Hong Kong: PCPD issues enforcement notice to Softmedia
On June 1, 2023, the Office of the Privacy Commissioner for Personal Data (PCPD) published Investigation Report No. R23-21242, issued on the same day, in which it issued a compliance order to Softmedia Technology Company Limited for contravening Data Protection Principles 4(1) and 2(2) of the Personal Data (Privacy) Ordinance (Cap. 486), as amended in 2021 (PDPO), following an individual's complaint.
Background to the investigation
The investigation, conducted by the Privacy Commissioner, Ada CHUNG Lai-ling, focused on the TE Credit Reference System, which was operated by Softmedia and used by approximately 680 money-lending companies. The system stored the credit data of around 180,000 borrowers. The Privacy Commissioner initiated the investigation after a complaint from an individual who discovered that their credit data had been accessed multiple times by eight unknown money-lending companies without their knowledge or consent. The Privacy Commissioner noted that the complainant expressed concerns over the inadequacy of the security measures implemented in the TE Credit Reference System to safeguard personal data.
Findings of the PCPD
In its investigation, the Privacy Commissioner found deficiencies in Softmedia's security measures and the retention period of credit data in the following three aspects:
- failure to take practicable steps to protect personal credit data from unauthorized access, processing, or use;
- weak password management; and
- prolonged retention of the credit records of borrowers who had completed their repayments more than five years ago.
The Privacy Commissioner expressed regret over Softmedia's failure to implement appropriate security measures to monitor and manage access to the TE Credit Reference System by money lenders. The absence of robust password policies and the retention of unnecessary data exhibited clear inadequacies in protecting personal data. Consequently, the Privacy Commissioner found that Softmedia contravened Data Protection Principle 4(1) of the PDPO regarding the security of personal data and Data Protection Principle 2(2) related to the appropriate retention of personal data, as outlined in Schedule 1 of the PDPO.
In response to the findings, the Privacy Commissioner issued an enforcement notice to Softmedia directing it to remedy the contraventions and prevent similar incidents from occurring in the future.
The investigation report also includes recommendations for Softmedia and other credit reference database operators. These include implementing a personal data privacy management program that makes personal data privacy protection part of their data governance responsibilities, appointing data protection officer(s) to oversee PDPO compliance, appointing an independent compliance auditor to conduct regular compliance audits, and increasing the penalties for contraventions to deter violations by money lenders.