The Octopus card issuer had been warned twice but still went ahead with the sale of cardholders' personal data, according to internal documents seen by a lawmaker.
The development came after Standard Chartered yesterday admitted it had used its clients' personal data for marketing of insurance products provided by a third party.
As early as 2003, a year after Octopus started the data business, the Monetary Authority had advised Octopus Holdings not to obtain a separate insurance intermediary licence for the sale of data to insurers.
A consultant had also recommended that the company halt its data business in 2004, said lawmaker James To Kun-sun, who yesterday read records kept by Octopus at a law firm for Legislative Council perusal.
There would be a 'reputation risk of overusing customer information', documents dated 2004 and 2005 quoted a report by consultancy firm McKinsey as saying. McKinsey also noted that significant investment would be needed to develop the data business and it would not be viable.
'The board of Octopus cannot shirk its responsibility. They should have wound up the data business at that point,' he said. Yet in 2007, Octopus continued to sign new contracts selling data, he said.
