Supplementary Question on Legislative Council Meeting Q5 – Leakage of personal data by commercial organizations

Q5 Leakage of personal data by commercial organizations

MR CHAN CHUN-YING (in Cantonese):

Deputy President, as regards the leakage of customer data by TransUnion, some people are of the view that it was caused by the business model adopted by the company. May I ask the Secretary: Apart from the institution concerned, in what way can the regulator step in and make certain adjustments under existing laws if, upon completion of the investigation, it is ascertained that the problem lies in the business model of the institution concerned?

SECRETARY FOR CONSTITUTIONAL AND MAINLAND AFFAIRS (in Cantonese):

Deputy President, I thank Mr CHAN for his supplementary question. As I have pointed out in my analysis just now, the entire incident involves two aspects. First, it concerns the protection of privacy in the handling of personal data; second, it concerns industry regulation since we need to consider which approach to take in respect of personal credit risk management.

Regarding the current situation, as pointed out in my main reply, the current approach was established in the early 1990s, under which credit providers manage the overall credit risk through placing the information in the web platform operated by TransUnion.

From a regulatory point of view, HKMA is the regulatory authority of banks while TransUnion operates as a commercial organization. As far as the incident is concerned, it is necessary for the banks to examine their contractual agreements with TransUnion or the collaborating CRAs and see if they can ensure proper handling and protection of personal credit data; moreover, in what ways do CRAs establish business relationships with the third parties that offer web platforms? Is transfer of information involved? Are their business relationships recognized by law? All of these matters require detailed study.

Lastly, Mr CHAN enquired if the business model or the approach of overall regulation is appropriate, and whether any improvements need to be made. I believe the Financial Services and the Treasury Bureau as well as HKMA will also examine the outcomes of the investigation into the incident and follow up on various issues involved. As a matter of fact, even though similar regulatory systems of other places in the world may have differences, they all take the protection of personal privacy and financial regulation into account. Therefore, institutions involved in the two aspects will have their own roles to play.