This quarterly newsletter of the PCPD provides guidance on good data protection practices to organizations.


PRIVATE THOUGHTS (on-line version)
(Newsletter of the Office of the Privacy Commissioner for Personal Data, Hong Kong)
October 2002 Issue No.10

The Sharing of Positive Credit Data
 

The Privacy Commissioner Mr Raymond Tang issued a consultation document on 28 August 2002 to seek the public's views on a set of proposed provisions on consumer credit data protection in relation to the sharing of positive credit data. The proposal suggests relaxing certain provisions of the Code of Practice on Consumer Credit Data ("the Code") as a measure to help alleviate the problem of growing consumer indebtedness and personal bankruptcies.

A consumer's credit information is personal and private to the individual concerned. The industry's proposal to share positive credit data raises privacy issues that may affect an individual's personal data privacy.

In January 2002, the Government announced a high-level Roundtable Discussion among industry representatives and government officials to find ways to tackle the problem of rising default rates on loans and credit cards. The PCPD was invited to participate in the discussions. The industry proposed to introduce a greater sharing of positive credit data via a credit reference agency as one of the measures to improve the current consumer-lending environment. In June 2002, the PCPD set up a working group to study the industry's proposal.

The Privacy Commissioner Raymond Tang and Professor Dilip Soman (right) of the HK University of Science & Technology interviewed by ATV "Newsline" host Frank Ching

"There are many factors contributing to the rising level of bankruptcy, which has significant social as well as economic impacts. We do not regard the proposal for greater sharing of credit data as a cure for this problem but believe that credit information transparency benefits both credit providers and borrowers in facilitating an efficient credit environment and promoting a responsible lending and borrowing relationship. Prudent lending policy, coupled with proper use of borrower's credit information could safeguard against over-extension of credit to those individuals who do not have sufficient repayment ability," Tang says.

 

Key features of the draft proposal:

Scope of new credit data

  1. A credit reference agency (CRA) may collect from credit providers information on an individual's credit facilities excluding any residential mortgage loans.
  2. A CRA should not collect from credit providers any information about an individual's personal income, deposits, other assets or non-credit based information such as the individual's employment information.
  3. Credit data reportable by a credit provider to a CRA may include:
     (a) general credit data such as
         (i) credit provider's identity,
         (ii) account opening date,
         (iii) type of facility and currency,
         (iv) approved credit limit, original credit amount or approved credit limit and repayment term of credit card;
     (b) repayment data:
         Credit card:
         (i) remaining available credit,
         (ii) date of last statement and date shown on such statement,
         (iii) date and amount of payment(s) made during last reporting period;
         Other credit facilities:
         (i) remaining available credit,
         (ii) outstanding balance of the account,
         (iii) the date on which repayment last fell due and the amount then due, and
         (iv) date and amount of payment(s) made during the last reporting period;
     (c) account termination data (where applicable):
         (i) date of account termination and
         (ii) the fact that the account had been terminated by full repayment.

Restrictions on data sharing

  1. Upon a date to be specified by the Privacy Commissioner ("the effective date"), a CRA may collect from a credit provider information about an individual's credit facilities where there is a current borrowing relationship.
  2. A CRA should not collect from credit providers any information relating to an individual's credit facility repayment details that occurred prior to the effective date.
  3. A credit report may display information on the individual's credit facilities data reportable by credit providers and other calculated data derived from these data. Display of repayment history records relating to the credit facilities should be limited to the most recent 24 months.
  4. A credit report should not disclose the name of the lender of an individual's credit facilities except where that lender is the credit provider requesting the report.
  5. Credit data used for credit scoring on the individual by the CRA should be limited to data compiled within a period of 5 years immediately preceding the date of the credit scoring.
  6. Repayment history records relating to an individual's credit facility that are accessible by credit providers should be limited to data compiled within a period of 24 months immediately preceding the date of the access.
   
