{"id":29101,"date":"2023-07-26T13:20:07","date_gmt":"2023-07-26T13:20:07","guid":{"rendered":"https:\/\/prelive-tdw.visibleone.app\/insight-and-news\/legal-update-pcpd-investigation-report-on-credit-reference-agency-data-subject-complaint\/"},"modified":"2025-11-14T11:01:45","modified_gmt":"2025-11-14T11:01:45","slug":"legal-update-pcpd-investigation-report-on-credit-reference-agency-data-subject-complaint","status":"publish","type":"insight-and-news","link":"https:\/\/www.tannerdewitt.com\/zh-hans\/insight-and-news\/legal-update-pcpd-investigation-report-on-credit-reference-agency-data-subject-complaint\/","title":{"rendered":"Legal Update: PCPD investigation report on credit reference agency data subject complaint"},"content":{"rendered":"\n    \n\n<div style=\"background-image:url('https:\/\/www.tannerdewitt.com\/wp-content\/themes\/tanner-de-witt\/images\/insightdetails.jpeg')\"\n    class=\"insight-news-detail-hero\" id=\"insight-news-detail-hero\">\n\n\t\t<div style=\"background-color:\" class=\"insight-news-detail-hero-overlay \"><\/div>\n            <div class=\"z-[0]\">\n                <div class=\"insight-news-breadcrumbs flex items-end practice-areas-featured-breadcrumbs \">\n                    <a class=\"page-link no-underline\" href=\"https:\/\/www.tannerdewitt.com\/zh-hans\/\">Home<\/a>                <\/div>\n\n\n                <div class=\"hero-title\">\n                    <h1>\n                        Legal Update: PCPD investigation report on credit reference agency data subject complaint                    <\/h1>\n                <\/div>\n                \n                    <div style=\"\" class=\"hero-date \">\n\n                        <span class=\"month\">Jul<\/span>\n                        <span class=\"day\">26<\/span>\n                        <span class=\"year\">2023<\/span>\n                    <\/div>\n\n            <\/div>\n    \n\n    \n\n\n\n<\/div>\n\n\n\n<script >\n    (function () {\n        document.addEventListener(\"DOMContentLoaded\", () => {\n\n            const breadCrumbsContainer = Array.from(document.querySelectorAll(\".practice-areas-featured-breadcrumbs\"));\n\n            breadCrumbsContainer.forEach(container => {\n                const breadCrumbLinks = Array.from(container.querySelectorAll('.page-link'));\n                const breadCrumbSeperators = Array.from(container.querySelectorAll('.separator'));\n\n                if (Array.from(breadCrumbLinks).length === 1) {\n                    const homeNode = breadCrumbLinks[0];\n\n                    if (!homeNode) {\n                        return\n                    }\n\n                    const postTypeNode = homeNode.cloneNode(true);\n                    postTypeNode.textContent = \"Insights and News\";\n                    container.insertAdjacentHTML('beforeend', `<span class=\"separator practice-areas-featured-breadcrumb-item-slash\">\/<\/span>`)\n                    container.insertAdjacentElement('beforeend', postTypeNode)\n                    breadCrumbLinks.push(postTypeNode);\n\n                    if (\"Insights\") {\n                        const categoryNode = homeNode.cloneNode(true);\n\n                        categoryNode.textContent = \"Insights\";\n                        container.insertAdjacentHTML('beforeend', `<span class=\"separator practice-areas-featured-breadcrumb-item-slash\">\/<\/span>`)\n                        container.insertAdjacentElement('beforeend', categoryNode)\n                        breadCrumbLinks.push(categoryNode);\n                    }\n\n\n                    const titleNode = homeNode.cloneNode(true);\n\n                    titleNode.textContent = \"Legal Update: PCPD investigation report on credit reference agency data subject complaint\";\n                    container.insertAdjacentHTML('beforeend', `<span class=\"separator practice-areas-featured-breadcrumb-item-slash\">\/<\/span>`)\n                    container.insertAdjacentElement('beforeend', titleNode)\n                    breadCrumbLinks.push(titleNode);\n\n\n\n\n                }\n\n                breadCrumbLinks.forEach((link, index) => {\n\n                    link.classList.add('practice-areas-featured-breadcrumb-item-name');\n                    const origin = window.location.origin;\n                    const href = window.location.href;\n\n                    const originSplitter = window.location.href.includes(\"insight-and-news\") ? \"insight-and-news\" : window.location.href.includes('insights-and-news') ? \"insights-and-news\" : \"\"\n\n                    const paths = href.split(originSplitter);\n                    const links = paths[1].split(\"\/\").filter(Boolean)\n\n\n                    const resolvedOrigin = originSplitter ? (href.split(originSplitter)[0] || \"\") : (origin + \"\/\")\n\n                    if (index === 0) {\n\n                        if (!originSplitter) {\n                            link.href = origin\n                        } else {\n                            link.href = resolvedOrigin;\n                        }\n\n\n                    } else if (index === 1) {\n                        link.href = resolvedOrigin + originSplitter\n\n                    }\n                    else if (index === 2) {\n                        console.log(links)\n                        link.href = resolvedOrigin + originSplitter + \"\/\" + (links[0] || \"\")\n                    }\n                    else if (index === 3) {\n\n                        link.href = resolvedOrigin + originSplitter + \"\/\" + (links[0] || \"\") + \"\/\" + (links[1] || \"\")\n\n                    }\n\n\n\n                    \/\/ const words = link.textContent.split(\" \")\n                    \/\/ if (words.length > 4) {\n                    \/\/     link.textContent = words.slice(0, 4).join(\" \") + \"...\"\n                    \/\/ }\n\n                })\n\n                breadCrumbSeperators.forEach(separator => {\n                    separator.textContent = \"\/\"\n                    separator.classList.add('practice-areas-featured-breadcrumb-item-slash')\n                });\n\n\n            })\n\n\n        })\n        removeDivTag()\n    })();\n\n    function removeDivTag() {\n        console.log(\"remasfljas\");\n        const editorContainer = document.querySelector(\".editor-wysiwyg\");\n        \/\/ editorContainer.innerText = editorContainer.innerText.replace(\"<\/div>\", \"\")\n        Array.from(editorContainer.childNodes).forEach(el => {\n            if (el.textContent.includes(\"<\/div>\")) {\n                el.textContent = \"\"\n            }\n        })\n    }\n<\/script>\n<div class=\"editor-wysiwyg my-[40px]\">\n<div class=\"single-section\"><div class=\"single-section\">\n<p>In this snapshot legal update, the Office of the Privacy Commissioner for Personal Data (\u201c<strong>PCPD<\/strong>\u201d) published an investigation report on 1 June 2023 concerning the TE Credit Reference System, developed by Softmedia Technology Company Limited (\u201c<strong>Softmedia<\/strong>\u201d) in January 2016. Softmedia was not a credit reference agency shortlisted by Industry Associations in Hong Kong under the Multiple Credit Reference Agencies Model, nor regulated by the Money Lenders Ordinance (Cap. 163).<\/p>\n<p>The TE Credit Reference System (\u201c<strong>System<\/strong>\u201d) is a platform for money lending companies to assess borrowers\u2019 credit data before approving or rejecting their loan applications.<\/p>\n<p>A member of the public had his credit records and other personal data stored in the System. He was informed by one money lending company that his credit records on the System had been accessed by several other money lending companies. This person made a complaint to the PCPD and the PCPD commenced an investigation of the complaint.<\/p>\n<p>During the investigations, the PCPD found that:<\/p>\n<p>1.\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 <span style=\"text-decoration: underline;\">The System did hold personal data, contrary to Softmedia\u2019s contention.<\/span><\/p>\n<p>Softmedia contended that the System held no personal data as it does not store names, addresses, phone numbers or dates of birth and only holds HKID numbers and credit data of borrowers.<\/p>\n<p>The PCPD disagreed. The purpose of the System was to provide a platform for money lending companies to make assessments prior to the loan confirmation, and companies must be able to directly or indirectly ascertain the identity of a data subject from the data in the System. The data on the System therefore constituted \u201cpersonal data\u201d.<\/p>\n<p>2.\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<span style=\"text-decoration: underline;\"> The mechanisms for borrower consent and authorisations were insufficient.