Privacy warning for credit data firms

By Claire Chow

Hong Kong, 9 June 2023: Operators of credit reference systems are advised to implement robust data protection measures and comply with relevant industry rules or face the risk of legal fallout. The warning follows an investigation by the Privacy Commissioner into unauthorised access to one particular credit database which revealed it to be unregulated and beset by major security failings.

The lengthy investigation by the Office of the Privacy Commissioner for Personal Data focused on the so-called TE Credit Reference System operated by Softmedia Technology Company Limited. It was initiated after a citizen complained his credit data had been accessed a number of times by eight money lending companies unknown to him without his knowledge or consent.

The probe revealed the TE Credit Reference System contained the data of about 180,000 borrowers and was used by some 680 money lending companies. But it was not one of the service providers under Hong Kong’s new Multiple Credit Reference Agencies Model – launched last November to strengthen industry governance and resilience – and thus was not regulated by the sector’s authorities or laws covering the financial professions.

Following the investigation, Privacy Commissioner Ada Chung published a report which found operator Softmedia was responsible for three significant security deficiencies:

Failure to protect personal credit data from unauthorised access: Softmedia failed to implement appropriate security measures to manage access to, and use of, the TE Credit Reference System. The investigation found money lenders could gain unlimited access to a borrower’s credit data for five days with a payment of just $2, and this five-day cycle could be repeated with no limits set in terms of payment or access. Further, Softmedia allowed this access without ensuring borrowers had given their consent. “This arrangement falls far below the general standard and is highly disappointing, both in terms of compliance with legal requirements and the protection of borrowers’ privacy,” says the report.

Weak password management: Despite the volume and nature of the data in question, Softmedia failed to adopt a robust login policy or set expiration dates for passwords. Passwords were allowed that would generally be considered weak in terms of length and complexity. It also meant staff could still access the system even after they had left the money lending company.

Prolonged retention of data: Softmedia retained over 50,000 credit records of borrowers who had completed their repayments more than five years previously. The report notes “this constitutes unnecessary and prolonged retention” while “also exposing the personal data of the borrowers concerned to risks of data breach”.

Ms Chung concluded Softmedia had failed to adequately protect the personal data in the TE Credit Reference System, thus contravening Data Protection Principle 4(1) in Schedule 1 of the Personal Data Protection Ordinance (Cap 486) (“PDPO”), and had also failed to ensure the data was not kept longer than necessary, therefore breaching Data Protection Principle 2(2). She served an enforcement notice on Softmedia, directing it to remedy the contraventions and prevent recurrence.

“The fact that the operation and management of the TE Credit Reference System is not regulated by any industry code or relevant laws of the financial sector is far from satisfactory,” concluded Ms Chung. “To ensure the protection of borrowers’ personal data and the data security of the credit reference database, I recommend that the operation and management of any credit reference database should be regulated or supervised through laws, regulations, guidelines, industry codes or licensing systems.”

She made the following recommendations to operators of credit reference databases:

  • Implement a personal data privacy management programme to improve governance.
  • Appoint data protection officers to monitor compliance with the PDPO.
  • Appoint an independent compliance auditor to conduct regular checks.
  • Increase penalties – for example, terminating access to the database – for those money lenders who violate terms of use.

In conclusion, it is worth noting that any violation of an enforcement notice from the Privacy Commissioner can result in criminal prosecution with a maximum penalty upon first conviction of a $50,000 fine and two years’ imprisonment. Ms Chung also says her office will consider examining other credit reference systems for similar possible violations. Industry operators are advised to take note.

Claire Chow is an Associate with BC&C, having joined the firm in 2019. She covers a broad range of practice areas including Civil and Commercial Litigation, and Judicial Review. She can be contacted at Claire@boasecohencollins.com.