 

Privacy safeguards - Credit provider

Access to credit database

  1. A credit provider may access a CRA's credit data about an individual's credit facility when considering any grant, review or renewal of consumer credit to the individual or to another person for whom the individual proposes to act as a guarantor; or upon default by the individual as principal or as guarantor.
  2. A credit provider is required to update credit data about an individual's credit facility previously disclosed to a credit reference agency at the end of each reporting period not exceeding 31 days to ensure that the individual is not prejudiced by information that may be out-dated.
  3. A credit provider should specify to the CRA the event necessitating the access on each occasion of accessing the database.
The Privacy Commissioner Raymond Tang interviewed by Metro Finance Radio host Ng Ming-lam

Notification to consumers

  1. Upon application for a new credit facility, a credit provider should inform the borrower that, upon full repayment of the account, the borrower may elect to "opt-out" of the use of the account information by a CRA for future credit reporting and scoring purposes.
  2. As a matter of good practice, a credit provider should consider giving to the borrower, as soon as reasonably practicable upon the termination of his account by full repayment, a reminder regarding his choice to "opt-out" of the use of the account information for future credit reporting and scoring.
  3. Subsequently, a credit provider, who is intent upon accessing credit data held by a credit reference agency in respect of a borrower's account which the borrower has previously elected to "opt-out", should seek from the borrower his written consent for it to access such data.
  4. Upon receipt of an "opt-out" request, the CRA should:
     (a) cease using the account information in any future credit reports and for credit scoring concerning the individual; and
     (b) cease making available the account information to other credit providers;
     unless such credit provider has confirmed that it has obtained the individual's written consent to access the information, in which case, the credit reference agency may use that account information for providing a credit report or credit score on the individual.

Privacy safeguards - Credit reference agency

Preventing abusive access

  1. A CRA should implement an access log record system of all instances of access to its credit database by credit providers and keep it for not less than 2 years for examination by its compliance auditor and/or the Privacy Commissioner.
  2. A CRA should promptly report to the senior management of a credit provider and to the Privacy Commissioner incidents involving any suspected abnormal access to its credit database by staff of the credit provider. The credit provider should then undertake a prompt investigation of the incident.

Ensuring compliance

  1. As a matter of good practice, a CRA is recommended, at its own expense, to commission an independent compliance audit annually to verify whether its data management practices are adequate in terms of enabling the agency to comply with the requirements of this Code.

Other regulatory control measures

  1. A CRA should make its credit reference system available for inspection by the Privacy Commissioner.
  2. A credit provider, in deciding on the engagement or renewal of any relationship with a CRA for the provision of consumer credit reference services, should treat as an important criterion the demonstration by the agency of its compliance with the requirements of the Ordinance and of the Code of Practice on Consumer Credit Data.

Implementation safeguards

  1. There should be a twenty-four month transition period following the effective date for the sharing of positive credit data. During that period, credit providers may report positive credit data of existing borrowers to the CRA, but are prevented from accessing and using these data for the purposes of assessing the renewal or review of existing credit facilities of borrowers until after the transition period has elapsed.
  2. The above-mentioned restriction should not apply to new applications for credit made by a borrower to the credit provider during the transition period.

"Co-operation and concerted efforts of all participants in the consumer credit market are necessary to tackle the problem. We are keen to hear the public's views to ensure that a proper balance between the broader public interest and privacy interest of the individual is struck whilst making credit assessment more efficient and rigorous," Raymond Tang says.
Members of the public are welcome to submit their comments to the PCPD in writing on or before 25 October 2002.

The consultation document is available from:
1. PCPD: Unit 2001, 20th Floor, Office Tower Convention Plaza, 1 Harbour Road, Wanchai
2. Public Enquiry Service Centres of District Office
3. PCPD website at www.pcpd.org.hk.

 
PCPD News
 

Code of Practice for Fixed and Mobile Service Operators issued by the PCPD, OFTA, ICAC and Consumer Council

The rapid development of information technology has led to the bulk collection of customers' personal data by fixed and mobile service operators. Such personal data, which include customers' telephone numbers, residential addresses and details of call history, may be sensitive in certain circumstances and of value if used for illicit purposes. Therefore, the Consumer Council (CC), the Independent Commission Against Corruption (ICAC), the Office of the Privacy Commissioner for Personal Data (PCPD) and the Office of the Telecommunications Authority (OFTA) jointly issued the first-ever Code of Practice on Protection of Customer Information for Fixed and Mobile Service Operators (COP) on 17 June 2002. The publication of the COP, which serves as general guidance for fixed and mobile service operators, marks the enhanced efforts and collaboration of the four organizations towards promoting the importance of protecting customer information and interests.

