Local businesses should draw up their own ways of managing data collected from customers to maximise the value of the materials without running afoul of a privacy breach, a former British regulator of information rights says.
While "big data" can spell ample business opportunities, a company must be careful not to antagonise consumers when tapping into their private data, or it may risk a strong backlash that can destroy its hard-earned reputation, Richard Thomas says.
“Personal information can be a great asset, but it can also be a toxic liability,” Thomas, who was British information commissioner between 2002 and 2009, told the South China Morning Post in an exclusive interview.
He also warns that changes in technology mean consumers are leaving electronic footprints every time they surf the internet, send an e-mail, make a call or shop with credit cards.
“The ability to monitor people’s activities, their behaviours, their preferences and their relationship gives incredible power if they get into the wrong hands.”
Thomas was referring to the 2012 scandal of US retailer Target, which guessed – with great accuracy – which shoppers were pregnant by singling out those who were buying more unscented lotions and health supplements.
The chain sent them coupons for baby products, triggering a strong public reaction, especially in cases where people failed to conceive or lost the baby.
“Just because technology means something can be done does not mean it should be done,” Thomas said.
In recent years, Hong Kong has seen its fair share of the wrongful collection and use of personal data, involving the Hospital Authority, the police, smart-card operator Octopus and health club California Fitness.
On January 23, the city’s Office of the Privacy Commissioner for Personal Data said the number of complaints and enquiries recorded last year rose 48 per cent and 27 per cent, respectively, from 2012. More than three-quarters of the 1,792 complaints were made against private organisations.
Thomas says the biggest challenge for businesses is in understanding the right balance.
“In the same way you don’t want to deliver faulty or damaged goods, or you don’t want to provide a service which is defective, you have to handle people’s personal information seriously,” he said.
In Europe, most corporations now have their own privacy programmes that set out how data is collected and handled, he says.
The mechanism ensures they do not collect inappropriate or excessive information. Some companies also hire data protection officers, he says.
In August, Hong Kong’s privacy watchdog put a stop to smartphone application Do No Evil, which made it convenient for users to search an individual’s bankruptcy history and any legal actions he was involved in. More than two million records were available in the database.
Thomas says he believes similar action would have been taken in Europe and Britain.
The privacy commissioner’s office concluded that the app breached the law as it used the information, with no consent obtained, for a purpose other than why it was first collected.
But the information technology industry says the office’s decision unduly restricted the use of public information.
Thomas cautioned: “There is a very big difference between a database which is available to the public at large and information which is available just to businesses where some of the limitation can be explained.”
For example, he says, a law firm that needs the information to mount legal action can justify its use.
“But if it is just a smartphone application where everybody has access to the information, even though that was in the public domain, then I think there is still some legitimate data protection concerns,” he says.