- Powered by Yip Tse & Tang, Solicitors & Notaries 葉謝鄧律師行

Code of Practice on Consumer Credit Data
Prepare personal information collection (“PIC”) statements

Enforcement Notice

The Ordinance consists of six distinctive data privacy principles which in effect are laws on data protection. However, violation of a principle (for example a bank accessing your credit records from a CRA for direct marketing) is not a criminal offence. Violation only triggers the Privacy Commissioner's power to issue an enforcement notice against the offending data user. Investigations into data violations take place before an enforcement notice is issued.

Under section 50(1) of the Ordinance, the Commissioner has the discretionary power to serve on the party complained against an enforcement notice if one of the following conditions is satisfied:

1 The party is found to be contravening a requirement of the Ordinance; or

2 The party is found to have contravened such a requirement in circumstances that make it likely that the contravention will be repeated.

According to the usual practice adopted by PCO, where a contravention is found to have occurred but is not continuing, whether the Commissioner considers it likely for the contravention to be repeated in the future may depend on factors including:

1 whether the contravention found was a first-time or repeated contravention, accidental or deliberate;

2 whether the party complained against is willing to prepare a written undertaking to the Commissioner regarding improvement to its future conduct in such form as the Commissioner deems fit; or

3 whether the party complained against has shown remorse during the course of the investigation by co-operating fully with the PCO, taking appropriate remedial actions, etc.

An enforcement notice is therefore essentially is a warning that tells the offending party that it must comply with the principles of the Ordinance. Continued failure to comply with an enforcement notice makes the violation a criminal offence that can lead to criminal prosecution. So if a bank was mishandling your credit data, and it was issued with an enforcement notice and still failed to cease using your records for direct marketing, it would be committing a criminal offense and prosecution would proceed.