Media Statement-Privacy Commissioner’s Office has Completed the Inspection of the Customers’ Personal Data System of ZA Bank Limited to Ensure Data Security

Date: 9 October 2023

The Office of the Privacy Commissioner for Personal Data (PCPD) today published an Inspection Report on the customers’ personal data system of ZA Bank Limited (ZA Bank).

The rapid development of fintech in the banking industry in Hong Kong in recent years has led to the provision of a one-stop financial service to customers through digital channels. ZA Bank was granted a virtual banking license by the Hong Kong Monetary Authority in March 2019 and became the first virtual bank in Hong Kong in March 2020. The Bank delivers digital banking services to customers mainly through the Internet and mobile applications. Having considered that virtual banks handle vast amounts of sensitive personal data on a daily basis, the Privacy Commissioner for Personal Data (Privacy Commissioner), Ms Ada CHUNG Lai-ling, invoked the power vested in her under section 36 of the Personal Data (Privacy) Ordinance (PDPO) to carry out an inspection to review the customers’ personal data system of ZA Bank, in particular to ensure the security of the system.
The findings of the inspection reveal that as of 30 June 2023, ZA Bank had almost 700,000 retail customers. ZA Bank has established a Personal Data Privacy Management Programme and appointed a dedicated Data Protection Officer to systematically and responsibly develop a system to comply with the requirements of the PDPO and to manage customers’ personal data. In addition, the Privacy Commissioner is pleased to note that ZA Bank is committed to protecting personal data privacy through measures such as implementing a paperless office, conducting drill exercises to prevent the threat of phishing attacks and promoting a culture of privacy in the workplace. Overall, the Privacy Commissioner considers that ZA Bank has generally complied with the requirements of the Data Protection Principles of Schedule 1 to the Ordinance in the handling of customers’ personal data.
Nevertheless, the Privacy Commissioner recommends that ZA Bank strengthen the management of its data processors, enhance the monitoring capabilities of the data loss prevention system, limit the time for staff to access customers’ personal data, centrally manage its internal policies and guidelines on the handling of personal data, and continuously and regularly review its personal data system so as to strengthen the protection of customers’ personal data.
The Privacy Commissioner, Ms Ada CHUNG Lai-ling, said, “Consequent upon the development of fintech in Hong Kong, there are currently eight virtual banks which offer innovative financial services to the public. I hope that the findings and recommendations of this inspection will not only assist ZA Bank to further strengthen the protection of its customers’ personal data, ensure data security and prevent data breach incidents, but also serve as a reference to other virtual banks in complying with the requirements of the PDPO.”
Through the findings of this inspection, the Privacy Commissioner would like to remind organisations that handle vast amounts of customers’ personal data to strengthen their measures to safeguard data security, including the following:
  • Establish a Personal Data Privacy Management Programme;
  • Appoint a Designated Officer as Data Protection Officer;
  • Formulate Comprehensive System Security Policies and Procedures;
  • Devise a Role-based Access to Customer Data; and
  • Appoint and Manage Data Processors Prudently.
Please click here to download “Inspection Report: The Customers’ Personal Data System of ZA Bank Limited”.