A technology company which holds data on 180,000 borrowers was found to have breached privacy laws after a user reported that eight moneylending companies had reviewed his credit data without his consent, according to the city’s privacy watchdog.
The Office of the Privacy Commissioner for Personal Data (PCPD) said on Thursday that Softmedia Technology Company (Softmedia), which operates the TE Credit Reference System, failed to implement appropriate security measures to manage access to the system, contravening the Personal Data (Privacy) Ordinance.
The PCPD sent Softmedia enforcement notices on Wednesday.
The TE System, set up in 2016, is a platform providing borrowers’ credit data for moneylenders to refer to. The system is currently used by 680 moneylending companies and contains data on 180,000 borrowers.
The PCPD started investigating when a complainant reported that his credit data in the TE System was accessed several times by eight moneylending companies without his knowledge or consent.
Different moneylenders would upload data to the TE System including identity card numbers, the amount of loans applied for and records of late repayment.
According to the PCPD, Softmedia said that it had signed the usage agreements with moneylenders, which had to gain the consent of the borrowers before checking their credit data.
Credit data reviewed without consent
But none of the eight moneylenders could provide a proof of authorisation from the complainant to check his credit data.
The PCPD found that moneylenders only had to pay HK$2 each time to gain an unlimited check on a borrower within five days. Softmedia would not review the proofs of consent provided by the moneylenders and allowed them to use passwords with only low security levels.
It said Softmedia failed to implement appropriate security measures to protect personal data from unauthorised access, processing or use, contravening the principle in the ordinance on the security of personal data.
Softmedia also did not actively delete credit data and there were many cases in which credit data still existed five years after the borrower had completed repayment, contravening the ordinance on keeping personal data longer than necessary.
“We have issued enforcement notice to the company in question, directing them to remedy the contraventions and also to prevent the occurrence of similar contraventions in the future,” said the Privacy Commissioner for Personal Data Ada Chung.
“In particular, we ask them to delete the credit data and this involves over 50,000 credit data of those borrowers who had paid their loans more than five years ago.”
Chung said that the operations of credit reference platforms are currently not regulated by any financial industry-related legislation. She called for regulation which may include legislation, guidelines or licensing systems.
Online shopping system
Aside from the investigation of the TE system, the PCPD also reviewed the privacy policies and settings of ten online shopping platforms, including HKTVmall, Taobao, Carousell, JD.COM and eBay.
JD.COM was found not to provide options to users to indicate whether they accept advertising or promotional messages. Chung said her office would follow up to see whether JD.COM had used personal data of users without consent.
Help safeguard press freedom & keep HKFP free for all readers by supporting our team
Support press freedom & help us surpass 1,000 monthly Patrons: 100% independent, governed by an ethics code & not-for-profit.