LCQ22: Privacy protection for consumer credit data
Following is a question by the Hon Carmen Kan and a written reply by the Secretary for Financial Services and the Treasury, Mr Christopher Hui, in the Legislative Council today (April 24):
Question:
Regarding privacy protection for consumer credit data, will the Government inform this Council:
(1) whether it knows the number of cases in the past six years in which the Office of the Privacy Commissioner for Personal Data, Hong Kong (PCPD) issued enforcement notices to credit reference agencies (CRAs) for breaching the Personal Data (Privacy) Ordinance (Cap. 486), as well as the organisations involved in such cases, the number of people affected, compliance with the enforcement notices, and the number of organisations which have been prosecuted for contravention of enforcement notices (set out in a table);
(2) given that Cap. 486 does not provide for a mandatory data breach notification mechanism, and that the Privacy Commissioner for Personal Data indicated at the meeting of the Panel on Constitutional Affairs of this Council on February 19 this year that PCPD and the Government were jointly examining the proposed legislative amendments to establish such mechanism, of the progress of the relevant work;
(3) as it has been reported that the website of TransUnion Limited, a CRA, which provided access to personal credit reports, had information security loopholes as revealed in 2018, whether the authorities have continuously monitored the level of its information security and compliance thereafter; if so, of the details; if not, the reasons for that;
(4) given that the Hong Kong Monetary Authority (HKMA) has been working with industry associations to introduce more than one consumer CRA in Hong Kong through the Credit Reference Platform, and has supported the development of the relevant platform, "Credit Data Smart" (CDS), by industry associations, but it is learnt that the platform, which was originally scheduled to be launched in December last year, has not yet been launched, of the latest progress of such platform;
(5) as it is learnt that industry associations have established the Code of Practice for the Multiple Credit Reference Agencies Model setting out the standards and requirements with which Selected CRAs and Subscribed Members of CDS must comply on various aspects including the use and protection of personal data, what measures the authorities have put in place to monitor CRAs' compliance with the Code of Practice on Consumer Credit Data and Cap. 486 when CDS has not yet been launched; and
(6) given that the People's Bank of China and the HKMA have agreed to enter into a memorandum of understanding on the pilot programme of interconnection business for cross-boundary credit referencing, what regulatory measures the authorities have put in place to ensure that cross-boundary credit referencing data will only circulate within the Guangdong-Hong Kong-Macao Greater Bay Area in a safe and orderly manner, as well as when the authorities will proceed to launch the pilot tests and implementation work?
Reply:
President,
Having consulted the Constitutional and Mainland Affairs Bureau and the Hong Kong Monetary Authority (HKMA), the consolidated reply is as follows:
(1) Regarding the incidents of unauthorised access to personal data held by credit reference agencies in recent years, the Office of the Privacy Commissioner for Personal Data (PCPD) issued enforcement notices to TransUnion Limited (TransUnion) and Softmedia Technology Company Limited (Softmedia) in 2019 and 2023 respectively. The enforcement notices directed the relevant organisations to rectify the vulnerabilities in the security of their credit databases, which included directing TransUnion to devise clear procedures on identity authentication, and directing Softmedia to change the password settings to safeguard the security of its information system that contained personal data, etc. The consumer credit data held by these two organisations involved around 5.4 million and 180 000 individuals respectively. TransUnion and Softmedia had implemented the relevant security measures according to the above enforcement notices to protect personal data privacy.
(2) At present, the PCPD is comprehensively reviewing the Personal Data (Privacy) Ordinance (Ordinance) and formulating concrete proposals for legislative amendments, which include establishing a mandatory personal data breach notification mechanism, requiring data users to formulate policies on personal data retention period, empowering the Privacy Commissioner to impose administrative fines, direct regulation of data processors, and clarifying the definition of personal data, etc. The PCPD is studying in detail relevant laws and experience of other jurisdictions, while taking account of the actual situation in Hong Kong so as to put forward practicable legislative amendment proposals to align with international developments in privacy protection and strengthen the protection of personal data privacy. In regard to the mandatory personal data breach notification mechanism, the definition of personal data breach incident, the threshold and timeframe for notification, etc. need to be considered. Such relevant work is being proactively taken forward at the moment. Once specific legislative amendment proposals are firmed up, the PCPD will consult the Government and the Legislative Council, after which a legislative amendment timetable will be drawn up having regard to actual circumstances.
