On 6 October 2014, the Office of the Privacy Commissioner for Personal Data (PCPD) issued “Guidance on the Proper Handling of Customers’ Personal Data for the Banking Industry” (Guidance). The Guidance also refers to “financial institutions” (FIs) and is therefore also relevant for the wider financial services industry and its data protection compliance practitioners. The Guidance, which runs to 27 pages,  reinforces the importance of complying with Hong Kong’s Personal Data (Privacy) Ordinance (PDPO). Key highlights are:

  1. Collection, storage, retention, access, use and security: Banks and FIs (Data Users) must have a corporate wide privacy strategy and ensure proper collection, integrity, storage, retention, access and use of personal data throughout its life cycle. They must have suitable Personal Information Collection Statements (PICS) Personal Policy Statements (PPS) and robust personal data policies and risk management in place. Data collected should be “fit for purpose”; not excessive; accurate; only retained for the necessary time; and secure (especially when off site). Data subjects must be notified of any intra-group data sharing or transfer. Measures should be taken before disclosing data to enforcement agencies or regulators. Data access requests must be dealt with within 40 days. Special care must be taken in relation to any “direct marketing” initiatives.  For further information on direct marketing, see our client alert of May 2013.  
  2. PCPD Codes of Practice and/or guidance notes: These publications are invaluable and should be consulted alongside other related requirements, such as the anti-money laundering regime and know-your-client regulations.  
  3. Liability for acts of staff, agents and contractors: Data Users are generally liable for the acts of these persons. Staff should be asked to sign a secrecy or confidentiality agreement recognizing the Data User’s operational expectations. A defence is available if the Data User shows that it took precautionary measures (e.g. ongoing training, internal policies) to prevent contravention. For agents and contractors, relevant PDPO requirements should be incorporated into the service contract and the PCPD’s Data Processors Information leaflet consulted.  
  4. The Internet: Data Users may refer to the PCPD’s Internet Guidance Note which addresses collection, display and transmission of data via the internet. Online PICS should be used, cookies policies made clear and a link to the PPS provided. The PCPD has issued a “best practice” leaflet in this regard.

The specific sensitivity of personal data means that data subjects expect data users to exercise extra care in its handling. The Guidance comments that top management should take note of PDPO obligations and ensure compliance, and it provides useful case studies.

The Guidance can be downloaded from the website of the PCPD.