The latest developments in Hong Kong’s personal data regulation could have significant impacts for the consumer banking and finance industry. This alert identifies ten practical ways that financial institutions can strengthen their privacy terms now.
In October 2010, the Hong Kong Privacy Commissioner for Personal Data (PCPD) issued a report on its investigation into the Octopus data sharing scandal (Report) and a new guideline on the collection and use of personal data in direct marketing (Guideline). This closely follows the PCPD’s enforcement action against Wing Lung Bank Limited for a breach of Hong Kong’s disclosure restrictions, which was upheld by the Administrative Appeals Board in August 2010 (Wing Lung Bank Case).
These developments are fortifying the rules on privacy, even before the Hong Kong Government’s current consultation process on the Personal Data (Privacy) Ordinance has finished. In many cases, they are providing a much narrower interpretation of the rules than previously expected.
Privacy issues are also receiving substantial media and regulatory attention. Several SFC and HKMA circulars have been issued (including one on 28 October 2010 by the SFC) publicising the recent developments. Bad publicity is especially problematic for the consumer banking and finance industry, which relies on relationships with individuals, and the perception of fair treatment, transparency, good governance and security.
The following summarises some key messages from the Report, Guideline and Wing Lung Bank Case for financial institutions operating in Hong Kong.
1. Use a distinct privacy statement
Privacy terms should be in a conspicuous, stand-alone privacy statement. They should not be hidden within the main body of customer terms, buried in fine print or designed in a way that discourages customers from reading them.
2. Address your customers’ expectations
Greater care is required when dealing with individuals than companies. This means taking a conservative approach to personal data management, by:
considering what a reasonable person in your customers’ position might expect about how their personal data could be used;
taking particular care to explain any other ways you want to use that data; and
giving customers a genuine opportunity to protect their constitutional and statutory rights to privacy.
For example, the Guideline recognises that a bank may use customers’ personal data for marketing financial and insurance products. Marketing other types of products must be explained clearly.
3. Distinguish mandatory and voluntary information
The collection of data cannot be excessive. Customers must be informed that it is voluntary to provide any data that is not strictly required for a particular service.
For example, the Code of Banking Practice prohibits banks from refusing basic banking services if the customer does not agree to the use of that information for marketing services.
Banks should therefore:
explain to customers what information is mandatory for basic banking services (and other types of relevant services) and what is voluntary;
use a simple method to distinguish the different types of information (for example, mandatory information can be identified in the form of asterisks on the application form); and
consider whether less sensitive information could be used for a particular purpose.
Similar principles apply to other financial institutions.
Of course, financial institutions have greater know-your-customer requirements than other companies, and therefore a broader mandate to collect personal data. However, restraint is still required. For example, onward disclosure must be controlled - usually, only a customer’s name and telephone number should be transferred for cross-marketing purposes.
4. Be specific
Be as specific as possible about:
how you need to use customers’ personal data to conduct your business; and
who you need to disclose it to.
Customers need a “reasonable degree of certainty” about how their personal data may be used and the classes of persons to whom it could be transferred. Specificity is also a requirement under the Code of Banking Practice.
Each class must be defined by its distinctive features. For example:
The possibility of customers being approached by other businesses needs special attention. Similarly, financial institutions should expect that transferring personal data to foreign tax authorities is particularly sensitive and must be described explicitly.
5. Use ‘catch-all’ provisions with caution
If you envisage a particular type of disclosure, say it.
Loose terms such as “other persons considered appropriate from time to time” and “other related purposes” are interpreted narrowly and are disliked by the regulators. Even if ‘catch-all’ provisions are drafted well, they are difficult to rely on for reputational reasons.
6. Provide options
The law does not require taking an “opt-in” approach - where customers signal their positive consent to a particular type of disclosure (for example, by ticking a box). Instead, customers have a statutory right to withdraw consent from certain uses of their information and must be given an opportunity to “opt-out” of direct marketing.
However, providing options to customers offers strong evidence that they are aware of particular types of disclosure. This is essential to enforcing broad or unusual privacy terms.
For example, the Guideline says that customers should have a “practicable” opportunity to refuse the disclosure of personal data for direct marketing purposes that are unrelated to the services they would expect to receive from you. A “bundled consent” approach (where customers either agree to, or refuse, all the privacy terms) does not satisfy this requirement.
7. Check the font size
Privacy terms should be printed in a size that is “easy and clear to read” for a person with normal eyesight. Fine print is unlikely to be enforceable, even if the terms are technically perfect.
Font size also ties into other visual factors such as layout, colour and style. These factors would be familiar to financial institutions - for example, the SFC Code of Conduct contains several provisions relating to the prominence of disclosure.
8. Use plain language
If it cannot be said simply, assume your customers will not understand it.
The privacy statement should:
use simple language that a reasonable person in your customers’ position can understand;
contain short sentences, rather than convoluted phrases;
use meaningful headings (such as “Purposes for collecting your data”);
keep legal and technical terms to a minimum; and
be easy to navigate and quick to read.
Words will be given their ordinary meaning and, in the case of uncertainty, they will usually be interpreted in your customers’ favour.
Plain language is gradually being adopted by the Hong Kong financial industry in consumer terms and conditions. This is primarily being driven by product disclosure standards and requirements imposed by other jurisdictions in which financial institutions operate. It is already required by the Code of Banking Practice.
9. Avoid cross-referencing
The privacy statement should be self-contained. Cross-referencing and defined terms should be kept to a minimum.
10. Keep a paper trail
Time is of the essence for a privacy statement. This is because a type of use that is not disclosed at the time of collecting a customer’s personal data will normally require their (signed) express written consent.
Many financial institutions require customers to expressly acknowledge and agree to the privacy statement on the customer application form (which the customer signs). This is helpful. To complete the paper trail, all documents provided to a customer should be logged. In particular, records should show:
the documents provided to the customer;
which version was used; and
when the documents were provided.
Opt-out lists must also be kept up-to-date and communicated to relevant parties.
It is possible that the Octopus and Wing Lung Bank cases will be appealed. However, the latest consultation document on the Personal Data (Privacy) Ordinance was issued on the same day as the Report and echoes many of the same points. Public sentiment on privacy issues has also intensified.
The Privacy Commissioner is currently investigating four banks. As is evident from the Report, the Privacy Commissioner’s powers are limited. Penalties can only be imposed if an enforcement notice issued by the Privacy Commissioner is not followed. This means that taking proactive steps now to conform to the new standards can have a material impact on the way that past behaviour is treated.
We recommend that our clients:
consider making a submission in response to the current consultation process and monitor its progress at the Constitutional and Mainland Affairs Bureau;
prepare an implementation plan to ensure that relevant policies and procedures are updated; and
review their privacy terms, cross-marketing contracts and outsourcing arrangements as soon as possible.