Skip to content

Case Notes

Case Notes

This case related to DPP2 - Accuracy and duration of retention of personal data , DPP6 - Access to personal data

Case No.:2012C04

The Complainant was dissatisfied that the CRA had failed to ensure the accuracy of the data received from the bank

1. The Complaint

1.1 The Complainant obtained a copy of his credit report (the "Report") from a credit reference agency (the "CRA"). He found that he was erroneously shown as the "Principal" of a credit card account (the "Account") of XYZ Bank ("XYZ Bank") with certain past due amount (the "Inaccurate Data"). The Complainant and his mother were the supplementary and principal card holders of the Account respectively. He alleged that he could not possibly be named as a Principal of the Account as he was under the age of 18 when the Account was opened. Later, he made a data correction request (the "DCR") to the CRA requesting the latter to correct the Inaccurate Data.

1.2 The Complainant was dissatisfied that the CRA had failed to ensure the accuracy of the data received from XYZ Bank and had contravened DPP2(1). He also complained against the CRA for not following the notification requirement under section 23(1)(c) of the Ordinance to supply a copy of the corrected data to the banks (the "Banks") that had previously made enquiries with the CRA in relation to his credit applications. He considered that it was the reason why his subsequent credit applications were rejected by the Banks.

1.3 In addition, he also complained against XYZ Bank for contributing the Inaccurate Data to the CRA which amounted to contravention of DPP2(1) and Clause 2.5 of the Code of Practice on Consumer Credit Data (the "Code").

2. Findings of the Commissioner

The CRA

2.1 The Commissioner considered that the primary responsibility of ensuring accuracy in the data provided to the CRA must rest with each credit provider, i.e. XYZ Bank in the present case. It is noted that the system of the CRA has been equipped with automatic functions and procedures to identify abnormalities. He therefore found that the CRA has not contravened DPP2(1)(a) and (b).

2.2 Although the CRA confirmed that it had complied with the DCR by supplying the Complainant with an amended report (the "Amended Report") with the Inaccurate Data deleted within 40 days upon receipt of the DCR, the Commissioner was of the view that the CRA still has to comply with the notification requirement of section 23(1)(c) and DPP2(1)(c) of the Ordinance. It is not acceptable for the CRA to have assumed that the Banks, in considering the Complainant’s subsequent credit applications, would have relied solely on the most updated credit report and wholly disregarded what happened in the previous applications. The CRA cannot say it had no reason to believe that the Banks had ceased using the Inaccurate Data and thus failed to observe the notification requirement. Hence, the CRA had contravened the requirements under section 23(1)(c) and DPP2(1)(c).

XYZ Bank

2.3 XYZ Bank submitted that even though the Complainant was a supplementary card holder, he would also be liable for all sums payable in respect of the transaction instructions given by him after he ceased to be a minor. As the Complainant was no longer a minor when the charges payable under the payment fell due and remained unsettled, XYZ Bank contributed the negative credit data of the Complainant to the CRA by choosing the most appropriate code pursuant to the contribution format prescribed by the CRA. XYZ Bank eventually reported a code indicating that the Account was an "Individual Account" for which the Complainant was solely responsible and it was translated into "Principal" in the Report by the CRA.

2.4 As a matter of fact, as a supplementary card holder, the Complainant was not solely responsible for the outstanding amount under the Account. Hence, the code chosen by XYZ Bank did not accurately describe the actual status of the Complainant. If there was no code provided by the CRA that accurately described the status of the Complainant, XYZ Bank should have either liaised with the CRA to create a new code or refrained from contributing the Complainant’s credit data to the CRA until there is an appropriate solution. Hence, the Commissioner found that XYZ Bank had contravened DPP2(1)(a) and Clause 2.5 of the Code.

3. Enforcement Notice

3.1 The Commissioner decided to issue an enforcement notice directing the CRA to supply the Banks with a copy of the data as so corrected.

3.2 It was noted that the CRA had deleted the Inaccurate Data from the Report and due to the change of industry practice, XYZ Bank currently contributes only the credit data of the principal card holder to the CRA. In view of the aforesaid, the Commissioner opined that the contravention on the part of XYZ Bank has ceased and similar contraventions are unlikely in the future. Hence, the Commissioner decided not to serve an enforcement notice but a warning was issued to XYZ Bank.

4.Improvement Actions taken by the CRA

4.1 The CRA complied with the enforcement notice. It also upgraded its system and revised its working procedures by giving the notification under section 23(1)(c) whenever correction to personal data is made pursuant to a DCR.

uploaded on web in July 2014


Category : Provisions/DPPs/COPs/Guidelines : Topic/Subject Matter :