The voluntary COP has set out some good practices that should be adopted by fixed and mobile service operators to prevent unauthorized disclosure of customer information. They cover various issues including ethics and data privacy policy, data classification policy, access control policy, technical measures for protection of customer personal data, location security, staff security and transfer of customer personal data.

It is the PCPD's view that the implementation of data protection policies and measures would safeguard customers' personal data privacy and minimize contraventions of the requirements of the Personal Data (Privacy) Ordinance, which in turn helps to build a trustful relationship between service operators and their customers.

Apart from complying with the requirements of the Personal Data (Privacy) Ordinance, all fixed and mobile service operators are also obliged under the existing telecommunications licence conditions to protect their customer information and should not disclose the information without the consent of the customer for purposes other than those related to the provision of services.

A spokesman for the Consumer Council urged, "In a highly competitive market, consumers should exercise their right to choose the service operators who adopt the COP, and through their choice to ensure a high level of standard and put in place the security measure to protect customer privacy."

In addition, an ICAC spokesperson warned that any staff of service operators who solicits or accepts advantages to release customers' information will be in breach of the Prevention of Bribery Ordinance.

The full text of the COP can now be downloaded from the web sites of:
CC (www.consumer.org.hk),
ICAC (www.icac.org.hk),
PCPD (www.pcpd.org.hk) and
OFTA (www.ofta.gov.hk).

 
Complaint Case
 

The First Conviction Under the Personal Data (Privacy) Ordinance

In April 2001, the PCPD referred a case to the Police for their consideration of prosecution proceedings as a result of the failure by a person to comply with an enforcement notice. Eventually, the defendant was convicted and sentenced to a fine. The successful conviction has sent a clear message to the public that the requirements of the Personal Data (Privacy) Ordinance ("the Ordinance") are not to be taken lightly.

The case originated from a complaint against the defendant, a former hotel telesales consultant, for unfairly collecting and using a customer's data without the customer's or the hotel's approval. The complainant first received a direct marketing call from the defendant, who was promoting the hotel's membership campaign. After being offered very attractive membership packages, the complainant agreed to join the membership and gave her personal particulars to the defendant for the purpose of enrolment. However, she later discovered that the terms of the scheme were totally different from what the defendant had said and therefore lodged a complaint with the hotel. The defendant was subsequently dismissed by the hotel after a number of similar complaints had been received against him. Feeling aggrieved, the defendant took into his possession records of the complainant's personal data and used the data to send out numerous fax letters to the complainant accusing her of causing him to lose the job. Feeling annoyed, the complainant reported the matter to us.

After investigation, the defendant was found to have contravened DPP1(2) of the Ordinance and an enforcement notice was served on him, directing him to return this customer's information to the hotel. He however failed to comply with the enforcement notice. The case was then referred to the police for their consideration of prosecution proceedings pursuant to section 64(7) of the Ordinance. Section 64(7) provides that a data user who contravenes an enforcement notice served on the data user commits an offence and is liable on conviction to a fine at level 5 and to imprisonment for 2 years and, in the case of a continuing offence, to a daily penalty of $1,000.

The defendant denied having received the enforcement notice but during an identification parade he was positively identified by our officer who served the enforcement notice on him at the material time. The defendant was accordingly charged and convicted on his own plea.

In passing sentence, the Magistrate stated that had the data concerned been used for other commercial purposes, he would have taken the matter much more seriously and imposed a much more severe sentence.

 
PCPD Activities
 

Summer Vacation Roadshows

In a continued effort to raise public awareness about the importance of safeguarding personal data privacy, the PCPD launched a six-week Privacy Summer Roadshow throughout the past summer months.

