
Privacy Commissioner Releases Findings on Investigations into Hong Kong Retail Banks

01 March 2012

On 15 December 2011, the Privacy Commissioner for Personal Data ("Commissioner") published his final findings on investigations into the collection, retention and transfer of personal data by a number of retail banks in Hong Kong, launched in August 2010 (the "Investigations"). 

In a related media statement, the Commissioner emphasised the need for banks to observe the data protection obligations mandated under the current legislative regime and under relevant guidelines (such as the Guidance on the Collection and Use of Personal Data in Direct Marketing, issued by the Commissioner in October 2010), throughout the entire life cycle of personal data management, from collection to destruction.

Following the Investigations, the Commissioner carried out a compliance check by examining the practices of 19 retail banks. Of the 19 banks, the Commissioner found that 9 banks requested information relating to customers' "education level" and "marital status" upon their application for a bank account, although this information was generally used for marketing purposes. The Commissioner's view on this practice was that banks need to clearly indicate, at or before the time such personal data is collected, that the provision of these items of information is optional.

The Commissioner also reiterated that the transfer of customers' personal data for direct marketing in return for monetary gain (whether direct or indirect, such as a share in the revenue generated from sales resulting from direct marketing) could only be carried out where there has been prior notification to data subjects of the classes of transferees and, under the current data protection law, explicit and voluntary consent has been obtained from the relevant data subjects. Amendments to the provisions relating to direct marketing, amongst other things, under the current Personal Data (Privacy) Ordinance are expected to come into force later this year or early 2013.

As for the retention of personal data, such as bankruptcy data relating to customers, the Commissioner acknowledged that such information was relevant to banks, for instance in the management of credit risks and assistance to trustees in bankruptcy to preserve / seize assets, but emphasised that such data should not be retained beyond 8 years. The Commissioner commented that a bankruptcy order by law enables bankrupts to regain control over their financial affairs after 4 to 8 years from the commencement of bankruptcy. Retention of such data beyond 8 years would thus be considered excessive.


Gabriela Kennedy (Partner), Hogan Lovells, Hong Kong, gabriela.kennedy@hoganlovells.com, Heidi Gleeson (Registered Foreign Lawyer), Hogan Lovells, Hong Kong, heidi.gleeson@hoganlovells.com and Valerie Fung (Trainee), Hogan Lovells, Hong Kong, valerie.fung@hoganlovells.com
