Media Statements

Date: 7 April 2019

Privacy Risks Associated with Fintech to be Addressed by Data Ethics
Complementing Fair Enforcement

Privacy Commissioner Speaks to Banking Industry on
Use of Personal Data in Digital Era 

The Privacy Commissioner for Personal Data, Hong Kong (Privacy Commissioner) Stephen Kai-yi WONG was invited to give a briefing to the banking industry entitled “Use of Personal Data in the Digital Era” on 1 April 2019.  
Co-organised by the Hong Kong Monetary Authority (HKMA) and the Hong Kong Association of Banks, the seminar was attended by more than 270 banking practitioners, Stored Value Facility operators and HKMA staff members.  
In the briefing, Mr Wong highlighted the proliferation of Fintech, with its applications enabling innovation in financial services and transforming the operations of the financial industry. Mr Wong also acknowledged that Fintech is penetrating into many aspects of our daily lives.
As a note of advice, Mr Wong addressed some of the privacy risks brought about by Fintech, such as virtual banking and open APIs:
  • Collection and use of personal data without notice or meaningful consent of the users
    • The personal data collected or generated with the use of Fintech, with or without a user’s notice, may be used or disclosed by the providers/operators of Fintech beyond the users’ reasonable expectations, or without the users’ meaningful consent.
  • Use of personal data in unfair or discriminatory ways
    • As an example, credit scoring algorithms assess individuals’ creditworthiness by combining and analysing a sheer volume of public, private and personal data collected from multiple sources. Because this is combined with personal data generated during the interaction between the individual and the lender, or inferred by data analytics, there is a risk that the data fed into the assessment is inaccurate, biased, irrelevant or outdated.
  • Lack of effective means to erase or rectify obsolete or inaccurate personal data
    • Regarding Blockchain, a “block” cannot be deleted or amended even if the data stored in it is obsolete or inaccurate. Service providers/operators of Fintech may lack an effective mechanism to erase or rectify the inaccurate, irrelevant or obsolete data in a timely manner.
  • Data security risks
    • Electronic payments and open APIs involve transmitting personal data electronically among different organisations and end-users, which increases the risk of data leakage or interception during transmission.
  • Obscurity of the identities of data users and data processors
    • The evolving Fintech development would see multiple parties involved in the processing and storage of personal data. 
Mr Wong recommended some good practices for providers/operators of Fintech:
  • Transparency
    • Be transparent about their privacy policies and practices.
    • Adopt plain and user-friendly language to explain the types of personal data to be collected, identify all intended uses of personal data, identify all possible transferees of personal data, and explain users’ rights and the security measures adopted.
  • Minimum personal data collection and retention
    • Collect and retain the minimum amount of personal data.
    • Obsolete personal data should be deleted or de-identified in a timely manner.
  • Clear and genuine options
    • For personal data that is “good to have” rather than necessary for the operation of the Fintech, customers should be provided with clear and genuine options to withhold it.
    • For those uses or disclosures of personal data that are not necessary for or directly related to the operation of the Fintech, customers should be provided with clear and genuine options to opt in or opt out.
  • Accuracy of data and reliability of algorithms
    • Fintech providers/operators should ensure that the personal data to be used is accurate and impartial.
    • Clarification should be sought from the individuals concerned when accuracy of the personal data is in doubt.
    • Algorithms of Fintech should be tested for reliability and fairness.
  • Security of data
    • Both administrative (e.g. policies and procedures) and technical (e.g. logical access control and encryption) security measures should be in place to provide adequate safeguards to personal data in transit and storage.  Procedures in relation to handling of data breach incidents should be developed.
  • Monitor data processors
    • Adopt contractual and/or other means (e.g. field audit) to govern the data processors. 
    • Fintech providers/operators should be clear about the locations where their data processors store and/or process the personal data.
  • Privacy Impact Assessment (PIA) and Privacy By Design
    • At or before the development stage of a Fintech, the providers/operators should conduct a PIA to identify and properly address all potential privacy risks in the entire data processing life cycle of the Fintech.
    • Adopt privacy-friendly design and default settings from the outset.
Mr Wong reiterated that accountability and data ethics are, in addition to fair enforcement of the law, essential solutions to tackle the privacy challenges. In view of the business model and technological development vis-a-vis legislation and regulatory reform, and increasing public expectation, data ethics can effectively be the bridge between the two.
Mr Wong stated that the Ethical Accountability Framework and the concept of data ethics and stewardship in the development are beneficial to Fintech applications. The Data Stewardship Values recommended for organisations when carrying out advanced data processing activities, namely respectful, beneficial and fair, can effectively help Fintech providers/operators address the privacy concerns and enhance customer trust. 
In the presentation, the Privacy Commissioner also stressed that the office of the Privacy Commissioner for Personal Data, Hong Kong (PCPD) will continue to strengthen its roles as Enforcer, Educator and Facilitator.  While upholding the principle of fair enforcement, the PCPD would also engage and incentivise organisations by educating and assisting businesses to set up accountability programmes within their organisations and providing guidance to businesses to cultivate a privacy-friendly culture.
The PCPD has recently issued an information leaflet on Fintech, aiming to introduce some common applications of Fintech with privacy implications, explain the privacy risks involved and provide tips to consumers for protecting their personal data privacy when using Fintech, and at the same time recommend good practices to operators of Fintech for addressing the said privacy risks.  The information leaflet can be downloaded here.
Privacy Commissioner Mr Stephen Kai-yi WONG was invited to give a briefing to the banking industry entitled “Use of Personal Data in the Digital Era”.
Privacy Commissioner Mr Stephen Kai-yi WONG answered questions from banking practitioners after the presentation.
Privacy Commissioner Mr Stephen Kai-yi WONG received a token of thanks from Arthur YUEN, Deputy Chief Executive, Hong Kong Monetary Authority.
Privacy Commissioner Mr Stephen Kai-yi WONG pictured with Arthur YUEN, Deputy Chief Executive, Hong Kong Monetary Authority (first from right), Mary HUEN Wai-yi, Chairperson, Hong Kong Association of Banks (first from left) and Deputy Privacy Commissioner Mr Tony LAM (second from right).