Our clients regularly face requests by the Securities and Futures Commission (SFC) and other government authorities to disclose customer personal data for the purposes of an investigation. However, the disclosure of customer personal data to public bodies without receiving the prescribed consent from customers may put the disclosing company at risk of violating the relevant provisions of the Personal Data (Privacy) Ordinance (Cap.486) (PDPO).

This article aims to provide an introduction to the personal data protection regime in Hong Kong relating to customer personal data, and the necessary steps that companies need to undertake in order to shield themselves from violating the PDPO when faced with the request to disclose personal data to regulatory bodies.

Disclosing documents to regulators for the purposes of an investigation 

The SFC has the power to inquire and investigate a company pursuant to s.182 and s.183 of the Securities and Futures Ordinance (Cap 571) for the maintenance of market order. 

Section 182 of the SFO stipulates the grounds upon which the SFC may commence their investigatory procedures and s.183 of the SFO stipulates the steps involved. The SFC will appoint an investigator to serve a notice on the person or company to be investigated, and the investigator may require any person/company believed to have relevant information to produce any record or document specified by the investigator within a reasonable time and to the place required under s.183(1)(a).  

The failure to produce any record or document required to be produced in relation to an investigation under s. 183(1)(a) of the SFO may constitute an offence under s.184(1)(a), provided that the person under investigation has no reasonable excuse for its failure to disclose the relevant information. 

Compliance with the PDPO -The "likely to prejudice" test 

One of the major concerns that companies face when asked to disclose customer personal data to financial regulators is breaching Data Protection Policy 3 (DPP3) set out under Schedule 1 of the PDPO. 

DPP3 of the PDPO requires a data user to obtain the "prescribed consent" of data subjects before using their data for a new purpose, i.e. a purpose other than one for which the personal data was originally collected. Companies should therefore handle requests for the disclosure of customer personal data to the SFC or other government and regulatory bodies in connection with an investigation with caution. 

Exemptions are available to data users. Section 58(2) of the PDPO lists the circumstances in which a data user is not required to obtain the "prescribed consent" of data subjects under DPP3. In particular, companies do not have to comply with DPP3 if they have reasonable grounds for believing that failure to disclose the data would have been likely to prejudice the discharge of functions by a "financial regulator" under s.58(1)(f)(ii) and (g). 

The SFC and the Hong Kong Monetary Authority both fall within the definition of a "financial regulator" under the PDPO. Furthermore, the functions referred to under s.58(1)(f)(ii) and (g), include to protect members of the public against financial loss arising from dishonesty, incompetence, malpractice or serious improper conduct by certain companies involved in financial services. 

Dilemma in the face of request of information 

Depending on the circumstances, companies are faced with the task of having to determine whether the failure to disclose customer personal data to the SFC or other financial regulator in connection with an investigation would be "likely to prejudice" the functions of the SFC or other financial regulator.

In clear-cut cases where there is a direct causal link between the nature of the customer personal data requested by the SFC and the purpose of the investigation, s.58(2) would act as an exemption from DPP3 for the disclosing company.

However, in situations where the relevancy of the customer personal data and the purpose of the investigation are less clear, a company may not be able to rely on the exemption from DPP3 under s.58(2) because the failure to disclose the relevant personal data may have little impact on the discharge of the functions of the SFC or other financial regulator. In such cases a disclosure of personal data without obtaining the "prescribed consent" of the data subject may result in the company finding itself in breach of DPP3. 

Cautionary steps to take 

Companies should protect themselves by stipulating clearly in any customer contracts or agreements their ability to disclose their customers' personal data upon request to government and regulatory bodies, courts with competent jurisdiction and to any other person as may be required pursuant to any applicable laws. It is also advisable that the term should be wide enough to cover the broadest range of investigative activities possible. 

Companies should ensure that they are aware of the purposes of any investigation commenced by the SFC or other financial regulator, and if necessary, they should request additional information relating to the specific purposes for which the financial regulator requires the particular customer personal data, and its relevancy to the investigation. It is only by obtaining such information that companies are able to show that they have properly assessed whether the failure to disclose customer personal data would satisfy the "likely to prejudice" test under s.58(2) of the PDPO, and therefore be able to avail themselves of the exemption from having to comply with DPP3. 

Finally, it is also important to note that with the possible upcoming reforms of the PDPO, there may be clearer provisions regarding how government bodies can deal with the collection and use of customer personal data from companies. We shall continue to monitor the position.