Date: 5 June 2023
Privacy Commissioner’s Office Proactively Commences Compliance Checks
of All Credit Reference Agencies
to Ensure the Data Security of Credit Reference Databases
The Office of the Privacy Commissioner for Personal Data (PCPD) published an investigation report on the unauthorised access to the credit data in the TE Credit Reference System last Thursday (1 June). As a result of the investigation, the Privacy Commissioner for Personal Data (Privacy Commissioner), Ms Ada CHUNG Lai-ling, found that the operator of the TE Credit Reference System had failed to take all practicable steps to protect the personal data in the TE Credit Reference System against unauthorised or accidental access, processing, or use, and inappropriately retained over 50,000 credit records longer than was necessary, thereby contravening Data Protection Principle (DPP) 4(1) in Schedule 1 to the Personal Data (Privacy) Ordinance (PDPO) relating to the security of personal data and DPP2(2) relating to the duration of retention of personal data respectively. The Privacy Commissioner has served an enforcement notice on the relevant operator, directing it to remedy the contraventions and prevent recurrence of similar contraventions.
In the light of the findings of the above-mentioned investigation report, and the concern raised by the community on the handling of borrowers’ credit data by credit reference databases in Hong Kong, the PCPD will proactively commence compliance checks of all credit reference agencies in Hong Kong in order to ensure the protection of the personal data privacy of borrowers and the data security of credit reference databases. The checks will cover whether the security measures adopted by the credit reference agencies in respect of the credit data of borrowers and the retention period of such data comply with the requirements of the PDPO
Any person who suspects that his or her credit data has been accessed inappropriately, or prolongedly retained, may enquire with relevant credit reference agencies, or make enquiries or complaints to the PCPD (telephone: 2827 2827 or email: email@example.com / firstname.lastname@example.org).