Understanding the Security Features of Hong Kong’s Digital Tax Filing Platform
Key Facts
- Authentication Methods: iAM Smart/iAM Smart+ digital authentication, TIN + password, or digital certificate
- Data Encryption: TLS/SSL encryption protocols for all data transmission
- Legal Compliance: Full adherence to Personal Data (Privacy) Ordinance (PDPO)
- Multi-Factor Authentication: Available through iAM Smart+ with digital signing capabilities
- Session Security: Automatic timeout protocols and secure session management
- Audit Trail: Complete tracking of all submissions and transactions
- Record Retention: 7-year minimum retention period as mandated by Section 51C of the IRO
- Platform Users: Over 3.1 million iAM Smart registrations as of December 2024
- Regular Updates: Continuous security enhancements aligned with international best practices
Introduction
In an era where cybersecurity threats are increasingly sophisticated, the Hong Kong Inland Revenue Department (IRD) has established a comprehensive security framework for its digital tax filing platform, eTAX. As Hong Kong continues its digital transformation journey, protecting taxpayer data has become paramount. The eTAX system serves as a cornerstone of Hong Kong’s digital government services, processing sensitive financial information for millions of taxpayers annually.
This article provides an in-depth examination of the security features, protocols, and compliance measures that safeguard Hong Kong’s digital tax filing ecosystem. From authentication mechanisms to data encryption standards, we explore how the IRD ensures that taxpayer information remains confidential, accurate, and secure throughout the entire tax filing process.
The Evolution of Hong Kong’s Digital Tax Platform
The eTAX platform has undergone significant transformation since its inception. The most recent updates introduced in late 2024 and early 2025 have made the platform more user-friendly, secure, and comprehensive. The 2025 portal is now fully mobile-responsive and supports login via iAM Smart/iAM Smart+, enabling taxpayers to file returns conveniently on mobile devices while maintaining robust security standards.
A significant milestone occurred on 21 July 2025, when the Individual Tax Portal (ITP) replaced the traditional eTAX Account system. This transition represents a fundamental shift in how Hong Kong taxpayers access digital tax services, with enhanced security features integrated throughout the platform. Individuals who held eTAX Accounts before this date can continue to log in to the ITP using their Tax Identification Number (TIN) and password, ensuring a seamless transition with no disruption to existing users.
Authentication and Access Control
iAM Smart and iAM Smart+ Integration
The iAM Smart platform, launched in December 2020, serves as the government’s one-stop personalised digital services platform. As of December 2024, the platform has accumulated over 3.1 million registrations and provides access to approximately 460 government, public, and private online services. The integration of iAM Smart with the eTAX system represents a significant advancement in taxpayer authentication security.
The platform is available in two distinct versions, each offering different levels of functionality:
| Feature | iAM Smart | iAM Smart+ |
|---|---|---|
| Authentication | Yes | Yes |
| e-ME Form Filling | Yes | Yes |
| Personal Assistant Functions | Yes | Yes |
| Digital Signing | No | Yes |
| Tax Return Digital Signature | No | Yes |
| Eligibility | HKID holders aged 11+ | HKID holders aged 11+ |
The digital signing function available in iAM Smart+ is particularly significant for tax compliance. The IRD actively encourages taxpayers to use iAM Smart to log in and digitally sign their tax returns, eliminating the need for physical signatures while maintaining legally binding authentication. This digital signing capability uses cryptographic technologies that ensure non-repudiation, meaning the taxpayer cannot later deny having submitted the return.
Multiple Authentication Options
Recognizing that users have varying levels of technological adoption and preferences, the eTAX platform provides three distinct authentication methods:
- iAM Smart/iAM Smart+: Users can log in seamlessly without entering their TIN or password, using their mobile device for biometric or PIN-based authentication
- TIN + Password: Traditional login method using Tax Identification Number and a user-created password
- Digital Certificate: Personal digital certificates issued by authorized certification authorities, providing PKI-based authentication
This multi-modal approach ensures accessibility while maintaining security standards appropriate to each authentication method’s inherent strength.
iAM Smart 4.0 Enhancements (December 2024)
In December 2024, the government launched iAM Smart 4.0, introducing significant improvements to user experience and accessibility. The updated interface features thematic pages and a Featured Services page, with commonly used services such as eTAX, Contactless e-Channel, and SmartPLAY prominently displayed for direct access.
A particularly noteworthy addition is the “lite” mode, designed specifically to enable elderly people and users with accessibility needs to use the application more conveniently. This inclusive design approach ensures that digital tax services remain accessible to all segments of Hong Kong’s population, regardless of technical proficiency or physical limitations.
Data Encryption and Transmission Security
TLS/SSL Encryption Standards
All data transmitted between users and the eTAX platform is protected using Transport Layer Security (TLS) encryption, the successor to the older Secure Sockets Layer (SSL) protocol. TLS provides enhanced security and encryption capabilities compared to its predecessor, offering better protection against modern cyber threats.
The official eTAX platform is accessible only through verified channels, with users strongly advised to access the system exclusively via GovHK or the IRD’s official website, or by typing the URL https://www.gov.hk/etax directly in the browser address bar. This guidance helps prevent phishing attacks and ensures users connect to the legitimate platform.
Advanced Encryption for Data Exchange
In November 2024, the IRD released an updated version of the encryption tool on the Automatic Exchange of Information (AEOI) portal. Reporting financial institutions are now required to use this enhanced version for encrypting data files, demonstrating the IRD’s commitment to staying current with cryptographic best practices.
The encryption protocols ensure that sensitive financial data remains protected throughout its lifecycle, from initial transmission to storage and eventual archival. Even if data is intercepted during transmission, the encryption renders it unreadable to unauthorized parties.
Session Security and Timeout Protocols
The eTAX platform implements automatic session timeout mechanisms to protect against unauthorized access when users leave their devices unattended. While specific timeout durations are not publicly disclosed for security reasons, the system is designed to balance user convenience with security requirements.
When a session expires, users must re-authenticate to continue their activities, preventing potential unauthorized access if a user forgets to log out. This feature is particularly important when accessing the platform from public terminals or shared computers, though the IRD explicitly advises against conducting tax transactions from such locations.
Legal and Regulatory Compliance
Personal Data (Privacy) Ordinance (PDPO) Compliance
The Personal Data (Privacy) Ordinance, enacted in 1995 and effective since December 1996, represents one of Asia’s longest-standing comprehensive data protection laws. The eTAX platform operates in full compliance with the PDPO, which applies to both private and public sectors and is technology-neutral and principle-based.
The PDPO is structured around six core data protection principles that govern how the IRD handles taxpayer information:
| Principle | Application to eTAX |
|---|---|
| Purpose and Manner of Collection | Personal data collected through eTAX is limited to information necessary for tax assessment and administration purposes |
| Accuracy and Retention Duration | Data is verified for accuracy and retained only for the legally required period (minimum 7 years) |
| Use of Personal Data | Taxpayer data is used exclusively for tax-related purposes unless otherwise authorized by law |
| Security of Personal Data | Robust technical and organizational measures protect data from unauthorized access, processing, or loss |
| Information Availability | Taxpayers are informed about data collection purposes and their rights through privacy statements |
| Data Access Rights | Taxpayers can access and request correction of their personal data held by the IRD |
Exemptions Under Tax Law
The PDPO provides specific exemptions relevant to tax administration. When the use of personal data is required or authorized by law or court order, or is necessary for exercising or defending legal rights in Hong Kong, certain compliance requirements may be exempted. This enables the IRD to fulfill its statutory obligations under the Inland Revenue Ordinance while respecting privacy rights to the maximum extent possible.
Future Regulatory Developments
At the Legislative Council Panel on Constitutional Affairs held on 19 February 2024, the Privacy Commissioner reported that the Office of the Privacy Commissioner for Personal Data was working with the Government to review the PDPO to strengthen personal data protection in Hong Kong. Proposed amendments include the introduction of a mandatory data breach notification mechanism, requirements for companies to devise data retention policies, and implementation of administrative fines.
However, these amendments have been put on hold due to concerns over the economic pressure they may exert on small or nano businesses. The Government is considering introducing the amendments through a piecemeal approach to reduce the impact on local businesses. When implemented, these changes will further enhance the privacy protections available to eTAX users.
Institutional Security Framework
Multi-Layered Security Governance
The IRD has established a comprehensive security governance framework that extends beyond mere technical controls. The department adheres fully to the Government’s established security regulations and guidelines, as well as international best practices in data protection. Beyond basic compliance, the IRD has implemented robust self-monitoring mechanisms and a continuous improvement process for IT security management, ensuring adaptability to the constantly evolving cybersecurity landscape.
Independent Security Reviews and Audits
The IRD’s systems undergo regular and rigorous review by multiple stakeholders to ensure comprehensive security assurance:
- Digital Policy Office (DPO): Provides oversight on digital governance and security policy compliance
- Cyber Security and Technology Crime Bureau (CSTCB): Part of the Hong Kong Police Force, the CSTCB regularly provides information on potential cybersecurity threats to IRD systems and assists in deploying sufficient protection measures to mitigate risks
- Audit Commission: Conducts independent reviews to ensure system robustness and security controls are effective
- Independent Security Professionals: External security assessment and audit professionals are engaged to identify vulnerabilities and recommend improvements from an objective perspective
This collaborative effort among government agencies and independent experts ensures that the IRD remains vigilant and proactive in addressing emerging risks. The DPO and CSTCB play particularly vital roles by regularly monitoring the threat landscape and providing early warning of potential vulnerabilities specific to government systems.
International Standards Alignment
As a member of the international community and a global financial center, Hong Kong adheres to global standards set by influential organizations such as the Organisation for Economic Co-operation and Development (OECD). The IRD works to ensure that its policies and practices align with these international frameworks, particularly in areas such as data security and information exchange between jurisdictions. This alignment reinforces the IRD’s credibility and ensures it is well-equipped to handle cross-border data protection challenges in an increasingly interconnected global economy.
Audit Trails and Transaction Logging
Comprehensive Activity Tracking
The eTAX platform maintains complete audit trails for all submissions and transactions. Every action performed within the system is logged with relevant metadata including timestamps, user identification, IP addresses, and transaction details. This comprehensive logging serves multiple purposes:
- Accountability: Ensures that all actions can be traced to specific users, preventing unauthorized modifications and supporting investigation of any irregularities
- Non-repudiation: Creates an irrefutable record that users cannot later deny having performed specific actions or submitted particular returns
- Fraud Detection: Enables identification of unusual patterns or suspicious activities that may indicate fraudulent behavior
- Compliance Verification: Provides evidence that the IRD and taxpayers have fulfilled their respective obligations under the Inland Revenue Ordinance
- Dispute Resolution: Offers a definitive record that can resolve disputes about submission timing, content, or authenticity
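As an added illustration of the fraud-detection use of such logs (example code written for this article, not IRD software): a small Python pass over constructed audit records in an assumed pipe-separated layout modelled on the metadata listed above (timestamp, action, user, IP address, session). It flags one IP address logging in as many distinct taxpayers within a short window and return submissions whose session never recorded a successful login.

```python
"""Fraud-detection checks over constructed eTAX-style audit records.

Added example, not IRD code. The record layout (timestamp|action|user=|ip=|session=)
is an assumption modelled on the audit metadata the article lists.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: four different taxpayers logging in from one IP within
# minutes, and one return submitted in a session with no recorded login.
SAMPLE_LOG = """\
2025-07-21T09:00:01|login_ok|user=U1001|ip=203.0.113.10|session=s1
2025-07-21T09:04:20|submit_return|user=U1001|ip=203.0.113.10|session=s1
2025-07-21T09:10:00|login_ok|user=U2002|ip=198.51.100.7|session=s2
2025-07-21T09:11:00|login_ok|user=U2003|ip=198.51.100.7|session=s3
2025-07-21T09:12:00|login_ok|user=U2004|ip=198.51.100.7|session=s4
2025-07-21T09:13:00|login_ok|user=U2005|ip=198.51.100.7|session=s5
2025-07-21T09:13:30|submit_return|user=U2005|ip=198.51.100.7|session=s5
2025-07-21T09:20:00|submit_return|user=U3003|ip=192.0.2.55|session=s9
"""


def parse_record(line):
    """Parse one audit line into a dict; raise ValueError on a malformed line."""
    parts = line.strip().split("|")
    if len(parts) != 5:
        raise ValueError(f"malformed audit record: {line!r}")
    record = {"ts": datetime.fromisoformat(parts[0]), "action": parts[1]}
    for field in parts[2:]:
        key, _, value = field.partition("=")
        record[key] = value
    return record


def parse_log(text):
    """Parse every non-empty line of an audit log."""
    return [parse_record(line) for line in text.splitlines() if line.strip()]


def shared_ip_logins(records, window=timedelta(minutes=15), min_users=3):
    """Return (ip, users) for IPs from which >= min_users distinct taxpayers
    logged in within `window`; a pattern worth analyst review."""
    by_ip = defaultdict(list)
    for r in records:
        if r["action"] == "login_ok":
            by_ip[r["ip"]].append((r["ts"], r["user"]))
    findings = []
    for ip, events in by_ip.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            users = {u for t, u in events[i:] if t - t0 <= window}
            if len(users) >= min_users:
                findings.append((ip, sorted(users)))
                break  # one finding per IP is enough
    return findings


def submissions_without_login(records):
    """Return (user, session) for return submissions whose session has no
    successful login on record: a gap in the audit trail, or a bypass."""
    logged_in = {r["session"] for r in records if r["action"] == "login_ok"}
    return [(r["user"], r["session"]) for r in records
            if r["action"] == "submit_return" and r["session"] not in logged_in]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for ip, users in shared_ip_logins(recs):
        print(f"shared IP {ip}: {len(users)} distinct taxpayers {users}")
    for user, session in submissions_without_login(recs):
        print(f"submission without login: user={user} session={session}")
```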
MyGovHK Integration for Transaction Authorization
For users who have linked their MyGovHK account with the eTAX service, the MyGovHK account password can be used as a means of authorizing and signing transactions lodged through eTAX as approved by the Commissioner of Inland Revenue. This integration provides an additional layer of verification while maintaining the convenience of a unified government services platform.
Record Retention and Data Management
The Seven-Year Retention Requirement
Section 51C of the Inland Revenue Ordinance (IRO) stipulates that every person carrying on a business in Hong Kong shall keep records of their income and expenditure for not less than seven years. This requirement extends to all tax-related documents and records, whether maintained in physical or electronic format.
The IRO requires every person carrying on a trade, profession, or business in Hong Kong to keep sufficient records for a period of not less than 7 years after the completion of the transactions, acts, or operations to which those records relate, to enable assessable profits to be readily ascertained. This comprehensive retention requirement ensures that the IRD can obtain necessary information when conducting tax audits to make accurate tax assessments.
Extended Retention for Loss Carry-Forward
The seven-year rule has important implications for businesses with tax losses. Under Hong Kong’s tax regime, losses of an enterprise can offset its profits in future years without any time limit. If an enterprise has assessable profits in a year of assessment but is still in an overall loss position after deducting losses brought forward from previous years, the enterprise is not required to pay tax for that particular year until the losses are fully set off.
Consequently, taxpayers should keep business records of those relevant years of assessment until seven years after the end of the year in which the losses have been fully set off. Therefore, there may be cases where record keeping spans a period significantly longer than the basic seven-year requirement.
Electronic Record Keeping
Businesses are permitted to use electronic recordkeeping systems, reflecting the modern reality of digital business operations. However, source documents such as cheque stubs, invoices, bank deposit slips, and statements must still be retained to substantiate income and expenditure.
Electronic records must remain readable, retrievable, and complete for the required retention period. This necessitates storing them in stable formats such as PDF or XML and using platforms that allow retrieval of full copies if needed during an audit or inspection. Retaining images of original documents on CD-ROMs, DVD-ROMs, or USB drives is acceptable as an alternative to keeping physical documents, provided they meet the readability and retrievability requirements.
Penalties for Non-Compliance
Failure to comply with record retention requirements without reasonable excuse may result in a maximum fine of HK$100,000. Moreover, if documents cannot be produced during a tax review or investigation, the IRD may disallow certain deductions or reassess tax liabilities, potentially leading to a higher tax burden.
The absence of sufficient records may prompt the IRD to assess tax based on alternatives to these records. These alternatives may, for example, be based on changes in the value of the taxpayer’s assets, bank deposits, or profiles of comparable businesses. Such alternative assessments are often unfavorable to taxpayers, making proper record retention not just a legal obligation but a financial necessity.
User Security Best Practices
IRD-Recommended Security Measures
While the eTAX platform implements extensive security controls, user behavior remains a critical component of overall security. The IRD provides comprehensive guidance to help users protect their accounts and data:
- Password Security: Do not use easy-to-guess characters such as your birthday or Hong Kong Identity Card Number as your password, and change your password on a regular basis
- Access Point Security: Avoid conducting transactions from public terminals to prevent potential keylogging or shoulder surfing attacks
- Endpoint Protection: Install proper firewalls, anti-virus software, and anti-spyware software on your computer, and update them on a regular basis
- Confidentiality: Do not disclose your password to anyone, including a person who claims to be a staff member of the IRD (legitimate IRD staff will never ask for your password)
- Official Access Only: Access the eTAX System only through GovHK or the IRD’s official website, or type the URL https://www.gov.hk/etax directly in the browser address bar
System Compatibility and Security
To ensure smooth operations of the eTAX system and high security of transactions, users are recommended to use tested combinations of operating systems and browsers as listed in the System Requirements for GovHK Online Services webpage. While the system is designed to work with popular operating systems and browsers on the market, using verified configurations ensures optimal security and functionality.
Awareness of Fraudulent Communications
The IRD has actively alerted the public to fraudulent emails purportedly issued by the department. In November 2024, the IRD warned members of the public about fraudulent emails informing recipients that a tax audit would be conducted on them and inviting them to download documents containing viruses via provided hyperlinks. The department has emphasized that it has no connection with these fraudulent emails.
Taxpayers should be vigilant about any unexpected communications claiming to be from the IRD, particularly those that:
- Request immediate action or threaten penalties
- Ask for passwords, credit card information, or bank account details
- Contain suspicious links or attachments
- Come from email addresses that don’t match official IRD domains
- Contain grammatical errors or unusual formatting
When in doubt, taxpayers should contact the IRD directly through official channels listed on the department’s website rather than responding to suspicious communications.
Future Security Enhancements
Artificial Intelligence and Data Protection
On 11 June 2024, the Privacy Commissioner for Personal Data (PCPD) published the “Artificial Intelligence: Model Personal Data Protection Framework.” This represents the PCPD’s first guidance document targeted at organizations procuring, implementing, and using artificial intelligence systems in the context of their compliance with the PDPO.
As the IRD continues to modernize its systems, the integration of AI technologies for fraud detection, risk assessment, and service enhancement will need to be balanced with privacy protection requirements. This framework provides a roadmap for responsible AI implementation that protects taxpayer data while enabling innovation.
Critical Infrastructure Protection
The Government released the Protection of Critical Infrastructures (Computer Systems) Bill in December 2024. The Bill aims to protect critical infrastructure, which includes infrastructure that substantially affects the maintenance of critical societal or economic activities in Hong Kong in the event of a data breach.
Under the Bill, operators of critical infrastructure would be required to implement cybersecurity management plans and conduct security risk assessments. Given the essential role of tax collection in government finances and economic stability, the eTAX platform may be subject to enhanced security requirements under this legislation, further strengthening its resilience against cyber threats.
Continuous Security Evolution
The IRD has demonstrated a consistent commitment to security enhancement through regular platform updates and adoption of emerging best practices. The department’s approach to security is not static but evolves in response to changing threat landscapes, technological advancements, and user needs.
Looking forward, we can expect continued improvements in areas such as:
- Enhanced biometric authentication options beyond current iAM Smart capabilities
- Advanced threat detection using machine learning and behavioral analytics
- Improved user experience that balances security with convenience
- Greater integration with international tax information exchange systems while maintaining data protection
- Adoption of emerging encryption standards as cryptographic technologies advance
Conclusion
Hong Kong’s eTAX platform represents a comprehensive approach to secure digital tax administration that balances accessibility, functionality, and security. Through the integration of advanced authentication mechanisms like iAM Smart/iAM Smart+, robust encryption protocols, strict compliance with the Personal Data (Privacy) Ordinance, and comprehensive audit trails, the IRD has created a trusted environment for millions of taxpayers to fulfill their obligations.
The platform’s security framework extends beyond technology to encompass institutional governance, regular independent audits, alignment with international standards, and ongoing user education. The seven-year record retention requirement ensures that historical data remains available for legitimate purposes while respecting privacy principles.
As Hong Kong continues its digital transformation journey, the eTAX platform serves as an exemplar of how government services can leverage technology to improve efficiency and convenience while maintaining the highest standards of data protection and security. The continuous evolution of security measures, informed by emerging threats and best practices, ensures that taxpayer data remains protected in an increasingly complex cybersecurity environment.
For taxpayers, understanding these security features provides confidence in using the digital platform and underscores the importance of their own role in maintaining security through adherence to best practices. The collaborative effort between the IRD’s technical controls and users’ security-conscious behavior creates a resilient ecosystem that protects Hong Kong’s tax administration infrastructure and the sensitive information it processes.
Key Takeaways
- Multiple Authentication Options: Taxpayers can choose from iAM Smart/iAM Smart+, TIN + password, or digital certificates, with over 3.1 million users registered for iAM Smart as of December 2024
- Advanced Digital Signing: iAM Smart+ enables legally binding digital signatures on tax returns, eliminating the need for physical signatures while maintaining non-repudiation
- Comprehensive Encryption: TLS/SSL protocols protect all data in transit, with regular updates to encryption tools ensuring alignment with current best practices
- Robust Compliance Framework: Full adherence to the Personal Data (Privacy) Ordinance’s six core principles ensures taxpayer data is collected, used, and protected appropriately
- Multi-Layered Security Governance: Regular reviews by the Digital Policy Office, Cyber Security and Technology Crime Bureau, Audit Commission, and independent security professionals ensure comprehensive protection
- Complete Audit Trails: All submissions and transactions are logged with comprehensive metadata for accountability, fraud detection, and dispute resolution
- Seven-Year Retention Minimum: Section 51C of the IRO requires maintaining tax records for at least seven years, with longer periods necessary for businesses with carried-forward losses
- User Responsibility: Security is a shared responsibility requiring users to maintain strong passwords, avoid public terminals, keep software updated, and remain vigilant against phishing attempts
- Continuous Enhancement: Regular platform updates, including the December 2024 launch of iAM Smart 4.0 and the July 2025 Individual Tax Portal transition, demonstrate ongoing commitment to security improvement
- International Standards Alignment: The IRD’s policies align with OECD standards and international best practices, ensuring Hong Kong remains compliant with global data protection expectations
- Future-Ready Framework: Emerging regulations on AI data protection and critical infrastructure cybersecurity will further strengthen the eTAX platform’s security posture
- Strict Penalties for Non-Compliance: Failure to maintain proper records can result in fines up to HK$100,000 and unfavorable tax assessments based on alternative calculation methods