Case Studies

Search Case Studies

All Areas of Concern

Search Case Studies

All Areas of Concern

Handling customers' data

Trades / Industries:
Areas of Concern:

Cindy worked in a bank credit card centre and was responsible for verifying the personal particulars of credit card applicants. Recently she became engaged to her long-term boyfriend and, as part of their wedding plans, they wished to arrange a banquet befitting the grand occasion. With this in mind, Cindy and her fiancé borrowed  $500,000  from  a  finance  company  but  soon  ran  into  difficulties with regards to the loan repayments.


One day, Cindy's good friend, Fred, called her and invited her to lunch. Fred happened to work for a debt collecting company. Upon learning of her financial predicament, he offered her a "part-time job". It was a fairly undemanding job, he explained. He would provide her with a list of debtors' names every month and all Cindy needed to do was to check the names on the list with the personal information of the cardholders and sent the results to him. Fred offered Cindy a payment of $1,000 for every set of information she could provide to him. As Cindy needed extra money, she readily accepted the offer.

Case Analysis

Bank employees are required to treat their customers' banking affairs as private and confidential.Cindy might violate the Code of Conduct[1] of her bank for releasing customers’ information of her bank to a third party without their consent. Such a disclosure is also strictly prohibited in accordance with the Personal Data (Privacy) Ordinance (PDPO).


Cindy breached Section 9 of the Prevention of Bribery Ordinance by accepting an advantage, i.e. $1,000 for each set of data released to Fred. Fred in turn committed an offence of offering a bribe.




[1] According to HKMA’s Supervisory Policy Manual CG-3, each authorized institute (bank) should develop its own Code of Conduct containing certain minimum conduct requirements which include “no member of staff should release customer information to a third party without written consent from the relevant customer, unless the release complies with the PDPO or he is required or permitted to do so by law.”

Back To Top