 of this Ordinance. 2. This section has come into operation on 7 April 2000 in relation to the matters referred to in Schedule 1 of this Ordinance. PART V ELECTRONIC CONTRACTS (1) For the avoidance of doubt, it is declared that in the context of the formation of contracts, unless otherwise agreed by the parties, an offer and the acceptance of an offer may be in whole or in part expressed by means of electronic records. 
(2) Where an electronic record is used in the formation of a contract, that contract shall not be denied validity or enforceability on the sole ground that an electronic record was used for that purpose. (3) For the avoidance of doubt, it is stated that this section does not affect any rule of common law to the effect that the offeror may prescribe the method of communicating acceptance. ELECTRONIC TRANSACTIONS ORDINANCE - SECT 17 Formation and validity of electronic contracts VerDate:07/01/2000 This section has come into operation on 7 January 2000 other than in relation to the matters referred to in schedule 1 of this Ordinance. PART V ELECTRONIC CONTRACTS (1) For the avoidance of doubt, it is declared that in the context of the formation of contracts, unless otherwise agreed by the parties, an offer and the acceptance of an offer may be in whole or in part expressed by means of electronic records. (2) Where an electronic record is used in the formation of a contract, that contract shall not be denied validity or enforceability on the sole ground that an electronic record was used for that purpose. (3) For the avoidance of doubt, it is stated that this section does not affect any rule of common law to the effect that the offeror may prescribe the method of communicating acceptance. ELECTRONIC TRANSACTIONS ORDINANCE - SECT 18 Attribution of electronic record VerDate:07/01/2000 PART VI ATTRIBUTION OF SENDING AND RECEIVING ELECTRONIC RECORDS (1) Unless otherwise agreed between the originator and the addressee of an electronic record, an electronic record is that of the originator if it was- (a) sent by the originator; (b) sent with the authority of the originator; or (c) sent by an information system programmed by or on behalf of the originator to operate and to send the electronic record automatically. (2) Nothing in subsection (1) is to affect the law of agency or the law on the formation of contracts. 
ELECTRONIC TRANSACTIONS ORDINANCE - SECT 19 Sending and receiving electronic records VerDate:07/01/2000 (1) Unless otherwise agreed between the originator and the addressee of an electronic record, an electronic record is sent when it is accepted by an information system outside the control of the originator or of the person who sent the electronic record on behalf of the originator. (2) Unless otherwise agreed between the originator and the addressee of an electronic record, the time of receipt of an electronic record is determined as follows- (a) if the addressee has designated an information system for the purpose of receiving electronic records, receipt occurs- (i) at the time when the electronic record is accepted by the designated information system; or (ii) if the electronic record is sent to an information system of the addressee that is not the designated information system, at the time when the electronic record comes to the knowledge of the addressee; (b) if the addressee has not designated an information system, receipt occurs when the electronic record comes to the knowledge of the addressee. (3) Subsections (1) and (2) apply notwithstanding that the place where the information system is located is different from the place where the electronic record is taken to have been sent or received under subsection (4). (4) Unless otherwise agreed between the originator and the addressee, an electronic record is taken to have been- (a) sent at the place of business of the originator; and (b) received at the place of business of the addressee. 
(5) For the purposes of subsection (4)- (a) if the originator or the addressee has more than one place of business, the place of business is that which has the closest relationship to the underlying transaction, or where there is no underlying transaction, the principal place of business of the originator or the addressee, as the case may be; (b) if the originator or the addressee does not have a place of business, the place of business is the place where the originator or the addressee ordinarily resides. (6) Where the originator and the addressee are in different time zones, time refers to Universal Standard Time. ELECTRONIC TRANSACTIONS ORDINANCE - SECT 20 Certification authority may apply to Government Chief Information Officer for recognition VerDate:01/07/2004 PART VII RECOGNITION OF CERTIFICATION AUTHORITIES AND CERTIFICATES BY GOVERNMENT CHIEF INFORMATION OFFICER (Amended L.N. 131 of 2004) (1) A certification authority may apply to the Government Chief Information Officer to become a recognized certification authority for the purposes of this Ordinance. (2) Subject to subsection (4) and section 21(3), an application under subsection (1) must be made in the prescribed manner and in a form specified by the Government Chief Information Officer and the applicant must pay the prescribed fee in respect of the application. (3) An applicant must furnish to the Government Chief Information Officer- (Amended L.N. 131 of 2004) (a) the relevant particulars and documents specified under section 30; (Amended 14 of 2004 s. 12) (b) a report which- (i) contains an assessment as to whether the applicant is capable of complying with such provisions of this Ordinance and of the code of practice as are specified in the code of practice for the purposes of this subparagraph; and (ii) is made by a person approved by the Government Chief Information Officer as being qualified to make such a report; and (Replaced 14 of 2004 s. 
