Publications and Videos
Newsletter
PRIVATE
THOUGHTS (on-line version)
The Code of Practice on Consumer Credit Data ("the Code") was issued by the Privacy Commissioner for Personal Data ("the Commissioner") in February 1998, and came into operation in November of the same year. The basic aim of the Code was to regulate the handling of consumer credit data by credit providers and credit reference agencies. The issuing of the Code was considered to be necessary because, when a citizen has dealings with a financial institution not for a business purpose, e.g. obtaining a personal loan, such transaction will inevitably give rise to information about his financial behaviour, e.g. whether or not there may be subsequent default in payment. Such data will be valuable in assisting in the overall assessment of the credit-worthiness of the individual in any future transactions. It follows that financial institutions may wish to be able to access the credit history of individuals for the purpose of their credit assessment. In one sense, to allow financial institutions to do so is also in the public interest, since this will help to prevent subsequent bad debts from arising, hence preserve the health and stability of the local financial industry as a whole. However, since the credit data amount to the personal data of the individuals concerned, unlimited access to such information by financial institutions would possibly give rise to misuse and to contravention of the Personal Data (Privacy) Ordinance ("the Ordinance"). With a view to strike the right balance between the competing interests, the Commissioner therefore issued the Code pursuant to his power under section 12 of the Ordinance. Under the Code, a credit reference agency may collect from different credit providers credit data about an individual, put them together in the form of a credit report, and provide the same to a credit provider who may make an enquiry on the individual. Besides data from credit providers, the credit report may also include information from public sources, e.g. information about writs and bankruptcies. The important point to note, however, is that the collection, handling, retention and transfer of all of the said information by credit providers and credit reference agencies are subject to strict control under the Code. From the past three and a half years' operation of the Code, it has come to the attention of the PCPD that certain revisions to the Code may be appropriate. First, in view of the change in economic climate and rising default rate among borrowers in general, it has been suggested that a broader basis for credit assessment is necessary. With this in mind, the PCPD is now considering relaxing the relevant provision in the Code to allow credit reference agencies to retain data relating to credit applications by individuals for a period of five years (as opposed to merely 90 days as currently allowed). Furthermore, in order to give credit providers a more objective basis for evaluation, the proposal is under consideration to allow credit reference agencies to conduct credit scoring, i.e. to use a statistically-tested algorithm to generate an overall credit score on each individual on which an enquiry is received, based on other data held on the individual. Another area in which revision to the Code is considered desirable relates to the change in bankruptcy law in Hong Kong. Under the new law, after an individual has been declared bankrupt, a discharge in bankruptcy will occur automatically after the expiry of a certain number of years. When such automatic discharge happens, the fact of the discharge may not be publicly announced. This has created difficulty in that, under the current Code, any automatic discharge from bankruptcy may not be reflected in the records of a consumer credit reference agency in relation to the individual in question. It is therefore proposed to amend the Code to make it clear that the onus is on a discharged bankrupt to notify the fact of such discharge to a credit reference agency. Such a change to the Code, if implemented, will also be supplemented by public education to bankrupt persons in this regard. Under section 12(9) of the Ordinance, before revising any code of practice issued by him, the Commissioner should consult with such interested parties as he considers appropriate. Accordingly, a Consultation Paper on amendments to the Code was issued by the PCPD in May 2001. A total number of 18 responses to the Consultation Paper have been received. As a second stage to the consultation, the PCPD has now raised further questions to relevant parties with the view of fine-tuning some of the proposed amendments. After this is done, the Commissioner will proceed to amend the Code, which amendments are expected to improve the Code as a basis on which credit evaluation on individuals may be carried out. by Eric Pun
