Date: 20 December 2022
Privacy Commissioner’s Office Publishes an Inspection Report on the Personal Data System of TransUnion
The Office of the Privacy Commissioner for Personal Data (PCPD) today published an Inspection Report on the personal data system of TransUnion Limited (TransUnion).
With the advancement in technology and the wide use of TransUnion’s services, there is an increasing public expectation on the data security measures adopted by TransUnion as regards its consumer credit database. In the circumstances, the Privacy Commissioner for Personal Data (the Privacy Commissioner), Ms Ada CHUNG Lai-ling, invoked the power vested in her under section 36 of the Personal Data (Privacy) Ordinance (PDPO) to carry out an inspection to review the personal data system of TransUnion.
On 28 November 2022, TransUnion Credit Information Services Limited, a wholly owned subsidiary of TransUnion, has been appointed as one of the credit reference agencies under the Multiple Credit Reference Agencies Model developed by The Hong Kong Association of Banks, the Hong Kong S.A.R. Licensed Money Lenders Association Limited, and The Hong Kong Association of Restricted Licence Banks and Deposit-taking Companies.
The findings of the inspection reveal that, during the inspection, TransUnion’s consumer credit database stored the personal data and consumer credit records of over 5.6 million consumers. In general, TransUnion attached great importance to the personal data held by it, adopted good practices and the security measures of its consumer credit data system conformed with international standards. The Privacy Commissioner is also pleased to note that TransUnion has accepted the advice of the PCPD in implementing a Personal Data Privacy Management Programme and appointing a designated officer as the data protection officer to institutionalise a proper system for the collection, handling, processing and use of personal data in compliance with the PDPO.
The Privacy Commissioner considers that in the protection of personal data, TransUnion has complied with the requirements of Data Protection Principle 4 of Schedule 1 to the PDPO as regards the security of personal data.
The above notwithstanding, the Privacy Commissioner recommends TransUnion to formulate internal policies and standards which are applicable in Hong Kong based on its global policy, set out the roles and responsibilities of the Data Protection Officer more clearly, standardise the procedures of managing internal activity log records, revise its policies relating to the handling of suspected abnormal access by credit providers, and conduct regular and timely reviews on the practices of its data processors in handling personal data.
During the inspection, TransUnion launched a free “Credit Alert Service” on the advice of the PCPD, which alerts service subscribers by email whenever there are crucial changes to their credit reports (e.g. changes of telephone numbers or addresses, or when there are application enquiries or opening of accounts), so that the individuals concerned are aware of the changes in their credit reports and may take early preventive measures or remedial actions. Besides, TransUnion also launched a new feature, on the advice of the Privacy Commissioner, to allow individuals who were victims or suspected victims of doxxing to add remarks to their credit reports, thereby alerting credit providers using the consumer credit reference service of TransUnion (i.e. banks or financial institutions) to the matter when reviewing the credit reports and assessing the individuals’ credit applications.
The Privacy Commissioner, Ms Ada CHUNG Lai-ling, said, “In view of the introduction of multiple credit reference agencies in Hong Kong, I hope that the findings and recommendations made in this inspection report would not only assist TransUnion to further enhance its personal data security, but also serve as a reference to other credit reference agencies in ensuring compliance with the requirements of the PDPO and the Code of Practice on Consumer Credit Data.”
Through the findings of the inspection, the Privacy Commissioner would like to make the following recommendations to organisations which handle vast amounts of customers’ personal data:
-
Establish a Personal Data Privacy Management Programme and appoint a Designated Officer as Data Protection Officer;
-
Formulate a local policy;
-
Fulfil corporate social responsibility and strive to enhance the protection of personal data privacy;
-
Monitor access to personal data; and
-
Prudently appoint and manage data processors.
Download “Inspection Report: Personal Data System of TransUnion Limited”:
https://www.pcpd.org.hk/english/enforcement/commissioners_findings/files/r22_0684_e.pdf
-End-