Press Releases

LCQ13: Protection of personal data

     Following is a question by the Hon Cheung Hok Ming and a written reply by the Secretary for Constitutional and Mainland Affairs, Mr Stephen Lam, in the Legislative Council today (November 26):

Question:

     Some members of the public have relayed to me that due to unauthorised use of their residential addresses by others to apply for credit cards, some debt collection agencies (DCAs) hired by financial institutions visited their homes to recover debts, and such harassment did not stop even though they had reported their cases to the Police. In this connection, will the Government inform this Council:

(a) of the current measures to protect the above victims;

(b) whether it has assessed if card-issuing institutions have contravened the Personal Data (Privacy) Ordinance (Cap. 486) by disclosing the personal data to the DCAs they hired without the authorisation or consent of the data subjects; if it has assessed that there is no contravention, of the measures to protect the privacy of the data subjects; and

(c) as the Law Reform Commission (LRC) recommended in its Report on Stalking released on October 30, 2000 that the pursuit of a course of conduct amounting to harassment should be criminalised, of the progress and results of the studies conducted by the Constitutional and Mainland Affairs Bureau on the recommendation?

Reply:

President,

(a) A person who wrongfully obtained and used another person's address in application for credit card may be guilty of fraud under Section 16A of the Theft Ordinance (Cap. 210), or guilty of obtaining pecuniary advantage by deception under Section 18 of Cap. 210; and may on conviction be liable to imprisonment of up to 14 years and 10 years respectively.

     Section 23.3 of the Code of Banking Practice, issued jointly by the Hong Kong Association of Banks and the Deposit-Taking Companies Association, specifies that "card issuers should satisfy themselves about the identity of a person applying for a card and provide the applicant with details of the identification needed". The module of the Supervisory Policy Manual of the Hong Kong Monetary Authority (HKMA) on the management of credit card business also provides authorised institutions (AIs) with, amongst other things, guidance on verification of documentation and fraud control. The guidance includes the following aspects:

(i) valid documents for verification of the identity (including address proof) of new customers should be obtained;

(ii) The AIs that process credit card applications through mail should put in place sufficient safeguards to prevent the use of stolen information (e.g. theft of ID cards) for getting applications approved; and

(iii) the risk of credit card misuse may be reduced by introducing measures to prevent application fraud (e.g. through thorough checks on applicants, including name and address verification, and restricted access to and controls over alteration of customer information).

     In addition, the Code of Banking Practice requires the AIs to prohibit the DCAs they employ from collecting debts by harrassment or other improper tactics. If the AIs are aware of any improper practices of their DCAs, they should consider terminating their relationship with that agency. The HKMA monitors compliance of the AIs with the Code as part of its regular supervision.

     A number of statutory provisions are in place to combat harassment (such as blackmail, criminal intimidation, criminal damage and common assault). Victims are encouraged to report the case to the Hong Kong Police Force. The Police will carry out investigation upon receipt of the report, and initiate arrest and prosecution where there is sufficient evidence.

(b) In accordance with Data Protection Principle (DPP) 1 of the Personal Data (Privacy) Ordinance (PDPO) (Cap. 486), credit card-issuing institutions are required to inform credit card applicants before or upon issuance of the credit card the purpose for which their personal data may be used. The DPP 3 provides that personal data shall not, without the prescribed consent of the data subject, be used for any purpose other than the original purpose of collection or a directly related purpose. If the disclosure of personal data to the DCAs is within or directly related to the original purpose of collection of data by the card-issuing institution, such disclosure will not contravene the PDPO.

(c) LRC Report on Stalking proposed the introduction of anti-stalking legislation, which renders the pursuit of a course of conduct causing another person alarm or distress a criminal offence and a civil wrong. We are assessing the implications of the LRC recommendations in consultation with relevant bureaux and departments and in the light of the latest overseas development. The LRC proposal has attracted much concern among interested parties in the community. Some aspects of the proposal are controversial. In particular, media associations have expressed concern that the proposal might undermine press freedom. We need to reconcile the differences and balance the legitimate interests of the parties concerned. Upon completion of the assessment, we will consult the relevant parties on the LRC recommendations with a view to reaching a general consensus within the community on the way forward.

Ends/Wednesday, November 26, 2008