12) (c) a statutory declaration which- (i) states whether the applicant is capable of complying with such provisions of this Ordinance and of the code of practice as are specified in the code of practice for the purposes of this subparagraph; and (ii) is made by a responsible officer of the applicant. (Added 14 of 2004 s. 12) (3A) Any report or statutory declaration required to be furnished under subsection (3) must be made at the expense of the applicant. (Added 14 of 2004 s. 12) (4) The Government Chief Information Officer may waive- (Amended L.N. 131 of 2004) (a) the requirements as to manner and form of making the application in subsection (2); or (b) the requirement of a report or statutory declaration under subsection (3), (Amended 14 of 2004 s. 12) in relation to a certification authority, in the circumstances specified in subsection (5). (5) The Government Chief Information Officer may waive the requirements referred to in subsection (4) only if- (Amended L.N. 131 of 2004) (a) the applicant is a certification authority with a status in a place outside Hong Kong comparable to that of a recognized certification authority ("comparable status"); and (b) the competent authority of that place accords to a recognized certification authority a comparable status on the basis of it being a recognized certification authority. (Amended L.N. 131 of 2004) ELECTRONIC TRANSACTIONS ORDINANCE - SECT 20 Certification authority may apply to Director for recognition VerDate:30/06/2004 PART VII RECOGNITION OF CERTIFICATION AUTHORITIES AND CERTIFICATES BY DIRECTOR (1) A certification authority may apply to the Director to become a recognized certification authority for the purposes of this Ordinance. (2) Subject to subsection (4) and section 21(3), an application under subsection (1) must be made in the prescribed manner and in a form specified by the Director and the applicant must pay the prescribed fee in respect of the application. 
(3) An applicant must furnish to the Director- (a) the relevant particulars and documents specified under section 30; (Amended 14 of 2004 s. 12) (b) a report which- (i) contains an assessment as to whether the applicant is capable of complying with such provisions of this Ordinance and of the code of practice as are specified in the code of practice for the purposes of this subparagraph; and (ii) is made by a person approved by the Director as being qualified to make such a report; and (Replaced 14 of 2004 s. 12) (c) a statutory declaration which- (i) states whether the applicant is capable of complying with such provisions of this Ordinance and of the code of practice as are specified in the code of practice for the purposes of this subparagraph; and (ii) is made by a responsible officer of the applicant. (Added 14 of 2004 s. 12) (3A) Any report or statutory declaration required to be furnished under subsection (3) must be made at the expense of the applicant. (Added 14 of 2004 s. 12) (4) The Director may waive- (a) the requirements as to manner and form of making the application in subsection (2); or (b) the requirement of a report or statutory declaration under subsection (3), (Amended 14 of 2004 s. 12) in relation to a certification authority, in the circumstances specified in subsection (5). (5) The Director may waive the requirements referred to in subsection (4) only if- (a) the applicant is a certification authority with a status in a place outside Hong Kong comparable to that of a recognized certification authority ("comparable status"); and (b) the competent authority of that place accords to a recognized certification authority a comparable status on the basis of it being a recognized certification authority. 
