A Mandatory Duty of the Collector of Personal Data
Under Data Protection Principle 4 (“DPP4”), scheduled to the PDPO, the collector of personal data is obliged to take all practicable steps to ensure that the personal data are protected against unauthorized access.
Money lending by lenders who are registered as such has become a major growth business in Hong Kong.
As a matter of normal business prudence, money lenders habitually apply to a credit reference database in order to access the credit rating of a borrower.
The Hong Kong Association of Banks, the Hong Kong Association of Restricted Licensed Banks and Deposit Taking Companies and the HKSAR Licensed Money Lenders Association (together, the “Industry Associations”) have, with the support of the Hong Kong Monetary Authority, established a new consumer credit reference agency operating model known as the Multiple Credit Reference Agency (“MCRA”).
The business of MCRA is to collect consumer credit data from various credit providers in order to provide choices to credit providers, with the dual objective of enhancing the resilience of the consumer credit reference service to credit providers and strengthening the consumer credit reference service in the interest of consumers.
The MCRA operating model is a platform launched in November 2022 and operated for the Industry Associations by Credit Reference Platform Limited, the platform operator and a wholly owned subsidiary of Hong Kong Interbank Clearing Limited. The MCRA Model, whose propriety is unquestioned, has become an industry-respected standard, giving credit providers a choice of credit reference services to help them assess the creditworthiness of consumers as potential borrowers.
The Office of the Hong Kong Privacy Commissioner for Personal Data (“the Commissioner”) received a complaint from an individual. The individual's credit data were stored in a database called “TE Credit Reference System” (“the TCR System”), operated by Soft Media Technology Company (“Soft Media”), whose business model was to provide the database on the TCR System for customary access by money lending companies. The TCR System is not comprised in, and does not comply with, the MCRA.
The Commissioner has found that Soft Media, as the operator of the TCR System and collector of the personal data of consumers, failed in its obligation under DPP4 to take sufficient measures to protect the information it stored in the TCR System against unauthorized or accidental access, processing or use.
This failure to comply with DPP4 led the Commissioner to express the view that Soft Media, as the database operator, had allowed unlimited access to the TCR System at a very low fee without ensuring that consent had been obtained from the potential borrowers whose personal data had been entered into the TCR System.
In the particular case of the TCR System, Soft Media received many complaints of credit data being retrieved from the TCR System by unidentified money lenders. Most of these complaints were substantiated, establishing that the credit reference system operated by Soft Media was not conducted in accordance with regulation or with regard to any code of practice, and that the unlimited access Soft Media allowed to the TCR System failed to ensure that potential borrowers had consented to the money lending market accessing their credit references in the TCR System.
The Commissioner has sent a standard form of notice to Soft Media demanding that it establish, within the next 3 months, policies and measures to ensure that money lending companies accessing the TCR System obtain authorization from borrowers before they are allowed access to the borrowers' data on the TCR System. Violation of this notice by Soft Media could constitute and establish a breach of Data Protection Principle 4 and of the PDPO, possibly leading to criminal prosecution with penalties of a monetary fine and imprisonment.