Paper for the
Legco Panel on Financial Affairs
Personal Data Privacy of Bank Customers

Introduction

This paper provides an update to Members on the actions taken by the Government on the issue of confidentiality of customer information kept by authorized institutions.

Background

2. On 1 April 1996, Members considered papers number PL 961 and 1161/95-96, which set out the legal position of the duty of confidentiality of authorized institutions and also the actions taken by the Hong Kong Monetary Authority (HKMA) in this respect. Members have asked for an update of the position.

3. To recap on the legal framework, Data Protection Principle 3 of the Personal Data (Privacy) Ordinance stipulates that -

4. “Personal data shall not, without the prescribed consent of the data subject, be used for any purpose other than -

  1. the purpose for which the data were to be used at the time of the collection of the data; or
  2. a purpose directly related to such purpose.”

5. If data are disclosed to third parties for purpose(s) of or directly related to the purpose of their initial collection, the question of whether there is consent is not relevant. Otherwise, prescribed consent, which means a subsisting explicit and voluntary consent of the data subject, will be required.

6. The issues of -

  1. whether data were disclosed to third parties for purpose(s) of or directly related to the purpose of their initial collection; and
  2. where (a) is not the case, whether an explicit consent has been given voluntarily by the data subject.

are questions of fact which need to be established on a case by case basis.

7. Under section 12 of the Ordinance, the Privacy Commissioner may issue or approve Codes of Practice to provide practical guidance on the application and observance of the requirements under the Ordinance. Such Codes will facilitate the interpretation and compliance with the Ordinance. The Privacy Commissioner has been appointed by the Governor and his appointment will commence on 1 August 1996. The Personal Data (Privacy) Ordinance is expected to commence before the end of 1996.

8. In addition to the statutory provisions, it has been well established under the common law that authorized institutions have a duty of confidentiality to their customers. There are four exceptions under the common law under which institutions are allowed to disclose information to third parties. These are -

  1. where a bank is legally compelled to do so;
  2. where there is a duty to the public to disclose;
  3. where the interests of a bank require disclosure; and
  4. where disclosure is made at the request, or with the consent, of the customer.

9. The common law exceptions to the duty of confidentiality also apply in Hong Kong although the statutory provisions of the Personal Data (Privacy) Ordinance will prevail over them to the extent of any inconsistencies.

Update on Actions Taken

10. The HKMA has not issued any specific guidelines on customer confidentiality. However, banks have a legal obligation under the common law to safeguard customer information, and this will be reinforced by the Personal Data (Privacy) Ordinance when it comes into operation. In this relation, the HKMA issued a letter on 23 February 1996 to authorized institutions drawing their attention to the enactment of the Personal Data (Privacy) Ordinance and asking them to review and revise, if necessary, their policies and practices to ensure that they will at all times comply with the provisions of the Ordinance upon its commencement.

11. Confidentiality of customer information is also an important aspect to be covered by the Code of Banking Practice currently being prepared by a Working Group comprising representatives from the HKMA and the industry Associations. There is also a section on terms and conditions (including their variation) in the Code which will address the concern about the action taken by some banks to change their terms and conditions regarding disclosure of customer information.

12. The Working Group has already drawn up a detailed outline of the Code, which has been issued to the industry Associations, the Consumer Council and other interested parties for comments. Taking account of these comments, the working group will proceed to preparing the draft Code. The working group will consult the concerned parties, including the new Privacy Commissioner, before finalising the relevant parts of the Code. The Code is expected to be completed by the end of 1996.

13. To address the public concern about the issues of personal referees and debt collection agencies, the Working Group has advanced its work in preparing these two chapters of the Code, which is expected to be issued around early August in advance of the rest of the Code. Among other things, institutions are required to ask applicants for banking services to confirm that they have obtained the prior consent of the referees for their names to be used. Institutions are also required not to pass information about referees or third parties other than debtors or guarantors to their debt collection agencies. This should allay concerns about disclosure of information of referees by institutions to debt collection agencies and substantially reduce the problem of harassment to referees and third parties, which comprises the majority of complaints that the HKMA has received through its complaint hotline.

Recent Concerns

14. There have been concerns raised about the outsourcing of data processing operations by authorized institutions and its implications for data confidentiality. Outsourcing generally involve the processing of customer information by a third party service provider, but it should be noted that such operations cover only the management of the hardware and data processing, and not the data itself. Customer data may be held on the computer system managed by the service provider, but the provider should not have unrestricted access to that data.

15. To ensure that such outsourcing arrangements will not compromise the integrity of customer information, the HKMA issued a letter on 3 July 1996 to all locally incorporated institutions (copy at Annex 1) emphasising the need for institutions to introduce adequate controls to safeguard the confidentiality of customer information. Institutions which intend to outsource their data processing operations are also required to discuss their plans with the HKMA in advance and to satisfy the HKMA that there are adequate systems of controls in place before they proceed with such plans.

16. There have also been recent concerns about a couple of cases of accidental disclosure of customer information by authorized institutions. The HKMA has investigated these incidents and found that they represent lapses in control rather than systemic weaknesses. The HKMA has already requested the institutions concerned to tighten up their control systems. The HKMA has also made it clear that any customer complaints in this respect should be thoroughly investigated and that any weaknesses in the institutions’ systems, if found, should be rectified. In the HKMA’s view, there is no evidence to suggest that outsourcing data processing will increase the chance of customer confidentiality being breached. However, HKMA will continue to monitor this very closely.

The Way Forward

17. The Working Group will continue its work in drafting the Code of Banking Practice, which will include specific chapters on the issues of the practice of banks in varying terms and conditions and their duty of confidentiality. As noted above, the Code is expected to be completed by the end of 1996.

Hong Kong Monetary Authority
July 1996

Last Updated on 18 Aug, 1998