Hong Kong's privacy watchdog will commence compliance checks on all credit reference agencies after a tech company was accused of enabling other money lenders to access the credit histories of about 180,000 borrowers without authorisation.
According to an official statement, the Office of the Privacy Commissioner for Personal Data (PCPD) said that, in light of community concern over how credit reference databases in Hong Kong handle borrowers’ credit data, it will proactively commence compliance checks of all credit reference agencies in Hong Kong to ensure the protection of borrowers’ personal data privacy and the data security of credit reference databases. The checks will cover whether the security measures adopted by the credit reference agencies in respect of borrowers’ credit data, and the retention period of such data, comply with the requirements of the Personal Data (Privacy) Ordinance (PDPO).
The initiative is also based on the recent findings of an investigation report on the unauthorised access to the credit data in the TE Credit Reference System on 1 June. The investigation arose from a complaint lodged by a complainant, who reported that his credit data in the TE Credit Reference System had been accessed a number of times by eight money lending companies unknown to him, without his knowledge or consent. The complainant was of the view that the TE Credit Reference System did not put in place adequate security measures to protect his personal data.
The TE Credit Reference System was operated by Softmedia Technology Company. Around 680 money lending companies used the TE Credit Reference System, which contained the credit data of about 180,000 borrowers.
As a result of the investigation, the Privacy Commissioner for Personal Data Ada Chung found that the operator of the TE Credit Reference System had failed to take all practicable steps to protect the personal data in the TE Credit Reference System against unauthorised or accidental access, processing, or use, and inappropriately retained over 50,000 credit records longer than was necessary.
“Any violation of the enforcement notice will be deemed as a criminal act, which means we can consider initiating criminal prosecution according to the situation,” she said. The penalty upon first conviction is a fine of HK$50,000 (US$6,380) and two years’ imprisonment.
Chung said: “The fact that the operation and management of the TE Credit Reference System is not regulated by any industry code or relevant laws of the financial sector is far from satisfactory. To ensure the protection of borrowers’ personal data and the data security of the credit reference database, I recommend that the operation and management of any credit reference database should be regulated or supervised through laws, regulations, guidelines, industry codes or licensing systems.”
Chung also recommended that operators of credit reference databases implement a personal data privacy management programme, through which the protection of personal data privacy can be incorporated into the organisation’s data governance responsibilities; appoint data protection officers to monitor compliance with the PDPO; appoint an independent compliance auditor to conduct regular compliance audits on the mechanism and means of providing credit reference services; and increase penalties for contraventions to deter the recurrence of violations by money lenders.