The Privacy Commissioner for Personal Data (“the Commissioner”), Mr. Allan Chiang, releases today the report on public consultations conducted in 2007 and 2011 respectively on some proposed revisions to the Code of Practice on Consumer Credit Data (“the Code”).
The report sets out the views received, for and against, during the respective consultation periods, and the Commissioner’s observations and conclusions. A copy of the report and the submissions received may be downloaded from the PCPD’s website at: http://www.pcpd.org.hk/english/publications/con_report2011.html.
Public Consultation in January/February 2011
The Proposal
The 2011 public consultation was conducted by the Office of the Privacy Commissioner for Personal Data (“PCPD”) in response to the proposal made by the financial services industry (“the Industry”) to share more comprehensive consumer credit data through the use of a central credit database operated by a credit reference agency (“CRA”). At present, credit providers are already sharing negative mortgage data for residential properties. Under the proposal, positive mortgage data for residential properties as well as both positive and negative mortgage data for non-residential properties (collectively the “Additional Mortgage Data”) will be additionally shared.
The proposal, which has the support of the Hong Kong Monetary Authority (“HKMA”), aims to facilitate comprehensive credit assessment of consumers thereby promoting responsible lending and borrowing and reducing the risk of over-borrowing by consumers. The Industry pointed out that the proposal will benefit the consumers through offer of more favourable terms and pricing on credit facilities to borrowers. The HKMA is of the view that the expanded sharing of mortgage data is necessary for the maintenance of banking and financial stability in Hong Kong in the longer term. The HKMA has emphasized that responsible borrowing and lending would mitigate the risk of possible property bubble forming and subsequent bursting.
During and after the 5-week consultation period, the PCPD has collected many views expressed by members of the public, Legislative Councilors, District Councilor, political party, academics, members of the legal profession, public organizations, private organizations, professional bodies and associations representing various trades and industries. In particular, the PCPD received 56 written submissions and solicited the views of 877 individuals through a structured questionnaire interview.
Having duly considered the diverse views received, the Commissioner concluded that the Industry has not made out a convincing case that their proposal would benefit the consumers directly and tangibly. Not a single credit provider has volunteered a definitive undertaking that the credit terms and pricing would definitely become more favourable with the implementation of the Industry proposal. Nevertheless, the Commissioner is convinced that the Industry proposal will lead to responsible borrowing and lending. In turn this is, albeit to some extent only, conducive to stabilizing the property market and the banking system. He notes with comfort that this conclusion is in line with the general perception held by the public.
The 6 Privacy Issues
The Commissioner recognizes that the Industry proposal has important implications on data protection and privacy. It has been widely acknowledged that consumer credit data are very private to the individuals concerned. Serious consequences may arise if the credit data are mishandled. Hence, despite the merits of the Industry proposal, its acceptability has to be assessed against consumers’ right of data protection as provided under the Personal Data (Privacy) Ordinance (“the Ordinance”). The privacy concern is whether the Additional Mortgage Data proposed to be shared are necessary and not excessive for the purpose of their intended use, and, if so, what safeguards need to be put in place to ensure data protection.
There are six privacy issues involved in the Industry proposal. A description of these issues and the Commissioner’s determinations in this regard is at the Appendix. This can be summarized as follows.
Privacy Issue 1
The issue is whether the sharing of the Additional Mortgage Data is necessary and not excessive for the purpose of credit risk assessment. The Commissioner has concluded in the affirmative.
Privacy Issue 2
The issue is whether the items of mortgage data proposed to be shared between the CRA and the credit providers are not excessive for the latter’s credit assessment purposes. The Commissioner accepts that they are not excessive except that ‘gender’ could be deleted from the data collection list as it contributes only marginal enhancement to the reliability of customer identification by the CRA.
Privacy Issue 3
The issue is whether it is appropriate for the Additional Mortgage Data in respect of pre-existing mortgages at the time of the implementation of the proposal to be contributed by the credit providers to the CRA, with or without prior explicit notification to the consumers. The Commissioner supports the Industry proposal of sharing pre-existing mortgage data for negative mortgage data but not for positive mortgage data unless prescribed consent is obtained from the consumers.
Privacy Issue 4
The issue is whether it is appropriate to permit, subject to the consumers’ written consent, access to the Additional Mortgage Data by the credit providers to evaluate not only mortgage loan applications but also to assess other new consumer credit applications as well as review and renewal of the consumers’ existing credit facilities.
The Commissioner has concluded that sharing of mortgage data for credit assessment of non-mortgage related credit facilities, irrespective of the amount of the credit, would be excessive in the case of positive data but not excessive in the case of negative data. He considers that a threshold amount of the credit facility involved should be set under which no access to positive mortgage data by the credit provider should be allowed. Pending the Industry’s submission of such a threshold to the satisfaction of HKMA and PCPD, he would restrict the sharing of positive mortgage data to mortgage loan application and review of existing mortgage loans only.
Privacy Issue 5
The Industry proposal is to incorporate a 24-month transitional period before access to the Additional Mortgage Data is allowed for general portfolio reviews of consumers’ credit-worthiness. The Commissioner is pleased to accept the proposal.