Entitled "Privacy Summer Fiesta", the kick-off of the Roadshow was held on 7 July at Times Square in Causeway Bay under the auspices of officiating guests including Privacy Commissioner for Personal Data Mr Raymond Tang; Chairman of Wan Chai District Council Mrs Lam Pei Peggy, SBS, OBE, JP; Principal Assistant Secretary for Home Affairs Bureau Mrs Nancy Hui; Mr Lam Wai Sun and Ms Louisa Wong. Members of the public also had the chance to preview the new training video and VCD produced by the PCPD.

Taking a fun and accessible approach in promoting personal data privacy protection, the "Privacy Summer Fiesta" provided various platforms such as games and exhibitions to highlight its important message. Many celebrities were also invited to participate in game quizzes with members of the audience to create a positive and informative atmosphere. In addition, a "Privacy Q & A" booth was set up on site, where members of the public could ask questions regarding personal data privacy. The response was overwhelming, with active audience participation.

A series of roadshows were then held in the following shopping centres: Discovery Park at Tsuen Wan (12-14 July); New Town Plaza at Shatin (18-21 July); Hing Wah Estate at Chai Wan (9-11 August); Maritime Square at Tsing Yi (12-18 August) and Lok Fu Shopping Centre (28 August-1 September). The Roadshows included interesting games on personal data privacy topics, display boards and the distribution of guidance materials, which attracted more than 10,000 visitors.

 



SME Market Day

The PCPD set up a booth with various government departments and public bodies at the Public Services Pavilion at the SMEs Market Day Exhibition 2002, held at the Hong Kong Convention and Exhibition Centre on 27 and 28 June 2002. The exhibition was organized by the Trade Development Council, and targeted small and medium-sized enterprises (SMEs) in Hong Kong. A presentation was also given by the PCPD, giving visitors an opportunity to understand the Ordinance, its interpretation, its requirements and its implications.

 

 

Privacy Protection in Action: TV Advertisement Competition

In order to develop consciousness of privacy protection amongst the younger generation, the PCPD will join hands with the Hong Kong Federation of Youth Groups in organizing a "Privacy Television Advertisement Competition for Youth". The ultimate goal of the Competition is to foster a culture where respect for others' privacy rights is regarded as a norm in social behavior, thereby contributing towards the foundation of a stable and caring society.

Contestants are required to produce a TV advertisement less than one minute long, with the theme of personal data privacy. It is aimed at raising people's awareness of privacy issues and educating people, especially the young, to respect other people's right of privacy and to cultivate mutual respect in society. Categories include Secondary School Category and Open Category. Secondary School Category participants must be full-time secondary school students while Open Category participants must be Hong Kong residents not over 34 years of age.

The panel of judges will comprise academics, legal practitioners and a renowned film director. All selected finalists will be invited to meet with members of the panel of judges. The panel of judges will judge on the basis of story content, creativity and technique.

In order to help youngsters and potential participants learn more about TV advertisement filming techniques, creative thinking and personal data privacy protection, the organizers will hold a public seminar on 9 November 2002 (Saturday) at Studio Theatre, Hong Kong Cultural Centre. Guest speakers include Mr Joe Yiu, Assistant Director, Information Services Department; Mr Lee Lik Chee, renowned film director; Mr Daniel Kong, renowned corporate consultant and trainer; and Mr Raymond Tang, Privacy Commissioner for Personal Data. Interested parties may call 2827 2827 for further information.

The winning entries will also have the opportunity to be broadcast on local TV as well as on some prominent public display network.

Details of the competition will be announced shortly. Interested parties may visit our website at www.pcpd.org.hk, visit www.u21.org.hk or call 2827 2827.