Broadcast on Radio Television Hong Kong on 4 August 2001 [Image of image] 4 August 2001 Dear Raymond, Thank you very much for your e-mail and kind regards. You said you felt shocked when you, learned from the news that I had decided to leave the post of Privacy Commissioner for Personal Data upon expiry of my five-year contract because all along, you are very appreciative of my performance. Thank you very much for speaking highly of me. In fact, if you have knowledge of my work history, you would know why I come to this important decision. I have worked in the government, the banking sector and the IT profession during which I have made different endeavours and have faced new challenges. By doing so, I have derived great satisfaction from my work. On looking back, during the past five years when I was Privacy Commissioner for Personal Data, I had overcome many hurdles and had won the support of people of various sectors. The Personal Data (Privacy) Ordinance, which offers protection to the Hong Kong people in respect of their personal data privacy, became effective in December 1996. At that time, the society as a whole did not attach importance to personal data privacy, the organizations were not concerned about personal data privacy and the public did not know much about their rights under the Ordinance. In those circumstances, to promote a cultural shift in our society of 7 million people was in no way easy. At that time, my most important job as Privacy Commissioner was to enlighten members of the public on the importance of personal data privacy, the reasons why personal data should be reasonably and suitably protected and what rights they have under the present Ordinance. For example, people have the right to make access and correction request to any organization in Hong Kong with respect to their personal data. In case they find that their personal data have been misused, they have the right to make a complaint to our office. Let me quote here a very successful example of cultural shift. For many years, the Hong Kong Identity Card is a well-acknowledged document of identification. It is because of this widely accepted belief that in many cases, for example, in the application for jobs, booking of sports grounds and renting of bicycles, the organizations concerned often unnecessarily request for the photocopying of the identity card and even keep the identity card as security. Such a request may have contravened the "excessive collection of personal data" principle of the Ordinance and at the same time may also cause serious consequences to the individuals concerned. I think that you may still remember that years ago when it was much easier to obtain ID card copies, some rascals swindled money by impersonating property owners and sold their property. The consequence was that the unfortunate buyer not only had no claim on the property but also had to be responsible for the mortgage loan. The first important task after I became Privacy Commissioner was to compile the Identity Card Code of Practice to explicitly restrict the use of identity cards. The Code specifically provides when the ID numbers can (cannot) be recorded or when the ID card copies can (cannot) be made. Such guidelines not only promote the awareness of the public and the organizations on the use of the information contained in the identity cards but also reduce the incidence of frauds by impersonation. Another promotion target of equal importance are the local organizations. Both the government departments as well as the private sectors, in the courses of their operation, have the obligation to comply with the six data protection principles of the Ordinance in the collection and use of the citizens' and their clients' or staff's personal data. It is believed that in recent years, members of the public, in applying for services such as the opening of bank accounts or the provision of mobile phone services, have found that the government departments, the industrial and business organizations, banks, telecommunication companies etc. all state in their application forms the purpose of collection of personal data and that the consent of the data subjects must be obtained should there be any change in the use of the data collected. In the
early stage when I was Privacy Commissioner, in the course of exchanging
views with the industrial and business sectors, I found that they had
reservations about the need to protect their clients' and staff's personal
data. They were of the view that it would bring about extra work and would
affect administration and operation efficiency. However, I often preach
this : "The respect for personal data privacy rights is not purely for
lawful compliance ; the respect for the rights of the citizens, staff
and clients has become an important factor of success in the provision
of services and products in this society of technological advancement.