<\/span><\/p>\n<p>According to Softmedia, a money lending company using the System was required to obtain a signed authorisation letter from the borrower before it accessed data on the System.<\/p>\n<p>However, none of the money lending companies involved could provide the PCPD with the complainant\u2019s signed authorisation. The System allowed a money lending company to access data upon making a self-declaration of authorisation and payment of fees. This revealed a loophole in which money lending companies could access credit data without fulfilling the requirement for authorisation.<\/p>\n<p>The PCPD concluded Softmedia contravened the following data protection principles in the Personal Data (Privacy) Ordinance (Cap. 386) (\u201c<strong>PDPO<\/strong>\u201d):<\/p>\n<p>1.\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 <span style=\"text-decoration: underline;\">DPP 4(1) \u2013 Unauthorised or accidental access, processing, erasure, loss or use<\/span><\/p>\n<p>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Softmedia failed to put restrictions on money lending companies in accessing borrowers\u2019 credit data. The PCPD noted that money lending companies have to closely track a borrower\u2019s financial status. However, Softmedia was required to strike a reasonable balance and formulate measures to regulate and monitor use of the System by the money lending companies.<\/p>\n<p>Softmedia relied wholly on users of the System to self-declare that they have obtained consent and authorisation from the borrowers. This arrangement falls below the standards for data privacy.<\/p>\n<p>Softmedia\u2019s password management did not meet the minimum requirements. The System accepted weak passwords in length and complexity, and did not set restrictions requiring a regular change of password.<\/p>\n<p>2.\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 <span style=\"text-decoration: underline;\">DPP 2(2) \u2013 Data retained longer than necessary<\/span><\/p>\n<p>Softmedia did not take practicable steps to ensure that personal data was not kept longer than necessary to fulfil a certain purpose. The Code of Practice on Consumer Credit Data (\u201c<strong>Code<\/strong>\u201d) published by the PCPD specify that account repayment data should only be retained up to five years from the date of final settlement of the amount in default.<\/p>\n<p>However, there are currently over 50,000 credit records of borrowers who have completed repayments more than five years ago. These personal data records should have been erased, but they remained on the database.<\/p>\n<p><strong>Enforcement actions<\/strong><\/p>\n<p>The PCPD served an Enforcement Notice on Softmedia pursuant to the contraventions of the DPPs mentioned above. Among other things, the PCPD directed Softmedia to:<\/p>\n<p>1.\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 delete credit data where five or more years have lapsed from final settlement of the loan;<\/p>\n<p>2.\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 formulate various policies to ensure retention periods meet the requirements under the Code;<\/p>\n<p>3.\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 impose restrictions on the frequency of access to the System;<\/p>\n<p>4.\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 monitor non-compliant access to the System;<\/p>\n<p>5.\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 create measures to verify that companies obtained authorisations before accessing data; and<\/p>\n<p>6.\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 implement a stronger password management policy.<\/p>\n<p><strong>Recommendations<\/strong><\/p>\n<p>The PCPD made the following recommendations to providers of credit reference databases:<\/p>\n<p>1.\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Implement a Personal Data Privacy Management Programme (\u201c<strong>PMP<\/strong>\u201d) to improve personal data protection and data governance. A PMP will provide for the execution of transparent information policies. This will in turn demonstrate good corporate governance and create a positive image for consumers of compliance with laws and regulations.<\/p>\n<p>2.