The Privacy Commissioner has called on the government to regulate credit reference databases after finding that breaches by a Kowloon Bay software company put at risk the personal data of some 180,000 people.
The commissioner's office on Thursday said it has served an enforcement notice on the firm Softmedia, whose credit reference system is used by almost 700 money lenders.
The office launched an investigation into the company after a man complained that several firms had accessed his credit data even though he had not given his consent and had never even applied for loans from them.
The complainant said he was informed about the firms' access to his records by another lender who then asked him whether he had recently experienced severe financial difficulties.
The investigation found that Softmedia gave the money lenders almost unlimited access to borrowers' information for a very low fee and that it didn't monitor access to the database.
Passwords for the system could be weak and didn't have to be changed regularly, meaning former members of staff at the lenders could potentially gain access, the commissioner's office added.
At a press conference, Privacy Commissioner Ada Chung said Softmedia – whose clients also include listed companies and government departments – had violated the Personal Data (Privacy) Ordinance and had been ordered to take a number of steps, including imposing restrictions on access to the database and verifying that the money lenders have permission from borrowers to access their information.
Chung also noted that the company's credit reference system is not regulated by any bank or money lender association, isn't covered by any ordinance related to the finance industry, and doesn't have to comply with a code of practice.
"The situation is far from satisfactory," the commissioner said.
She added that to protect people's privacy, the operation and management of credit reference databases should be regulated or supervised through laws, guidelines, industry codes or licensing systems.
"It is of crucial importance that appropriate penalties should be imposed on wrongdoers, that the privacy of borrowers should be adequately protected, and the security of the database should be properly safeguarded."