Info Center

MPFA Chairman Mrs Ayesha Macpherson Lau published her blog post today (28 September), highlighting that the eMPF Platform (eMPF) project team prioritizes user privacy and data security above all else. This commitment has been embedded in every stage of the design, development and operation of the eMPF. The architecture of the eMPF was developed with comprehensive consideration for information security requirements. 

Mrs Lau reiterated that the project team has implemented multi-layered security measures in accordance with Government policies on the storage and handling of confidential data, with reference to international information security standards and best practices. All user data migrated to the eMPF is stored in servers located in Hong Kong, protected by high-level security measures. These arrangements fully comply with the Personal Data (Privacy) Ordinance.

She stated that all critical data on the platform, including personal information, is protected by multiple layers of encryption. The project team regularly engages independent third parties to conduct risk assessments and audit checks to ensure that the system’s design and implementation meet the highest security standards. These measures facilitate timely enhancements and updates to prevent cyberattacks and data breaches.

Additionally, the eMPF is equipped with a 24-hour network-monitoring system capable of detecting and intercepting cyberattacks in real time. In the event of an emergency, contingency infrastructure and backup data are in place to restore system operations within the shortest possible time, thereby safeguarding user interests.

In addition to system-level security measures, the eMPF enforces stringent protocols for the protection of personal data. These include clearly defined access controls and supervisory arrangements. Only dedicated personnel with valid authorization are permitted to access designated case-related data, solely for the purpose of executing user administrative instructions. This access is restricted to the secured area of the eMPF Administration Office, utilizing encrypted systems connected to servers based in Hong Kong. Data replication in any form is strictly prohibited. This operational model is aligned with prevailing industry practices.

Mrs Lau further explained that since the eMPF processes data from all MPF accounts across Hong Kong, the project team has conducted multiple rounds of stress testing since the system’s early development phase. Following guidelines issued by the Digital Policy Office of the Government, the project team has continuously optimized system performance.

To ensure the stable operation of the eMPF, the project team adopted a phased onboarding strategy. Trustees with smaller MPF assets under management onboarded first, followed gradually by those with larger MPF assets under management. This approach has helped mitigate system load and provide the project team with additional time to monitor the platform’s performance and make necessary adjustments. Furthermore, since the data migrated to the eMPF has been standardized, the processing methodology remains largely consistent regardless of data volume. This consistency enhances operational efficiency and significantly reduces the risk of errors.

For the full version of the article, please visit the MPFA blog. The blog is available in Chinese only.

－Ends－
28 September 2025