\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Appoint a Data Protection Officer to oversee compliance with the PDPO and implementation of the PMP. The duties of a Data Protection Officer are to curate a culture of protecting data privacy, encourage staff to respect data privacy protection and carry out personal data protection policies.<\/p>\n<p>3.\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Appoint an Independent Compliance Auditor to conduct compliance audits on the mechanism of providing credit reference services, to assess whether the mechanism is sufficient to protect security and assess the security of the credit data itself.<\/p>\n<p>4.\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Impose strict penalties for contravention of data access requirements, such as stricter access fees, fines or suspension and termination of access rights of money lending companies.<\/p>\n<p>The full version of the PCPD\u2019s Investigation Report is available on this <a href=\"https:\/\/www.pcpd.org.hk\/english\/enforcement\/commissioners_findings\/files\/r23_21242_e.pdf\" rel=\"noreferrer noopener\" target=\"_blank\">link<\/a>.<\/p>\n<p class=\"has-text-align-right\"><strong><em>P\u00e1draig Walsh and Christy Cheung<\/em><\/strong><\/p>\n<p>If you would like to discuss any of the matters raised in this article, please contact:<\/p>\n<p><a href=\"https:\/\/www.tannerdewitt.com\/our-people\/padraig-walsh\/\" rel=\"noreferrer noopener\" target=\"_blank\">P\u00e1draig Walsh<\/a><\/p>\n<p>Partner |\u00a0<a href=\"mailto:padraigwalsh@tannerdewitt.com\" rel=\"noreferrer noopener\" target=\"_blank\">padraigwalsh@tannerdewitt.com<\/a><\/p>\n<p>Disclaimer: This publication is general in nature and is not intended to constitute legal advice. You should seek professional advice before taking any action in relation to the matters dealt with in this publication. <\/p>\n\n<\/div><\/div>\n\n<\/div>\n\n\n\n\n<\/div>","protected":false},"excerpt":{"rendered":"<p>In this snapshot legal update, the Office of the Privacy Commissioner for Personal Data (\u201cPCPD\u201d) published an investigation report on 1 June 2023 concerning the TE Credit Reference System, developed by Softmedia Technology Company Limited (\u201cSoftmedia\u201d) in January 2016. Softmedia was not a credit reference agency shortlisted by Industry Associations in Hong Kong under the [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"parent":0,"menu_order":0,"template":"","meta":{"_acf_changed":false,"footnotes":""},"tags":[],"insight-category":[1121],"insight-month":[1160],"insight-practice-area":[1142],"insight-year":[1161],"class_list":["post-29101","insight-and-news","type-insight-and-news","status-publish","hentry","insight-category-legal-updates-and-insights","insight-month-july","insight-practice-area-technology-media-and-telecommunications-tmt","insight-year-1161"],"acf":[],"_links":{"self":[{"href":"https:\/\/www.tannerdewitt.com\/zh-hans\/wp-json\/wp\/v2\/insight-and-news\/29101","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.tannerdewitt.com\/zh-hans\/wp-json\/wp\/v2\/insight-and-news"}],"about":[{"href":"https:\/\/www.tannerdewitt.com\/zh-hans\/wp-json\/wp\/v2\/types\/insight-and-news"}],"author":[{"embeddable":true,"href":"https:\/\/www.tannerdewitt.com\/zh-hans\/wp-json\/wp\/v2\/users\/1"}],"version-history":[{"count":1,"href":"https:\/\/www.tannerdewitt.com\/zh-hans\/wp-json\/wp\/v2\/insight-and-news\/29101\/revisions"}],"predecessor-version":[{"id":30321,"href":"https:\/\/www.tannerdewitt.com\/zh-hans\/wp-json\/wp\/v2\/insight-and-news\/29101\/revisions\/30321"}],"wp:attachment":[{"href":"https:\/\/www.tannerdewitt.com\/zh-hans\/wp-json\/wp\/v2\/media?parent=29101"}],"wp:term":[{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.tannerdewitt.com\/zh-hans\/wp-json\/wp\/v2\/tags?post=29101"},{"taxonomy":"insight-category","embeddable":true,"href":"https:\/\/www.tannerdewitt.com\/zh-hans\/wp-json\/wp\/v2\/insight-category?post=29101"},{"taxonomy":"insight-month","embeddable":true,"href":"https:\/\/www.tannerdewitt.com\/zh-hans\/wp-json\/wp\/v2\/insight-month?post=29101"},{"taxonomy":"insight-practice-area","embeddable":true,"href":"https:\/\/www.tannerdewitt.com\/zh-hans\/wp-json\/wp\/v2\/insight-practice-area?post=29101"},{"taxonomy":"insight-year","embeddable":true,"href":"https:\/\/www.tannerdewitt.com\/zh-hans\/wp-json\/wp\/v2\/insight-year?post=29101"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}