Privacy Issue 6
The issue is what and how additional privacy safeguards should be imposed upon the CRA and the credit providers consequent to an enlarged credit database and greater sharing and use of the mortgage data.
The Commissioner notes that the consultation exercise has aroused the community’s interest in the existing system of sharing of consumer credit data between the CRA and the credit providers. People are generally concerned about whether the CRA is measuring up to their expectations. The consensus view collected supports the Commissioner’s suggestions that additional privacy safeguards should be imposed upon the CRA consequent to the proposed enlarged credit database and greater sharing of the mortgage data. Accordingly, the Commissioner will revise the Code to incorporate additional post-implementation safeguards.
Public Consultation in May/June 2007
In May 2007, the Commissioner published a consultation paper proposing certain revisions be made to the Code covering three aspects, namely, (a) technical amendments as a result of the expiration on 1 June 2005 of the twenty-four month transitional period during which credit providers were generally barred from accessing positive credit data in the course of renewal or review of existing credit facilities; (b) amendments relating to the retention of the data in respect of write-off accounts due to a bankruptcy order being made; and (c) miscellaneous amendments. Written submissions were received from 10 stakeholders. Having duly considered the views of these submissions, the Commissioner has decided on the revisions to be made to the Code.
Concluding Remarks
The Commissioner believes he has in his determinations safeguarded personal data privacy to the fullest extent as provided under the Ordinance. He would like to thank all individuals and organizations who have thoughtfully and generously contributed to the discussion of the important privacy subject of protection of consumer credit data. Their views have been instrumental in his determination on the privacy issues involved.
On the basis of the Commissioner’s determinations, the Code will be revised accordingly and the amendments will take effect through publication by notice in the Gazette on 1 April 2011.
END
Appendix
Commissioner’s Determinations on Privacy Issues
Privacy Issue 1
The issue is whether the sharing of the Additional Mortgage Data is necessary and not excessive for the purpose of credit risk assessment. The Commissioner has concluded in the affirmative.
The Commissioner does not agree with the opponents’ view that the additional mortgage information proposed could not be necessary for the purpose of credit risk assessment until real evidence is produced to prove the causal relationship between the absence of such information and the adverse consequences it will bring about. In view of the wider public interest implications of the Industry proposal and the importance of mortgage loans in the Hong Kong’s finance sector [they represent 40% of the banks’ lending market and probably the most substantial part of a consumer’s credit portfolio], the Commissioner considers that he should adopt an anticipatory approach in making a determination on this privacy issue. This is different from the remedial approach adopted in 2003 when the decision to allow credit providers to disclose and share their customers’ positive credit data for unsecured loans was made after a spate of delinquent consumer debts and personal bankruptcies caused by many consumers’ over-commitment in unsecured loans.
In adopting this view, the Commissioner takes comfort from the fact that in U.S.A., U.K. and Canada, both positive and negative mortgage data are being shared. In Australia, draft legislation to permit sharing of the additional positive data was released by the Government in January 2011 and scheduled for passing in 2012. In all these four jurisdictions, non-residential mortgages are not considered as consumer credit loans and hence data-sharing are not regulated as such. The Industry proposal is to include non-residential mortgage data in consumer credit data sharing The Commissioner sees no objection to this proposal, as both residential and non-residential mortgage data relate to the consumer's total indebtedness and there is no logical distinction between the two types of data for credit assessment purposes.
Privacy Issue 2
The issue is whether the items of mortgage data shared between the CRA and the credit providers are not excessive for the latter’s credit assessment purposes.
As far as negative mortgage data are concerned, the Industry proposal is to share the same items of negative data for non-residential mortgages as currently provided under the Code for residential mortgages. The Commissioner accepts that this is not excessive.
As far as positive mortgage data are concerned, the Industry proposal is to restrict credit providers' access to the CRA database to the number of mortgages only. The Commissioner agrees this is the absolute minimum. After reviewing the operational needs of the CRA, he is also satisfied that the Industry proposal for the CRA to collect 10 mortgage data items (viz. name; capacity; Hong Kong Identity Card (HKID) number or travel document number; date of birth; gender; correspondence address; account number; type of facility; account status and closed date) is not excessive.
The Commissioner is aware of the view that the HKID number, being unique, should prima facie suffice for customer identification purpose. However, it is understood that an individual may supply his travel document instead of HKID to secure a mortgage loan and for some countries the travel document number does change when the document is renewed. It is therefore necessary for the CRA to use a combination of personal data in order to identify accurately the customer through data matching. Accuracy is important because it is the customer applying for credit who will suffer from a credit report wrongly compiled due to mismatched data. Nevertheless, the Commissioner considers that ‘gender’ could be deleted from the data collection list as it contributes only marginal enhancement to the reliability of customer identification.
Privacy Issue 3
The issue is whether it is appropriate for the Additional Mortgage Data in respect of pre-existing mortgages at the time of the implementation of the proposal to be contributed by the credit providers to the CRA, with or without prior explicit notification to the consumers.