Without the confidence and trust of the members of the public, organisational
endeavours are bound to result in failure." In our annual baseline survey
of organizations, it was found that the percentage of organizations that
generally agreed to this perspective had increased significantly from
40% in 1997 to 80% this year. This percentage exceeds that of any country
over the world. Hong Kong should be proud of this and I am very delighted. I will
soon leave my present position. My greatest delight is that I believe
we have already laid a solid foundation for our work. But my greatest
regret is that I have to leave my colleagues who have been working so
hard together with me for 5 years. Through their untiring efforts, the
PCPD has won the acclaim of the public for a job well done. Sincerely,
Collection
of ID Card Number by A car park management company (the company) requested a car park user to produce his identity card number for registration when entering a car park for parking. The company claimed that the practice had been enforced to ensure the safety measure ever since there were cars stolen. The user refused to provide such data on the basis that the data required were unnecessary and thus lodged a complaint to the PCPD. Data Protection Principle 1 (DPP1) provides that personal data shall be collected for a lawful purpose directly related to a function or activity of the data user, that the data are adequate but not excessive in relation to the purpose. For the purpose of preventing crime such as car theft, the PCPD is of the view that the recording of the license plate number of visiting cars either on the parking ticket, or some "exit pass" or coupon, which should be carefully kept by the drivers, should generally serve as an adequate alternative to the collection of identity card numbers of drivers. On the advice of the PCPD, the company agreed to stop recording identity card numbers of car park users. The PCPD welcomes the company's cooperative attitude and its willingness in resolving the case with pragmatic practices to ensure that the collection of car park users' personal data would not be excessive.
Public Seminar : "How Can Parents Keep Their Children Safe on the Internet"
The Asian HR Awards [Image of image]Mr Stephen Lau, the Privacy Commissioner for Personal Data , recently received the "Outstanding Contribution to Human Resources" award at the Asian HR Awards in June in Hong Kong. The prize presentation ceremony was held on 27 June 2001 at Hotel Nikko. The award recognizes the contribution of any organization, institution or individual that has made an outstanding effort in raising the profile and level of professionalism in Human Resources practice. Mr Lau received recognition for his efforts in drafting and introducing the Code of Practice on Human Resource Management, which offers practical guidance on personal data privacy in relation to employment data. This code has gained wide support by employers and human resources practitioners. SME Market Day [Image of image]The PCPD participated at the SMEs Market Day Exhibition 2001 from 5 to 6 July. The exhibition, organized by the Trade Development Council, provides support for Hong Kong's small and medium-sized enterprises (SMEs). The PCPD was among the 15 government departments and public bodies that set up booths at the Public Service Pavilion at the exhibition. A presentation was given by the PCPD, providing visitors an opportunity to understand the Ordinance and of its interpretation and requirements and its implications for SME's. Summer Consumer Road Shows [Image of image]A
series of consumer road show were staged at five shopping centres during
the summer months. Catered for parents and school children who were at
their leisure during the summer holiday, the PCPD displayed promotional
panels at various shopping centres, to raise the awareness of personal
data privacy among people from all walks of life. [Image of image]The road shows were held at Hau Tak Estate Shopping Centre (14-15 July), Yiu Tung Estate (21-22 July), Tsz Wan Shan Shopping Centre (28-29 July), Lok Fu Shopping Centre (18-19 August) and New Town Plaza (25-26 August). Fact Sheet on Recruitment Advertisements [Image of image]The PCPD has recently issued a fact sheet on "Frequently asked questions about recruitment advertisements" providing clear guidelines on the requirements of the Code of Practice for Human Resource Management in relation to employment personal data. Under the Code, recruitment advertisements that directly solicit personal data from job applicants and those that do not identify the parties that have placed them are prohibited. The Code was issued by the Privacy Commissioner for Personal Data in September 2000 and came into effect in April 2001.
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Back to top | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
End of Page
[Annual Report] [Code of Practice/ Guideline & Explanatory Booklet] [Consultation Document/ Report] [Newsletter] [Guidance Note & Fact Sheet] [Leaflet & Form] [Opinion Survey] [Others] [Investigation Report / Inspection Report] [Information Book]
[About PCPD] [The
Ordinance] [PCPD Activities]
[Information Centre] [Privacy
Zone for Youngsters (Games)]
[Publications & Videos]
[Enquiries & Complaints]
[Case Notes] [Contact
Us] [Search] [Site
Directory] [Graphical Version]
[Chinese Version]
Notice/Copyright 2001 Office of the Privacy Commissioner for Personal Data, Hong Kong. All rights reserved. Disclaimer