
Media Statements

Media statement: The Privacy Commissioner’s Office has Completed Compliance Checks of All Credit Reference Agencies in Hong Kong to Ensure the Data Security of Credit Reference Databases

Date: 11 January 2024 

The Office of the Privacy Commissioner for Personal Data (PCPD) published an investigation report on the unauthorised access to the credit data in the TE Credit Reference System in June last year. In the light of the findings of the investigation report and the concern raised by the community on the handling of borrowers’ credit data by credit reference agencies in Hong Kong, the PCPD proactively commenced compliance checks of all credit reference agencies in Hong Kong to ensure the protection of the personal data privacy of borrowers and the data security of credit reference databases. The compliance checks were carried out to ascertain whether the security measures and retention periods adopted by credit reference agencies regarding the credit data of borrowers comply with the requirements of the Personal Data (Privacy) Ordinance (PDPO). The PCPD has now completed the compliance checks and has found no contravention of the PDPO as regards the security measures and retention periods during the compliance check process.
 
The PCPD also makes the following recommendations to all credit reference agencies through the compliance checks, with a view to enhancing their data security measures:
  • Establish and thoroughly implement a Privacy Management Programme to incorporate the protection of personal data privacy into the organisation’s data governance responsibility;
  • Appoint a Data Protection Officer for overseeing compliance with the PDPO;
  • Adopt effective measures to monitor the access to credit reference databases, and regularly review the implementation and effectiveness of the measures;
  • Stipulate, and review in a timely manner, policies and measures regarding the handling of consumers’ credit data, and regularly review the implementation and effectiveness of the measures; and
  • Strengthen employee training on data protection to ensure they have a thorough understanding of the PDPO.
Any person who suspects that his or her credit data has been accessed inappropriately, or retained for a prolonged period, may enquire with the relevant credit reference agencies, or make enquiries or complaints to the PCPD (telephone: 2827 2827 or email: communications@pcpd.org.hk or complaints@pcpd.org.hk).
 
 
-End-