ELECTRONIC TRANSACTIONS ORDINANCE - SECT 20 Certification authority may apply to Director for recognition VerDate:18/02/2000 PART VII RECOGNITION OF CERTIFICATION AUTHORITIES AND CERTIFICATES BY DIRECTOR (1) A certification authority may apply to the Director to become a recognized certification authority for the purposes of this Ordinance. (2) Subject to subsection (4) and section 21(3), an application under subsection (1) must be made in the prescribed manner and in a form specified by the Director and the applicant must pay the prescribed fee in respect of the application. (3) An applicant must furnish to the Director- (a) the relevant particulars and documents specified under section 30; and (b) a report which- (i) contains an assessment as to whether the applicant is capable of complying with the provisions of this Ordinance applicable to a recognized certification authority and the code of practice; and (ii) is prepared by a person acceptable to the Director as being qualified to give such a report. (4) The Director may waive- (a) the requirements as to manner and form of making the application in subsection (2); or (b) the requirement of a report under subsection (3), in relation to a certification authority, in the circumstances specified in subsection (5). (5) The Director may waive the requirements referred to in subsection (4) only if- (a) the applicant is a certification authority with a status in a place outside Hong Kong comparable to that of a recognized certification authority ("comparable status"); and (b) the competent authority of that place accords to a recognized certification authority a comparable status on the basis of it being a recognized certification authority. ELECTRONIC TRANSACTIONS ORDINANCE - SECT 21 Government Chief Information Officer may on application recognize certification authorities VerDate:01/07/2004 (1) The Government Chief Information Officer may- (Amended L.N. 
131 of 2004) (a) recognize an applicant under section 20 as a recognized certification authority if the Government Chief Information Officer is satisfied that the applicant is suitable for such recognition; or (Amended L.N. 131 of 2004) (b) refuse the application for recognition. (2) The Government Chief Information Officer must give reasons in writing to the applicant for refusing an application under subsection (1)(b). (Amended L.N. 131 of 2004) (3) The Government Chief Information Officer may, in recognizing a certification authority referred to in section 20(4), waive the whole or part of the prescribed fee as the Government Chief Information Officer may decide in relation to a particular case. (Amended L.N. 131 of 2004) (4) In determining whether an applicant is suitable for recognition under subsection (1), the Government Chief Information Officer shall, in addition to any other matter the Government Chief Information Officer considers relevant, take into account the following- (Amended L.N. 131 of 2004) (a) whether the applicant has the appropriate financial status for operating as a recognized certification authority in accordance with this Ordinance and the code of practice; (b) the arrangements put in place or proposed to be put in place by the applicant to cover any liability that may arise from its activities relevant for the purposes of this Ordinance; (c) the system, procedure, security arrangements and standards used or proposed to be used by the applicant to issue certificates to subscribers; (d) any report or statutory declaration furnished by the applicant under section 20(3); (Replaced 14 of 2004 s. 13) (e) whether the applicant and the responsible officers are fit and proper persons; and (f) the reliance limits set or proposed to be set by the applicant for its certificates. 
(5) In determining whether a person referred to in subsection (4)(e) is a fit and proper person, the Government Chief Information Officer shall, in addition to any other matter the Government Chief Information Officer considers relevant, have regard to the following- (Amended L.N. 131 of 2004) (a) the fact that the person has a conviction in Hong Kong or elsewhere for an offence for which it was necessary to find that the person had acted fraudulently, corruptly or dishonestly; (b) the fact that the person has been convicted of an offence against this Ordinance; (c) if the person is an individual, the fact that the person is an undischarged bankrupt or has entered into a composition or a scheme of arrangement or a voluntary arrangement within the meaning of the Bankruptcy Ordinance (Cap 6) within the 5 years preceding the date of the application; and (d) if the person is a body corporate, the fact that the person is in liquidation, is the subject of a winding-up order or there is a receiver appointed in relation to it or it has entered into a composition or a scheme of arrangement or a voluntary arrangement within the meaning of the Bankruptcy Ordinance (Cap 6) within the 5 years preceding the date of the application. (6) In recognizing a certification authority under subsection (1), the Government Chief Information Officer may- (Amended L.N. 131 of 2004) (a) attach conditions to the recognition; or (b) specify a period of validity for the recognition. ELECTRONIC TRANSACTIONS ORDINANCE - SECT 21 Director may on application recognize certification authorities VerDate:30/06/2004 (1) The Director may- (a) recognize an applicant under section 20 as a recognized certification authority if the Director is satisfied that the applicant is suitable for such recognition; or (b) refuse the application for recognition. (2) The Director must give reasons in writing to the applicant for refusing an application under subsection (1)(b). 
