On 1 June 2023, the Hong Kong Office of the Privacy Commissioner for Personal Data (PCPD) published an investigation report on a data breach involving the unauthorised access of a credit reference database platform operated by Softmedia Technology Company Limited (Softmedia) (the “Report”). The Report highlights the need for organizations to take adequate steps to protect personal data as the mere imposition of contractual obligations and policies is insufficient if such obligations and policies are not effective or are not enforced. The Report also clarifies that credit data is a form of “sensitive” personal data.
Established in 1991, Softmedia develops and operates various software management systems for clients in financing, retail, beauty, education and other industries. Its clients include listed companies, SMEs and government departments.
Softmedia is not a credit reference agency selected by the Hong Kong Association of Banks, Hong Kong Association of Restricted Licence Banks and Deposit-taking Companies, or the Hong Kong S.A.R. Licensed Money Lenders Association Limited under the Multiple Credit Reference Agencies Model. As a result, Softmedia is not regulated by any of the foregoing associations, nor is it subject to any of the finance industry-related ordinances (e.g., the Money Lenders Ordinance) or codes of practice.
One of Softmedia’s offerings is the TE Credit Reference System platform (TES) that was set up in January 2016 as a platform for money lenders to access the credit data of borrowers before deciding whether to accept or reject a loan application.
By paying HK$2, a lender could gain unlimited access to a borrower’s credit data in TES for five days so long as the lender declared that it had obtained the consent and authorization of the relevant borrower. Upon expiry, the access could be continued at the same rate with no restrictions on the number of times this five-day cycle could be repeated.
As of December 2022, TES had about 680 money lending companies as its users, and had collected the personal information of around 180,000 individuals. This data included their credit data (e.g., previous loan applications, completed repayments, delayed repayments, bad debts, etc.) and Hong Kong Identity Card (HKID) numbers which had been converted into unique codes by an algorithm.
On 30 December 2021, the PCPD received a complaint about Softmedia’s alleged failure to take adequate security measures to protect the personal data stored in TES.
Specifically, a number of money lenders had accessed the complainant’s credit data in TES without the complainant’s consent despite the complainant never hearing of, or making a loan application to any of these companies (Unknown Companies).
The unauthorized access came to the complainant’s attention through a money lending company that had previously made a loan to him. While using the Loan Management System (LMS) – another system also devised by Softmedia for lenders and linked with TES – the company had noticed records of recent access to the complainant’s credit data by the Unknown Companies, and thus contacted the complainant to see if he was in financial need.
Upon receiving the complaint, the PCPD made preliminary enquiries, before commencing the investigation and engaging in six rounds of correspondence with Softmedia. The PCPD also visited Softmedia’s office to interview Softmedia employees.1
While the PCPD investigation found flaws in TES based on the actual complaint, it also took the opportunity to probe into Softmedia’s practices and found other deficiencies relating to their password management and data retention practices, culminating in the “name-and-shame” Report.
The PCPD investigation, and the Report, focused on Data Protection Principles 4 (Security) and 2(2) (Retention).
As revealed by the Report, at least eight money lending companies unacquainted with the complainant had accessed his credit records in TES without his authorization. In the case of one company, the complainant’s data was accessed three times in seven days.
Subject to exemptions under Part 8 of the PDPO, Data Protection Principle 4(1) requires data users to take all practicable steps to ensure that any personal data they hold is protected against unauthorized or accidental access, processing, erasure, loss, or use.
In doing so, data users should give particular consideration to, inter alia, the kind of data in question2, the security measures incorporated into the medium of storage3, and the measures taken to ensure the integrity, prudence and competence of persons having access to the data.4
The PCPD noted that while Softmedia required companies using TES to declare that they had obtained from borrowers a signed authorization letter before uploading and accessing their credit data on the system, no effort appeared to have been made to verify these declarations, e.g., by checking the relevant letters. Indeed, the eight Unknown Companies were all unable to produce an authorization letter signed by the complainant.
Further, the risk of unauthorized access to the credit data was exacerbated by the fact that: (1) Softmedia did not actively monitor the use of TES by the money lending companies; (2) there was no limit on the frequency in which these companies could access a borrower’s credit data; (3) the companies were allowed to set a weak password (both in terms of length and complexity) for logging into the database; and (4) there was no requirement for the password to be changed periodically, leaving the credit data vulnerable to unauthorized access by former employees of the companies.
In light of Softmedia’s failure to address the loophole in its requirement of borrowers’ authorization which was being exploited by the companies using the database, the PCPD concluded that Softmedia had contravened Data Protection Principle 4(1) of the PDPO.
In addition, the PCPD discovered that Softmedia had also breached Data Protection Principle 2(2) of the PDPO by retaining more than 50,000 credit records of borrowers who had completed their repayments over five years ago. In reaching the conclusion above, the PCPD made reference to its Code of Practice on Consumer Credit Data (COP), which sets out the maximum period a credit reference agency should retain account repayment data in its database5.
The PCPD issued an enforcement notice requiring Softmedia to take the following actions within three months to remedy the data breaches and prevent them from reoccurring:
- deleting all credit data from TES where five years or more have lapsed since the borrower settled the final instalment of the loan;
- establishing policies and procedures to ensure the credit data in TES is not retained longer than the period specified by the COP;
- setting limits on the number of times that a money lender can access TES within a certain period;
- devising a monitoring mechanism to detect unauthorized access to the credit data;
- formulating personal data protection policies and procedures and implementing measures to review compliance by employees on a regular basis; and
- tightening security requirements regarding the log-in password for TES.
