Page:Unauthorised Access to Credit Data in the TE Credit Reference System.pdf/12

 is immediately deleted after the expiration of the retention period (unless as required by other legal requirement(s));

To formulate personal data protection policies and procedures and adopt measures to regularly review whether employees have complied with these policies and procedures when carrying out their duties;

To review and impose restrictions on the number of times money lending companies can access the TE Credit Reference System, and formulate monitoring measures to detect any non-compliant access;

To formulate policies and measures to verify that the money lending companies have obtained authorisations from the borrowers before accessing their data in the TE Credit Reference System;

To formulate and implement a strong password management policy for the TE Credit Reference System; and

To provide documentary proof to the Commissioner within three months from the date of the Enforcement Notice, proving that the instructions specified in (i) to (vi) above have been complied with.

Recommendations

Section 48(2) of the Ordinance provides that the Commissioner may, after completing an investigation and if she is of the opinion that it is in the public interest to do so, publish a report setting out the results of the investigation, any recommendations and other comments arising from the investigation as she sees fit to make.

This investigation involved the personal data of a significant number of members of the public. Therefore, in addition to serving an Enforcement Notice pursuant to Section 50(1) of the Ordinance, the Commissioner would like to make the following observations and recommendations through this report to Softmedia and other operators of credit reference databases.