1. The Privacy Commissioner ("the Commissioner") Mr.
Allan Chiang publishes today his report ("Report") of the inspection
("the Inspection") of the personal data system of TransUnion Limited
("TU") which was carried out under section 36 of the Personal Data
(Privacy) Ordinance ("the Ordinance").
2. The Report is available for download from the PCPD website:
http://www.pcpd.org.hk/english/publications/invest_report.html
Background
3. The Code of Practice on Consumer Credit Data ("the
Code") under the Ordinance regulates the processing of consumer credit
data by credit reference agencies ("CRA") and credit providers in Hong
Kong. It deals with collection, accuracy, use, security,
access and correction of personal data of individuals who are, or have
been, applicants for consumer credit. TU is a major CRA in Hong Kong
maintaining credit records of about 4.3 million individuals and is the
major source of consumer credit information for credit providers.
4. Given the vast amount of consumer credit data
being held by TU and the serious adverse impact it may have on
individual consumers if these sensitive data are mishandled, the
Commissioner conducted the Inspection in 2010.
Scope of the Inspection
5. The Inspection covered the entire data processing
cycle of the personal data system of TU to ascertain compliance with
the six Data Protection Principles (“DPPs”) and the Code.
6. The Inspection consists of 7 major types of review
work:-
(i) System walk-through based on TU’s supplied
information and presentation;
(ii) Review of policies, guidelines and procedures
relevant to the personal data system of TU;
(iii) Interactive queries with the database system of
TU;
(iv) Interviews with key staff of TU;
(v) On-site inspection of the physical layout and
security measures of TU's operations site;
(vi) Procedural review through making requests for
credit reports in person, by post and on-line; and
(vii) Customer interview.
Results of Inspection
7. The Commissioner is pleased to find that TU had in
place comprehensive and detailed policies, guidelines and procedures on
the proper handling of consumer credit data, and no major data security
issues were found in the Inspection. Senior staff who were
responsible for handling consumer credit data were experienced and
conversant with the policies, guidelines and procedures underpinning
their duties. There was, however, room for improvement
identified and the Commissioner has made 20 recommendations for TU to
enhance its system of control in the areas of data collection,
accuracy, retention, security and access, as well as IT security
audit. In particular, the Commissioner has noticed obvious
slackness in TU's control where disposal and storage of consumer credit
data were arranged through contractors (paragraphs 5.69 to 5.87 of the
Report). He has made specific recommendations to address the
problems identified.
Response of TU
8. TU is thankful for all the recommendations the
Commissioner has made in the Report and will complete considering and,
where considered feasible, implementing the Commissioner's
recommendations on or before 31 May 2011, except for the recommendation on
the introduction of IT security audit, which TU will need to consider
when the impending revisions to the Code are known.
The Commissioner's remarks
9. "Consumer credit data are very personal and
confidential information and it is of paramount importance that TU have
adequate controls to protect them. Whilst finalizing this Report,
a public consultation on the revision of the Code to tie in with the
proposal of the financial services industry to share positive mortgage
data has just been completed. It has revealed a strong and clear
demand for TU to demonstrate the integrity and reliability of its data
protection system. I urge TU to exercise due diligence in the
management of its massive consumer credit database and to implement
promptly my recommendations made in the Report," Mr. Chiang said.