Page:Unauthorised Access to Credit Data in the TE Credit Reference System.pdf/7

Softmedia Contravened Data Protection Principle 4(1)

Unauthorised Access to the Credit Data

Data Protection Principle 4(1) in Schedule 1 to the Ordinance provides that all practicable steps shall be taken to ensure that any personal data (including data in a form through which access to or processing of the data is not practicable) held by a data user is protected against unauthorised or accidental access, processing, erasure, loss, or use.

The participating money lending companies are only charged when they use the TE Credit Reference System (i.e. a money lending company can gain unlimited access to a borrower's credit data for five days with a payment of $2, and this five-day cycle can be repeated with no limits set in terms of payment or access). Thus, a money lending company can gain unlimited access to the credit data of a specific borrower as long as it declares that it has obtained authorisation from the borrower and pays the fees. The investigation revealed that Softmedia neither restricted the number of times the money lending companies can access a borrower's data nor regularly monitored their use of the TE Credit Reference System. Softmedia did not, for example, actively monitor or detect any abnormal access by money lending companies through audit trails.

The Commissioner understands that money lending companies may bear higher financial risks than banks when granting loans to individuals. They may have to closely track a borrower's financial status and credit record. However, this does not mean that money lending companies may access borrowers' credit data without restrictions. As the operator of the TE Credit Reference System, Softmedia should strike a reasonable balance between the actual needs of the money lending companies and the protection of personal data privacy and formulate measures to regulate and monitor the use of the TE Credit Reference System by these companies, such as limiting the maximum number of times they can access the credit data of a borrower within a certain period, to ensure compliance with Data Protection Principle 4(1) of the Ordinance.
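An added example (not part of the Commissioner's report, and not Softmedia's code) of the audit-trail review and access limit described above: it flags a lender that exceeds a per-borrower access cap within a five-day window, and a borrower whose data is accessed by unusually many distinct lenders. The record layout, identifiers and both thresholds are assumptions, and the sample records are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit-trail records: (access time, lender id, borrower id).
AUDIT_TRAIL = [
    ("2024-03-01T09:00", "ML-A", "B-100"),
    ("2024-03-01T15:30", "ML-A", "B-100"),
    ("2024-03-02T10:00", "ML-A", "B-100"),
    ("2024-03-04T11:00", "ML-A", "B-100"),
    ("2024-03-05T08:00", "ML-A", "B-100"),
    ("2024-03-09T08:00", "ML-A", "B-100"),
    ("2024-03-02T12:00", "ML-B", "B-100"),
    ("2024-03-03T12:00", "ML-C", "B-100"),
    ("2024-03-03T09:00", "ML-B", "B-200"),
    ("2024-03-20T09:00", "ML-B", "B-200"),
]

WINDOW = timedelta(days=5)   # mirrors the five-day charging cycle
MAX_ACCESSES = 3             # assumed cap per lender per borrower per window
MAX_LENDERS = 2              # assumed ceiling on distinct lenders per borrower


def over_cap(trail, max_accesses=MAX_ACCESSES, window=WINDOW):
    """Map (lender, borrower) -> peak accesses in any window, if above the cap."""
    times_by_pair = defaultdict(list)
    for ts, lender, borrower in trail:
        times_by_pair[(lender, borrower)].append(datetime.fromisoformat(ts))
    flagged = {}
    for pair, times in times_by_pair.items():
        times.sort()
        start = peak = 0
        for end, t in enumerate(times):
            while t - times[start] >= window:   # slide the window forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak > max_accesses:
            flagged[pair] = peak
    return flagged


def wide_fan_in(trail, max_lenders=MAX_LENDERS):
    """Map borrower -> sorted lender ids, if more distinct lenders than allowed."""
    lenders = defaultdict(set)
    for _, lender, borrower in trail:
        lenders[borrower].add(lender)
    return {b: sorted(s) for b, s in lenders.items() if len(s) > max_lenders}


if __name__ == "__main__":
    print(over_cap(AUDIT_TRAIL))
    print(wide_fan_in(AUDIT_TRAIL))
```

The same sliding-window count can be enforced at request time to refuse an access that would exceed the cap, rather than only reported after the fact.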

This complaint also revealed that at least eight money lending companies that were unacquainted with the complainant, let alone had his consent or authorisation, accessed his credit data. Regrettably, Softmedia relies on the money lending companies to declare whether they have obtained the 