The Privacy Commissioner Mr Raymond Tang issued a consultation document on 28 August 2002 to seek the public's views on a set of proposed provisions on consumer credit data protection in relation to the sharing of positive credit data. The proposal suggests relaxation to certain provisions of the Code of Practice on Consumer Credit Data ("the Code") as a measure to contribute towards alleviating the problem of growing consumer indebtedness and personal bankruptcies.

Consumer's credit information is personal and private to the individual concerned. There are privacy issues arising from the industry's proposal to share positive credit data that may impact upon an individual's personal data privacy.

In January 2002, the Government announced a high-level Roundtable Discussion among industry representatives and government officials to find ways to tackle the problem of rising default rate on loans and credit card. The PCPD was invited to participate in the discussions. The industry proposed to introduce a greater sharing of positive credit data via a credit reference agency as one of the measures to improve the current consumer-lending environment. In June 2002, the PCPD set up a working group to study the industry's proposal.

The Privacy Commissioner Raymond Tang and Professor Dilip Soman (right) of the HK University of Science & Technology interviewed by ATV "Newsline" host Frank Ching

"There are many factors contributing to the rising level of bankruptcy, which has significant social as well as economic impacts. We do not regard the proposal for greater sharing of credit data as a cure for this problem but believe that credit information transparency benefits both credit providers and borrowers in facilitating an efficient credit environment and promoting a responsible lending and borrowing relationship. Prudent lending policy, coupled with proper use of borrower's credit information could safeguard against over-extension of credit to those individuals who do not have sufficient repayment ability," Tang says.

Key features of the draft proposal:

Scope of new credit data

1. A credit reference agency(CRA) may collect from credit providers information on an individual's credit facilities excluding any residential mortgage loans.
   
2. A CRA should not collect from credit providers any information about an individual's personal income, deposits, other assets or non-credit based information such as the individual's employment information.
   
3. Credit data reportable by a credit provider to a CRA may include:

(a)	general credit data such as
	(i) (ii) (iii) (iv)	credit provider's identity, account opening date, type of facility and currency, approved credit limit, original credit amount or approved credit limit and repayment term of credit card;
(b)	repayment data:
	Credit card:
	(i) (ii) (iii)	remaining available credit, date of last statement and date shown on such statement, date and amount of payment(s) made during last reporting period;
	Other credit facilities:
	(i) (ii) (iii) (iv)	remaining available credit, outstanding balance of the account, the date on which repayment last fell due and the amount then due, and date and amount of payment(s) made during the last reporting period;
(c)	account termination data (where applicable):
	(i) (ii)	date of account termination and the fact that the account had been terminated by full repayment.

Restrictions on data sharing

4. Upon a date to be specified by the Privacy Commissioner ("the effective date"), a CRA may collect from a credit provider information about an individual's credit facilities where there is a current borrowing relationship.
   
5. A CRA should not collect from credit providers any information relating to an individual's credit facility repayment details that occurred prior to the effective date.
6. A credit report may display information on the individual's credit facilities data reportable by credit providers and other calculated data derived from these data. Display of repayment history records relating to the credit facilities should be limited to the most recent 24 months.
   
7. A credit report should not disclose the names of the lender of an individual's credit facilities except where that lender is the credit provider requesting the report.
   
8. Credit data used for credit scoring on the individual by the CRA should be limited to data compiled within a period of 5 years immediately preceding the date of the credit scoring.
   
9. Repayment history records relating to an individual's credit facility that are accessible by credit providers should be limited to data compiled within a period of 24 months immediately preceding the date of the access.

Privacy safeguards - Credit provider

Access to credit database

10. A credit provider may access from a CRA's credit data about an individual's credit facility when considering any grant, review or renewal of consumer credit to the individual or to another person for whom the individual proposes to act as a guarantor; or upon default by the individual as principal or as guarantor.
    
11. A credit provider is required to update credit data about an individual's credit facility previously disclosed to a credit reference agency at the end of each reporting period not exceeding 31 days to ensure that the individual is not prejudiced by information that may be out-dated.
    
12. A credit provider should specify to the CRA the event necessitating the access on each occasion of accessing the database.

The Privacy Commissioner Raymond Tang interviewed by Metro Finance Radio host Ng Ming-lam

Notification to consumers

13. Upon application for a new credit facility, a credit provider should inform the borrower that, upon full repayment of the account, the borrower may elect to "opt-out" of the use of the account information by a CRA for future credit reporting and scoring purposes.
    
14. As a matter of good practice, a credit provider should consider giving to the borrower, as soon as reasonably practicable upon the termination of his account by full repayment, a reminder regarding his choice to "opt-out" of the use of the account information for future credit reporting and scoring..

