Page:Unauthorised Access to Credit Data in the TE Credit Reference System.pdf/14

of its customers and build a positive image of compliance with laws and regulations.

Appointing Data Protection Officer(s)

  1. The Commissioner recommends that the operators of the credit database appoint a data protection officer to be responsible for overseeing compliance with the requirements under the Ordinance and implementing the aforementioned "Personal Data Privacy Management Programme", who should regularly report to management. A data protection officer shall also enhance staff awareness of personal data privacy protection, ensure the implementation of any personal data protection policies, and develop a culture of respecting and protecting personal data privacy.

Appointing an Independent Compliance Auditor

  1. The Commissioner recommends as a good practice that credit reference agencies engage an independent compliance auditor to conduct regular compliance audits on the mechanism and means of providing credit reference services including assessing the security of the credit data held in their databases and whether the measures they have taken to protect the security of borrowers' credit data are adequate.

Adopting Strict Penalties for Contravention

  1. In the present case, the Commissioner considers that the punishment by Softmedia of merely suspending the contravening money lending companies from using the TE Credit Reference System for a few days was inadequate.
  2. As money lending companies require the use of the data in the credit database as reference before approving loan applications, the Commissioner considers that any companies in contravention should not be lightly allowed to continue to use the TE Credit Reference System. Apart from limiting the number of periods or times they can access the credit databases, other penalties (for example, increasing the access fee or fines, etc.) should be considered, and the operators of the credit databases should, depending on the circumstances, consider terminating the access rights of the relevant money lending companies.
