Information Centre

Privacy Commissioner's Finding against HSBC was set aside by the Administrative Appeals Board

 

Date: 29 June 2010 Privacy Commissioner's Finding against HSBC was set aside by the Administrative Appeals Board Background 1.    The Privacy Commissioner for Personal Data (“the Commissioner”) had issued a Code of Practice on Consumer Credit Data (“the Code”) which seeks to regulate the business activities of Credit Reference Agencies (“CRA”) and credit providers (banks, financial institutions, etc.). 2.    A CRA operates a central credit database which collects individuals’ financial information provided by its member subscribers who are credit providers and in return supply them at their request the processed credit data.  3.    The Code, by giving guidance on how credit providers may properly share and access consumer credit data, seeks to strike a balance between protection of individuals’ privacy right in relation to their credit data and “the need to know” on the part of credit providers in their lending business.  It is a compromise which has generally worked well in the past. 4.    The Code permits a credit provider to access the consumer credit data held by a CRA to review existing consumer credit facilities granted to an individual or monitor the indebtedness of the individual when there is currently a default by the individual as the borrower.  The word “review” means consideration by the credit provider of an increase in the credit amount; the curtailing of the credit (including the cancellation of credit or a decrease in credit amount); or putting in place or the implementation of a scheme of arrangement with the individual. The Complaint 5.    The Complainant who held credit cards issued by HSBC discovered that HSBC had accessed his consumer credit data on a monthly basis without his knowledge.  He felt his personal data privacy had been violated and consequently lodged a complaint with the Commissioner. 6.    The Complainant had not been in default with his payments nor had he asked for any increase of credit limit, renewal of credit facilities, preferential program or loan restructuring. 7.    HSBC admitted that it had been pursuing a monthly credit monitoring exercise (the said practice), not only on the complainant but also on all its customers who have existing credit facilities.  The data collected were analyzed by HSBC’s automated system to generate a risk profile (or score) that would alert HSBC which can then increase, decrease or cancel individual customers’ credit facilities.   HSBC claimed that it had given notification to its customers of the credit monitoring exercise in the regular credit card statements. The Commissioner’s Decision 8.    The Commissioner considered the said practice amounted to conducting credit surveillance and monitoring the Complainant’s credit data, neither of which was permitted under the Code (see para 3 above).  Hence he viewed the collection of the Complainant’s credit data by HSBC as unnecessary and excessive (a contravention of Data Proteciton Principle 1(1)). 9.    Inasmuch as HSBC’s main objective was not to review the Complainant’s credit facilities as stated (in small print) in one of its credit card statements to the Complainant, the Commissioner considered HSBC’s notification misleading.  Hence he took the view that the means of collection of the Complainant’s credit data was unfair (a contravention of Data Protection Principle 1(2)). 10.    The Commissioner issued an Enforcement Notice requiring HSBC to cease the said practice; destroy all credit data obtained from the CRA about the Complainant as well as other customers through the said practice.  11.    HSBC appealed to the Administrative Appeals Board (“AAB”) against the Commissioner’s decision. AAB’s Decision 12.    On 3 June 2010, the AAB decided by a two-third majority to allow the appeal and set aside the Enforcement Notice on the ground that HSBC had not contravened any Data Protection Principles. 13.    However, one member of the AAB accepted the Commissioner’s views that it was wrong for HSBC to freely access its customers’ information without restriction and use same to pursue its own business interests in minimizing its overall credit exposure to risk without due regard to the Code. 14.    The other two members disagreed and held that employing the automated system as a way to review the Complainant’s credit facilities fell within the meaning of the Code even though it was not so direct as the traditional manual way of review.  Although the reviews were so frequent that it became a monitoring exercise, it did not take away the character of reviewing the complainant’s credit facilities for the purpose mentioned in the notification i.e. increasing, decreasing or canceling credit amounts.  In fact, the Complainant’s credit card amount was increased in September 2005.  Also, it was not wrong for HSBC to undertake regular risk-based assessments and reviews of all credit facilities which was a lawful purpose directly related to a function and activity of HSBC.  The method employed by HSBC through the automated system required such a large amount of information to do the analysis and for that reason, it could not be said that its collection of personal data was excessive. 15.    These two members also accepted that the collection of credit data was not unfair or unlawful or excessive given that HSBC had considered it effective to use the behavioral credit method which involved the collection of a large amount of personal credit data. The Commissioner’s Perspective 16.    The Commissioner had made his decision from the perspective of a privacy regulator seeking to protect bank customers’ personal data privacy.  He had wanted to restrict access to the positive consumer credit data within what he considered was the limits under the Code.  The AAB’s dissenting view lent support to his decision. 17.    The Commissioner noted that AAB’s decision was made on the specific facts and circumstances of the Complainant’s case, including the fact that his credit facilities had been increased by HSBC during the period.  As there are other similar complaints with different facts and circumstances in the pipeline, the differing views expressed by AAB in this Appeal may well be tested in a future appeal. The Way Forward 18.    The Commissioner wishes to remind the public that a credit report is important to them and they should be aware of their rights under the Code.  They can obtain their own credit reports from the CRA to check the accuracy of their credit data, who has accessed their personal data and the frequency of such access.  Members of the public may ascertain the policy of access to their credit reports adopted by different banks before entering into relationships with them. 19.    Given the sensitive nature of consumer credit data and that the CRAs maintain and process credit data of millions of people regularly, it is in the public interest to ensure that its personal data system is safe and operating in compliance with the law.  For that reason, the Commissioner had decided in March this year to carry out an inspection of the personal data system operated by a major CRA.  The inspection is currently in progress. END Click here to view the AAB's decision   Back to top [Back][Archive]

