Last month the Hong Kong Privacy Commissioner announced that her office will proactively commence compliance checks with all credit reference agencies in Hong Kong to ensure protection of the personal data privacy of borrowers and the data security of credit reference databases.  She cited “concern raised by the community on the handling of borrowers’ credit data by credit reference databases in Hong Kong”.

It is rare for the Privacy Commissioner to announce a targeted proactive review of a specific industry, which suggests concerns that there are serious data privacy compliance risk/failures across the credit reference agency industry which require immediate review.

Given the number of unregulated credit reference agencies in Hong Kong, the Commissioner has also called for greater regulatory supervision in this space.

Softmedia investigation 

The Commissioner’s announcement was made following the publication of a high-profile investigation report against Softmedia Technology Company Limited - in relation to data security and retention issues in Softmedia’s TE Credit Reference System.

This followed an earlier investigation into the data breach incident of another credit reference agency, TransUnion Limited (Transunion) in 2019. In that case there had been public outcry when newspaper reporters managed to bypass TransUnion’s lax online authentication procedures and access the credit reports of public figures including the ex-Hong Kong Chief Executive.

The investigation into Softmedia stemmed from a borrower’s complaint that his credit data in the credit reference system had been accessed by eight money lenders unknown to him.

The Softmedia findings

The Commissioner found that Softmedia had contravened Data Protection Principle (DPP) 4 (security) and DPP2 (retention) under the Personal Data (Privacy) Ordinance (Cap. 486) (PDPO) in relation to the security of the credit reference system and the retention of credit records.

  • Failure to take appropriate security measures

Softmedia was found to have failed to take appropriate security measures to manage the access to and use of the credit reference system by money lenders.

Whilst Softmedia claimed it had required money lenders to declare that they had obtained borrowers’ consent before accessing the system, it has failed to examine the consents obtained by money lenders such that money lenders could freely access the system without consents.

Softmedia had neither restricted the number of times the money lending companies can access a borrower’s data nor regularly monitored their use of the system, and there were no procedures nor processes in place to detect abnormal or unauthorised access by money lenders.

  • Retention of records

Softmedia was found to have retained 50,000 borrowers’ records who completed repayments more than 5 years ago, in breach of the Commissioner’s Code of Practice on Consumer Credit Data.  

  • Highly disappointing data practice

All the above findings, coupled with the magnitude of around 180,000 data subjects in the credit reference system’s database, led to the Commissioner’s finding that Softmedia’s data practice had “fallen far below the general standard and is highly disappointing”.

Rectification

In the enforcement notice to Softmedia, the Privacy Commissioner ordered Softmedia to rectify the PDPO breaches within 3 months by:

  • deleting all credit data in the credit reference system stored contrary to the Code of Practice on Consumer Credit Data;
  • formulating policies and procedures to meet the retention requirement under the Code of Practice on Consumer Credit Data;
  • formulating personal data protection policies and procedures and adopting measures to regularly review whether employees have complied with these policies and procedures when carrying out their duties;
  • reviewing / imposing restrictions on access to the credit reference system by money lenders and formulating systems to detect unauthorised access to the credit reference system;
  • formulating and implementing a strong password management policy; and
  • formulating policies and procedures to verify that money lenders obtained authorisations from borrowers before accessing the credit reference system.

Recommendation to regulate credit reference databases

With the rapid rise of interactions between money lending corporations and borrowers happening via digital apps and the growth of credit reference agencies/ tech intermediaries which provide systems and access to credit data (including via cloud systems), we often see these tech intermediaries collecting massive databases of personal data including sensitive data such as HKID card numbers.  

This increase in the collection of personal data is also multiplying the data privacy risks for borrowers in the event of a database breach.

In addition to requiring Softmedia to rectify the security and retention breaches in the enforcement notice, the Commissioner has also recommended that the operation and management of any credit reference database should be regulated or supervised through laws, regulations, guidelines, industry codes or licensing systems to safeguard the privacy of borrowers in the investigation report. 

Had Softmedia been regulated, it would have been required to comply with base standards including in corporate governance, internal controls, and use and protection of consumer credit data.  

Looking ahead

The Commissioner’s recommendation for regulation supports an overarching aim to curb privacy risks arising from unregulated credit reference agencies’ handling of massive amounts of customers’ data without proper guardrails.

Going forward, we expect to see more guidelines issued by the Privacy Commissioner in the credit reference industry, to address operational risks in their data protection handling practices. Watch this space and follow our Tech Insights updates on Linklaters Tech in LinkedIn!