(3) The Director may, in recognizing a certification authority referred to in section 20(4), waive the whole or part of the prescribed fee as the Director may decide in relation to a particular case. (4) In determining whether an applicant is suitable for recognition under subsection (1), the Director shall, in addition to any other matter the Director considers relevant, take into account the following- (a) whether the applicant has the appropriate financial status for operating as a recognized certification authority in accordance with this Ordinance and the code of practice; (b) the arrangements put in place or proposed to be put in place by the applicant to cover any liability that may arise from its activities relevant for the purposes of this Ordinance; (c) the system, procedure, security arrangements and standards used or proposed to be used by the applicant to issue certificates to subscribers; (d) any report or statutory declaration furnished by the applicant under section 20(3); (Replaced 14 of 2004 s. 13) (e) whether the applicant and the responsible officers are fit and proper persons; and (f) the reliance limits set or proposed to be set by the applicant for its certificates. 
(5) In determining whether a person referred to in subsection (4)(e) is a fit and proper person, the Director shall, in addition to any other matter the Director considers relevant, have regard to the following- (a) the fact that the person has a conviction in Hong Kong or elsewhere for an offence for which it was necessary to find that the person had acted fraudulently, corruptly or dishonestly; (b) the fact that the person has been convicted of an offence against this Ordinance; (c) if the person is an individual, the fact that the person is an undischarged bankrupt or has entered into a composition or a scheme of arrangement or a voluntary arrangement within the meaning of the Bankruptcy Ordinance (Cap 6) within the 5 years preceding the date of the application; and (d) if the person is a body corporate, the fact that the person is in liquidation, is the subject of a winding-up order or there is a receiver appointed in relation to it or it has entered into a composition or a scheme of arrangement or a voluntary arrangement within the meaning of the Bankruptcy Ordinance (Cap 6) within the 5 years preceding the date of the application. (6) In recognizing a certification authority under subsection (1), the Director may- (a) attach conditions to the recognition; or (b) specify a period of validity for the recognition. ELECTRONIC TRANSACTIONS ORDINANCE - SECT 21 Director may on application recognize certification authorities VerDate:18/02/2000 (1) The Director may- (a) recognize an applicant under section 20 as a recognized certification authority if the Director is satisfied that the applicant is suitable for such recognition; or (b) refuse the application for recognition. (2) The Director must give reasons in writing to the applicant for refusing an application under subsection (1)(b). 
(3) The Director may, in recognizing a certification authority referred to in section 20(4), waive the whole or part of the prescribed fee as the Director may decide in relation to a particular case. (4) In determining whether an applicant is suitable for recognition under subsection (1), the Director shall, in addition to any other matter the Director considers relevant, take into account the following- (a) whether the applicant has the appropriate financial status for operating as a recognized certification authority in accordance with this Ordinance and the code of practice; (b) the arrangements put in place or proposed to be put in place by the applicant to cover any liability that may arise from its activities relevant for the purposes of this Ordinance; (c) the system, procedure, security arrangements and standards used or proposed to be used by the applicant to issue certificates to subscribers; (d) the report referred to in section 20(3)(b) (if applicable); (e) whether the applicant and the responsible officers are fit and proper persons; and (f) the reliance limits set or proposed to be set by the applicant for its certificates. 
(5) In determining whether a person referred to in subsection (4)(e) is a fit and proper person, the Director shall, in addition to any other matter the Director considers relevant, have regard to the following- (a) the fact that the person has a conviction in Hong Kong or elsewhere for an offence for which it was necessary to find that the person had acted fraudulently, corruptly or dishonestly; (b) the fact that the person has been convicted of an offence against this Ordinance; (c) if the person is an individual, the fact that the person is an undischarged bankrupt or has entered into a composition or a scheme of arrangement or a voluntary arrangement within the meaning of the Bankruptcy Ordinance (Cap 6) within the 5 years preceding the date of the application; and (d) if the person is a body corporate, the fact that the person is in liquidation, is the subject of a winding-up order or there is a receiver appointed in relation to it or it has entered into a composition or a scheme of arrangement or a voluntary arrangement within the meaning of the Bankruptcy Ordinance (Cap 6) within the 5 years preceding the date of the application. (6) In recognizing a certification authority under subsection (1), the Director may- (a) attach conditions to the recognition; or (b) specify a period of validity for the recognition. ELECTRONIC TRANSACTIONS ORDINANCE - SECT 22 Government Chief Information Officer may recognize certificates VerDate:01/07/2004 (1) The Government Chief Information Officer may recognize certificates issued by a recognized certification authority as recognized certificates, upon application by that authority. (2) An applicant under subsection (1) must make the application in the prescribed manner and in a form specified by the Government Chief Information Officer and furnish to the Government Chief Information Officer the relevant particulars and documents specified under section 30. 