End of Page

[Media Statement] [Speeches, Articles & Papers] [Exhibition Materials] [Other Related Websites] [Archive] [Other Resources] [On-line Self Training] [Submissions to Public Consultation] [Privacy Commissioner's response following former Deputy Commissioner's conviction] [Response to the loss of medical data by Department of Health] [Privacy Commissioner commits himself to securing patients' data] [Privacy Commissioner commences inspection against Hospital Authority] [Response to data leakage by Immigration Department] [Response to data loss by HSBC] [Privacy is Your Business International Privacy Video Competition] [Privacy Commissioner strives to promote protection of personal data privacy] [Response following former Deputy Commissioner's conviction] [The Privacy Commissioner's clarification on criminalizing data leakage] [The Privacy Commissioner responds to media report today that] [Response to data leakage by the Police] [Progress of Inspection Against Hospital Authority] [The Director of Immigration Department signed formal undertaking] [Speech by Privacy Commissioner at the special meeting of Legislative Council Panel on Home Affairs] [Response to data loss incidents by The Hongkong and Shanghai Banking Corporation Limited] [The Privacy Commissioner completes the Inspection of the Hospital Authority's Personal Data System] [Privacy Commissioner Publishes Inspection Report on Hospital Authority] [Privacy Commissioner explains recommendations on the protection of patients' data privacy] [Privacy Commissioner accepts an Undertaking by HSBC] [Privacy is Your Business International Privacy Video Competition Prize Presentation Ceremony] [Response to Judgment of judicial review application by Cathay Pacific] [Privacy Commissioner welcomes HA's effort to enhance patient data privacy] [Statement by the Privacy Commissioner Following the Judgment made in HCAL 50/2008] [PCPD received a letter from CX Flight Attendants Union] [Impact of Technology on Data Privacy] [Privacy Commissioner responds to taxi industry's proposal of installing CCTVs in taxis] [United Christian Hospital's loss of patients' data] [Privacy Commissioner hosts the 31st APPA Forum] [Privacy Commissioner urges job seekers to be careful when providing personal data] [Launch of a booklet on protection of personal data] [Investigation Report: Employer Collecting Employees' Fingerprint Data for Attendance Purpose] [The Recruitment of Deputy Privacy Commissioner (DPC)] [Response to Media Report on the Use of Fingerprint Recognition System by a School] [Privacy Commissioner Responds to Public Enquiries about the Issue of] [Investigation Report: Tutorial Centre Using a Student's Results Notice for Promotion without the Student's Consent] [Privacy Commissioner Welcomes Hospital Authority's New Measures on the Protection of Patients' Personal Data] [Investigation Report: Food Company Collecting Participants' Personal Data in Lucky Draw Activity] [Privacy Commissioner Responds to] [The need to ensure that individuals are identified by the correct personal identifiers: the case of identification of new born babies] [Public Consultation on Ordinance Review] [] [Response to Media Report on Searching for Others' Personal Data on the Internet] [Privacy Commissioner attended the 31st International Conference of Data Protection and Privacy Commissioners] [Response to Media Enquiries] [The "Value-for-money" Audit Report on PCPD issued by the Director of AuditThe] [Protective measures taken by the Hospital Authority which enhance the protection of new born babies and the accuracy of their personal data] [The Privacy Commissioner issued two investigation reports on data access request fee charged by data users and the proper handling of personal data transferred by data users to their debt collection agency] [A personal statement by Roderick Woo, the Privacy Commissioner] [Office of the Privacy Commissioner for Personal Data's Annual Report won international awards for three consecutive years] [Privacy Commissioner Launches Privacy Awareness Week 2010] [Response to recent discussion about third parties' requests for patients