The HKMA has developed a new financial data infrastructure called the Connected Data Initiative (CDI) to provide a single point of access for banks and other sources of commercial data. This will enable more efficient financial intermediation in the banking system and enhance Hong Kong’s financial inclusion. The CDI will also promote a stronger ecosystem for fintech innovation in Hong Kong.
In order to make the CDI a success, it is important that all parties involved in its implementation understand their roles and responsibilities. Several factors need to be taken into account, including the types of data that will be shared and how this information is protected. In addition, the HKMA needs to ensure that the underlying system is capable of supporting CDI. This will require a significant investment of time and money, but it is a vital step towards the success of this project.
A major concern is the potential impact of a CDI on privacy, especially as it relates to personal data. The current law defines personal data as data that identifies or can be reasonably associated with an individual. This includes data such as a person’s name, identity number, location data, online identifiers and factors specific to that person’s physical, physiological, genetic, mental, economic, cultural or social identity. This definition is quite broad, and it could result in a wide range of activities being considered as requiring a data protection licence.
There are a few ways to limit the amount of personal data that is collected and used for marketing purposes. For example, it is important to only collect data that is relevant and necessary for the intended purpose. In addition, it is important to keep the data secure and only share it with individuals who have a legitimate need for it. This is to avoid data being abused for marketing purposes or being misused in other ways.
Moreover, it is important to comply with other data protection principles, such as not publicly displaying an individual’s name and HKID number together. This is particularly relevant when it comes to a staff card, which often exhibits the person’s name, photograph, company name and employee number. In addition, the PDPO requires that such personal data is not made available to anyone outside of the organization and only to those who need it for the performance of their duties.
The PDPO provides that an individual can ask the data user to delete their personal data, or to restrict its use, at any time. The individual can also request the data user to inform them of what information has been collected, and to correct any inaccurate information. The data user is required to provide this information within 30 days of receiving the request. In addition, the data user must notify the individual if they are processing their personal data outside of Hong Kong. This may include a data controller who uses a cloud service or has no physical presence in Hong Kong.