Top retailer ticked off by privacy commissioner over data lapses
After a year-long investigation commissioner finds some companies have been too free and easy with their customers' personal details
One of the city's biggest retailers has been rapped on the knuckles by the privacy watchdog for putting at risk the personal details of 1.6 million customers who signed up for its loyalty programmes.
An investigation by the Privacy Commissioner found that the customers of ParknShop supermarkets and Watsons health and beauty products retailer were asked to supply too much personal data, including their ID number and date of birth.
In a stern statement, commissioner Allan Chiang Yam-wang criticised the A. S. Watson Group, which owns both chains, for "a lack of sensitivity to privacy and data protection". He also slammed it for being "evasive and slow" in responding to inquiries during the investigation.
Yesterday the commissioner released his report after more than a year investigating the A. S. Watson Moneyback card, the Fun Fun Card run by the China Resources Vanguard supermarkets, and the Mann Card run by Dairy Farm through its Mannings chain, Watsons' rival.
The Mann Card has 400,000 members, and the Fun Fun Card 180,000 members.
The commissioner said the Moneyback card contained one clause that permitted the transfer of personal data to Hutchison Whampoa Group for its marketing of goods and services.
A. S. Watson is a retail arm of Hutchison Whampoa, which in turn is part of tycoon Li Ka-shing's Cheung Kong Group.
"This causes grave concerns for privacy," said Chiang, "The Hutchison Whampoa Group has about 300 principal subsidiaries and they operate a very wide range of businesses.
He said A. S. Watson made some revisions during the investigation, like using bigger fonts for the application form to make the terms easier to read. But he described such revisions as a "half-hearted exercise".
The inquiry found no evidence that any of the retailers had transferred or sold customers' personal data to third parties.
Chiang was also satisfied that both Dairy Farm and Vanguard had taken adequate steps to rectify their contraventions after revising their application forms and erasing the ID numbers and birth years previously collected.
However, he issued an enforcement order on A S Watson, giving it two months to erase the partial ID numbers of members it has collected and six weeks to revise the programme's terms and conditions.
A. S. Watson said it would consider appealing. "We do not agree we are contravening or have contravened any requirement under the [privacy law]. We have fully co-operated with the [privacy commissioner] and actively responded to their enquiries in timely manner. We are disappointed [with] the allegations of the [ commissioner]."