(3) A recognition under subsection (1) may relate to- (a) all certificates issued by the recognized certification authority; (b) certificates of a type, class or description; or (c) particular certificates. (4) An applicant must pay the prescribed fee (if any) in respect of an application under subsection (1) unless the Government Chief Information Officer waives it in whole or in part. (5) In recognizing certificates under this section, the Government Chief Information Officer shall in addition to any other matter the Government Chief Information Officer considers relevant take into account the following- (Amended L.N. 131 of 2004) (a) whether the certificates are issued in accordance with the certification practice statement; (b) whether the certificates are issued in accordance with the code of practice; (c) the reliance limit set or proposed to be set for that type, class or description or the particular certificate, as the case may require; and (d) the arrangements put in place or proposed to be put in place by the certification authority to cover any liability that may arise from the issue of that type, class or description or the particular certificate, as the case may be. (6) The Government Chief Information Officer may refuse an application under subsection (1). (7) The Government Chief Information Officer must give reasons in writing to the applicant for refusing an application under subsection (6). (8) The Government Chief Information Officer may specify a period of validity for a recognition under this section. (9) The Government Chief Information Officer may upon application renew a recognition under this section. (10) Subsections (2), (3), (4), (5), (6), (7) and (8) apply to a renewal under subsection (9) as they apply to an application for recognition, subject to necessary modifications. (Amended 14 of 2004 s. 14) (Amended L.N. 
131 of 2004) ELECTRONIC TRANSACTIONS ORDINANCE - SECT 22 Director may recognize certificates VerDate:30/06/2004 (1) The Director may recognize certificates issued by a recognized certification authority as recognized certificates, upon application by that authority. (2) An applicant under subsection (1) must make the application in the prescribed manner and in a form specified by the Director and furnish to the Director the relevant particulars and documents specified under section 30. (3) A recognition under subsection (1) may relate to- (a) all certificates issued by the recognized certification authority; (b) certificates of a type, class or description; or (c) particular certificates. (4) An applicant must pay the prescribed fee (if any) in respect of an application under subsection (1) unless the Director waives it in whole or in part. (5) In recognizing certificates under this section, the Director shall in addition to any other matter the Director considers relevant take into account the following- (a) whether the certificates are issued in accordance with the certification practice statement; (b) whether the certificates are issued in accordance with the code of practice; (c) the reliance limit set or proposed to be set for that type, class or description or the particular certificate, as the case may require; and (d) the arrangements put in place or proposed to be put in place by the certification authority to cover any liability that may arise from the issue of that type, class or description or the particular certificate, as the case may be. (6) The Director may refuse an application under subsection (1). (7) The Director must give reasons in writing to the applicant for refusing an application under subsection (6). (8) The Director may specify a period of validity for a recognition under this section. (9) The Director may upon application renew a recognition under this section. 
(10) Subsections (2), (3), (4), (5), (6), (7) and (8) apply to a renewal under subsection (9) as they apply to an application for recognition, subject to necessary modifications. (Amended 14 of 2004 s. 14) ELECTRONIC TRANSACTIONS ORDINANCE - SECT 22 Director may recognize certificates VerDate:18/02/2000 (1) The Director may recognize certificates issued by a recognized certification authority as recognized certificates, upon application by that authority. (2) An applicant under subsection (1) must make the application in the prescribed manner and in a form specified by the Director and furnish to the Director the relevant particulars and documents specified under section 30. (3) A recognition under subsection (1) may relate to- (a) all certificates issued by the recognized certification authority; (b) certificates of a type, class or description; or (c) particular certificates. (4) An applicant must pay the prescribed fee (if any) in respect of an application under subsection (1) unless the Director waives it in whole or in part. (5) In recognizing certificates under this section, the Director shall in addition to any other matter the Director considers relevant take into account the following- (a) whether the certificates are issued in accordance with the certification practice statement; (b) whether the certificates are issued in accordance with the code of practice; (c) the reliance limit set or proposed to be set for that type, class or description or the particular certificate, as the case may require; and (d) the arrangements put in place or proposed to be put in place by the certification authority to cover any liability that may arise from the issue of that type, class or description or the particular certificate, as the case may be. (6) The Director may refuse an application under subsection (1). (7) The Director must give reasons in writing to the applicant for refusing an application under subsection (6). 