15. Subsequently, a credit provider, who is intent upon accessing credit data held by a credit reference agency in respect of a borrower's account which the borrower has previously elected to "opt-out", should seek from the borrower his written consent for it to access such data.
    
16. Upon receipt of an "opt-out" request, the CRA should:

unless such credit provider has confirmed that it has obtained the individual's written consent to access the information, in which case, the credit reference agency may use that account information for providing a credit report or credit score on the individual.

Privacy safeguards - Credit reference agency

Preventing abusive access

17. A CRA should implement an access log record system of all instances of access to its credit database by credit providers and keep it for not less than 2 years for examination by its compliance auditor and/or the Privacy Commissioner.
18. A CRA should promptly report to the senior management of a credit provider and to the Privacy Commissioner incidents involving any suspected abnormal access to its credit database by staff of the credit provider. The credit provider should then undertake a prompt investigation of the incident.

Ensuring compliance

19. As a matter of good practice, a CRA is recommended, at its own expense, to commission an independent compliance audit annually to verify whether its data management practices are adequate in terms of enabling the agency to comply with the requirements of this Code.
    

Other regulatory control measures

20. A CRA should make its credit reference system available for inspection by the Privacy Commissioner.
21. A credit provider, in deciding on the engagement or renewal of any relationship with a CRA for the provision of consumer credit reference services, should treat as an important criterion the demonstration by the agency of its compliance with the requirements of the Ordinance and of the Code of Practice on Consumer Credit Data.

Implementation safeguards

22. There should be a twenty-four month transition period following the effective date for the sharing of positive credit data. During that period, credit providers may report positive credit data of existing borrowers to the CRA, but are prevented from accessing and using these data for the purposes of assessing the renewal or review of existing credit facilities of borrowers until after the transition period has elapsed.
23. The above-mentioned restriction should not apply to new applications for credit made by a borrower to the credit provider during the transition period.

"Co-operation and concerted efforts of all participants in the consumer credit market are necessary to tackle the problem. We are keen to hear the public's views to ensure that a proper balance between the broader public interest and privacy interest of the individual is struck whilst making credit assessment more efficient and rigorous," Raymond Tang says.
Members of the public are welcome to submit their comments to the PCPD in writing on or before 25 October 2002.

The consultation document is available from:
1. PCPD: Unit 2001, 20th Floor, Office Tower Convention Plaza, 1 Harbour Road, Wanchai
2. Public Enquiry Service Centres of District Office
3. PCPD website at www.pcpd.org.hk.

Code of Practice for Fixed and Mobile Service Operators issued by the PCPD, OFTA, ICAC and Consumer Council

The rapid development of information technology has led to the bulk of customers' personal data collected by fixed and mobile service operators. Such personal data, which include customers' telephone numbers, residential addresses and details of call history, may be sensitive in certain circumstances and of value if used for illicit purposes. Therefore, the Consumer Council (CC), the Independent Commission Against Corruption (ICAC), the Office of the Privacy Commissioner for Personal Data (PCPD) and the Office of the Telecommunications Authority (OFTA) jointly issued the first-ever Code of Practice on Protection of Customer Information for Fixed and Mobile Service Operators (COP) on 17 June 2002. The publication of the COP, which serves as a general guidance for fixed and mobile service operators, marks the enhanced efforts and collaboration of the four organizations towards promoting the importance of protection of customer information and interests.

The voluntary COP has set out some good practices that should be adopted by fixed and mobile service operators to prevent unauthorized disclosure of customer information. They cover various issues including ethics and data privacy policy, data classification policy, access control policy, technical measures for protection of customer personal data, location security, staff security and transfer of customer personal data.

It is the PCPD's view that the implementation of data protection policies and measures would safeguard customers' personal data privacy, as well as minimizing contravention of the requirements of the Personal Data (Privacy) Ordinance, which in turn helps to build a trustful relationship between service operators and their customers.

Apart from complying with the requirements of the Personal Data (Privacy) Ordinance, all fixed and mobile service operators are also obliged under the existing telecommunications licence conditions to protect their customer information and should not disclose the information without the consent of the customer for purposes other than those related to the provision of services.
A spokesman of Consumer Council urged, 'In a highly competitive market, consumers should exercise their right to choose the service operators who adopt the COP, and through their choice to ensure a high level of standard and put in place the security measure to protect customer privacy."

In addition, an ICAC spokesperson warned that any staff of service operators who solicits or accepts advantages to release customers' information will be in breach of the Prevention of Bribery Ordinance.

