In this snapshot legal update, the Office of the Privacy Commissioner for Personal Data (“PCPD”) published an investigation report on 1 June 2023 concerning the TE Credit Reference System,developed by Softmedia Technology Company Limited (“Softmedia”) in January 2016. Softmedia was not a credit reference agency shortlisted by Industry Associations in Hong Kong under the Multiple Credit Reference Agencies Model, nor regulated by the Money Lenders Ordinance (Cap. 163).

The TE Credit Reference System (“System”) is a platform for money lending companies to assess borrowers’ credit data before approving or rejecting their loan applications.

A member of the public had his credit records and other personal data stored in the System. He was informed by one money lending company that his credit records on the System had been accessed by several other money lending companies. This person made a complaint to the PCPD and the PCPD commenced an investigation of the complaint.

During the investigations, the PCPD found that:

  1. The System did hold personal data, contrary to Softmedia’s contention.

Softmedia contended that the System held no personal data as it does not store names, addresses, phone numbers or dates of birth and only holds HKID numbers and credit data of borrowers. The PCPD disagreed. The purpose of the System was to provide a platform for money lending companies to make assessments prior to the loan confirmation, and companies must be able to directly or indirectly ascertain the identity of a data subject from the data in the System. The data on the System therefore constituted “personal data”.

2. The mechanisms for borrower consent and authorisations were insufficient.

According to Softmedia, a money lending company using the System was required to obtain a signed authorisation letter from the borrower before it accessed data on the System. However, none of the money lending companies involved could provide the PCPD with the complainant’s signed authorisation. The System allowed a money lending company to access data upon making a self-declaration of authorisation and payment of fees. This revealed a loophole in which money lending companies could access credit data without fulfilling the requirement for authorisation.

The PCPD concluded Softmedia contravened the following data protection principles in the Personal Data (Privacy) Ordinance (Cap. 386) (“PDPO”):

    1.  DPP 4(1) – Unauthorised or accidental access, processing, erasure, loss or use

Softmedia failed to put restrictions on money lending companies in accessing borrowers’ credit data. The PCPD noted that money lending companies have to closely track a borrower’s financial status. However, Softmedia was required to strike a reasonable balance and formulate measures to regulate and monitor use of the System by the money lending companies. Softmedia relied wholly on users of the System to self-declare that they have obtained consent and authorisation from the borrowers. This arrangement falls below the standards for data privacy.  Softmedia’s password management did not meet the minimum requirements. The System accepted weak passwords in length and complexity, and did not set restrictions requiring a regular change of password.

2. DPP 2(2) – Data retained longer than necessary

Softmedia did not take practicable steps to ensure that personal data was not kept longer than necessary to fulfil a certain purpose. The Code of Practice on Consumer Credit Data (“Code”) published by the PCPD specify that account repayment data should only be retained up to five years from the date of final settlement of the amount in default. However, there are currently over 50,000 credit records of borrowers who have completed repayments more than five years ago. These personal data records should have been erased, but they remained on the database.

Enforcement actions
The PCPD served an Enforcement Notice on Softmedia pursuant to the contraventions of the DPPs mentioned above. Among other things, the PCPD directed Softmedia to:

    1.  delete credit data where five or more years have lapsed from final settlement of the loan;
    2.  formulate various policies to ensure retention periods meet the requirements under the Code;
    3.  impose restrictions on the frequency of access to the System;
    4.  monitor non-compliant access to the System;
    5. create measures to verify that companies obtained authorisations before accessing data; and
    6. implement a stronger password management policy.

The PCPD made the following recommendations to providers of credit reference databases:

    1.  Implement a Personal Data Privacy Management Programme (“PMP”) to improve personal data protection and data governance. A PMP will provide for the execution of transparent information policies. This will in turn demonstrate good corporate governance and create a positive image for consumers of compliance with laws and regulations.
    2.  Appoint a Data Protection Officer to oversee compliance with the PDPO and
      implementation of the PMP. The duties of a Data Protection Officer are to curate a culture of protecting data privacy, encourage staff to respect data privacy protection and carry out personal data protection policies.
    3.  Appoint an Independent Compliance Auditor to conduct compliance audits on the mechanism of providing credit reference services, to assess whether the mechanism is sufficient to protect security and assess the security of the credit data itself.
    4.  Impose strict penalties for contravention of data access requirements, such as stricter access fees, fines or suspension and termination of access rights of money lending companies.

      Author: Pádraig Walsh

More from Tanner De Witt