Gabriela Kennedy (Partner) , Heidi Gleeson (Registered Foreign Lawyer) and Alya Bloum(Intern), Hogan Lovells, Hong Kong contributed this entry.
In Hong Kong, the Privacy Commissioner for Personal Data recently exercised his rights under Section 36 of the Personal Data (Privacy) Ordinance and conducted an inspection of the data system of TransUnion Limited, Hong Kong’s major credit reference agency. While the inspection did not reveal any major data breaches or issues, the Commissioner has reported deficiencies in TransUnion’s personal data system and made a number of recommendations for improvement.
TransUnion holds the credit records of approximately 4.3 million consumers in Hong Kong and is the main source of consumer credit data for credit providers. Given the large amount of data held by TransUnionand the risk of loss and damages to consumers in the event that this sensitive personal data were misused, the Commissioner considered that an inspection was warranted.
The major objective of the inspection was to review the data processing cycle of TransUnion to ascertain whether it complies with the data protection principles under the Ordinance (the "DPPs") and with the Code of Practice on Consumer Credit Data, which was issued to provide guidance to CRAs when collecting, storing and processing personal data.
The Inspection Report
On 15 March 2011, the Commissioner issued his inspection report. Whilst the Report noted that TransUnion had in place comprehensive and detailed policies regarding the handling of consumer credit data it also noted areas where there was room for improvement and made twenty recommendations for TransUnion to enhance its personal data system.
The investigation report and its recommendations provide useful guidance for businesses as regards compliance with the data protection requirements under the Ordinance and the Code. We examine below the main recommendations made by the Commissioner.
Purpose and manner of collection of personal data
DPP1 requires that personal data are only collected for a specific purpose and not excessively in relation to that purpose. The Code identifies eight kinds of personal data that may be collected by a CRA, including consumer credit data and public records relating to any debt recovery action. A CRA that collects personal data outside of the eight categories specified in the Code is presumed to have breached DPP1.
The investigation revealed that TransUnion was collecting excessive information about consumers including winding-up court records about company winding-up procedures and personal injury records. The Commission recommended that TransUnion ceases to collect such records (and should destroy any records of such data already collected), as they did not fall within the categories of permitted information under the Code.
Accuracy and retention of personal data
DPP2 requires data users to take reasonable steps in order to ensure the accuracy of personal data collected. Accuracy of credit consumer data is particularly significant given that consumer creditworthiness is evaluated based on such data.
Under the Code, the obligation to provide accurate data falls on the credit providers that supply the personal data to TransUnion. While no such obligation is placed on TransUnion under the Code, the Commissioner indicated that it was good practice for TransUnion to double-check the consumer credit data provided by Subscribers in order to detect inaccuracies.
DPP2 also requires that personal data is only kept so long as necessary for the fulfilment of the purpose for which it was collected. The Commissioner recommended that TransUnion specify the retention period on its request forms and supporting documents as well as in the relevant terms and conditions, and that personal data collection forms should not be kept for more than one year, after which time it should be completely destroyed.
The security obligations under the Ordinance impose a duty on data users to take all reasonably practicable steps to ensure that the personal data they hold is protected against unauthorised or accidental access, processing or erasure. Further, the Code requires CRAs to deploy a number of security measures to safeguard the personal data they hold, including entering into written agreements with the Subscribers by which the latter agree to abide by the DPPs, recording any data breach incidents, and training staff.
The Commissioner urged TransUnion to enhance its security standards by carrying out regular risk assessment and IT security audits. The Commissioner emphasised the importance of training and encouraged TransUnion to conduct regular compliance sessions for its staff.
The investigation revealed the following:
(i) TransUnion outsources the storage of backup tapes containing consumer credit data to a third party Security Company;
(ii) TransUnion’s security procedures when sending data to off-site data rooms leave a lot to be desired (e.g. transportation of the tapes by a security guard by public transport);
(iii) the Security Company had a contractual right to access TransUnion’s the data but without the backup of contractual provisions relating to data protection compliance or confidentiality;
(iv) there were loopholes and gaps in the security of electronic storage devices used by TransUnion.;
(v) TransUnion had commissioned a third party Data Disposal Company to dispose of its electronic storage media;
(vi) there was no comprehensive written agreement between the Data Disposal Company and TransUnion,
The Commissioner was dissatisfied with the way TransUnion was dealing with the Security Company and the Report reinforced the fact that under the Ordinance, it is the data user (i.e. TransUnion) who is liable for the acts of its agent (i.e. the Security Company). The Commissioner encouraged TransUnion: (i)to take appropriate measures to prevent other incidents in the future; (ii) to introduce a duty of confidentiality in its existing agreement with the Security Company and also recommended that TransUnion enter into a written agreement with the Data Disposal Company, containing provision relating to security and confidentiality of data.
Public consultation into the sharing of positive mortgage data
A public consultation was recently carried out regarding proposals made by the financial services industry to widen the scope of the current data sharing regime in Hong Kong to include the sharing of positive mortgage data in certain circumstances. If implemented, the proposals would result in CRAs collecting and storing an increased amount of sensitive personal data, and it would become even more important for TransUnion to ensure that it had a secure data system.
The consultation period ended in January this year and the results of the consultation are yet to be announced. Further updates will be forthcoming when the results of the public consultation are published.