LegCo Paper No. CB(2)2645/96-97
Ref : CB2/PL/IP
LegCo Panel on Information Policy
Minutes of Meeting
held on Friday, 9 May 1997 at 10:30 am
in Conference Room B of the Legislative Council Building
Members Present :
Hon Emily LAU Wai-hing (Chairman)
Hon Andrew CHENG Kar-foo
Hon LEUNG Yiu-chung
Hon Bruce LIU Sing-lee
Hon Lawrence YUM Sin-ling
Member Absent :
Hon Mrs Elizabeth WONG, CBE, ISO, JP
Public Officers Attending :
Item III
- Mr Stephen LAU, Privacy Commissioner for Personal Data
- Mr Robin MCLEISH, Deputy Privacy Commissioner for Personal Data
Clerk in Attendance :
- Mrs Anna LO, Chief Assistant Secretary (2) 2
Staff in Attendance :
- Ms Christine LIU, Senior Assistant Secretary (2) 8
I. Confirmation of minutes of meeting held on 27 February 1997 and matters arising
(LegCo Paper No. CB(2)1942/96-97)
The minutes of meeting held on 27 February 1997 were confirmed.
II. Date and items for discussion for next meeting
(Paper No. CB(2)2169/96-97 (01))
Members agreed that the next meeting would be held on Friday, 6 June 1997 at 10:30 am to continue discussion on Development of Information Superhighway and Internet in Hong Kong.
III. Personal Data (Privacy) Ordinance (Cap 486)
(a) Draft Code of Practice on Personal Data Privacy - Consumer Credit Reference Services
(Paper No. CB(2)2169/96-97 (03))
Consumer Credit Reference Services
At the invitation of the Chairman, Privacy Commissioner for Personal Data (Privacy Commissioner) briefed members on the Consumer Credit Reference Services.
Members raised the following questions -
- whether there was a centralised Consumer Credit Reference Agency (CCRA);
- whether the credit reports issued by CCRA were free of charge. A member quoted a complaint where a patient had to pay over $10,000 for photocopies of his medical record; and
- whether there were objective criteria in refusing an application for credit.
Privacy Commissioner replied that -
- the Hong Kong Monetary Authority was at the moment conducting consultations on the setting up of a centralised CCRA especially in the area of credit card applications. Regardless of the future structure of the CCRA, the major concern of the Privacy Commissioner's Office (PCO) was whether the agency would comply with the Code of Practice in the execution of its services;
- when an individual requested access to information of an organisation, the organisation had a right under the law to charge a fee though the fee should not be excessive. If any member of the public considered that the fee was unreasonable, he could lodge a complaint with the PCO. In some cases, he understood that higher fees might be charged to cover the costs involved, e.g. the scanning of photographic films of hospitals; and
- companies could refuse credit applications according to their own commercial principles. Since Hong Kong did not yet have legislation on fair trade practices, members of the public could approach the Consumer Council if they considered that the refusal of their application was unfair. Should the companies act in an unreasonable way, he believed that they would be subject to public pressure.
In response, a member further commented that -
- as integrity of information was important in the consumer credit reference services, an agency would try to be centralised or join with others to gather more information. If that was the case, he considered that they should follow the six data protection principles as laid down in the Code of Practice and that there should be more detailed guidelines for exchange and sharing of information; and
- on the refusal of credit, there should be objective and reasonable criteria in screening the applications. The PCO should help set a policy whereby people would be refused credit only when they exceeded a certain loan ratio.
Privacy Commissioner explained that as the Personal Data (Privacy) Ordinance was newly introduced legislation, the PCO had to adopt a step-by-step approach in encouraging the institutions to comply with the data protection principles. In fact, the Hong Kong Association of Banks, the Hong Kong Monetary Authority and the Consumer Council were all working hard with PCO in that direction. As regards the question of fairness, he considered that it would be difficult to strike a balance. However, he agreed that there should be certain rules for the companies to adhere to, if possible.
Consumer Credit Reference Agencies
A member asked whether public record information on debt judgements or bankruptcy might be used in other areas such as the granting of credit cards. Privacy Commissioner replied that in Hong Kong, there had already been a major CCRA which was formed by a number of banks operating together to provide service in that area. The present Code of Practice, he clarified, was for individual credit applications only; and business credit would fall outside the scope of concern in this consultation paper.
As to an enquiry from a member on whether it would be necessary for personal particulars such as address, ID number and even the date of birth of the borrowers to be kept by the CCRA, Deputy Privacy Commissioner explained that a correspondence address was necessary so that the credit provider, if the debt was in default, could trace the borrower. On the other hand, a name by itself might sometimes be too ambiguous to identify a person. So, an ID card number would be necessary to avoid the risk of confusing persons and mixing up records. He considered that it was simply a question of striking a balance between the privacy interests of the individual and the needs of credit providers to make reasonably informed lending decisions so as to avoid a high level of defaults, which would result in a higher cost of obtaining credit.
Privacy Commissioner added that in the most ideal case, no institution should possess personal information. Should such information need to be kept, a balance had to be struck. As the present Code of Practice was still under consultation, he would welcome suggestions on how to establish an effective system whereby minimum personal data would need to be kept without affecting the operation of an institution.
