Page:Unauthorised Access to Credit Data in the TE Credit Reference System.pdf/9

regarded as sensitive personal data, and any improper or unauthorised access to them can result in serious financial losses and violate the privacy of the data subjects concerned. Softmedia, as the operator of the credit reference database, apart from providing accurate credit data and high-quality services to the money lending companies and data subjects, should also take appropriate security measures in accordance with the requirements of the Ordinance. It should continuously monitor and review the use of the database so that it can detect and investigate any abnormal or improper access or use of the data, so as to meet the expectations of the general public and protect the personal data held by Softmedia against unauthorized or accidental access, processing or use.

The investigation revealed that the complainant's personal data was accessed, processed or used without his authorisation because Softmedia did not take appropriate security measures to monitor and manage the access to and use of the TE Credit Reference System by money lending companies, which is regrettable. In addition, Softmedia has not adopted a strong password policy or set expiration dates for passwords, notwithstanding the amount and nature of the relevant data. The current operation does not meet the basic requirements of network security, which shows that Softmedia has not taken adequate measures to protect personal data. In the present case, the Commissioner considers Softmedia to have failed to take all practicable steps to protect the personal data in its TE Credit Reference System against unauthorized or accidental access, processing or use, and is of the opinion that Softmedia has contravened the requirements of Data Protection Principle 4(1) on the security of personal data.

Softmedia Contravened Data Protection Principle 2(2)

Softmedia Retained the Credit Records of Those Who Had Completed their Repayments for More Than Five Years

Data Protection Principle 2(2) of the Ordinance provides that all practicable steps must be taken to ensure that personal data is not kept longer than is necessary for the fulfilment of the purpose (including any directly related purpose) for which the data is or is to be used.