Octopus sold personal data of customers for HK$44m

PUBLISHED : Tuesday, 27 July, 2010, 12:00am
UPDATED : Tuesday, 27 July, 2010, 12:00am

Two weeks after it denied selling the personal data of cardholders to third parties, the Octopus Card issuer said yesterday it had made HK$44 million in the past 41/2 years by selling the data.

Making the disclosure at a special hearing conducted by the privacy commissioner, Octopus Holdings chief executive Prudence Chan Bik-wah said she wished to 'sincerely apologise' to affected cardholders.

A lawmaker who has vowed to launch a Legislative Council inquiry called on her to resign.

Chan said that since the Octopus Rewards scheme - operated by two subsidiaries, Octopus Rewards and Octopus Connect - was launched 41/2 years ago, it had sold the data of 1.97 million customers to its six partners in the scheme. As a result each cardholder had been contacted on average 1.7 times.

'The revenue received amounted to HK$44 million, which is 31 per cent of the HK$140 million total revenue of the two companies combined in that period,' Chan said. But taking into account investment and operating expenses the two had reported a combined loss of more than HK$30 million, she said.

Unionist lawmaker Wong Kwok-hing, calling on Chan to step down, said: 'Obviously, what she says now contradicts what she said earlier this month in a press conference her company convened.

'Cheating the public is a very serious matter and the legislature must not just sit back.'

Wong said the privacy commission's investigation focused only on privacy concerns. 'For the Legislative Council, we shall look into the sale of Hong Kong people's personal data by a company that is controlled by a public utility.'

Wong said it was not a criminal offence for Octopus to sell the personal information of customers without their consent, but customers could consider suing the company for compensation in civil proceedings.

According to the Personal Data (Privacy) Ordinance, any person who obstructs, hinders or resists the privacy commissioner in performing his function, or makes a false statement to mislead the commissioner, commits an offence subject to a maximum penalty of a HK$10,000 fine and six months' imprisonment.

Chan said at a press conference on July 7 that the company did not sell the data and did not pass on clients' data without their permission, which was obtained when they signed up for the rewards scheme.

Yesterday, she was asked by Wilson Lee, principal investigator of the Office of the Privacy Commissioner, whether the company had passed the credit card numbers of cardholders to one of its partners, Card Protection Plan (CPP). She replied only that no customers had given permission for this to be done before 2005.

Octopus Cards is wholly owned by Octopus Holdings, whose shareholders are the major transport operators in Hong Kong, with the Mass Transit Railway Corporation the biggest at 57.4 per cent.

A corporation spokesman said Octopus was an independent company, 'but as a shareholder, MTRC believes Octopus Holdings should deal with the issue seriously and co-operate with the statutory body to help ease public concerns'.

Richard Tsoi Yiu-cheong, of the Coalition to Monitor Public Transport and Utilities, echoed Wong's views, saying it was unimaginable that such a senior person of a company could mislead the public. He called for legislation to regulate Octopus, which he described as 'no different from a public utility'.

A total of 2.4 million Octopus cardholders joined the reward scheme. Of the original partners only two, insurance company Cigna and CPP, remain.

Chan said the data passed to the partners included names; partial identity card numbers; partial date of birth, including year and month; mailing address without block and floor details; occupation; gender; range of salary; and spending on the reward scheme.

The inquiry heard that the list was given to Cigna in an encrypted CD-ROM. Lee said Cigna used the data to make marketing phone calls using a script that described them as Octopus Rewards representatives.

Privacy Commissioner Roderick Woo Bun put it to the chief executive of Cigna, Edward Kopp, who gave evidence yesterday, that the public 'might be misled if they received a call from Cigna but were told they were being called by Octopus'.

Kopp said he could not answer this, adding that the telemarketers were its permanent staff and also disclosed they were calling from Cigna. He said the personal data they obtained from Octopus was subject to restricted access by its staff.

The US-based corporation would delete the data 'regularly and completely', Kopp said.

Octopus received income on personal data it gave to Cigna under an agreement signed in March last year.

Legco's financial affairs panel will discuss the issue today.