Skip to content

Case Notes

Case Notes

This case related to DPP2 - Accuracy and duration of retention of personal data , DPP6 - Access to personal data , Code of Practice on Consumer Credit Data

Case No.:2018C08

A credit reference agency had not handled a data correction request in line with the requirements of the Ordinance, and recorded irrelevant information in a credit report – section 23, section 25 and DPP 2(1).

The Complaint

The complainant was a lawyer. He was appointed as a trustee of a bankruptcy order. The person subject to the order was a defendant of a civil lawsuit.

The complainant discovered that a credit reference agency had erroneously recorded him as the defendant of the civil lawsuit in his credit report. The complainant thereby made a data correction request to the credit reference agency seeking rectification. To support his data correction request, the complainant provided the credit reference agency with the affirmation of the lawsuit illustrating that he was not the defendant of the case but the trustee instead.

The credit reference agency, however, did not remove the lawsuit from the complainant’s credit record. It only updated the status of the lawsuit with reference to the affirmation provided by the complainant. The complainant then made a complaint to this office against the credit reference agency.

Outcome

The credit reference agency failed to explain to the PCPD how the fact that being a trustee (as opposed to being a defendant in a lawsuit) was related to the complainant’s personal credit reference. The PCPD was of the view that the credit reference agency had failed to ensure the accuracy of the complainant’s credit report, in breach of Data Protection Principle 2(1). Following the PCPD’s intervention, the credit reference agency eventually removed the lawsuit from the complainant’s credit report, and furnished the complainant with the corrected report. The credit reference agency also revised its measures to ensure that court cases relating bankruptcy orders would not be recorded in the credit reports of the trustees of the orders.

When handling a data correction request, the data user should provide the requestor with a copy of the corrected data in accordance with section 23 of the Ordinance. If the data in dispute had been disclosed to a third party within 12 months before the receipt of the data access request, the data user should also forward the corrected data to the third party. If the data user decides to refuse a data correction request, the data user should notify the requestor the refusal as well as the reason(s) of the refusal in writing as required by section 25 of the Ordinance. In the present case, the credit reference agency failed to handle the complainant’s data correction request in accordance with the above requirements of the Ordinance.

In view of the findings of this complaint, the PCPD served a warning letter on the credit reference agency, urging it to comply with the Ordinance in ensuring the accuracy of personal credit data and proper handling of data correction request.

Lesson learnt

According to the Code of Practice on Consumer Credit Data issued by PCPD by virtue of section 12 of the Ordinance, a credit reference agency may collect personal data from public domain (such as court case and bankruptcy record) and include the data in the credit report. Notwithstanding that, a credit reference agency is required to ensure that the data recorded in a credit report relates to one’s personal credit. In our opinion, this complaint could have been avoided. If the credit reference agency had examined the writ of summon with due care, it would have noted that the complainant was not the defendant of the case.

In the data-driven economy, customer data has transformed to valuable asset for business operation and promotion. Credit reference agencies, holding a database with enormous customer data, should adhere to higher ethical standards. Apart from complying with the requirements under the Ordinance, credit reference agencies should also aim to meet the stakeholders’ expectation, and use customers’ personal data in a respectful, mutually beneficial and fair manner.

(Uploaded in August 2020)


Category : Provisions/DPPs/COPs/Guidelines : Topic/Subject Matter :