Page:Unauthorised Access to Credit Data in the TE Credit Reference System.pdf/13

 The Commissioner's Observations

Credit data is currently an important indicator of an individual's financial credibility and borrowing capacity. With the development of the digital economy, the proper handling and protection of credit records are essential for protecting personal data privacy and ensuring financial data security. The public will reasonably expect that their personal credit data, whether positive or negative, would be adequately protected by credit reference agencies and would not be subject to unrestricted access by unauthorised or unrelated organisations.

The Commissioner noted that the current operation and management of the TE Credit Reference System is neither regulated by the industry code nor the relevant laws of the financial sector, including the Money Lenders Ordinance (Chapter 163 of the Laws of Hong Kong) and the code of practice of licensed money lenders, and the situation is far from satisfactory. To ensure the data security of the database and the protection of borrowers' personal data privacy, the Commissioner recommends that the operation and management of any credit reference database be regulated or supervised through laws, regulations, guidelines, industry codes or licensing systems. It is of crucial importance that appropriate penalties should be imposed on wrongdoers, that the privacy of borrowers should be adequately protected, and the security of the database should be properly safeguarded.

Implementing a Personal Data Privacy Management Programme

Awareness of personal and credit data protection is already deeply ingrained in the minds of the general public. Data users have the undeniable responsibility to take effective measures to protect such data. The Commissioner encourages organisations to implement a "Personal Data Privacy Management Programme" through which personal data privacy protection can be incorporated into their data governance responsibilities. They should bear in mind the importance of personal data protection in daily operations and adopt a top-down approach in executing open and transparent information policies and standing instructions, so as to signal their determination in exemplifying good corporate governance. This will benefit and help an organisation to earn its reputation, gain trust 