HONG KONG - Hong Kong's privacy watchdog on Monday scolded four banks for releasing customers' personal data to third parties, accusing three of them of selling the information.
The four banks – Citibank, ICBC, Fubon Bank and Wing Hang Bank – had all released customers' personal data, while Citibank, ICBC and Fubon Bank also used the information for financial gain, Hong Kong's privacy chief said.
"(I am) disappointed that the banks are less than forthcoming in following good privacy practices," Allan Chiang, the city's privacy commissioner for personal data, told reporters after releasing the results of a probe into the firms.
"We trust that the practice of naming data users will invoke the sanction and discipline of public scrutiny. In turn, it will serve to encourage compliant behaviour by data users concerned," he added.
Fubon Bank admitted to disclosing the personal data of 33,000 customers to an unnamed insurance company, while ICBC had also sold information about 17,000 customers to an insurance firm, the watchdog said.
"We have stopped disclosing our customers' personal data to a third party since August last year, and we have no plans of doing so in the future," a Fubon Bank spokeswoman told AFP on Monday.
"We will continue to follow guidelines issued by the privacy commissioner to protect the privacy of our customers," she added.
A Citibank spokesman said: "Citibank takes the safeguarding of clients' information seriously and data privacy is a top priority for Citi.
"The issues raised in this report have been addressed by Citibank since last year. As a socially responsible corporation in Hong Kong, we understand the public concern on the data privacy issue."
ICBC and Wing Hang could not be immediately reached for comment.
The commission said the banks' data collection forms used small font sizes and vague terms about how customers' personal information would be used.
The personal data was sold without customers' consent, while in one case ICBC staff ignored a client's written request that the information not be transferred to a third party.
Details of the privacy breaches, which occurred in 2008 and 2009, came after a high-profile scandal last year saw pioneering e-payment operator Octopus Holdings admit to selling two million customers' personal data.
The firm's chief executive resigned after admitting to the privacy breach.
Citibank, Fubon and ICBC wrote the commission to promise the breaches would not be repeated, it said.
The commission cited Hong Kong's weak privacy laws as a major concern, noting that "there is a big room for improvement" with an 18 per cent jump in the number of complaints about privacy breaches so far this year over 2010.
Under Hong Kong law, the sale of personal data for profit without the subject's consent is not a criminal offence.