data] [Opinion Survey: Senior Citizens' Attitudes and Perceptions towards Personal Data Privacy] [Public Seminar on] [Privacy Campaign for Insurers] [Google collected Wi-Fi data] [Google collected Wi-Fi data in Hong Kong] [Google collected Wi-Fi data in Hong Kong] [Privacy Commissioner attended the 33rd Asia Pacific Privacy Authorities Forum] [Privacy Commissioner responds to a local magazine's editorial on privacy issues] [Privacy Commissioner Publishes Guidance Note on Data Breach Handling and the Giving of Breach Notifications] [Privacy Commissioner responds to an opinion survey report on Octopus cards and privacy issues] [Privacy Commissioner's Finding against HSBC was set aside by the Administrative Appeals Board] [The Personal Data (Privacy) Ordinance and Octopus Card System] [Privacy Commissioner initiates investigation on the Octopus] [Privacy Commissioner Publishes Information Leaflet on Privacy Impact Assessment] [Privacy Commissioner published new revised edition of a book to provide in-depth interpretation] [The Privacy Commissioner gives interim report on the investigation of Octopus] [The Privacy Commissioner Completed the Compliance Check on Google's Collection of Wi-Fi Payload Data] [The Privacy Commissioner has completed a Privacy Compliance Assessment Report on the Smart Identity Card System] [Collection of Visitors' Fingerprint Data by a Theme Park] [Investigation Report: Beauty Centre Transferring a Client's Personal Data to a Third Party without the Client's Consent] [Hong Kong Letter - Roderick Woo, Privacy Commissioner for Personal Data] [Mr. Allan Chiang took office as Privacy Commissioner] [A short video introducing the Personal Data (Privacy) Ordinance] [Privacy Commissioner reminds data users of the requirements of the Ordinance when engaging direct marketing activities] [PCPD joined APEC Cross-border Privacy Enforcement Arrangement] [Privacy Commissioner discussed organizations’ collection and use of personal data for direct marketing with a political commentary group] [Amended Data Access Request Form takes effect] [Response to media reports on the attendance records of the Personal Data (Privacy) Advisory Committee] [Privacy Commissioner completed investigation on Octopus Holdings Ltd] [Multi-media Information] [Investigation Report – Octopus Rewards Program] [Privacy Commissioner publishes Guidance on the Collection and Use of Personal Data in Direct Marketing] [Privacy Commissioner responds to Government's proposals on Review of the Personal Data (Privacy) Ordinance] [PCPD's Statement regarding investigations into the Octopus Group of Companies] [Hong Kong Letter - Allan Chiang, Privacy Commissioner for Personal Data] [Investigation Report: A Telecommunications Company Authorized Another Company to Conduct Telemarketing] [A Personal Statement by Mr. Allan CHIANG in response to media reports on his handling of a personal data privacy case when he was Postmaster General in 2005] [A Personal Statement by Mr. Allan CHIANG in response to media reports on his handling of personal data privacy cases when he was Postmaster General from 2003 to 2006] [Online Survey of the] [PCPD's Submission in response to Report on Public Consultation on Review of the Personal Data (Privacy) Ordinance] [The Sharing of Mortgage Data for Credit Assessment] [Public Forum on Proposed Revisions to the Code of Practice on Consumer Credit Data] [Privacy concerns about resumption of Google Street View car operation] [Public Consultation on the Sharing of Mortgage Data for Credit Assessment Ended] [Consumer Roadshow on Protection of Personal Data] [Consultation Report on the Sharing of Mortgage Data for Credit Assessment] [Amendments to Code of Practice on Consumer Credit Data To Take Effect]

[About PCPD] [The Ordinance] [PCPD Activities] [Information Centre] [Personal Data Privacy Liberal Studies] [Privacy Zone for Youngsters]
[Publications & Videos] [Enquiries & Complaints] [Case Notes] [Contact Us] [Search] [Site Directory] [Graphical Version]
[Chinese Version]

Notice/Copyright 2001 Office of the Privacy Commissioner for Personal Data, Hong Kong. All rights reserved. Disclaimer