(8) The Director may specify a period of validity for a recognition under this section. (9) The Director may upon application renew a recognition under this section. (10) Subsections (2), (3), (4), (5), (6), (7) and (8) apply to a renewal under subsection (9), subject to necessary modifications. ELECTRONIC TRANSACTIONS ORDINANCE - SECT 23 Government Chief Information Officer may revoke recognition VerDate:01/07/2004 (1) The Government Chief Information Officer may revoke a recognition granted under section 21 or 22 or renewed under section 22 or 27. (2) Before revoking a recognition, the Government Chief Information Officer must give the certification authority a notice of intention to revoke the recognition specifying the reasons for the intended revocation. (3) In a notice under subsection (2), the Government Chief Information Officer must invite the certification authority to make representations as to why the recognition should not be revoked and specify a period for making the representations. (4) If the Government Chief Information Officer decides to revoke a recognition, the Government Chief Information Officer must immediately give the certification authority notice in writing of the decision specifying the reasons for the decision and the date on which the decision was made. (5) A revocation of recognition in relation to certificates may relate to all certificates issued by a recognized certification authority or to a type, class or description of certificates or a particular certificate. (6) Subject to subsection (7), a revocation takes effect on the expiry of 7 days from the date on which the decision to revoke the recognition is made. (7) If the certification authority appeals under section 28 against the revocation, the revocation does not take effect until the expiry of 7 days from the date on which the Secretary confirms the revocation on appeal. (Amended L.N. 
131 of 2004) ELECTRONIC TRANSACTIONS ORDINANCE - SECT 23 Director may revoke recognition VerDate:18/02/2000 (1) The Director may revoke a recognition granted under section 21 or 22 or renewed under section 22 or 27. (2) Before revoking a recognition, the Director must give the certification authority a notice of intention to revoke the recognition specifying the reasons for the intended revocation. (3) In a notice under subsection (2), the Director must invite the certification authority to make representations as to why the recognition should not be revoked and specify a period for making the representations. (4) If the Director decides to revoke a recognition, the Director must immediately give the certification authority notice in writing of the decision specifying the reasons for the decision and the date on which the decision was made. (5) A revocation of recognition in relation to certificates may relate to all certificates issued by a recognized certification authority or to a type, class or description of certificates or a particular certificate. (6) Subject to subsection (7), a revocation takes effect on the expiry of 7 days from the date on which the decision to revoke the recognition is made. (7) If the certification authority appeals under section 28 against the revocation, the revocation does not take effect until the expiry of 7 days from the date on which the Secretary confirms the revocation on appeal. ELECTRONIC TRANSACTIONS ORDINANCE - SECT 24 Government Chief Information Officer may suspend recognition VerDate:01/07/2004 (1) The Government Chief Information Officer may suspend a recognition granted under section 21 or 22 or renewed under section 22 or 27 for a period not exceeding 14 days. (Amended L.N. 
131 of 2004) (2) If the Government Chief Information Officer decides to suspend a recognition, the Government Chief Information Officer must immediately give the certification authority notice in writing of the decision specifying the reasons for the decision and the date on which the decision was made. (Amended L.N. 131 of 2004) (3) A suspension of recognition in relation to certificates may relate to all certificates issued by a recognized certification authority or to a type, class or description of certificates or a particular certificate. (4) Subject to subsection (5), a suspension takes effect on the expiry of 7 days from the date on which the decision to suspend the recognition is made. (5) If the certification authority appeals under section 28 against the suspension, the suspension does not take effect until the expiry of 7 days from the date on which the Secretary confirms the suspension on appeal. (6) If the period of suspension expires during the validity of a recognition and the recognition is not revoked, the recognition is taken to be reinstated. ELECTRONIC TRANSACTIONS ORDINANCE - SECT 24 Director may suspend recognition VerDate:18/02/2000 (1) The Director may suspend a recognition granted under section 21 or 22 or renewed under section 22 or 27 for a period not exceeding 14 days. (2) If the Director decides to suspend a recognition, the Director must immediately give the certification authority notice in writing of the decision specifying the reasons for the decision and the date on which the decision was made. (3) A suspension of recognition in relation to certificates may relate to all certificates issued by a recognized certification authority or to a type, class or description of certificates or a particular certificate. (4) Subject to subsection (5), a suspension takes effect on the expiry of 7 days from the date on which the decision to suspend the recognition is made. 