Under section 50 of the PDPO, where the PCPD considers there has been a contravention, it may direct data users to take remedial actions within a specified period of time. Failure to comply with such enforcement action may expose data users to criminal liability – a maximum fine of up to HK$100,000 and imprisonment for two years.
The Report sheds light on various issues that are pertinent to all organizations who provide access to personal data in the course of their business:
- “Personal data” includes pseudonymised data: The PCPD disagreed with Softmedia’s assertions that no personal data was involved in the TES because it did not store the borrowers’ names, addresses and phone numbers, and only contained a set of codes that had been irreversibly converted from HKID numbers by an algorithm. Since each code was assigned to, and could uniquely identify, an individual borrower for the purpose of Softmedia’s operations, it fell within the meaning of a “personal identifier” and “data” under section 2(1) of the PDPO. The PCPD also reasoned that had TES contained no personal data as Softmedia claimed, the system could not have achieved its stated purpose of allowing money lenders to assess loan applications from specific borrowers with reference to their credit records. In other words, data users should bear in mind that any data, even if converted into a numerical identifier, could amount to personal data if it is “practicable for the identity of [an] individual to be directly or indirectly ascertained” by a third party using such data, including through the combination of data 6.
- Importance of an adequate data protection policy: The PCPD was highly critical of the passive approach Softmedia adopted towards protecting the borrowers’ credit data against unauthorized access, given that credit records are “generally regarded as sensitive personal data”, any improper access to them “can result in serious financial losses and violate the privacy of the data subjects concerned”7. While there is no statutory definition of “sensitive” personal data, the PCPD has suggested that information relating to an individual’s health, finances or location can be considered sensitive, and has in this case, explicitly added consumer credit data to this amorphous category8. Therefore, organizations which process such personal data as part of their business need to ensure that active steps are taken to secure the data against unauthorized access, such as restricting the frequency of access by the same database user, requiring a strong log-in password and periodic password changes. In the case of organisations that provide access to credit data (such as Softmedia), data users should require more than just the unsubstantiated assurance of the database user that they have obtained consent from the data subject and impose effective deterrents against unauthorized access (e.g., raising fees or terminating access).
- Avoiding an indefinite data retention period: According to Softmedia, the borrowers could request that their credit data be removed from TES once they had paid off the loan and five years had lapsed since the final repayment. This placed the responsibility regarding data retention on the data subject instead of on the data user, which is not the intention of the PDPO. Instead, where the retention of the personal data is no longer necessary for the purpose of the business, data users need to take the initiative to delete the data from their system, regardless of whether the data subjects have made a request or not. Data users should have in place monitoring or review processes that assist it in determining on a regular basis whether there is data that needs to be purged.
- Designated personnel for data protection: Unlike most other jurisdictions, companies in Hong Kong are not required to appoint a data protection officer. However, Softmedia might have been able to avoid the aforesaid pitfalls if it had appointed a data protection officer to oversee compliance with the company's obligations under the PDPO. Such an officer could be entrusted with raising staff awareness of the importance and mechanisms of personal data protection, and making regular reports to management. Other businesses that similarly deal with high volumes of personal data (especially sensitive personal data) as a central part of their services should also consider engaging independent data management professionals to conduct compliance audits and security checks.
- Nature of business is no defence: While the PCPD acknowledged that businesses in certain industries (e.g., money lending) may have a greater need to use data subjects’ personal data more frequently, this does not mean that such businesses can compromise on their data protection practices in the name of efficiency/convenience, but will still need to uphold the same standards required of all data users under the PDPO.
The Report serves as a timely reminder of the importance of proper data management and the need for data users to implement effective data protection measures. It is not sufficient for companies to adopt data privacy policies if such policies are not enforced and/or there are no processes in place to regularly ensure compliance with these policies.
Furthermore, compliance cannot be achieved on an ad hoc basis, but should be part of wider efforts at the organisational level to ensure proper data governance (i.e. a top-down approach), and the establishment of a data management framework to ensure that errant data protection practices do not slip through the cracks.
A revision of the PDPO is likely to take place before too long and once the PCPD is given broader enforcement powers we expect higher penalties for contraventions of the PDPO to follow. This underscores again the importance of good data governance and data management for all data users in Hong Kong.
The authors would like to thank Amory Hui, Summer Intern at Mayer Brown, for his assistance with this Legal Update.
1 Under Section 42 of the Personal Data (Privacy) Ordinance (“PDPO”), the PCPD is empowered to enter any premises occupied by the relevant data user and carry out investigations subject to notice requirements, or, with a warrant issued by a magistrate.
2 See Data Protection Principle 4(1)(a), Schedule 1 of the PDPO
3 See Data Protection Principle 4(1)(c), Schedule 1 of the PDPO
4 See Data Protection Principle 4(1)(d), Schedule 1 of the PDPO
5 See paragraphs 3.3.1, 3.3.2, 3.4A and 3.4B of the COP. Note that under sections 13(1) and (2) of the PDPO, data users will not be liable for mere non-compliance with a provision of the COP, but the provision can be admitted in evidence in proceedings brought in relation to an alleged contravention of a requirement under the PDPO. For instance, data that reveals a default in payment for over 60 days should not be retained for more than five years, beginning either from the date of final settlement of the amount in default or from the date of the borrower’s discharge from bankruptcy, whichever is earlier.
6 See section 2(1) of the PDPO
7 See paragraph 31 of the Report (Executive Summary)