What is data privacy for financial institutions? Because they handle a large amount of personal information about people in their daily operations, banks and other financial institutions in Hong Kong (referred to collectively as “Financial Institutions”) place a high priority on protecting that information. Violations of personal data privacy laws can have serious financial and reputational repercussions.
Thanks to accelerating globalization and technological improvement, financial transactions can now be carried out online without geographical restriction, and numerous countries are involved in the collection, processing, transfer, and storage of personal data. In this article, yeuesports.com explains what data privacy for financial institutions means and briefly discusses the ramifications of the Personal Data (Privacy) Ordinance (“PDPO”).
Data privacy and security concerns
Data privacy for financial institutions concerns who has access to the information that individuals supply to organizations with whom they have established business relationships. Financial advisors need specific data to enter into transactions on behalf of clients who hold accounts with them, whereas bank employees need certain data to authenticate clients’ identities. Data security issues arise when staff members, security personnel, and other individuals responsible for protecting personal data do not implement sufficient security controls.
Guidance note on data privacy for financial institutions
Financial Institutions (“Data Users”) are required to develop a corporate-wide privacy strategy that applies to all of their operations and business processes, so that personal data is handled properly throughout its life cycle: collection, storage, access, use, and transfer.
In particular, they should give data subjects a sufficient Personal Information Collection Statement that sets out the purposes for which the personal data will be used after collection, whether providing the information is required or voluntary, the penalties for failing to provide it, the categories of people to whom the personal data may be transferred or disclosed, and the necessary details about the use and/or provision of the personal data. The data gathered must be “fit for purpose,” not excessive, accurate, kept only for as long as required, and secure.
Because Data Users are generally liable for the actions of their employees, agents, and contractors, they should ensure that staff members are highly vigilant in protecting personal data. To prevent and detect any loss or leakage of personal data, Data Users should install “layers” of security controls (including both IT and non-IT measures).
Employees should be required to sign a secrecy or confidentiality agreement that acknowledges the operational requirements of the Data User. If the Data User can demonstrate that it has taken preventative measures (such as ongoing training or internal regulations) to avoid violations, it may be able to raise a defense. The relevant PDPO requirements for agents and contractors should be written into the service agreement.
In mainland China, the Personal Information Protection Law (“PIPL”) defines personal information as data relating to an identified or identifiable natural person that is recorded electronically or in any other way, excluding data that has been anonymized.
In a manner similar to the GDPR, Article 3 of the PIPL grants the PRC long-arm jurisdiction over the processing of personal information in the following situations: (1) providing goods or services to natural persons in China; (2) analyzing or evaluating the behavior of natural persons in the PRC; and (3) other situations specified by laws or administrative rules. The seven guiding principles for protecting personal information in China are set out in Articles 5 to 9: legitimacy, purpose limitation, minimum scope, openness and transparency, accuracy, accountability, and data security.
According to Articles 4, 13, and 14, processing personal information (including collection, storage, use, transfer, provision, and disclosure to the public) requires the individual’s consent, which must be given voluntarily and unambiguously after the person has been fully informed.
It is also noteworthy that, in contrast to the approach under the PDPO or GDPR, the PIPL further designates certain categories of personal data as “sensitive information” under Articles 28 and 29. Sensitive information is defined as any personally identifiable information that, if disclosed or used unlawfully, could seriously jeopardize the safety of an individual or their property. Examples include data on a person’s specific status, religious convictions, biometric features, physical health, financial accounts, and location history, as well as personal information pertaining to minors under the age of 14.
Financial Institutions may handle sensitive personal information only when it is truly essential and only for those precise purposes. When handling sensitive personal information on the basis of an individual’s consent, Financial Institutions must obtain that person’s separate consent.
Like the GDPR, the PIPL imposes severe penalties on anyone who handles personal information. The maximum penalty for violating its requirements is the confiscation of profits made from the unauthorized use of personal information and a fine of RMB 50 million, or 5% of the previous year’s sales.
Conclusion: data privacy for financial institutions
Given the growing regulatory concern over personal data privacy and the severe penalties for violating the legal requirements briefly discussed above, Financial Institutions in Hong Kong are advised to regularly review their personal data privacy regime and seek professional legal advice where necessary, so that they stay compliant and head off regulatory action at its source.