(5) If the certification authority appeals under section 28 against the suspension, the suspension does not take effect until the expiry of 7 days from the date on which the Secretary confirms the suspension on appeal. (6) If the period of suspension expires during the validity of a recognition and the recognition is not revoked, the recognition is taken to be reinstated. ELECTRONIC TRANSACTIONS ORDINANCE - SECT 25 Matters Government Chief Information Officer may take into account in revoking or suspending a recognition VerDate:01/07/2004 The Government Chief Information Officer may, in revoking or suspending a recognition under section 23 or 24, in addition to any other matter that the Government Chief Information Officer considers relevant, take into account the following- (Amended L.N. 131 of 2004) (a) any matter set out in section 21(4); (b) whether the certification authority has failed- (i) to operate in accordance with the certification practice statement; (ii) to comply with the code of practice; (iii) to use a trustworthy system; or (iv) to comply with any provision of this Ordinance; and (c) any report or statutory declaration furnished by the certification authority under section 43(1) or 43A(1). (Replaced 14 of 2004 s. 15) ELECTRONIC TRANSACTIONS ORDINANCE - SECT 25 Matters Director may take into account in revoking or suspending a recognition VerDate:30/06/2004 The Director may, in revoking or suspending a recognition under section 23 or 24, in addition to any other matter that the Director considers relevant, take into account the following- (a) any matter set out in section 21(4); (b) whether the certification authority has failed- (i) to operate in accordance with the certification practice statement; (ii) to comply with the code of practice; (iii) to use a trustworthy system; or (iv) to comply with any provision of this Ordinance; and (c) any report or statutory declaration furnished by the certification authority under section 43(1) or 43A(1). 
(Replaced 14 of 2004 s. 15) ELECTRONIC TRANSACTIONS ORDINANCE - SECT 25 Matters Director may take into account in revoking or suspending a recognition VerDate:18/02/2000 The Director may, in revoking or suspending a recognition under section 23 or 24, in addition to any other matter that the Director considers relevant, take into account the following- (a) any matter set out in section 21(4); (b) whether the certification authority has failed- (i) to operate in accordance with the certification practice statement; (ii) to comply with the code of practice; (iii) to use a trustworthy system; or (iv) to comply with any provision of this Ordinance; and (c) the relevant report furnished under section 43. ELECTRONIC TRANSACTIONS ORDINANCE - SECT 26 Effect of revocation, suspension of recognition or expiry of validity of recognized certificate VerDate:18/02/2000 (1) Where the revocation or suspension of a recognition of a certification authority has taken effect or the period of validity of a recognition specified under section 21(6)(b) has expired, the provisions of this Ordinance relating to- (a) a recognized certification authority do not apply to that certification authority; (b) recognized certificates issued by a recognized certification authority do not apply to the certificates issued by that certification authority; and (c) digital signatures supported by a recognized certificate issued by a recognized certification authority do not apply to the digital signatures supported by the certificates issued by that certification authority. 
(2) Where the revocation or suspension of the recognition of a recognized certificate has taken effect, the provisions of this Ordinance relating to a recognized certificate or digital signatures supported by a recognized certificate do not apply to- (a) the certificate of which the recognition is revoked or suspended; (b) any certificate of the type, class or description of certificate the recognition of which is revoked or suspended; (c) digital signatures supported by that certificate or a certificate of that type, class or description, as the case may be. (3) Where the validity of a recognized certificate or the period of validity of a recognition specified under section 22(8) has expired, the provisions of this Ordinance relating to recognized certificates issued by a recognized certification authority and digital signatures supported by a recognized certificate issued by a recognized certification authority do not apply to the certificate and the digital signatures supported by the certificate. (4) The revocation or suspension of the recognition of a certification authority does not affect the valid use of a recognized certificate issued by that certification authority before the revocation or suspension took effect or after the reinstatement of the recognition. (5) The revocation or suspension of the recognition of a certificate does not affect the valid use of the certificate concerned before the revocation or suspension took effect or after the reinstatement of the recognition. (6) The expiry of the period of validity of the recognition of a certificate specified under section 22(8) or the expiry of the period of validity of a recognized certificate does not affect the valid use of the certificate concerned before the expiry of the period of validity of the recognition or the certificate, as the case may be. 
