(1) INTRODUCTION

This Statement is adopted as the Privacy Policy (Customers) Statement ("Statement") of The Bank of East Asia, Limited and its subsidiaries ("Group"). The purpose of this Statement is to establish the terms and conditions of the Group's compliance with the provisions of the Personal Data (Privacy) Ordinance ("Ordinance") and implementation of the guidelines thereon issued by the Hong Kong Association of Banks. This Statement shall only apply to members of the Group which are engaged in banking business and other financial services and which have not established a separate Privacy Policy Statement.

(2) APPOINTMENTS OF OFFICERS

Individual Data Protection Officers ("IDPOs") have been appointed for every branch, department and subsidiary in the Group under the supervision of the Group Data Protection Officer ("GDPO"), who is responsible for co-ordinating and overseeing compliance with the Ordinance and these terms and conditions.

(a) The functions of the GDPO are:-

(i) to develop internal policies and procedures regarding data protection to ensure compliance with the Ordinance and any relevant terms and conditions, to keep such internal policies and procedures under constant review, making amendments in the light of experience and the specific requirements of the Group's business, and to ensure that such internal policies and procedures are properly distributed to and understood by all IDPOs and other relevant persons within the Group;

(ii) to develop forms for use by customers in relation to data access requests, data correction requests and requests to the Group to refrain from using personal data for direct marketing;

(iii) to develop and institute training programmes for IDPOs to ensure their knowledge of the basic provisions of the Ordinance, these terms and conditions and internal policies and procedures regarding data protection;

(iv) to receive all data access requests, all data correction requests and requests to the Group to refrain from using personal data for direct marketing;

(v) to decide whether a data access request or a data correction request should be complied with;

(vi) to communicate all data access requests and data correction requests which the GDPO has decided should be complied with to the relevant IDPO, to monitor the preparation of responses to the data access request or data correction request and to ensure that responses are provided so that data access requests and data correction requests are complied with within the appropriate time limits;

(vii) to be available to resolve any difficulties encountered by an IDPO in relation to compliance with the Ordinance;

(viii) to be responsible for ensuring that the content of a request to the Group to refrain from using personal data for direct marketing is communicated to all persons both within and outside the Group who may be using such personal data for direct marketing;

(ix) to maintain records of any prescribed information which may be requested by the Privacy Commissioner for Personal Data (the "Privacy Commissioner") and to be responsible for communicating such information to the Privacy Commissioner on request or when required under the Ordinance;

(x) to maintain the Log Book required to be maintained under the Ordinance, to be responsible for all entries made in that Log Book and to maintain correspondence files in respect of all internal and external correspondence relating to the functions of the GDPO;

(xi) to be responsible for the receipt and handling of complaints received from data subjects or the Privacy Commissioner, to investigate such complaints, to respond to such complaints and, following the substantiation of any complaint, to take any action to amend the internal policies and procedures regarding data protection to avoid such complaints arising in the future;

(xii) to have such other functions as the Group considers appropriate to ensure compliance with the Ordinance or these terms and conditions.

The Group may appoint an Alternate Data Protection Officer who will assume duty when, for whatever reason, the GDPO is unavailable.

The IDPOs have primary responsibility vis-a-vis customers of ensuring compliance by the Group with the provisions of the Ordinance and these terms and conditions.

(b) The functions of an IDPO are:

(i) to ensure that the collection, supply and use of personal data is in accordance with the Ordinance and these terms and conditions;

(ii) to ensure that the Group's policies and procedures regarding data protection are complied with and in particular to conduct periodical reviews of all personal data of customers for which he is responsible, to correct any personal data which he finds to be inaccurate and to erase any personal data which requires erasure pursuant to these terms and conditions;

(iii) to communicate all data access requests, data correction requests, requests to the Group to refrain from using personal data for direct marketing and complaints regarding personal data matters to the GDPO and to assist the GDPO in dealing with any such requests or complaints;

(iv) to debit and collect all fees due to the Group for compliance with any data access request and to deal with all enquiries or complaints in respect of such fees; and

(v) to have such other functions as the Group considers appropriate to ensure compliance with the Ordinance or these terms and conditions.

(c) Communications between GDPO and IDPOs

All communications between the GDPO and the IDPOs shall be in writing, be dated and shall require an acknowledgment. Copies of all such communications shall be retained by the Group for a period considered by the Group to be appropriate given its obligations under the Ordinance.
(3) COLLECTION OF PERSONAL DATA

The methods of collecting personal data from customers will include the following:-

(a) personal data provided by customers in response to a request from the Group;

(b) personal data provided by customers in the ordinary course of the continuation of the banking relationship, including but without limitation the recording of telephone conversations between customers and the Group;

(c) personal data provided by a referee in response to a request by the Group for a customer to provide a reference;

(d) personal data provided by any credit reference agency in the ordinary course of business;

(e) personal data provided by a debt collection agency following a request to the debt collection agency to assist with the collection of a debt due from a customer to the Bank; and

(f) personal data which is in the public domain, including any personal data available at any registry which is open for public inspection.

The Group may include other methods or may amend the above in the light of experience and the specific nature of its business.

In the course of collecting personal data, the Group will provide all customers with a Personal Information Collection Statement ("PIC Statement") (Appendix A) informing them of the purpose of collection, the parties to whom the data may be transferred, their rights to access and correct the data, and other relevant information. Where there is an ongoing process of collecting personal data, the PIC Statement will be provided to customers at intervals not exceeding 12 months.

(4) COLLECTION OF PERSONAL DATA OUTSIDE THE BANK PREMISES

The Group has specified basic requirements for handling the collection of personal data outside the bank premises, i.e. General Guidelines for Handling the Collection of Personal Data Outside the Bank Premises, for those departments, branches and business units which are involved in promotion activities outside the bank premises. The General Guidelines are also applicable to the activities of promotion agencies and part-time workers who collect personal data on behalf of the Bank during promotion activities outside the bank premises.

(5) COLLECTION OF PERSONAL DATA ON-LINE

When collecting personal data on-line (e.g. via the Internet), the Group shall follow the relevant guidelines issued by the Privacy Commissioner from time to time.

In the course of collecting personal data through Group web sites, the Group will provide individuals with a PIC Statement (Appendix A) informing them of the purpose of data collection, the parties to whom the data may be transferred, their rights to access and correct the data, and other relevant information.

Customers are informed of the following practices in relation to personal data:-

(a) Security

The Group will follow strict standards of security and confidentiality to protect any information customers provide to the Group. Encryption technology is employed for sensitive data transmission on the Internet to protect customers' privacy.

Whenever other organisations are hired to provide support services, they will be required to conform to the Ordinance.

(b) Cookies

Cookies are small pieces of data transmitted from a web server to a web browser. Cookie data is stored on the local hard drive such that the web server can later read back the cookie data from the web browser. This is useful for allowing a website to maintain information on a particular user.

Cookies are designed to be read only by the website that provides them. Cookies cannot be used to obtain data from a user's hard drive, get a user's e-mail address or gather a user's sensitive information.

As cookies record browsing preferences and relay that information back to the web server on subsequent visits, there are some common uses of cookies. For example, cookies are widely used in on-line ordering systems for storing users' choice of items. Users can get their selected items some time later, even if they have disconnected the session. In addition, the cookie data which indicates a user's preference for a particular site can be used for site personalisation and targeted marketing.

The Group will only use cookies as a session identifier and will not store users' sensitive information in the cookies. Once a session is established, all communications will use the cookie to identify the user. The cookie will expire once the session is closed. If users disable cookies in their web browsers, they will not be able to access our Internet banking services.
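The paragraph above describes a session-identifier cookie: the browser holds only an opaque identifier, the customer's data stays on the server, and the cookie is discarded when the session ends. The following Python is an added example of that design on the server side; it is not the Group's code and not an implementation of the Group's Internet banking service, and the cookie name SESSIONID, the 15-minute idle timeout and the customer record fields are assumptions. Because the identifier alone selects the customer's session, the Set-Cookie header marks it Secure (so that, consistent with the encryption practice in (a) above, it is only ever sent over an encrypted connection) and HttpOnly, and omits Expires/Max-Age so that it remains a browser session cookie. check_set_cookie() is the check a reviewer would run against what a server actually emits.

```python
"""Session-identifier cookies: added example, not the Group's code.
Cookie name, idle timeout and customer fields are assumptions."""
import secrets
import time
from http.cookies import SimpleCookie

SESSION_COOKIE = "SESSIONID"      # assumed cookie name
IDLE_TIMEOUT_SECONDS = 15 * 60    # assumed idle timeout
MIN_ID_LENGTH = 22                # about 128 bits of URL-safe base64


class SessionStore:
    """Server-side table of live sessions. The cookie value is only a key
    into this table; nothing about the customer is encoded in it."""

    def __init__(self, clock=time.time):
        self._sessions = {}
        self._clock = clock   # injectable so the idle timeout can be tested

    def create(self, customer_record):
        # 32 bytes from the OS CSPRNG, URL-safe base64 (43 characters).
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"customer": dict(customer_record),
                               "last_seen": self._clock()}
        return sid

    def lookup(self, sid):
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        now = self._clock()
        if now - entry["last_seen"] > IDLE_TIMEOUT_SECONDS:
            # Idle too long: drop it so a stale cookie cannot be replayed.
            del self._sessions[sid]
            return None
        entry["last_seen"] = now
        return entry["customer"]

    def destroy(self, sid):
        # Logout invalidates server-side; the browser discarding the
        # session cookie is not relied on.
        self._sessions.pop(sid, None)


def set_cookie_header(sid):
    """Value of the Set-Cookie header issued once the session is established."""
    jar = SimpleCookie()
    jar[SESSION_COOKIE] = sid
    morsel = jar[SESSION_COOKIE]
    morsel["path"] = "/"
    morsel["secure"] = True        # sent only over TLS
    morsel["httponly"] = True      # not readable by page scripts
    morsel["samesite"] = "Strict"
    # No "expires"/"max-age": a session cookie, discarded when the
    # browser session ends.
    return jar.output(header="").strip()


def session_from_request(store, cookie_header):
    """Resolve the request's Cookie header to the server-side record, or None."""
    jar = SimpleCookie()
    jar.load(cookie_header or "")
    morsel = jar.get(SESSION_COOKIE)
    if morsel is None:
        return None
    return store.lookup(morsel.value)


def check_set_cookie(header):
    """Policy violations found in a Set-Cookie header value; [] means it passes."""
    jar = SimpleCookie()
    jar.load(header)
    morsel = jar.get(SESSION_COOKIE)
    if morsel is None:
        return ["session cookie missing"]
    problems = []
    if not morsel["secure"]:
        problems.append("missing Secure")
    if not morsel["httponly"]:
        problems.append("missing HttpOnly")
    if morsel["expires"] or morsel["max-age"]:
        problems.append("persistent cookie (Expires/Max-Age set)")
    if len(morsel.value) < MIN_ID_LENGTH:
        problems.append("session identifier too short")
    return problems


if __name__ == "__main__":
    # Constructed sample customer record, not real data.
    store = SessionStore()
    sid = store.create({"customer_ref": "C-0001", "name": "Sample Customer"})
    header = set_cookie_header(sid)
    print("Set-Cookie:", header)
    print("violations:", check_set_cookie(header))
    print("resolved:", session_from_request(store, f"{SESSION_COOKIE}={sid}"))
```

The cookie expiring "once the session is closed" covers only the browser's copy; the server must also stop honouring the identifier, which is why logout calls destroy() and why lookup() drops sessions that have gone idle.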

(c) Accuracy

Personal data provided to the Group through an on-line facility, once submitted, cannot be deleted, corrected or updated on-line. If deletion, correction or updating is required, users should approach the relevant Group members, departments or branches.

(d) Retention

The personal data collected on-line will be transferred to the relevant members of the Group, departments or branches for processing. Personal data will normally be retained on the website for a period of not longer than six months.

(e) Minors

In general, no personal data will be collected from minors under the age of 13 without the consent of a person with parental responsibility for the individual.

(f) Disclosure

No customer information will be disclosed to any external organisations unless the Group has previously informed the customer in disclosures or agreements, or has been authorised by the customer, or is required to do so by law.

The Group will always maintain control over the confidentiality of customer information. The Group may, however, facilitate offers to customers from reputable third party companies. Such companies are prohibited from retaining any customer information unless the customer has specifically expressed interest in their products or services.

An E-Privacy Policy (Customers) Statement (Appendix B) is posted on the homepage of the website of The Bank of East Asia, where it may be accessed by individuals. Group Members maintaining separate web sites should also post appropriate Privacy Policy Statements on the homepages of such websites, where they may be accessed by individuals utilising such sites.
(6) KINDS OF PERSONAL DATA HELD BY THE GROUP

Personal data held by the Group regarding customers may include the following:-

(a) name and address, occupation, contact details, date of birth and nationality of customers and spouses of customers and their identity card and/or passport numbers and the place and date of issue thereof;

(b) current employer, nature of position, annual salary and other benefits of customers and spouses of customers;

(c) details of properties, assets or investments held by customers and their spouses;

(d) details of all other assets or liabilities (actual or contingent) of customers and their spouses;

(e) information obtained by the Group in the ordinary course of the continuation of the banking relationship;

(f) information as to credit standing provided by a referee, credit reference agency or debt collection agency in connection with a request to collect a debt due from any customer to the Group; and

(g) information which is in the public domain.

The Group may hold other kinds of personal data which it needs in the light of experience and the specific nature of its business.

(7) PURPOSES FOR WHICH PERSONAL DATA ARE USED

(a) It is necessary for customers to supply the Group with data in connection with the opening or continuation of accounts and the establishment or continuation of banking facilities or the provision of banking and other financial services.

(b) Failure to supply such data may result in the Group being unable to open or continue accounts or establish or continue banking facilities or provide banking and other financial services.

(c) It is also the case that data are collected from customers in the ordinary course of the continuation of the banking and other financial relationship, for example, when customers write cheques or deposit money.

(d) The purposes for which data relating to a customer may be used are as follows:-

(i) the daily operation of the services and credit facilities provided to customers;

(ii) conducting credit checks at the time of application for credit and at the time of regular or special reviews, which normally will take place one or more times each year;

(iii) creating and maintaining the Group's credit scoring models;

(iv) assisting other financial institutions to conduct credit checks and collect debts;

(v) ensuring the ongoing credit worthiness of customers;

(vi) designing financial services or related products for customers' use;

(vii) marketing financial services or related products;

(viii) determining the amounts owed to or by customers;

(ix) collection of amounts outstanding from customers and those providing security for customers' obligations;

(x) meeting the requirements to make disclosure under the requirements of any law binding on the Group or any of its branches;

(xi) enabling an actual or proposed assignee of the Group, or participants or sub-participants of the Group's rights in respect of the customer, to evaluate the transaction intended to be the subject of the assignment, participation or sub-participation; and

(xii) purposes relating thereto.

(8) PARTIES TO WHOM PERSONAL DATA ARE TRANSFERRED

Data held by the Group relating to a customer will be kept confidential but the Group may provide such information to the following parties for the purposes set out in paragraph (7):-

(a) any agent, contractor or third party service provider who provides administrative, telecommunications, computer, payment or securities clearing or other services to the Group in connection with the operation of its business;

(b) any other person under a duty of confidentiality to the Group, including a group company of the Group which has undertaken to keep such information confidential;

(c) the drawee bank providing a copy of a paid cheque (which may contain information about the payee) to the drawer;

(d) credit reference agencies and, in the event of default, debt collection agencies;

(e) any person to whom the Group is under an obligation to make disclosure under the requirements of any law binding on the Group or any of its branches; and

(f) any actual or proposed assignee of the Group or participant or sub-participant or transferee of the Group's rights in respect of the customer.
(9) SHARING AND USE OF CONSUMER CREDIT DATA THROUGH A CREDIT REFERENCE AGENCY

The Group has adopted procedures and standards, i.e. Policy and General Guidelines on the Sharing and Use of Consumer Credit Data through a Credit Reference Agency, to be observed by the relevant departments, branches and business units in relation to the sharing and use of consumer credit data through a credit reference agency.

The Group may have obtained a credit report on the customer from a credit reference agency in considering any application for credit. In the event that the customer wishes to access the credit report, the Group will advise the customer of the contact details of the relevant credit reference agency.

(10) DIRECT MARKETING

It is the policy of the Group that when using personal data obtained from any source for conducting direct marketing by the following means, the Group shall, on the first occasion on which it so uses those personal data, inform persons that they may, without charge, request the Group to cease using their data for direct marketing purposes:

(a) information or goods sent to any person by mail, facsimile transmission, electronic mail or other similar means of communication, where the information or goods are addressed to a specific person or specific persons by name; or

(b) telephone calls made to specific persons.

If direct marketing is conducted by means of (a) above, a Direct Marketing Approaches Opt-out Choice form (Appendix C) will be enclosed or an appropriate column will be printed on the application form for completion by an individual who opts not to receive future direct marketing approaches from the Group. Upon receipt of a completed Opt-out Choice form or an opt-out request as indicated on the application form, IDPOs should inform the GDPO, who will update the Group opt-out list, as a result of which no further direct marketing activities will be conducted by the Group on the basis of that personal data.

If direct marketing is conducted by means of (b) above, the person who makes the calls on behalf of the Group should inform the GDPO, who will update the Group opt-out list in respect of the individuals who do not want their personal data to be used for direct marketing purposes.

Each branch/department/subsidiary may keep its own opt-out list as a substitute for the Group opt-out list provided that:-

(a) there is a clear division in the category of customers served by each branch/department/subsidiary without any overlapping;

(b) the staff of one branch/department/subsidiary are strictly prohibited from making cold-calling approaches to the category of customers served by another branch/department/subsidiary; and

(c) any opt-out notified by an individual to the head office of the Bank is forwarded promptly to the relevant branch/department/subsidiary for inclusion in its opt-out list.

The Group has specified basic operational requirements for conducting direct marketing under the Group's Privacy Policy, i.e. General Guidelines for Conducting Direct Marketing, for those departments, branches and business units which are involved in conducting direct marketing activities. The General Guidelines are also applicable to any mailing agency which conducts direct marketing activities on behalf of the Bank.
(11) SECURITY OF PERSONAL DATA

All personal data should be kept in secure files or computer retrieval systems to which access may only be gained under the supervision of the IDPO responsible for the customer.

It is the policy of the Group to ensure an appropriate level of protection for personal data in order to prevent unauthorised access, processing or other use of that data, commensurate with the sensitivity of the data and the harm that would be caused by unauthorised access to that data. It is the practice of the Group to achieve appropriate levels of security protection by restricting physical access to data, by providing secure storage facilities and by incorporating security measures into equipment in which data is held. Measures are taken to ensure the integrity, prudence and competence of persons having access to personal data. Data is only transmitted by secure means.

(12) ACCURACY OF PERSONAL DATA

It is the policy of the Group to ensure the accuracy of all personal data collected and processed by the Group. Appropriate procedures are implemented to provide for all personal data to be regularly checked and updated to ensure that it is reasonably accurate having regard to the purposes for which that data is used. In so far as personal data held by the Group consists of statements of opinion, all reasonably practicable steps are taken to ensure that any facts cited in support of such statements of opinion are correct.

(13) ERASURE OF PERSONAL DATA

(a) In the case of a relationship between a customer and the Group which is continuing, personal data relating to the customer will be erased in the following circumstances:

(i) when the IDPO responsible for the customer becomes aware that the personal data are inaccurate or out of date;

(ii) if the personal data consist of credit information received from a referee, credit reference agency or debt collection agency, when the Group decides that it is no longer relying on that information;

(iii) if the personal data were acquired by the Group solely in connection with facilities or banking services which the Group has decided not to extend to the customer, within a brief period following such decision determined by the Group to be appropriate; and

(iv) if the personal data consist of a tape recording of a telephone conversation between the customer and the Group, after the expiry of a brief period decided upon by the Group from the date that the recording takes place.

(b) In the case of a relationship between a customer and the Group which has come to an end, with all obligations of the customer to the Group or vice versa having been paid or satisfied, the personal data relating to the customer will be erased in the following circumstances:

(i) if the personal data consist of data necessary to substantiate the amount of the obligations of the customer to the Group or vice versa or to evidence satisfaction of such obligations, following a period after the termination of the relationship between the customer and the Group selected by the Group as being sufficient to ensure that it has the personal data at any time within which proceedings may be brought against the Group by the customer after the termination of the relationship between the customer and the Group; and

(ii) in any other case, after a brief period decided upon by the Group following the termination of the relationship between the customer and the Group.

(c) In the case where personal data were acquired by the Group solely in connection with an application by the customer for facilities or banking services which the Group has decided not to extend, the Group will erase the personal data relating to the customer within a brief period following such decision determined by the Group to be appropriate.

(d) Nothing in this paragraph requires the Group to erase personal data when to do so would be unlawful or when it is not in the public interest (including historical interest) for the personal data to be erased.

(e) Information for marketing or product design purposes may be kept indefinitely as long as it is of a statistical nature and does not identify customers.
(14) DATA ACCESS REQUESTS AND DATA CORRECTION REQUESTS

It is the policy of the Group to comply with all data access and correction requests, for all staff to be familiar with the requirements for assisting individuals to make such requests, and to process such requests in accordance with the provisions of the Ordinance.

The Group has implemented administrative arrangements, i.e. Guidelines on Handling of Data Access Request and Data Correction Request, for handling data access and correction requests and has designated the IDPOs in each branch, department and subsidiary, under the supervision and coordination of the GDPO, as having responsibility for dealing with requests of this nature. IDPOs have the necessary authority to seek responses from those responsible within the Group for personal data, and a system has been implemented for checking progress in responding to requests in order to ensure that the time limits prescribed by the Ordinance are complied with.

It is the Group's policy to charge a nominal fee in respect of a data access request. If a person making a data access request requires an additional copy of the personal data, the Group may charge a fee to cover the full administrative and other costs incurred in supplying that additional copy.

(15) RIGHTS OF INDIVIDUALS

Under and in accordance with the terms of the Ordinance and the Code of Practice on Consumer Credit Data approved and issued under the Ordinance, any individual has the right:-

(i) to check whether the Group holds data about him and to have access to such data;

(ii) to require the Group to correct any data relating to him which is inaccurate;

(iii) to ascertain the Group's policies and practices in relation to data and to be informed of the kinds of personal data held by the Group;

(iv) to be informed on request which items of data are routinely disclosed to credit reference agencies or debt collection agencies, and to be provided with further information to enable the making of a data access and correction request to the relevant credit reference agency or debt collection agency; and

(v) in relation to data which has been provided by the Group to a credit reference agency, to instruct the Group, upon termination of an account by full repayment, to make a request to the credit reference agency to delete such data from its database, as long as the instruction is given within five years of termination and at no time did the account have a default of payment lasting in excess of 60 days within the 5 years immediately before account termination. In the event that the account has had a default of payment lasting in excess of 60 days, the data may be retained by the credit reference agency until the expiry of 5 years from the date of final settlement of the amount in default or 5 years from the date of discharge from a bankruptcy as notified to the Group, whichever is earlier.

(16) CONTACTS OF GDPO

The person to whom requests for access to data or correction of data, or for information regarding the Group's Privacy Policy (Customers) Statement and the kinds of data held, are to be addressed is as follows:-

The Group Data Protection Officer
The Bank of East Asia Group
20th Floor, Bank of East Asia Building
10 Des Voeux Road Central
Hong Kong

Telephone: 2842 3200
Fax: 2833 6423
Website: www.hkbea.com

(Revised by Secretarial Department, August 2003)