On 24 June 2011, the HKMA issued a press release in relation to the publication by the Privacy Commissioner for Personal Data ("PCPD") on 20 June 2011 of its investigation reports with respect to the collection and use of customers' personal data by four banks as well as the findings of its compliance checks on the credit card application forms for ten banks.
The PCPD found that the four banks had contravened Data Protection Principles 1 and 3 on the collection and use of personal data by using vague and loose terms to inform customers of the classes of persons who could use their data, providing the personal information collection statements ("PICS") in too small a font size, and disclosing customers' personal data to third parties for marketing purposes without express and voluntary consent. The PCPD also considered one bank to have contravened section 34(1) of the Personal Data (Privacy) Ordinance ("PDPO") by failing to comply with an opt-out request, having poorly handled a customer's request to opt out of receiving direct marketing.
The PCPD's subsequent compliance checks on selected banks revealed that the banks surveyed were generally compliant with the legal requirements on the collection and use of customers' data for direct marketing.
Nevertheless, the HKMA has stated that it expects all authorised institutions (i.e. banks) to study the PCPD's investigation reports carefully and take note of the issues raised in the reports including in particular:
- PICS should be printed in legible print;
- appropriate and practicable assistance should be provided to customers to help them understand the PICS;
- classes of transferees of personal data in the PICS should be specified;
- where personal data of existing customers would be shared with any business partners for monetary gain, prior prescribed consent should be obtained; and
- a written policy or guideline should be formulated to ensure compliance with customers' direct marketing opt-out requests.
The PCPD also highlighted the following observations and recommendations:
- a corporate-wide privacy strategy that applies in all business processes and operational procedures should be in place;
- consideration should be given to adopting the good privacy practices recommended in the PCPD's Guidance Note on the Collection and Use of Personal Data in Direct Marketing (issued in October 2010); and
- top management should take the lead in instilling in their staff shared work norms which emphasize compliance with the requirements under the PDPO.
Remarks - The matters which the HKMA's circular of 24 June 2011 requires authorised institutions to take note of from the PCPD's recent investigation reports were all raised in earlier guidelines and recommendations issued by the HKMA and the PCPD in October last year. The HKMA's express reminder to authorised institutions of these specific requirements highlights the continuing sensitivity in the market over how organisations such as banks handle customers' personal data for direct marketing purposes.
With the gazettal of the Personal Data (Privacy) (Amendment) Bill 2011 (the "Privacy Bill") on 7 July 2011 and its introduction to the Legislative Council on 13 July 2011, further guidelines and circulars from the PCPD and the HKMA (as well as other financial regulators) are likely in the near future. The Privacy Bill is intended to improve current personal data privacy requirements by, amongst other things, revising selected existing requirements and introducing new requirements on the collection and use of personal data for direct marketing purposes and on the sale of personal data for monetary gain. However, the PCPD has highlighted concerns with several proposals contained in the Privacy Bill, in particular the proposal to permit a data user to inform the data subject only after collection of their personal data that such data are to be sold, and the proposal to deem a data subject's consent to have been given if the data subject does not expressly withhold consent within the required response period. Both proposals appear to contradict Data Protection Principle 3, which requires the purpose of the use of data to be stated prior to collection of the data and prescribed consent to be obtained prior to sale of the data. No implementation date for the Privacy Bill has yet been proposed and, in light of the PCPD's concerns over the conflicting proposals, it may be some time yet before the proposals in the Privacy Bill take effect.
We last discussed the HKMA and PCPD's requirements for handling customers' personal data and the Government's proposals for amendments to the PDPO in Issue 16 of this Newsletter.