Personal Data Protection in Everyday Commercial Transactions
Picture the scene: You're walking through a shopping mall or leaving your local hypermarket and you see a group of young people at a little booth trying to get you to sign up for a credit card. They're skilled in the art of getting you to stop and listen to them even though you're desperately trying to dodge them and get to the parking lot.
Should you stop? Let alone trust them enough to hand them your IC? Is it as safe as applying at a bank? Well, these are tricky questions to answer because there are many factors that determine if it's safe to apply for a credit card while at a roadshow/booth.
Scenario 1: You're completely safe
First, let's look at the obvious - the scenario where it's safe. Put simply, if the booth is legitimately authorized by the bank and the staff actually work for the bank, then yes, it probably is safe to give them your information. There are data protection laws, banking regulations, and SOPs covering this very topic. This involves them securely storing the documents they take copies of, ensuring the chain of custody remains unbroken from the roadshow to their office, and ensuring that the employment contracts for the roadshow staff have specific stipulations covering data privacy and security.
This also assumes that nothing goes wrong along the way and that there are no unscrupulous actors within the teams working at the roadshow. This brings us to the next two scenarios.
Scenario 2: You're only somewhat safe
Now we'll look at the issue of sloppy data collection and storage. How much information do credit card companies really need from you? Some sales teams work the old-fashioned way, taking a photocopy of your IC and following up for income documentation through email. Some would even offer to let you use their roadshow laptop to download copies of your payslips right off your HR portal. While these aren't red flags in terms of the intentions of the sales team, they are red flags from a data security perspective. You should never access personal data on an unknown public or shared device.
On the other hand, some sales teams work in a more streamlined way, verifying your identity onsite using your IC and thumbprint scan with a MyKad reader. They also use their systems to check your income levels and credit eligibility using your EPF or CTOS records, without asking you to submit documentation or take photocopies.
While we are not endorsing either system, as both legitimately exist in the wild, it is clear that the more automated systems make it harder for information to go missing along the way. As a general rule, digital is always better than paper. An important point to note is that by digital we are referring to specialized systems, websites, or apps controlled by the bank, and not to sales agents taking photos of your documentation on their personal mobile phone cameras to download at the office later (another data security red flag!).
Scenario 3: You're not safe at all
In this final scenario, we look at the presence of bad actors. First, is the sales booth legitimate in the first place or is it a scam? It might be harder to run a scam operation in a commercial setting like a shopping mall where there's some degree of permission required before setting up. But there certainly might be a risk in public outdoor spaces where no checks have been done on the identity of the people running the booth.
Second, perhaps the booth and staff uniforms are legitimate but the roadshow wasn't authorized by the bank. Perhaps it's actual bank staff who have custody of the roadshow materials and have set up a scam operation on their off day to harvest consumer data to be sold. Are the staff sneaking information off on the side? Are they selling databases of the daily registration information to unscrupulous third parties? These are tougher questions to answer.
What is clear is that data security gets progressively harder to control with each step you take further away from the bank branch: to the roadshow, to the shopping mall, to the popup counter on the street corner, to the telesales applications done over the phone.
So how do you maximize your chances of staying safe?
To sum up - is it as safe as applying at the bank? It depends entirely on whether or not the sales team is following the rules. What we do know is that the rules are supposed to be set up to make it completely safe for you, so you definitely have the law on your side.
You have a right to ask what they’re collecting and how they’ll be storing it - and we recommend that you always ask! There's a chance that the staff refuse to answer or don't even know themselves. This is definitely a red flag as it automatically puts you in either scenario 2 or 3. Remember to always be skeptical and ask as many questions as it takes for you to get a sense of comfort before handing over your personal data. Most importantly, trust your gut. If it doesn't feel right then always walk away!