Debt Collection Agencies
Making reference to the point mentioned in the consultation paper that debt collection agencies should only use the personal data received from a credit provider for collecting debt or for internal reference purposes, members made the following points -
- the name of the debt collection agency should be released to the borrower when he applied for credit or when he defaulted on payments so that he would know the identity of the agency he would encounter if he was in arrears of payment;
- if the debt collection agencies infringed personal privacy by posting bills, say, in the public housing estates that somebody was owing them money, what actions could be taken by PCO;
- apart from credit providers and insurance companies, whether a borrower could obtain a copy of credit report from the CCRA;
- there were worries that debt collection agencies would try every means to get information about the referees from the credit providers and whether there were measures to prevent them from doing so; and
- whether PCO had some form of control over the debt collection agencies.
Privacy Commissioner replied that -
- they would note down the opinion suggested at para 11 (a);
- if personal information was made public in an unnecessary way, PCO would look into the case. They would either issue an enforcement warrant or take enforcement action to prevent the debt collection agencies from disclosing personal data in an inappropriate manner. In this connection, Deputy Privacy Commissioner added that although there were no specific provisions in the Code of Practice, they could use the general data protection principles to take enforcement actions. The present Code of Practice was actually elaborating on the general principles in that it provided some clear and practical distillation of what the principles meant. If there was any area not covered by the Code, they could always fall back to the general principles;
- under the law, a borrower was allowed to access and change his personal particulars kept by an institution. The credit providers had procedures to vet whether a person was the borrower;
- if a debt collection agency had used dubious means to collect information and disclose it without authority, PCO could issue an enforcement notice to require them to stop the practice. If they did not take the advice, they were breaking the law and would be prosecuted; and
- if the referee found that his privacy was infringed upon, he could complain to PCO. As for the measures taken by the debt collection agencies in collecting debts which might be a nuisance to the public, he admitted that it was outside his jurisdiction.
A member opined that it was inappropriate for a credit provider to release the information of a referee to the debt collection agencies as the referee was only acting as a reference for information and was not a guarantor who might have to underwrite the debt. Deputy Privacy Commissioner pointed out that in paras. 3.9 & 3.10 of the consultation paper, it was stipulated that a credit provider should not provide a referee's personal information (or information about the third parties other than the guarantors) to any debt collection agency. If they did so, PCO would be empowered to issue an enforcement notice to stop it from doing so. As for the debt collection agencies, they were restricted in the use they could make of the information provided by the credit providers. If they went beyond the permitted scope of use, PCO could take enforcement actions against them. In other words, PCO could take action against both parties, i.e. the credit provider and the debt collection agency.
In this connection, a member said that there were complaints about debt collection agencies trying to lure family members, relatives, employers or referees to sign some documents authorising them to obtain a credit report from CCRA. Privacy Commissioner replied that if a borrower had absconded, his family members would not be able to authorize debt collection agencies to obtain the credit report from CCRA because nobody except the borrower had the authorization right. In response, the member opined that even the borrower should not be allowed to authorize anyone to get access to the credit report. Privacy Commissioner noted the opinion.
(b) Progress Report on work of Privacy Commissioner's Office
(Paper No. CB(2)2169/96-97 (02))
In response to a member's enquiry on matching procedures, Privacy Commissioner said that the Personal Data (Privacy) Ordinance was brought into force on 20 December 1996, other than sections 30 and 33. The two sections provided for specific control of matching procedures and the transfer of personal data outside Hong Kong respectively. They were delayed because data users required specific guidance on the effect of these provisions and how to comply with them before they were brought into effect. He said that matching procedures had a very specialised definition but simply put, it was the automated comparison of personal data of ten or more individuals collected for different purposes with a view to taking adverse action against one or more of them. Data users were required to apply in advance for consent from the Privacy Commissioner to carry out "matching procedures". Guidance material and the application forms for seeking consent for matching procedures had been issued by PCO. To date, PCO had received twelve applications of which eleven were from the public organisations and one was from the private sector. PCO was at the moment examining the applications and expected the provision on matching procedures to be brought into force in the near future.
In response to a member's opinion that the names of the applicants should be made known to increase transparency, Privacy Commissioner said that he would consider including them in the PCO's annual report, if possible.
Transfer of personal data outside Hong Kong
In response to a member, Privacy Commissioner briefed members on the background. He said that PCO was still awaiting the European Commission to issue guidance on the transfer of personal data from its member states. As far as he knew, the working party set up by the European Commission was still working on the methodology to evaluate the level of protection in third countries. Since it would be desirable to follow the European Commission on the implementation of the provision, PCO would closely liaise with the European Commission on the matter and considered that section 33 should not be brought into force pending the outcome of the European Commission's deliberations. In the meantime, the PCO had issued a set of guidelines on transfer of personal data outside Hong Kong to assist commercial organizations.
Publicity and Promotion
Upon enquiry from a member, Privacy Commissioner said that PCO had installed a telephone hotline (no. 2827 2827) for public enquiries on its work and had also distributed some 250,000 publicity pamphlets. The member further suggested placing advertisement billboards at the train stations and MTR stations. Privacy Commissioner noted the opinion and said that PCO had continued its promotional programme aiming at raising public awareness of the new Ordinance through advertisements on television, radio and other media by the Information Services Department.
The meeting ended at 12:10 pm.
Legislative Council Secretariat
11 June 1997
Last Updated on 20 August 1998