Recent hacks into the customer databases of a telecommunications company and travel agencies have put the spotlight on how companies retain customer data and may lead to a revamp of data protection law in Hong Kong. These developments have far-reaching implications for insurers, who in the course of providing insurance services to the public, collect and process large amounts of personal data relating to existing, prospective and former customers.
HK Broadband Data Breach
Hong Kong Broadband Network, the second largest fixed-line residential broadband provider in Hong Kong, revealed a few weeks ago that an inactive customer database sitting on an active server had been accessed without its authorization. Private information of some 380,000 former and existing customers was potentially compromised in the hack, including names, ID card numbers, home addresses, telephone numbers and credit card details. The database dated back to 2012 and included records of customers who had not been active since then. It later came to light that this inactive database, unlike the active databases maintained by the company, was not encrypted.
With the fallout from the hack, including extensive media reports and the initiation of a compliance review by Hong Kong’s Privacy Commissioner for Personal Data, the company announced that it would purge the data of 900,000 former customers and reduce its retention period for past customers’ information from seven years to six months. Hong Kong Broadband admitted that it had mistakenly applied its 7-year rule for retention of business records to customer information as well. Going forward, the company indicated that it will not only shorten its data retention period for past customers but also change the way existing customer information is stored: Hong Kong ID card numbers and credit card numbers held in customer databases would have some digits deleted, so that a stolen copy of the database is of less use to an attacker.
Implications for Insurers
Currently, Hong Kong’s Personal Data (Privacy) Ordinance, which has been in force since 1996, does not definitively state how long data users may keep personal data. Data Protection Principle 2(2) merely provides that personal data should not be kept “longer than is necessary for the fulfillment of the purpose (for which the data was to be used)”. Notwithstanding the absence of fixed periods, Privacy Commissioner Stephen Wong has indicated that he is satisfied with the remedial actions to be taken by Hong Kong Broadband. A 2004 case arising from a complaint to the Privacy Commissioner by an unsuccessful insurance applicant regarding retention of his application data by the insurer is also instructive.
In that case, an investigation by the Office of the Privacy Commissioner for Personal Data (“PCPD”) found that the insurer’s practice was to retain personal data of unsuccessful insurance applicants for an indefinite period of time. In support of this practice, the insurer cited legal requirements for keeping books of accounts and the need to maintain a record in case of future applications, inquiries, potential litigation and complaints. The Commissioner at the time found, however, that those reasons did not justify the indefinite retention of personal data where money transactions (e.g. involving the payment of premiums) were not involved. In such cases, the Commissioner determined that a retention period of 2 years would suffice for the purposes stated. Even where money transactions were involved, the retention period should be limited to 7 years (the period prescribed in applicable ordinances for keeping books of account). The PCPD served an enforcement notice on the insurer requiring it to erase any data which had been kept for longer than the periods prescribed, pursuant to which the insurer erased more than 7,000 records.
Of course, each case has to be considered on its own facts. However, indiscriminate retention of personal data, or blanket retention of personal data for 7 years (or other arbitrary period), will be hard to justify if a complaint is made to the PCPD. Insurers would be well advised to establish a considered policy in relation to their and their agents’ retention and use of data which takes into account the nature of the customer (e.g. existing or former policyholder or unsuccessful applicant) and factors which may justify a longer or shorter retention period.
This is all the more important given that the Privacy Commissioner has indicated that he will review the Personal Data (Privacy) Ordinance to see if it affords enough protection in light of recent data leaks and global trends, including the adoption of a new data protection framework under the General Data Protection Regulation (GDPR) in the EU from May 25, 2018. GDPR significantly enhances the data privacy rights of individuals in the EU, including the “right to be forgotten”, that is, the right to demand erasure of personal data which is “no longer necessary in relation to the purposes for which they were collected”, subject to limited exceptions where retention of the data is required by law, justified in the public interest, or otherwise permitted. With the global trend to enhance the data privacy rights of individuals, it will be incumbent on insurers to achieve a deeper understanding of the various purposes for which personal data are kept or processed, since different retention periods may apply according to such purposes. For example, personal data which may not justifiably be retained/used for marketing purposes may nevertheless be retained/used to comply with legal or accounting requirements. Thus, insurers will have to be able to classify data appropriately and have the systems capability to flexibly remove data from certain applications while keeping it for others.
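The following is an added illustration, not code from the article or from any company it mentions, of the two capabilities discussed above: a per-purpose retention check in which each record is held for one or more named purposes, each with its own clock, so that a record can be dropped from, say, the marketing dataset while remaining in the accounting ledger, and the digit-deletion of ID card and card numbers described in the HK Broadband section. The 7-year (money transactions, books of account) and 2-year (non-transactional records of unsuccessful applicants) periods are those the PCPD applied in the 2004 insurer case; the 1-year marketing period, the purpose names, the record layout and the sample records are assumptions made for this example. Purposes with no defined retention period are rejected rather than silently given a default, which is the "blanket 7 years" pattern the article warns against.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Tuple

# Retention period per purpose, in years. "accounting" and "application_record"
# follow the periods the PCPD applied in the 2004 insurer case; "marketing" is an
# assumed figure for illustration only. There is deliberately no default entry.
RETENTION_YEARS: Dict[str, int] = {
    "accounting": 7,          # money transactions (premiums paid); books of account
    "application_record": 2,  # declined application, no money transaction
    "marketing": 1,           # assumed; would normally be tied to consent
}


@dataclass
class Record:
    """A customer record and the purposes for which it is currently held.
    Layout is hypothetical. `purposes` maps a purpose to the date from which its
    retention clock runs (policy end date, date the application was declined,
    date of last marketing consent, ...)."""
    subject_id: str
    purposes: Dict[str, date] = field(default_factory=dict)
    hkid: str = ""
    card_pan: str = ""


def add_years(d: date, years: int) -> date:
    """Shift a date by `years`, mapping 29 Feb to 28 Feb in a non-leap year."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def expired_purposes(rec: Record, today: date) -> List[str]:
    """Purposes whose retention period has run out as of `today`.
    A purpose with no defined period is an error: the policy must be explicit."""
    expired = []
    for purpose, start in rec.purposes.items():
        if purpose not in RETENTION_YEARS:
            raise ValueError(f"no retention period defined for purpose {purpose!r}")
        if today >= add_years(start, RETENTION_YEARS[purpose]):
            expired.append(purpose)
    return sorted(expired)


def apply_retention(rec: Record, today: date) -> Tuple[Record, List[str], bool]:
    """Drop expired purposes from the record. Returns the record as it should be
    kept, the purposes dropped, and whether the whole record is due for erasure
    (no remaining purpose justifies holding it)."""
    dropped = expired_purposes(rec, today)
    remaining = {p: d for p, d in rec.purposes.items() if p not in dropped}
    if not remaining:
        # Nothing justifies keeping the data: erase all personal fields.
        return Record(rec.subject_id, {}, "", ""), dropped, True
    return Record(rec.subject_id, remaining, rec.hkid, rec.card_pan), dropped, False


def mask(value: str, keep_last: int = 4) -> str:
    """Delete all but the last `keep_last` characters of an identifier, the kind
    of partial deletion HK Broadband announced. The masked value is still personal
    data linked to the record; this reduces the value of a leaked copy, it does
    not anonymise it."""
    compact = value.replace(" ", "")
    if len(compact) <= keep_last:
        return "*" * len(compact)
    return "*" * (len(compact) - keep_last) + compact[-keep_last:]


# Constructed sample records and review date (not real customers).
SAMPLE_RECORDS = [
    # Declined applicant, no money transaction: 2-year clock from the decline date.
    Record("A-001", {"application_record": date(2015, 3, 1)}, hkid="B987654(3)"),
    # Former policyholder: accounting clock and marketing clock run from policy end.
    Record("P-002", {"accounting": date(2016, 6, 30), "marketing": date(2016, 6, 30)},
           hkid="A123456(7)", card_pan="4111 1111 1111 1111"),
]
REVIEW_DATE = date(2018, 5, 1)


def review(records: List[Record], today: date) -> Dict[str, Tuple[List[str], bool]]:
    """Map subject_id -> (purposes dropped, erase whole record?)."""
    return {r.subject_id: apply_retention(r, today)[1:] for r in records}


if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        kept, dropped, erase = apply_retention(rec, REVIEW_DATE)
        action = "ERASE" if erase else f"keep for {sorted(kept.purposes)}"
        print(f"{rec.subject_id}: dropped={dropped} -> {action}; "
              f"hkid={mask(kept.hkid) if kept.hkid else '-'} "
              f"pan={mask(kept.card_pan) if kept.card_pan else '-'}")
```

On the review date, A-001 has outlived its 2-year application-record period and is erased outright, whereas P-002 loses only its marketing purpose and stays in the accounting ledger until mid-2023, which is the "remove from some applications while keeping for others" capability the article calls for. In a real system the purpose table would be owned by the retention policy rather than hard-coded, and the erase action would need to reach backups and the agents' copies mentioned above.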