LCQ12: Regulation of credit reference agencies
**********************************************

     Following is a question by the Hon Leung Kwok-hung and a written reply by the Secretary for Financial Services and the Treasury, Professor K C Chan, in the Legislative Council today (December 8):

Question:

     A member of the public has complained to me that a credit reference company which specialises in providing banks and financial institutions with consumer credit data had given incorrect personal data about him to a bank, resulting in the rejection of his bank loan application.  Meanwhile, some members of the public have also complained to me that the company has retained the credit records of some members of the public for more than seven years and/or provided banks and financial institutions with such records, thereby violating the requirements of the Code of Practice on Consumer Credit Data (the Code).  In this connection, will the Government inform this Council:

(a) apart from the Code promulgated by the Privacy Commissioner for Personal Data (Privacy Commissioner) to regulate consumer credit data, whether the Government has imposed regulation on credit reference agencies (CRAs) at present; if so, how they are regulated and of the scope of regulation; if not, the reasons for that;

(b) whether at present the Hong Kong Monetary Authority (HKMA) has imposed regulation on how banks and financial institutions accept, rely on and use the consumer credit data provided by CRAs; if so, how they are regulated and of the scope of regulation; if not, the reasons for that; and

(c) whether it knows if the Privacy Commissioner or HKMA had in the past three years regularly investigated whether CRAs had retained any credit or other records of members of the public for more than seven years or released such records; if regular investigation had been conducted, how often such investigations had been conducted; if regular investigation had not been conducted, of the reasons for that?

Reply:

President,

     The Administration's reply to the question is as follows:

(a) and (b) Both authorised institutions (AIs) (including licensed banks, restricted licence banks and deposit-taking companies) and credit reference agencies (CRAs) are required to comply with the Personal Data (Privacy) Ordinance (PDPO) and relevant codes and requirements issued by the Privacy Commissioner for Personal Data (the Privacy Commissioner) in collecting, holding, processing and using consumer credit data.

     In view of the above and the importance of protecting personal data privacy, the Hong Kong Monetary Authority (HKMA) issued a guideline on "The Sharing and Use of Consumer Credit Data through a Credit Reference Agency" (the Guideline) in January 2005, requiring AIs to establish clear and comprehensive policies and procedures to ensure that AIs and their employees comply with the relevant requirements on personal data privacy.  The Guideline specifies that AIs should comply with the requirements of the PDPO and the Code of Practice on Consumer Credit Data (the Code) in areas including confidentiality, accuracy, retention period, relevance and proper utilisation of the relevant data.

     On the engagement of a CRA, the Guideline requires AIs to enter into a formal contractual agreement with the CRA, which stipulates that the CRA should have effective monitoring systems in place to ensure compliance with the PDPO and the Code.  The HKMA would monitor if AIs have established appropriate policies and procedures to safeguard personal data privacy of their customers, and would take follow-up action if any non-compliance with the Guideline is observed.

(c) The Code specifies the Privacy Commissioner's recommended good practice for a CRA to engage an independent compliance auditor as approved by the Privacy Commissioner to conduct regular compliance audits.  A compliance audit covers the way in which a CRA provides the consumer credit reference service and the adequacy and efficiency of the measures taken by it to comply with the requirements of the PDPO and the Code, including, amongst others, data retention periods for consumer credit data, which vary depending on the nature of the data and the circumstances.  The audit report has to be submitted to the Privacy Commissioner for consideration and/or comments.  The two CRAs in Hong Kong have regularly submitted privacy compliance audit reports to the Privacy Commissioner for his consideration and/or comments.

     In 2010, the Privacy Commissioner exercised his power under section 36 of the PDPO to carry out an inspection of the personal data system of a CRA to examine and assess its compliance with the requirements of the Code.  The Privacy Commissioner is currently compiling the inspection report and will release the inspection report to the public in due course.

Ends/Wednesday, December 8, 2010
Issued at HKT 15:34