The Commissioner notes from the views he received the overwhelming objection to the Industry proposal in this respect. While the issue is largely an interpretation of the legal requirements under the Ordinance, the layman’s view, as gauged from the household surveys, is also overwhelmingly against the Industry proposal.
The Commissioner has sought advice from a Senior Counsel on this matter. He agrees with the advice obtained that the purpose of data collection from the customer by the credit provider is to enable the credit provider to consider the original mortgage application, not to enable the credit provider to supply the same whether directly or indirectly to another credit provider in the future for the latter to consider whether to grant any credit to the same customer. Accordingly, the use of the pre-existing mortgage data as proposed by the Industry is not in accordance with the requirements under the Ordinance, unless the prescribed consent of the customer is obtained.
The Commissioner shares the concern of the Industry and HKMA that the exclusion of the pre-existing positive mortgage data would render the credit database significantly less useful in the immediate future. However, he cannot act beyond the bounds of law to address this deficiency. Meanwhile, the Commissioner notes that even if the contribution of pre-existing mortgage data is allowed, the banks would only make arrangements on a best-effort basis, subject to the data being electronically available on their systems. He opines that if the credit providers have the will to work together to improve the reliability of credit assessment, they do have means other than sharing data through CRA as the Industry originally proposed, albeit less operationally convenient.
Following the advice of the Senior Counsel he engaged, the Commissioner has drawn a distinction between positive mortgage data and negative mortgage data in considering the Industry proposal. In the case of negative credit data, since the customer is already in default of his repayment obligation, it would give rise to some more serious risks of default if he were to be given further credit or new credit. On this basis, the Commissioner would invoke an exemption under the Ordinance to permit sharing of pre-existing negative mortgage data of non-residential mortgages. This is in line with the arrangements for sharing pre-existing negative mortgage data for residential mortgages when the Code was last revised.
In short, the Commissioner supports the Industry proposal of sharing pre-existing mortgage data for negative mortgage data but not for positive mortgage data unless prescribed consent is obtained from the consumers.
Privacy Issue 4
The issue is whether it is appropriate to permit, subject to the consumers’ written consent, access to the Additional Mortgage Data by the credit providers to evaluate not only mortgage loan applications but also to assess other new consumer credit applications as well as review and renewal of the consumers’ existing credit facilities.
The Commissioner notes that under the current credit assessment practice, credit providers generally do not require detailed financial data (such as mortgage data) in processing applications for some credit facilities (such as tax loan). Further, overall loan delinquency and credit card bad debt have since 2003 improved significantly without the benefit of sharing positive mortgage data. Also, both the number of personal bankruptcies and the average amount of indebtedness have dropped. He concludes therefore that sharing of positive mortgage data for credit assessment of non-mortgage related credit facilities, irrespective of the amount of the credit, would be excessive. However, he sees no objection extending the existing arrangement of sharing negative data for non-mortgage credit applications/renewals/reviews from residential mortgages to non-residential mortgages.
The Commissioner considered that a threshold amount of the credit facility involved should be set under which no access to positive mortgage data by the credit provider should be allowed. Pending the Industry’s submission of such a threshold to the satisfaction of HKMA and PCPD, he would restrict the sharing of positive mortgage data to mortgage loan application and review of existing mortgage loans only.
Privacy Issue 5
The Industry proposal is to incorporate a 24-month transitional period before access to the Additional Mortgage Data is allowed for general portfolio reviews of consumers’ credit-worthiness. The question is whether the length of this period is appropriate. The Commissioner is pleased to accept the proposal which has received overwhelming support from the stakeholders and the general public.
Privacy Issue 6
The issue is what and how additional privacy safeguards should be imposed upon the CRA and the credit providers consequent to an enlarged credit database and greater sharing and use of the mortgage data.
The Commissioner notes that the consultation exercise has aroused the community’s interest in the existing system of sharing of consumer credit data between the CRA and the credit providers. Apparently, public awareness and perceived importance of personal data privacy are much higher than it was in 2003 when the Code was last revised. People are generally concerned about whether the CRA is measuring up to their expectations. The consensus view collected supports the Commissioner’s suggestions that additional privacy safeguards should be imposed upon the CRA consequent to the proposed enlarged credit database and greater sharing of the mortgage data.
Accordingly, the Commissioner will revise the Code to incorporate the following additional post-implementation safeguards:
(a) The CRA should arrange an independent compliance audit which should commence after 6 months but within 7 months from the implementation date, with a view to submitting to the Commissioner an audit report on the sharing of the Additional Mortgage Data no later than 3 months from the date of commencement of the compliance audit.
(b) To ensure a reasonably practicable IT security arrangement is in place, its regular compliance audits should include an audit on the IT security arrangement of the CRA covering the control objectives of the ISO/IEC 27002 Best Practice on Information Security Management (or its equivalent as approved by the Commissioner).
(c) The CRA should not transfer the consumer credit data held by it to any place outside Hong Kong unless the purpose of use of the data for such transfer is the same as or directly related to the original purpose of collection of the data.