Out-Law News | 14 Oct 2014 | 3:05 pm
The privacy commissioner in Hong Kong, Allan Chiang, said that his office handled 373 data protection complaints about banks in 2013-14, up from 198 cases in 2012-13 and 212 cases the year before. Banks have "been among the top three private sector organisations being complained against", Chiang said.
"Taking into consideration the large customer database maintained by the banking industry and the sensitive nature of the personal financial information involved, we consider it appropriate to publish the guidance note to promote and reinforce the banking industry’s compliance with …[Hong Kong data protection laws] in handling customers’ personal data."
The commissioner's guidance (27-page / 396KB PDF) addressed a number of data protection issues that banks must consider, including in relation to marketing activities, the collection of personal data online using 'cookies' and data retention policies.
The guide also revealed that the watchdog received a complaint from a banking customer who was able to access account data belonging to other bank customers when they logged into a new online banking service the bank had launched.
The guidance did not contain any practical case study examples of banks' failure to adhere to data protection rules when transferring personal data outside of Hong Kong. The guidance noted that data transfers by banks were now "a common and essential component of daily banking activities" and set out steps banks should follow to ensure they comply with Hong Kong's rules on personal data transfers.
"The privacy commissioner does not give any examples of complaints relating to the export of customer data, which suggests that this is not a perceived problem in Hong Kong," said Hong Kong-based data protection law expert Peter Bullock of Pinsent Masons, the law firm behind Out-Law.com. "This is interesting given Hong Kong’s small size, the use of China as a back office for an increasing number of Hong Kong lenders, and the general increase in the movement of money internationally."
Bullock said the guide did, though, reveal concerns the privacy commissioner has with banks' handling of customer data access requests.
The privacy commissioner said that banks that conform to good data protection practices stand to gain an advantage over those that do not.
"Privacy-assuring banks will enjoy enhanced customer trust and loyalty, thus creating a win-win-win for the customers, their businesses and the banking industry as a whole," the guide said. The watchdog called on banks to adopt a "privacy strategy" to ensure they address data protection issues across the whole of their business.
"Banks engaging in the collection, holding, processing and use of vast amounts of customer data need to have a corporate-wide privacy strategy which applies in all their business processes and operational procedures," it said. "It is important that they manage customers’ personal data properly throughout its entire life cycle, from collection to disposal and also with due regard to data integrity, use, security and access. This demands establishment and maintenance of robust privacy and risk management programmes with support and commitment from top management."