Hong Kong’s Office of the Privacy Commissioner for Personal Data recently released a twenty-page guidance note to the banking industry on the proper handling of customers’ personal data. This response by the Commissioner to “[p]romote good practices in relation to the collection, accuracy, retention, use, security of and access to customers’ personal data” comes on the heels of a surge of complaints by customers against banks and financial institutions. The Guidance offers the banking industry clarity on the application of Hong Kong’s main privacy law, the Personal Data (Privacy) Ordinance (Chapter 486) (the PDPO). While it is not legally binding, the Guidance sets out the “best practices” that should be followed by banks and other financial institutions. Failure to follow the Guidance may lead to reputational issues and could also, potentially, be used to support a claim for violation of the PDPO. Of note is that the Guidance requires banks to make their consents and disclosures “easily understandable” and, if in writing, “easily readable.” This underscores the importance of reviewing existing disclosures and consents for compliance and of avoiding “fine print” and “legalese.” Finally, the Guidance provides that a financial institution can be liable for the acts of its employees, agents, and any third parties (including third parties based outside Hong Kong) that receive and handle the data of its customers.

TIP: Since the banking industry is particularly vulnerable to cyber-attacks and data breaches, banks and other financial institutions in Hong Kong should become familiar with the Guidance and review their respective policies to meet its standards.