Octopus privacy protection to be probed
The Octopus card's broad reach has made it a popular way to pay transit fares and shop at retail chains in the city - and soon in Shenzhen as well.
Nineteen out of 20 Hongkongers have the smart card, and more than two million hold a personalised one.
But the Octopus's many tentacles allow it to collect a broad range of data about its users' day-to-day activities, and that has prompted the privacy watchdog to investigate how the company behind it handles their personal information.
Privacy Commissioner Roderick Woo Bun said his office would look into the Octopus card system after it spotted potential privacy issues, especially with personalised cards.
With more than 11 million transactions a day, valued at over HK$100 million, Octopus is said to be the world's most used smart card system.
Octopus Cards Ltd says it has issued more than 20 million cards since they were launched in 1997.
Woo said yesterday: 'We are more concerned about the collection of personal data and their applications, as well as the sharing of the information. We would like to know if there are any measures by the company to ensure the information will be properly protected and destroyed.'
He said his office had not received too many complaints about Octopus cards in the past.
'Sometimes, people feel the convenience of the card outweighs the potential risks. Sometimes, they may not be aware of the potential risks at all,' Woo said.
He said the operator could easily profile the daily life of a personalised card holder - where he usually shops, when he usually takes public transport and where he usually goes.
The company says on its webpage that the personal data collected includes the holder's name, contact details, identification type and number, age and date of birth, card number and 'your Octopus usage data'.
The data may be used, according to the firm's personal data policy, for, among other purposes, 'marketing of goods and/or services by us, our subsidiaries, our affiliates or any of our selected business partners'.
'We, our subsidiaries, our affiliates or any of our selected business partners may need to carry out matching procedure [sic] ... to enable us to better understand your characteristics and to provide other services better tailored to your needs (such as offering special birthday promotions to you) to assist us in selecting goods and services that are likely to be of interest to you and to establish whether you already have a relationship with our selected business partners' as well as 'other related purposes', it goes on to say.
That is essentially a catch-all for any scenario.
The company said in a statement: 'To ensure our customers are protected, our conditions of issue also states that data held by Octopus will be kept confidential. Policies and procedures of personal data protection are put in place to ensure the confidentiality of such data.'
Woo's office will soon find out if those procedures do the job.
the privacy commissioner