In a blog post, the Hong Kong Mandatory Provident Fund Schemes Authority’s chair set out how the eMPF Platform has been designed and developed, and is operated, with user privacy and data security as a priority. The post describes a multi-layer security approach that is aligned with Government policies on handling confidential data and references international information security standards and best practices. All user data migrated to eMPF is stored on servers located in Hong Kong, and the arrangements are described as fully compliant with the Personal Data (Privacy) Ordinance. Critical data, including personal information, is protected by multiple layers of encryption, supported by independent third-party risk assessments and audit checks, and a 24-hour network monitoring system intended to detect and intercept cyberattacks in real time. The post also describes contingency infrastructure and backup data to restore operations quickly in an emergency, strict access controls limiting case-related data access to authorised personnel in a secured administration office environment, and a prohibition on data replication. Separately, the project team reports multiple rounds of stress testing and ongoing performance optimisation following Digital Policy Office guidelines, supported by phased onboarding of trustees, from smaller to larger assets under management, to manage system load and enable monitoring and adjustments.