System-level security measures and stringent protocols ensure user privacy and data security for Mandatory Provident Fund (MPF) members when they use the centralized eMPF electronic platform, the head of the Mandatory Provident Fund Schemes Authority said Sunday.
Ayesha Macpherson Lau, MPFA chair, said all user data migrated to the eMPF Platform is stored in servers located in Hong Kong, protected by high-level security measures in accordance with the Personal Data (Privacy) Ordinance.
She also said that all critical data on the platform, including personal information, is protected by multiple layers of encryption. Data replication in any form is strictly prohibited.
The eMPF is now in the final phase of onboarding, with the four largest MPF trustees--AIA, Sun Life, Manulife and HSBC--joining eMPF one after the other.
MPF members will be able to handle their contributions, changes to their investment portfolios and the withdrawal of benefits through the centralized platform.
It is estimated that the eMPF will be able to achieve an average administrative fee reduction of 36 percent in the first two years and a reduction of 41-55 percent within a decade, benefitting over 10 million member accounts.
To ensure that the system meets the highest security standards, the eMPF project team regularly engages independent third parties to conduct risk assessments and audit checks, Lau said.
These measures facilitate timely enhancements and updates to prevent cyberattacks and data breaches, she added.
Lau said the eMPF is also equipped with a 24-hour network-monitoring system capable of detecting and intercepting cyberattacks in real time.
In the event of an emergency, contingency infrastructure and backup data are in place to restore system operations within the shortest possible time, she added.
Lau said the eMPF enforces stringent protocols for the protection of personal data, including clearly defined access controls and supervisory arrangements.
Only validly authorized dedicated personnel are permitted to access designated case-related data, and solely for the purpose of executing user administrative instructions, she said.
She added that this access is restricted to the secured area of the eMPF Administration Office, utilizing encrypted systems connected to servers based in Hong Kong.
And since the eMPF processes data from all MPF accounts across Hong Kong, the project team has conducted multiple stress tests since the system’s early development phase, Lau said.
Following guidelines issued by the Digital Policy Office of the SAR government, the project team has continuously optimized system performance, she added.