(3) In an effort to continuously monitor the personal data security standards and compliance situation of TransUnion, the PCPD took the initiative to carry out an inspection of the personal data system of TransUnion in 2021, and subsequently published an investigation report. Inspection results revealed that TransUnion had complied with the requirements of the Ordinance with regard to the security of personal data held, such as adopting appropriate system access control measures through contractual means with credit providers.
In addition, in June 2023, the PCPD also proactively commenced compliance checks of credit reference agencies in Hong Kong, including the three credit reference agencies selected under the "Credit Data Smart" Model (namely TransUnion, Nova Credit and PingAn OneConnect), to ascertain whether the security measures and retention periods adopted by the relevant organisations regarding the consumer credit data of borrowers comply with the requirements of the Ordinance. The PCPD found no contravention of the requirements of the Ordinance in the compliance check of the relevant organisations.
(4) The HKMA has been working closely with Hong Kong Association of Banks, the Hong Kong Association of Restricted Licence Banks and Deposit-taking Companies, and the Hong Kong S.A.R. Licensed Money Lenders Association Limited (collectively "the Industry Associations") to introduce more than one consumer credit reference agency (CRA) in Hong Kong through the Credit Reference Platform (this model referred to as "Credit Data Smart"), with a view to enhancing the service quality of consumer CRAs in Hong Kong and reducing the operational risk of having only one commercially run service provider in the market, particularly the risk of single point of failure.
"Credit Data Smart" has been progressing in an orderly manner as planned. The Industry Associations launched the "Credit Data Smart" pilot programme on November 20, 2023, with the expectation that the selected CRAs would officially offer to the public secure and reliable consumer credit reference services upon successful completion of the pilot programme. According to the information provided by the Industry Associations, over 1 000 employees from nearly 20 institutions including banks, licensed money lenders, the platform operator, the Industry Associations and governmental institutions have participated in the pilot programme since its launch. The results indicated that the data accuracy of the credit reports and overall service performance of the three CRAs met the requirements set by the Industry Associations.
Accordingly, the Industry Associations announced on April 18 this year the commencement of service of "Credit Data Smart" with effect from April 26.
(5) According to the information provided by the Industry Associations, the three CRAs have been required to comply with the industry's rigorous requirements on information security, system and data management, etc. as set out in the "Code of Practice for the Multiple Credit Reference Agencies Model" since their selection in November 2022. These CRAs are also required to submit regularly their compliance assessment reports on personal data protection, information and network security, etc. to the Industry Associations, in order to ensure their compliance with the Personal Data (Privacy) Ordinance, the "Code of Practice on Consumer Credit Data" and the "Code of Practice for the Multiple Credit Reference Agencies Model". The Industry Associations will continue to review the operations of the three CRAs after the commencement of service of "Credit Data Smart".
(6) Ensuring the security of customer information is the top priority, and the primary consideration of the HKMA underlying any data connectivity initiative is to ensure that any information involved in the process will be processed in a safe and efficient manner and that any information transfer is in compliance with relevant legal and regulatory requirements. In terms of supervision, the HKMA has put in place strict regulatory requirements and guidelines in respect of protection of information security for banks to follow, to ensure the security, confidentiality and integrity of information of businesses and to prevent such information from being accessed or used without proper authorisation. In this regard, the HKMA is planning to issue regulatory circulars to remind the Hong Kong banking industry to comply with all relevant legal and regulatory requirements when handling cross-boundary transfers of credit information, so as to ensure information security and effective risk management.
The People's Bank of China (PBoC) and the HKMA announced on January 24 this year the "three measures on connectivity" and "three measures on facilitation" to deepen the financial co-operation between Hong Kong and the Mainland, and signed a Memorandum of Understanding on Cross-Boundary Credit Referencing (CBCR) pilots. This is to establish co-operative arrangements to, starting out from the Greater Bay Area, jointly promote the co-operation on CBCR pilots, foster cross-boundary transfer of credit information between Hong Kong and the Mainland, and facilitate cross-boundary financing for Shenzhen and Hong Kong enterprises. Under the CBCR pilot scheme, a number of Hong Kong banks and CRAs have expressed interest in participating in the pilots. At the same time, some CBCR pilots have already entered the processes of the relevant Mainland authorities. Relevant institutions will continue to work closely with each other, and facilitate the implementation of the pilots and the conduct of relevant tests in a step-by-step manner.