Manulife told to change online terms in data row

The authority that oversees Mandatory Provident Fund trustees has told Manulife to change its online terms to make it easier for customers to reject conditions they are not happy with.

This follows complaints from customers who said they were unable to check their accounts without agreeing in advance to a set of conditions including use of their personal data for promotions.

The complaints have also prompted the privacy commissioner to check the insurer's website to see if it is complying with a guideline on personal data collection issued last year after the scandal over the Octopus card company's collection and sale of such data.

Manulife's MPF customers said they had not been able to check their accounts online unless they clicked the 'accept' button to agree with all the terms. These included one enabling Manulife or its associated companies to use customers' personal data 'to promote financial-related products or services ... through intermediaries or direct marketing'.

A Mandatory Provident Fund Schemes Authority spokeswoman said last night it had 'instructed [Manulife] to improve the relevant arrangements to make it more convenient for scheme members to choose whether or not to accept promotional materials'.

Manulife, which has more than one million MPF accounts, said the agreement was amended when a new service was introduced to its website recently but no changes had been made to the privacy section.

It said it had not sold any personal information to third parties for promotional activities.

A Privacy Commission spokeswoman said the office had launched a 'compliance check' on the website.

Commissioner Allan Chiang Yam-wang's guidance note on personal data collection published last year after the Octopus card fiasco, suggesting that instead of a 'bundled consent' in which customers were asked to sign all conditions of service at once, data users should provide a separate space for customers to sign to indicate consent for their data to be used for marketing.

A similar situation was found on fund house Fidelity's website, where customers logging in to their accounts were given only an 'agree' button for a notice with a link to its privacy policy, which suggested customers' data might be passed to its affiliates, intermediaries and service providers for marketing purposes.

A Fidelity spokeswoman said it had not and would not sell customers' personal data to any third party.

A spokeswoman for the Consumer Council said such arrangements would make it inconvenient for customers to access their accounts online and suggested they contact their MPF trustees if they had any doubts.

Democratic Party lawmaker James To Kun-sun said such requirements were legal but absurd.

'If I were the customer, I would need to agree to sell my personal data before I could actually access my personal data. How ridiculous that is,' he said.

To said these financial giants should take the lead in working on data privacy arrangements as society had become more aware of the issue.

In October last year the government proposed tightening the privacy ordinance in light of the Octopus card affair by making sales of personal data a criminal offence, with a maximum penalty of a HK$1 million fine and five years' jail.