Misuse of Personal Data

Use of clients’ personal data for an unauthorised purpose may result in suspension from the securities industry by the Securities and Futures Commission (“SFC”).

On 22 January, 2018, the SFC banned Mr Chan Wai Nun (“Mr. Chan”), a former investment counsellor of a bank (“Bank”), from re-entering the industry for six months from 19 January 2018, pursuant to section 196(1)(iii) of the Securities and Futures Ordinance (“SFO”). The reason is that Mr. Chan transferred a client list to his personal email account and then to the personal email account of his potential new supervisor at a new employer.

Banks and securities dealers will have a new and potentially more effective channel than court proceedings to ensure that their staff do not misuse clients’ personal data (which are the bank’s and dealers’ confidential information and commercial secrets).

Professionals in the securities industry will have a new reason to be careful in their use of clients’ personal data.

The facts

Mr. Chan was an investment counsellor (“IC”) at the Bank, and was registered as a relevant individual of the Bank to carry on Type 1 (dealing in securities) and Type 4 (advising on securities) regulated activities under the SFO.

Mr. Chan tendered his resignation on 29 February 2016. His last day of employment with the Bank was to be 31 March 2016. He was scheduled to join another bank (“New Employer”) as a relationship manager on 1 April 2016.

When Mr. Chan took up his role as an IC, his predecessor passed him a list which contained names, account numbers, telephone numbers, email addresses and figures of old assets under management of about 208 clients of the Bank (“Client List”). The Client List also contained information which appeared to be investments made by the clients or in which the clients were interested, as well information on the credit extended to the clients. Mr. Chan used the Client List for the purposes of carrying out his duties at the Bank.

During an email surveillance on new joiners conducted in March 2016, the New Employer identified an email enclosing the Client List in the email account of an existing staff member and traced the origin of the email to Mr. Chan. That existing staff member was Mr. Chan’s former colleague (“Ex-colleague”) at the Bank and who was designated to be Mr. Chan’s supervisor when he joined the New Employer.

The New Employer initiated an internal investigation and found that:

(a)        on 4 December 2015, Mr. Chan emailed the Client List from his work email account at the Bank to his personal email account;

(b)        on 4 February 2016, about two months before he was due to commence his new employment, Mr. Chan forwarded, from his personal email account, the Client List to the Ex-colleague at the Ex-colleague’s personal email account; and

(c)        on 5 February 2016, the Ex-colleague forwarded the Client List from his personal email account to his work email account at the New Employer.

Mr. Chan’s “arguments”

Mr. Chan admitted liability for misconduct.

He explained that at the time he sent the Client List to the Ex-colleague (who was designated to be his supervisor at the New Employer), he had already secured employment with the New Employer. In sending the Client List to the Ex-colleague, Mr. Chan merely wanted to show that he was capable of building up a client base. He had no intention to poach the Bank’s clients or obtain any benefit.

Subsequently, Mr. Chan confirmed that he had deleted the Client List and all information obtained from the Bank from his personal email account and his personal laptop.

SFC’s conclusion

By transferring the Client List first to his personal email account and then to the Ex-colleague’s personal email account, Mr. Chan was in breach of the Bank’s internal policies, Data Protection Principle 3 in Schedule 1 of the Personal Data (Privacy) Ordinance (“PDPO”), and General Principle 2 (diligence) and paragraph 12.1 of the Code Conduct

Data Protection Principle 3 in Schedule 1 of the PDPO provides that personal data shall not, without the prescribed consent of the data subject, be used for a new purpose, i.e. any purpose other than the purpose for which the data was to be used at the time of the collection of the data or a purpose directly related to such purpose.  “Use” is defined in section 2 of the PDPO to include disclose or transfer personal data.

General Principle 2 (diligence) of the Code of Conduct provides that, in conducting its business activities, a registered person should act with due skill, care, diligence, in the best interests of its clients and the integrity of the market. 

Paragraph 12.1 of the Code of Conduct provides that a registered person should comply with the law, rules, regulations and codes administered or issued by the SFC and the requirements of any regulatory authority which apply to the registered person.

The SFC formed the opinion that Mr. Chan is not a fit and proper person to be registered with the HKMA or licensed by SFC, and banned Mr. Chan from re-entering the industry for six months.

The SFC considered, among other things, that a deterrent message needs to be sent the market.