Preventing leaks of confidential customer information

Article contributed by special arrangement with the Independent Commission Against Corruption

Gary recently quit his job with a detective agency to join a major bank as a customer service officer. In his new position, he was allowed access to a computer system which held a large amount of personal data about customers, including addresses, telephone numbers and account information.

Gary still kept in touch with Colin, his former boss at the detective agency, who soon realised that the bank's customer database contained a lot of information which could potentially help his own investigative work. Seeing an opportunity, he made a point of building a closer relationship with Gary, invited him out often, and paid for expensive meals and wines. When Gary broke up with his girlfriend, the campaign effectively moved to the next level. Colin took on the role of "counsellor" and arranged visits to pubs, nightclubs and karaoke bars. He was always ready to foot the bill and, unaware of the hidden agenda, Gary felt indebted and that he had a friend he could rely on.

One day, Colin asked for a "small favour". He wanted help with a quick check on some basic personal information about a couple of the bank's clients. There was also passing mention of a cash payment of HK$1,500 for each successful check.

Gary considered the request and could see no immediate problem. He also felt obliged for all the entertainment he had received and thought this would be a way of cementing his friendship with Colin. As it happened, he was also facing some financial problems as a result of a recent string of unsuccessful investments in the stock market. Although, he was fully aware that the bank had a code of conduct, which prohibited the disclosure or improper use of customer information and accepting advantages in relation to the bank's business, Gary finally decided to accept Colin's offer.

He carried out checks of confidential customer data for selected clients and passed this on to Colin via email. At one point, he told himself that, since the system was also accessible by other customer service officers, the data was not really "secret" and that what he was doing would not be easily detected.

However, the matter came to light when a customer, who suspected that his personal information had been leaked without authorisation, lodged a complaint with the bank. This led to the case being reported to the ICAC for a fuller investigation. In the course of this, it became clear that Gary had not only breached the company's internal code of conduct but, in accepting monetary rewards for disclosing client information without authorisation, he had also broken the law. Under Section 9 of the Prevention of Bribery Ordinance, an employee is liable to have committed an offence if he or she accepts advantages in relation to the principal's business, without the latter's permission. As the person who offered an advantage, Colin had also committed an offence under the same ordinance.

Moreover, according to Data Protection Principle 4 under the Personal Data (Privacy) Ordinance (PDPO), the bank should have taken all practicable steps to ensure that any personal data it held was protected against unauthorised access.

In such cases, the Privacy Commissioner for Personal Data may issue an enforcement notice to require remedial action in order to address any contravention. Failure to comply with the notice may then amount to a criminal offence under the PDPO. Thus, it would be good practice for the bank, or any other employer, to have adequate controls in place to protect clients' personal data and safeguard their interests.

For enquiries about this article or corruption prevention advice for private sector companies, please contact the Advisory Services Group of the ICAC's Corruption Prevention Department at (tel) 2526 6363, (fax) 2522 0505 or (e-mail) Our service is free and confidential.

Q&A on steps that management should take
Q1 To prevent employees from misusing or leaking confidential customer information, what measures should the management adopt?
A1 Management should take special note of the following:

(a) Ethics requirements

  • issue a code of conduct to ensure all staff are aware of the company's expectations and standards. Clearly state the company's commitment to ethical practices
  • require staff to sign an undertaking about the protection of customer information and make it clear they will be subject to disciplinary action including dismissal if there are any breaches

    (b) Restricted access

  • classify information according to the degree of confidentiality and sensitivity, and grant access to staff on a "need to know" basis

    (c) Information system safeguards

  • adopt effective security measures, such as using computer password controls and access control software to prevent unauthorised access to confidential information
  • maintain audit trails to continuously track the use or misuse of confidential information by staff

  • Q2 What advice do you give to employees?
    A2 To be a responsible employee and protect yourself from inadvertently breaching the law, you should:
  • fully understand and abide by the relevant laws, especially the Prevention of Bribery Ordinance
  • comply at all times with your company's code of conduct
  • avoid accepting unreasonable, excessive or frequent entertainment from official contacts, which might lead to requests for inappropriate favours that you then found difficult to turn down

  • Taken from Career Times 20 January 2006

    (Last review date: 23 August 2013)

    讚好 CTgoodjobs 專頁,獲取更多求職資訊!

    Disclaimer: The opinions expressed in this article are those of the contributor

    Free Subscription