Company made HK$44m selling private information of card users

Octopus raked in roughly HK$44 million from the sale of personal data of nearly two million users of the city's Octopus smart card over the past four and a half years.

The apparent reversal in the company's position from previous statements that it did not sell user data came under the glare of the public spotlight, as the Chief Executive Officer of Octopus Holdings Limited Prudence Chan was called up before the Privacy Commission for Personal Data Monday to testify at the official investigation of her company's practices.

The investigation seeks to determine what personal data of users was shared and if there had been any breach of the Personal Data (Privacy) Ordinance. Octopus has been accused of misusing personal data by selling consumer data for direct "marketing of goods and/or services" by "selected business partners" and "other purposes" as stated in the company's privacy policy.

According to Chan's testimony, the personal data of 1.97 million customers was sold to merchant "partners", adding the HK$44 million profit made up nearly one-third of the HK$140 million total revenue of Octopus Connect Limited and Octopus Rewards Limited combined, although the two companies reported a loss of more than HK$30 million, she said.

The revelations came on the back of an apology from Chan. "We would like to sincerely apologize for the concerns that the provision of personal data for marketing purpose has caused to our customers and members of the public," she said. She said her company had two remaining merchant partners, both insurance companies, down from six since 2002.

Criticisms about the wording of the card's privacy policy have been gathering momentum, while reports that the personal information of 2.4 million Octopus users had been shared led Octopus Holdings and its subsidiaries to end the company's merchant partner programs for marketing purposes.

Chan said the Company will terminate yet-to-expire cooperation agreements with US-based Cigna and UK-based CCP Group's Card Protection Plan Limited with marketing activities already discontinued.

She said Octopus was contracted to provide the data of 750,000 customers to Cigna while her company would receive commissions if customers bought products from Cigna.

Also appearing Monday, Chief Executive Officer of Cigna Hong Kong Edward Kopp revealed telemarketers were trained and paid by his company but were under instructions to misrepresent themselves as agents of Octopus Rewards Limited, under a cooperation agreement. Privacy Commissioner Roderick Woo Bun queried whether such a portrayal could be misleading to the public.

Kopp also denied his company ever paid Octopus for data, although he admitted commissions paid to Octopus were tied to the amount of customers' data forwarded to his company.

He said his company had independently certified privacy protocols and was given the personal information of about 50,000 Octopus Rewards customers monthly. The information included names, telephone contacts, street addresses without flat or floor numbers, along with the first five digits of the HKID, month and year of birth, gender, occupation and salary range.

He added the data was destroyed at the end of marketing campaigns.

He also said the data would never leave Hong Kong.

Authorized Representative of Card Protection Plan Grace Tsang told the hearing her company had outsourced telemarketing activities and as such had passed on personal data obtained from Octopus.

She said all telemarketers contracted signed non-disclosure agreements and were not allowed to use any recording equipment while working. The telemarketers were provided the names, telephone contacts and genders of the prospects.

Once a week, an employee from CPP would visit the telemarketing office to conduct sales evaluations and ensure records were purged and logged, she said.

She said Octopus was aware of the outsourcing and save for customers' names, all data would be purged after three months, with the remainder purged after half a year.

Speaking after the hearing, Woo said more companies could be called to testify, but added there has not been any scheduled to give evidence.

The Commission is expected to wrap its investigation in two months.

Attending the hearing, Hong Kong Federation of Trade Unions lawmaker Wong Kwok-hing reiterated to reporters that the Legislative Council might use its Powers and Privileges Ordinance to force the company to make full disclosure to give a clear picture how far and how deep the problem was.

China Daily

(HK Edition 07/27/2010 page1)