Octopus Group Chief Executive Prudence Chan's botched handling of the Octopus fiasco to cover up selling customers' personal data has come as an eye-opener to the Hong Kong public.

Following an initial vehement denial, yielding to public outcry she finally came clean with the truth: the Octopus card issuer had sold the personal data of nearly 2 million customers to six business partners for HK$44 million over the past four years. In other words, cardholders' private data has become a cash-cow for Octopus without their knowledge. It also explains why every day we are hassled by all sorts of junk callers who seem to get hold of our information.

Needless to say this shocking revelation has angered the company's 4 million cardholders, who would naturally feel betrayed and in fear that their personal data may be misused. What makes matters worse is Chan's seeming lies about the sell-out and her further attempt to evade responsibility by quibbling over the actual meaning of "selling". According to her, selling meant directly selling the data instead of signed contracts with other business organizations.

Her lame explanation will serve as nothing but an insult to our intelligence. What is more disturbing is her refusal to surrender documents concerning Octopus' dealings with the six companies in question. We do not know how much truth is still swept under the carpet and whether the contract terms will allow those six companies to sell or transfer the cardholders' data to other parties. Neither do we know how much more Octopus had been gaining from this lucrative sale before 2006.

The horrid practices behind this fiasco are not only about ever-increasing harassments from junk callers, but also the possibility that our data will be misused by fraudsters leading to more crimes. There are also loopholes in the existing regulatory and supervision mechanism, especially when the MTR Corporation, the biggest Octopus shareholder and which in turn is majority-owned by the government, appeared to be turning a blind eye to the personal-data transactions.

According to Chan, MTR's board of directors who also sit on the board of Octopus, were informed of those transactions. Meanwhile, MTR Corp's spokesperson said the company had questioned the legitimacy of the data sale but that Octopus had insisted such a practice was legal. However, such an unsatisfying reply will only raise public doubts on the role and function of the MTR Corp. As a major shareholder of Octopus, the public would not just expect the MTR Corp to rubber stamp any decisions made by Octopus and it is common sense that selling customers' personal data is at least unethical, if not entirely illegal.

In fact, in order to get away with the law, it is very common that customers are required to sign a statement with terms and conditions in such small print that one would need a magnifying glass to be able to read the words. It would not be surprising if at the end of the day, Octopus is found not to have breached the Personal Data (Privacy) Ordinance. Even if it is found flouting the law, what the Privacy Commissioner can do is no more than to issue a warning and only repeat offenders would face a maximum penalty of a fine of HK$50,000 and two years' imprisonment. It is no wonder that outgoing Privacy Commissioner Roderick Woo called himself a toothless tiger.

It is high time for the government to plug the loopholes and give more power to the Privacy Commissioner by amending the law, as well as to strengthen the governance of Octopus by reshuffling its senior management. In the long run, the government may consider introducing competition in the market. Last but not least, it would be best for Octopus to donate the HK$44 million to charity to restore public trust.

The author is a current affairs commentator.

(HK Edition 07/30/2010 page2)