(7) The expiry of the period of validity of the recognition of a certification authority specified under section 21(6)(b) does not affect the valid use of a recognized certificate issued by that certification authority during the period of validity of its recognition. ELECTRONIC TRANSACTIONS ORDINANCE - SECT 27 Government Chief Information Officer may renew recognition of certification authority VerDate:01/07/2004 (1) A certification authority recognized under section 21 may apply to the Government Chief Information Officer for renewal of a recognition. (2) An application for renewal must be made at least 30 days before but not earlier than 60 days before the expiry of the period of validity of the recognition. (3) An application for renewal must be sent to the Government Chief Information Officer as an electronic record or delivered by hand to the Government Chief Information Officer or left at the office of the Government Chief Information Officer during the ordinary business hours of that office. (4) Subject to subsections (2), (3) and (6), an application for renewal must be made in the prescribed manner and in a form specified by the Government Chief Information Officer. (Amended 14 of 2004 s. 16) (5) Subject to subsection (6), an applicant must pay the prescribed fee in respect of an application for renewal. (5A) An applicant must furnish to the Government Chief Information Officer- (Amended L.N. 
131 of 2004) (a) the relevant particulars and documents specified under section 30; (b) a report which- (i) contains an assessment as to whether the applicant is and is capable of complying with such provisions of this Ordinance and of the code of practice as are specified in the code of practice for the purposes of this subparagraph; and (ii) is made by a person approved by the Government Chief Information Officer as being qualified to make such a report; and (c) a statutory declaration which- (i) states whether the applicant is and is capable of complying with such provisions of this Ordinance and of the code of practice as are specified in the code of practice for the purposes of this subparagraph; and (ii) is made by a responsible officer of the applicant. (Added 14 of 2004 s. 16) (5B) Any report or statutory declaration required to be furnished under subsection (5A) must be made at the expense of the applicant. (Added 14 of 2004 s. 16) (6) The Government Chief Information Officer may, in the circumstances specified in section 20(5), waive the requirements in subsection (4) or (5A) or the whole or part of the prescribed fee as the Government Chief Information Officer may decide in relation to a particular case. (Amended 14 of 2004 s. 16) (6A) In determining an application for renewal, the Government Chief Information Officer shall, in addition to any other matter the Government Chief Information Officer considers relevant, take into account- (Amended L.N. 131 of 2004) (a) any matter set out in section 21(4)(a), (b), (c), (e) or (f) which applies to the application for renewal as it applies to an application for recognition, subject to necessary modifications; and (b) any report or statutory declaration furnished by the applicant under subsection (5A). (Added 14 of 2004 s.
16) (6B) Where- (a) an applicant has furnished to the Government Chief Information Officer a report for the purpose of complying with the requirements referred to in section 43(1)(a) or 43A(1)(c); and (b) the Government Chief Information Officer considers that had the report been furnished for the purpose of complying with the requirements referred to in subsection (5A)(b), it would have satisfied those requirements, the Government Chief Information Officer may accept the report, and the report shall, for all purposes, be regarded as a report that is furnished under subsection (5A)(b) and that satisfies the requirements referred to in that subsection. (Added 14 of 2004 s. 16) (6C) Where- (a) an applicant has furnished to the Government Chief Information Officer a statutory declaration for the purpose of complying with the requirements referred to in section 43(1)(b) or 43A(1)(d); and (b) the Government Chief Information Officer considers that had the statutory declaration been furnished for the purpose of complying with the requirements referred to in subsection (5A)(c), it would have satisfied those requirements, the Government Chief Information Officer may accept the statutory declaration, and the statutory declaration shall, for all purposes, be regarded as a statutory declaration that is furnished under subsection (5A)(c) and that satisfies the requirements referred to in that subsection. (Added 14 of 2004 s. 16) (7) In renewing the recognition of a certification authority, the Government Chief Information Officer may- (Amended L.N. 131 of 2004) (a) attach conditions to the renewal of the recognition; or (b) specify a period of validity for the renewed recognition. (Replaced 14 of 2004 s. 16) (Amended L.N. 131 of 2004) ELECTRONIC TRANSACTIONS ORDINANCE - SECT 27 Director may renew recognition of certification authority Ve