 
DPOC Activities
 

Data Protection Workshops Exclusively for Members

The DPOC will organize a series of exclusive workshops in October and November 2002 on "Human Resource Management and Personal Data Privacy" and "How to Handle Customers' Personal Data" for members' participation. The workshops will enable members to gain a deeper understanding of the interpretation and application of personal data privacy protection. All workshops will be conducted in Cantonese and will be held from 3pm to 5pm at the PCPD Conference Room on the following dates:

Topic: "Human Resource Management and Personal Data Privacy"
Dates:
  11 October 2002 (Friday)
  18 October 2002 (Friday)
  22 October 2002 (Tuesday)
  25 October 2002 (Friday)
  29 October 2002 (Tuesday)

Topic: "How to Handle Customers' Personal Data"
Dates:
  5 November 2002 (Tuesday)
  19 November 2002 (Tuesday)
  21 November 2002 (Thursday)
  26 November 2002 (Tuesday)
  28 November 2002 (Thursday)

Enquiry hotline: 2827 2827

DPOC Luncheon Gatherings

In order to foster better communications between the PCPD and its members, the DPOC organized six luncheon gatherings from June to September 2002.

The luncheons were held in informal settings. Members from similar business sectors were grouped into six separate luncheons so they could share their work experiences with people in a similar capacity in a relaxing atmosphere. Members in general felt that the luncheons provided them with a platform for building up a network with other data protection officers to enhance their work experience and knowledge in personal data protection.

Snapshots of the DPOC luncheon gatherings
 

Plenary Meeting on 12 April 2002

Over 150 members attended the first Club meeting for this membership year at the Hong Kong Convention and Exhibition Centre on 12 April 2002.

Privacy Commissioner Mr Raymond Tang and Deputy Privacy Commissioner Mr Tony Lam took the opportunity to brief members on the Draft Code of Practice on Monitoring and Personal Data Privacy at Work as well as PCPD's latest news and activities.

Mr Raymond Tang presented souvenirs to Mrs Jennie Chor (left), Mrs Monisa Tam (middle)
and Dr Andy Wing-chiu Chan (above)

Members shared experience with the guests (above) and PCPD staff (right)

At the Privacy Forum session of the Meeting, Mrs. Jennie Chor, Assistant Commissioner (Labour Relations) of Labour Department; Mrs. Monisa Tam, Data Protection Committee Member of Hong Kong Institute of Human Resource Management; and Dr. Andy Wing-chiu Chan, Assistant Professor of Hong Kong Polytechnic University, were invited to speak as special guests. Members were able to share views and experiences with the guests on the topical issue of employee monitoring at the workplace. The event also drew the attendance of over 30 members of the Civic Education Committee of the Ho Tung Secondary School.

 
How's Your PQ (Privacy Quotient)?
 

Rate yourself or your company on a scale of 0 to 10 for each question. Then total your score and see how high you rank as a privacy pro. (10 represents "absolutely" and 0 "absolutely not.")

   
  1. Do you have a Privacy Information Collection Statement (PICS) or Privacy Policy Statement (PPS) for managing personal data that you collect?
  2. Do you have a PPS or PICS posted prominently on your Web site?
  3. Is there a designated person in charge of privacy enforcement in your organization?
  4. Do you have established security procedures in compliance with the requirements of Data Protection Principle 4 in relation to security of personal data?
  5. Do you have a system for managing consumer inquiries and complaints about privacy?
  6. Consumers regard the misuse of their personal data as a violation of privacy. Have you reviewed how you collect, retain, use and transfer personal data so it cannot be misused?
  7. Do you conduct regular privacy training for employees so that they understand your privacy policy and how to carry it out?
  8. Do you have a privacy policy for managing employees' personal data?
  9. Do you have a PPS or PICS for any kind of surveillance activities that you undertake?
  10. Do you know about the Personal Data (Privacy) Ordinance?
 
Take a minute to add up your total score and grade yourself.
 
Comments

90-100: Congratulations! You've already done a lot of work to implement excellent privacy practices.

80-89: You / your company has made a good start on privacy.

70-79: You've taken a few steps but have more work to do to fully implement excellent privacy practices.

60-69: All the information may not be new to you, but you'll find several relatively simple actions you can take to improve your / your company's practices.

59 or lower: Your privacy grade is incomplete. Try to get more information about the PCPD and subscribe to "Private Thoughts" regularly.

Source: www.bbbonline.org/understandingprivacy
 
 



Copyright 2001 Office of the Privacy Commissioner for Personal Data, Hong Kong. All rights reserved.