Full text of the COP can now be downloaded from the web sites of :
CC (www.consumer.org.hk),
ICAC (www.icac.org.hk),
PCPD (www.pcpd.org.hk) and
OFTA (www.ofta.gov.hk).

The First Conviction Under the Personal Data (Privacy) Ordinance

In April 2001, the PCPD referred a case to the Police for their consideration of prosecution proceedings as a result of the failure by a person to comply with an enforcement notice. Eventually, the defendant was convicted and received a fine sentence. The successful conviction has sent a clear message to the public that the requirements of the Personal Data Privacy Ordinance (" the Ordinance") are not to be taken lightly.

The case originated from a complaint against the defendant, a former hotel telesales consultant, for unfairly collecting and using a customer's data without the customer's or the hotel's approval. The complainant first received a direct marketing call from the defendant who was promoting the hotel's membership campaign. After being offered very attractive membership packages, the complainant agreed to join the membership and gave her personal particulars to the defendant for the purpose of enrolment. However, she later discovered that the terms of the scheme were totally different to what was said by the defendant and therefore lodged a complaint to the hotel. The defendant was subsequently dismissed by the hotel after a number of similar complaints had been received against him. Feeling aggrieved, the defendant took into his possession records of the complainant's personal data and used the data to send out numerous fax letters to the complainant accusing her of causing him to lose the job. Feeling annoyed, the complainant therefore reported the matter to us.

After investigation, the defendant was found to have contravened DPP1(2) of the Ordinance and an enforcement notice was served on him, directing him to retrieve this customer's information to the hotel. He however failed to comply with the enforcement notice. The case was then referred to the police for their consideration of prosecution proceedings pursuant to the section 64(7) of the Ordinance. Section 64(7) provides that a data user who contravenes an enforcement notice served on the data user commits an offence and is liable on conviction to a fine at level 5 and to imprisonment for 2 years and, in the case of a continuing offence, to a daily penalty of $1,000.

The defendant denied having received the enforcement notice but during an identification parade he was positively identified by our officer who served the enforcement notice on him at the material time. The defendant was accordingly charged and convicted on his own plea.

In passing the sentence, the Magistrate stated that had the data concerned been used for other commercial purpose, he would have taken the matter much more seriously and imposed a much more severe sentence.

Summer Vacation Roadshows

In a continued effort to raise public awareness about the importance of safeguarding personal data privacy, the PCPD launched a six-week Privacy Summer Roadshow throughout the past summer months.

Entitled "Privacy Summer Fiesta", the kick-off of the Roadshow was held on 7 July at Times Square in Causeway Bay under the auspices of officiating guests including Privacy Commissioner for Personal Data Mr Raymond Tang; Chairman of Wan Chai District Council Mrs Lam Pei Peggy, SBS, OBE, JP; Principal Assistant Secretary for Home Affairs Bureau Mrs Nancy Hui; Mr Lam Wai Sun and Ms Louisa Wong. Members of the public also had the chance to preview the new training video and VCD produced by the PCPD.

Taking a fun and accessible approach in promoting personal data privacy protection, the 'Privacy Summer Fiesta" provided various platforms such as games and exhibitions to highlight their important message. Many celebrities were also invited to participate in game quizzes with members of the audiences to create a positive and informative atmosphere. In addition, 'Privacy Q & A" booth was set up on site, where members of the public could ask questions regarding personal data privacy. The response had been overwhelming, with active audience participation.

A series of roadshows were then held in the following shopping centres: Discovery Park at Tsuen Wan (12-14 July); New Town Plaza at Shatin (18-21 July); Hing Wah Estate at Chai Wan (9-11 August); Maritime Square at Tsing Yi (12-18 August) and Lok Fu Shopping Centre (28 August-1 September). The Roadshows included interesting games on personal data privacy topics, display boards and the distribution of guidance materials, which attracted more than 10,000 visitors.

SME Market Day

The PCPD set up a booth with various government departments and public bodies at the Public Services Pavilion at the SMEs Market Day Exhibition 2002, held at the Hong Kong Convention and Exhibition Centre on 27 and 28 June 2002. The exhibition was organized by the Trade Development Council, and targeted small and medium-sized enterprises (SMEs) in Hong Kong. A presentation was also given by the PCPD, providing visitors an opportunity to understand the Ordinance and of its interpretation and requirements and its implications.

Privacy Protection in Action: TV Advertisement Competition

In order to develop public consciousness in privacy protection amongst the younger generation , the PCPD will join hands with the Hong Kong Federation of Youth Groups in organizing a "Privacy Television Advertisement Competition for Youth".The ultimate goal of the Competition is to foster a culture where respect for others' privacy rights is regarded as a norm in social behavior, and thereby contributing towards the foundation of a stable and caring society.

