Privacy Commissioner’s Report Affirms ZA Bank’s Customer Data Protection Measures
by Fintech News Hong Kong, October 12, 2023
ZA Bank was granted a virtual banking license by the Hong Kong Monetary Authority in March 2019 and became operational in March 2020.
The inspection found that ZA Bank has generally complied with the requirements of the Personal Data (Privacy) Ordinance (PDPO) in the handling of customers’ personal data.
The PCPD noted that ZA Bank took measures such as implementing a paperless office, conducting drill exercises to prevent the threat of phishing attacks and promoting a culture of privacy in the workplace.
However, the PCPD also made some recommendations for ZA Bank to further strengthen the protection of its customers’ personal data.
These include strengthening the management of its data processors, enhancing the monitoring capabilities of the data loss prevention system, and limiting the time for staff to access customers’ personal data.
Ada Chung Lai-ling, the Privacy Commissioner, said,
“Consequent upon the development of fintech in Hong Kong, there are currently eight virtual banks which offer innovative financial services to the public.
I hope that the findings and recommendations of this inspection will not only assist ZA Bank to further strengthen the protection of its customers’ personal data, ensure data security and prevent data breach incidents, but also serve as a reference to other virtual banks in complying with the requirements of the PDPO.”
ZA Bank issued a statement saying that “customer privacy is always at the heart of its operations, and the PCPD’s report reaffirms its longstanding strategy to protect customer data”.
The digital bank added that it will implement the PCPD’s recommendations to further strengthen the protection of its customers’ personal data.
Calvin Ng, Alternate Chief Executive of ZA Bank, said,
“The PCPD’s report is positive and commends us for complying with the requirements of the PDPO to manage customers’ personal data.
Our measures include: establishing a Personal Data Privacy Management Programme, appointing a dedicated Data Protection Officer, implementing a ‘Phishing Attack Drill Exercise’, and promoting a culture of privacy in the workplace, etc.”