Critics dismiss 'small step' as Octopus vows to safeguard privacy of card users' data

PUBLISHED : Tuesday, 29 June, 2010, 12:00am
UPDATED : Tuesday, 29 June, 2010, 12:00am

Amid growing privacy concerns, the Octopus Card company says it will stop storing card holders' ID numbers on their personalised cards.

The policy, dismissed by some critics as only a 'small step forward', was announced yesterday after a study into the company's privacy policy indicated that it could freely transfer card holders' personal data to its business partners.

The study, by the political grouping New Forum, also highlighted the little-known policy that card holders are responsible for financial losses arising from a lost Octopus card for six hours after they report losing the card.

In a statement last night, the company said it was 'standing practice' that the user's name, date of birth and ID card number are stored on a personalised Octopus card. 'To enhance the level of privacy protection for the public, from [the fourth quarter of] 2010, ID card numbers will no longer be stored on [personalised cards] or products,' it said.

The 2 million holders of personalised cards must contact the company if they wanted their cards stripped of the information, a spokesman said.

As for the need to take six hours to void a card, the company said Octopus cards work in an offline mode, unlike credit cards. That's why 'it takes time to send files separately to all frontline processors to stop the use of the lost Octopus,' it said.

New Forum board member Tang Wing-chun said removing ID card numbers was an inadequate way of addressing privacy concerns. 'It is a small step forward. But it still does not stop the company from handing over a card holder's personal data to its business partners,' he said.

The company says on its webpage that the personal data collected includes the holder's name, contact details, identification type and number, age and date of birth, card number and Octopus usage data.

The data may be used for, among other purposes, 'marketing of goods and/or services by us, our subsidiaries, our affiliates or any of our selected business partners'.

With more than 11 million transactions a day valued at over HK$100 million, Octopus is said to be the world's most used smart card system. Octopus Cards Ltd says it has issued more than 20 million cards since they were launched in 1997.

But a study by New Forum indicated that many people do not fully understand the liabilities they may be subject to. Of 1,004 card users polled, only 3 per cent knew they would be held responsible for losses for six hours after reporting their card lost.

Over 90 per cent of users said they were unaware of the company's personal data policy.

After being told some of the clauses, as many as 90.2 per cent of the respondents said the policy was unfair.

A spokesman for the privacy commissioner's office said it was aware of the concerns and a study is being conducted to look into the potential privacy issues of the Octopus card system.