Contestants are required to produce a TV advertisement of less than one minute long, with the theme of personal data privacy. It is aimed at raising people's awareness of privacy issues and to educate people, especially the young, to respect other people's right of privacy and to cultivate mutual respect in society. Categories include Secondary School Category and Open Category. Secondary School Category participants must be full-time secondary school students while Open Category participants must be Hong Kong residents not over 34 years of age.

Panel of judges will comprise of academics, legal practitioners and a renowned film director. All selected finalists will be invited to meet with members of the panel of judges. The panel of judges will judge on the basis of story content, creativity and technique.

In order to help youngsters/ potential participants learn more about the techniques of TV advertisement filming techniques, creative thinking, as well as personal data privacy protection, the organizers will hold a public seminar on 9 November 2002 (Saturday) at Studio Theatre, Hong Kong Cultural Centre. Guest speakers include Mr Joe Yiu, Assistant Director, Information Services Department; Mr Lee Lik Chee, renowned film director; Mr Daniel Kong, renowned corporate consultant and trainer, and Mr Raymond Tang, Privacy Commissioner for Personal Data as guest speakers. Interested parties please call on 2827 2827 for further information.

The winning entries will also have the opportunity to be broadcast in local TV as well as on some prominent public display network.

Details of the competition will be announced shortly. Interested parties please visit our website at www.pcpd.org.hk, or visit www.u21.org.hk or call on 2827 2827.

Data Protection Workshops Exclusively for Members

The DPOC will organize a series of exclusive workshops in October and November 2002 on 'Human Resource Management and Personal Data Privacy" and 'How to Handle Customers' Personal Data" for members' participation. The workshops will enable members gain a deeper understanding of the interpretation and application of personal data privacy protection. All workshops will be conducted in Cantonese and will be held from 3pm to 5pm at the PCPD Conference Room on the following dates:

DPOC Luncheon Gatherings

In order to foster better communications between the PCPD and its members, the DPOC organized six luncheon gatherings from June to September 2002.

The luncheons were held under informal settings. Members from the similar business sectors were grouped into six separate luncheons so they could share their work experiences with people in a similar capacity in a relaxing atmosphere. Members in general felt that the luncheons provided them a platform in building up a network with other data protection officers to enhance their work experience and knowledge in personal data protection.

Snapshots of the DPOC luncheon gatherings

Plenary Meeting on 12 April 2002

Over 150 members attended the first Club meeting for this membership year at the Hong Kong Convention and Exhibition Centre on 12 April 2002.

Privacy Commissioner Mr Raymond Tang and Deputy Privacy Commissioner Mr Tony Lam took the opportunity to brief members on the Draft Code of Practice on Monitoring and Personal Data Privacy at Work as well as PCPD's latest news and activities.

Mr Raymond Tang presented souvenirs to Mrs Jennie Chor (left), Mrs Monisa Tam (middle)
and Dr Andy Wing-chiu Chan (above)

Members shared experience with the guests (above) and PCPD staff (right)

At the Privacy Forum session of the Meeting, Mrs. Jennie Chor, Assistant Commissioner (Labour Relations) of Labour Department; Mrs. Monisa Tam, Data Protection Committee Member of Hong Kong Institute of Human Resource Management; and Dr. Andy Wing-chiu Chan, Assistant Professor of Hong Kong Polytechnic University, were invited to speak as special guests. Members were able to share views and experiences with the guests on the topical issue of employee monitoring at workplace. The event also drew the attendance of over 30 members of the Civic Education Committee of the Ho Tung Secondary School.

Rate yourself or your company on a scale of 0 to 10 for each question. Then total your score and see how high you rank as a privacy pro. (10 represents "absolutely" and 0 "absolutely not.")

		My Score
	Do you have a Privacy Information Collection Statement (PICS) or Privacy Policy Statement (PPS) for managing personal data that you collect?
	Do you have a PPS or PICS posted prominently on your Web site?
	Is there a designated person in charge of privacy enforcement in your organization?
	Do you have established security procedures in compliance with the requirements of Data Protection Principle 4 in relation to security of personal data?
	Do you have a system for managing consumer inquiries and complaints about privacy?
	Consumers regard the misuse of their personal data as a violation of privacy. Have you reviewed how you collect, retain, use and transfer personal data so it cannot be misused?
	Do you conduct regular privacy training for employees' so that they understand your privacy policy and how to carry it out?
	Do you have privacy policy for managing employees' personal data?
	Do you have a PPS or PICS for any kind of surveillance activities that you take?
	Do you know about Personal Data (Privacy) Ordinance?

Back to top