LCQ13: Protection for the privacy of members of the public

     Following is a question by the Hon Cheung Kwok-kwan and a written reply by the Secretary for Financial Services and the Treasury, Mr James Lau, in the Legislative Council today (January 16):
 
Question:
 
     The TransUnion Limited (TransUnion) is the major credit reference agency in Hong Kong and it holds the personal data and credit records of 5.4 million members of the public. Earlier on, some reporters collected from the public domain the personal data of certain public figures and obtained, using such data, from TransUnion's website the credit records of those public figures, thereby revealing that the website had a serious security loophole. This incident, coupled with the fact that several other incidents of massive leakage of clients' personal data by commercial organisations have occurred recently, has aroused grave public concerns about the issue of information security of commercial organisations. In this connection, will the Government inform this Council:
 
(1) whether it knows the channels through which TransUnion collects the credit data of members of the public, and the scope of such data;
 
(2) given that at present, if members of the public indicate that they do not consent to financial institutions' provision of their personal data to TransUnion and access to their credit records, financial institutions will not approve their applications for personal loans or credit cards, whether the Government will review and improve this situation with a view to enhancing the protection for the privacy of members of the public;
 
(3) whether it has studied how other jurisdictions regulate financial institutions' handling of their clients' personal data and credit records;
 
(4) whether it will review the role of credit reference agencies and consider subjecting such agencies to the regulation of the Hong Kong Monetary Authority; if so, of the details; if not, the reasons for that;
 
(5) given that certain personal data of public officers, such as government officials and councillors, can be easily found through searching on the Internet, whether the Government will study how, on the premise that the transparency of governance will not be undermined, the protection for the personal data of such public officers against abusive use can be enhanced; and
 
(6) whether it will examine conferring greater law enforcement powers on the Office of the Privacy Commissioner for Personal Data to enhance the protection for the privacy of members of the public?
 
Reply:
 
President,
 
(1) TransUnion mainly collects credit information from credit providers, public records and individuals. The scope of credit information collected by TransUnion is governed by the Code of Practice on Consumer Credit Data (PCPD Code) issued by the Privacy Commissioner for Personal Data (Privacy Commissioner), which includes among others (please see section 3.1 of the PCPD Code for details):
 
(i) general particulars of an individual (such as name, address, contact information, date of birth, Hong Kong Identity Card Number or travel document number);
 
(ii) credit information of an individual (such as credit application data, account general data, account repayment data); and
 
(iii) public record and related data (such as legal action for recovery of a debt, judgements for monies owed, information on the declaration or discharge of bankruptcy).
 
(2) Proper risk management plays a positive role in the day-to-day operations and long-term development of the credit market. For banks, using consumer credit data from Credit Reference Agency (CRA) for assessing credit applications and conducting credit reviews is an essential part of the banks' credit risk management system during the processing of customer applications for loans, credit cards, or other credit facilities. Banks require complete information for accurate assessment of customers' creditworthiness, and better credit risk management, which reduces bad debts and ensures the stability of the banking system. Borrowing costs for borrowers with good credit ratings could also be reduced.
 
(3) Although regulatory arrangements for CRA vary from jurisdiction to jurisdiction, the main policy objective remains the protection of personal data privacy. In Hong Kong, banks must take reasonable and practicable steps to provide customers with the relevant Personal Information Collection Statement when collecting personal information from customers. This is a common practice elsewhere.
 
(4) The TransUnion incident involved suspected unauthorised access to customer data, which is a personal data protection issue. The Personal Data (Privacy) Ordinance (PDPO) has clear legal provisions on the protection of personal data privacy. Under the PDPO, CRA, when providing credit reference services to banks and other credit providers in Hong Kong, must comply with the PDPO and the PCPD Code issued under the PDPO. The PCPD Code covers requirements relating to the collection, accuracy, use, security, access and correction of data, including the requirement for CRA to take appropriate measures to protect personal credit data in its daily operations to prevent improper access. The Privacy Commissioner is responsible for enforcement and supervision in relation to the PDPO and the PCPD Code.
 
     The Hong Kong Monetary Authority (HKMA) has no plan to subject CRA to financial regulation. The HKMA regulates banks to safeguard depositors and promote the stability and soundness of the banking system. Credit reference services do not affect depositors and the soundness of the banking system. Therefore, TransUnion, like other third-party service providers, does not need to be regulated by the HKMA. The Privacy Commissioner will continue to be responsible for supervisory work for protection of personal data privacy. The HKMA will make reference to the outcome of the investigation being conducted by the Privacy Commissioner, and assist the Privacy Commissioner in liaising with the banking industry to review whether the contractual arrangements between the banking industry and CRA can be improved.
 
(5) and (6) The protection afforded by the PDPO applies to all data subjects. Personal data obtained in the public domain (including the Internet), regardless of the identity of the data subject, are protected by the PDPO. The Government is open to amending and improving the PDPO. Currently, the Constitutional and Mainland Affairs Bureau, together with the Office of the Privacy Commissioner for Personal Data (PCPD), has commenced reviewing the relevant regulations and penalties of the PDPO, and studying proposals including the establishment of a mandatory breach notification mechanism. The PCPD is now conducting compliance investigations on recent data breaches. The Government will keep a close watch on the investigations by the PCPD and reach a view on how the PDPO could be improved, having regard to the investigation results and recommendations by the PCPD, to enable the PCPD to effectively strengthen the regulation in relation to protection of personal data.