LCQ20: Measures implemented by the banking industry to protect the personal data of customers

    Following is a question by the Hon Emily Lau and a written reply by the Secretary for Financial Services and the Treasury, Professor K C Chan, in the Legislative Council today (May 28):


    The Kwun Tong Branch of the Hongkong and Shanghai Banking Corporation Limited (HSBC) lost a computer server containing the data of 159,000 customers on April 26 this year when it was undergoing renovation.  HSBC did not immediately make public the situation, and it was not until May 7, which was several days after the media had made the relevant reports, that it issued a brief statement to confirm the matter.  In this connection, will the Executive Authorities inform this Council whether:

(a) the authorities will investigate the causes of this incident; if so, of the details; if not, the reasons for that;

(b) they will strengthen the monitoring of the work of banks in protecting the privacy information of customers; if so, of the details; and

(c) they will stipulate that all banks, in the event of similar incidents in the future, shall immediately contact the customers affected and give an account to the public, and shall expeditiously make arrangements for the loss which may be incurred by the customers as a result; if so, of the details; if not, the reasons for that?


Madam President,

    Our responses to the questions raised by Hon Emily Lau are as follows -

(a) The HSBC has already referred the case concerning the loss of a computer server to the police for investigation.  The Hong Kong Monetary Authority (HKMA) has also required the HSBC to submit a report on the incident and will decide the relevant follow-up actions after considering the content of the report in detail.

(b) Banks should comply with the Personal Data (Privacy) Ordinance and the code of practice and guidelines issued by the Privacy Commissioner for Personal Data.  In view of this incident, the HKMA has required the HSBC to conduct a thorough review of its management and control measures implemented during the period of branch renovation and enhance its efforts to protect the personal data of customers, with a view to preventing similar incidents from occurring again in future.  The HKMA will assess whether the measures implemented by the banking industry to protect the personal data of customers are adequate and effective from time to time.

(c) According to the HKMA's requirement, in the event of any incidents that may have an impact on the protection of the personal data of customers, banks ought to notify affected customers as soon as practicable after ascertaining the extent of impacts on the customers' data, the level of risk of information leakage and the number of affected customers.  Also, banks ought to clearly explain the impacts of the incidents on customers, the follow-up actions implemented by banks concerning the incidents and the steps that ought to be taken by customers.  The HKMA will review the relevant arrangements in a timely manner in order to ensure adequate protection of the personal data of bank customers.

Ends/Wednesday, May 28, 2008
Issued at HKT 11:30