Page:Unauthorised Access to Credit Data in the TE Credit Reference System.pdf/11

Conclusion

Data Protection Principle 2(2) of the Ordinance provides that personal data should not be kept longer than the period that is necessary for the fulfilment of the purpose for which the data are or are to be used. Paragraphs 3.3, 3.3.1 and 3.3.2 of the Code provide that credit reference agencies can only retain account repayment data in their database for five years after the date of final settlement or the date of discharge from bankruptcy, whichever is earlier. Softmedia clearly did not meet the requirements of the Code or implement a policy of credit record deletion after repayments. It still retains over 50,000 records of borrowers who completed repayments more than five years ago. Softmedia did not comply with the requirements of the Ordinance and also put the personal data of borrowers at risk. Thus, in the opinion of the Commissioner, Softmedia has contravened Data Protection Principle 2(2) as regards the retention period of personal data in this case.

Enforcement Actions

The Commissioner is of the opinion that Softmedia has contravened Data Protection Principles 4(1) and 2(2) of the Ordinance on the security of the TE Credit Reference System and the retention of credit records. She has therefore served an Enforcement Notice on Softmedia pursuant to the powers conferred on her by Section 50(1) of the Ordinance, directing it to take the following actions to remedy and prevent recurrence of the relevant contraventions:

To delete all credit data in the TE Credit Reference System in respect of which five years or more have lapsed from the date of the final settlement of the loan, regardless of whether the data subject has requested Softmedia directly or through the money lending company for the deletion of the relevant data;

To formulate policies and procedures to ensure that the retention period of credit data in the TE Credit Reference System meets the requirements of the Code including (i) credit data regarding completed repayments will not be retained for more than five years unless as required by other legal requirement(s); (ii) credit data showing a default payment for not exceeding 60 days will not be retained for more than five years; and (iii) the relevant credit data 