Banks rapped for selling personal data

PUBLISHED : Tuesday, 21 June, 2011, 12:00am
UPDATED : Tuesday, 21 June, 2011, 12:00am


Four banks sold tens of thousands of customers' personal data to insurance or marketing companies without their agreement, the privacy commissioner disclosed yesterday.

The offenders were Citibank, Fubon Bank, Industrial and Commercial Bank of China (Asia), and Wing Hang Bank. The data included the clients' names, addresses, phone numbers, sex and birthdays.

The report did not say how much the banks made or how many customers were affected in all.

Fubon Bank admitted it had disclosed personal data of at least 33,000 clients to an insurance firm. ICBC Asia said it sold the information of 17,500 clients.

The four banks argued they had included a clause in their forms to inform clients that their personal data could be used for other marketing purposes. But the commissioner, who initiated the investigation after receiving customer complaints, said there was no prescribed consent and the terms were not clearly explained.

In the ICBC Asia case, a customer complained she repeatedly received calls from telemarketers although she had asked the bank to stop using her number for direct marketing.

All four banks eventually rectified the situation and promised full compliance with the privacy practice in the future.

Allan Chiang Yam-wang, the privacy commissioner, expressed disappointment that banks had not learned from the lessons of the Octopus privacy-for-sale scandal last year and were still 'less forthcoming in following the good privacy practice'.

Octopus Cards sold the personal information of millions of its clients to the company's business partners. It denied this at first but later admitted making HK$44 million. An inquiry by the privacy commission found some of the company's business partners had resold the information.

The government proposed tightening the privacy law but refused to give the commissioner more power to investigate and prosecute.

Chiang said: 'There has been an increasing number of complaints after the Octopus incident. I hope that businesses can manage the collection and use of personal data in a more proactive and serious manner.'

In the first five months of the year the commission received 459 complaints about the abuse of personal information, compared with 389 in the same period last year.

Chiang said the commission would now make it a regular practice to announce the names of organisations that fail to protect clients' privacy as required.

'We trust the practice of naming data users will invoke the sanction and discipline of public scrutiny. In turn, it will serve to encourage complaint behaviour by concerned data users and related parties.'

In a recent check of the credit card application forms of 10 selected banks, the commission found that none had provided a separate check box for clients to opt out from sales of their personal data to third parties.

Only half provided telephone hotlines for customers to inquire about their data; the rest only provided an address or fax number. The 10 banks did not include the four involved in the commission's inquiry.