Octopus escapes penalty for selling data
Octopus Holdings has escaped punishment for the excessive collection and unauthorised sale of cardholders' personal data despite being found by the privacy watchdog to have deceived members of its rewards scheme.
The Office of the Privacy Commissioner said yesterday the smart-card issuer had violated three data protection principles, including collecting more data than needed to verify its customers' identity and selling it for monetary gain.
But it said that instead of issuing an enforcement notice, it had accepted an undertaking from Octopus that it would, within two months, destroy and erase its members' identity card numbers and birth dates from its database.
Commissioner Allan Chiang Yam-wang said he did not personally think the outcome was adequate 'but this is the current provision under the ordinance'.
'The members of the [Octopus reward] programme were deceived,' Chiang said, commenting on the investigation's finding that members had received calls from agents for insurance company Cigna purporting to be on behalf of Octopus, after the insurer had obtained their data.
The office's chief legal counsel, Brenda Kwok, said an enforcement notice - under which a company can face a range of penalties including fines and jail - could be issued only if it was likely that a contravention would continue, but Octopus had stopped the practice.
The commissioner cannot launch prosecutions directly but can refer a case to the police.
Lawmakers said the lack of a penalty revealed the inadequacy of the privacy laws.
Concern about the handling of personal data by Octopus and other companies that collect it began mounting in March after disclosures that Octopus had been passing - and as it later emerged selling - its members' data to third parties.
The commissioner found that the personal data of more than one million Octopus cardholders had been sold to business partners for HK$44 million without the cardholders' consent in the five years from 2006.
In the full report of the investigation released yesterday, Octopus was found to have contravened three data protection principles.
First, it had collected excessive personal data, such as identity card numbers, passport numbers and month and year of birth, for the purpose of customer authentication.
It was also found to have failed to take all reasonably practicable steps to ensure that the applicants were explicitly informed of the classes of persons to whom the data might be transferred.
It had shared members' personal data with business partners Cigna, CPP, Cimigo, MIL and TNS for monetary gains without their consent.
Octopus was liable for the contraventions, the report said.
In its undertaking, Octopus has promised to produce a certificate issued by an independent third party to certify that the data had been destroyed.
Its five business partners have also been called on to submit independent reports, certifying that all personal data sold to them has been completely erased and destroyed.
Lawmaker Wong Kwok-hing said he was extremely disappointed by the outcome.
'I don't think the privacy commissioner fully exercised his rights to issue an enforcement notice,' Wong said.
As suspected deception was revealed in the report, he said the police should investigate.
Lawmaker James To Kun-sun said the lack of a penalty despite confirmed contraventions would encourage other companies to continue the practice.
The Monetary Authority, meanwhile, published an interim report on the Octopus card affair prepared by Deloitte, which made recommendations on controls over the collection, storage and retention of customers' personal data.
Octopus said it noted the privacy commissioner and Monetary Authority investigation results and would respond today.