Octopus Cards Limited is the operator of the Octopus rechargeable contactless smart card used in an electronic payment system in Hong Kong. It is a wholly owned subsidiary of Octopus Holdings Limited. It was established under the name “Creative Star” by the major transportation companies in Hong Kong; Octopus Cards Limited is the operator of the Octopus System and the issuer of Octopus. The Octopus card was introduced in 1997 with the aim of providing a simple way to pay fares on public transport in Hong Kong. Octopus then extended its reach into simple micropayments for purchases in retail outlets and a simple way for cardholders to gain access to buildings and schools and to identify themselves. In January 2002, Creative Star was renamed Octopus Cards Limited. Prompted by the business expansion of the Octopus card, Octopus Holdings Limited was formed in 2005 after a company restructure, and Octopus Cards Limited became a wholly-owned subsidiary of the new company.
The system handles an average of 11 million financial transactions each day. The Government holds a 20 per cent share of Octopus Holdings Pty. The majority shareholder is the central transit authority, the MTR, with a 57 per cent stake.
The issue and its origin
Octopus came into the spotlight in June, after a public survey revealed that more than 90 per cent of the respondents said they hadn’t read the personal information statements when they provided data to apply for Octopus services. The survey results were picked up by then Privacy Commissioner Roderick Woo, who launched an investigation. Woo has since been replaced by new Commissioner, Mr. Allan Chiang Yam-wang, who took office in August.
While still in office, Woo pushed for greater protection of private data, urging the government to introduce stringent regulations for the technologically-infected metropolis. In September 2009 Woo recommended more than 50 amendments to the current privacy bill in a document known as the Personal Data Review.
Among the recommendations was a clause that would curb “irresponsible dissemination of leaked personal data.”
Subsequently, according to local press reports, Octopus had been paid HK$44 million over the previous four and a half years by six companies, including Cigna Worldwide Life Insurance, for data that was used for marketing.
Octopus chief executive Prudence Chan initially denied that data had been sold but she has since backtracked in the face of fierce criticism from Hong Kong’s privacy commissioner Roderick Woo, who had launched an investigation.
Later Chan admitted that the situation had not been handled well, that what the company had said earlier did not fully reflect the truth, and that for this it apologized to the Hong Kong public. She said the company had suspended all such marketing partnerships in a bid to “regain public confidence.”
The Concerned Parties
The parties involved in the controversy were:
Octopus Cards Limited, for disclosing the personal data.
Privacy Commissioner Roderick Woo, whose main concern was how one can lawfully deal with the protection of personal data.
The six companies to which the information was disclosed. These include Cigna Worldwide Insurance Hong Kong, which participates in the Octopus Rewards program, under which customer information is shared to offer special insurance plans.
And, most importantly, the unwitting users of the cards whose privacy was breached.
The Ethical Issues Arising Out Of The Controversy
One focus was whether people who provided their data were informed about the use of their information when collecting their data. Around 10% of the Octopus cards in issuance have personal data attached to them, allowing them to collect reward points, for instance, and providing security if they are lost. In addition, personalized Octopus cards are used for access control at some prominent office buildings and apartment complexes.
Octopus said some of its client data, such as contact information, were sold on to insurers, for instance, who used the information to target policy sales. On average, according to Octopus’s CEO Chan, 1.97 million cardholders had their data passed on since 2006, and each cardholder was contacted by direct marketers on average 1.7 times.
The penalty for such a privacy breach is currently a fine of a few thousand HK dollars, which is an insufficient deterrent for large multi-million enterprises. For them a fine of a few thousand HK dollars is worth paying when the profit derived from selling such personal data is far greater. The penalty represents a minuscule amount for a large multinational.
There has only been one case of monetary penalty due to privacy infringement. This indicates that little attention has been paid to sensitive data handling, considering that privacy breaches have been on the rise in Hong Kong. The current laws in Hong Kong fail to protect citizens and leave them exposed to information abuse.
The privacy infringement reveals very poor management in respect of business ethics and ethical behaviour.
Actions Post The Controversy
The Octopus data leak has sparked public outrage over privacy laws in Hong Kong, with many voicing concern that their private information is being exposed and there are few laws to protect them.
In Hong Kong, because of the amount of customers’ money that Octopus handles, the company is regulated by the Hong Kong Monetary Authority, the city’s banking regulator, as a deposit-taking institution.
The HKMA has asked Octopus to appoint an independent auditor to look at its practices and consider whether the sharing of personal information was lawful.
Roderick Woo recommended making such actions an offence “if a person obtains personal data without the consent of the data user and discloses the personal data so obtained for profits or malicious purposes.”
The majority shareholder of Octopus is MTR whose own majority shareholder is the Hong Kong SAR Government. Octopus should be regarded as a public corporation (not just because it is publicly listed) and as such, the SAR Government should not, and cannot, escape from responsibility concerning supervision and monitoring of business ethics of the company.
Recent news tells that the CEO has resigned amid intense criticisms over her handling of data privacy issues at the company, which last week admitted to selling personal data of nearly two million customers.
The Office of the Privacy Commissioner for Personal Data, Hong Kong, held a public hearing on July 26 on the Cigna-Octopus issue.
The commissioner also served summonses on the people in charge of Octopus Holdings, Octopus Rewards, Cigna and Card Protection Plan.
MTR Corp has apologized again for the privacy scandal involving Octopus Cards.
MTRC chief executive Chow Chung-kong vowed the smart card operator will never again sell any personal information.
The Results After
As CEO of the company and the person who might well initiate such deals, Chan should have had full knowledge of the business. Through her public denial when confronted by the media and legislators who pressed serious concerns on behalf of the public, she has shown the ugliest side of corporate management, namely, a lack of honesty, lack of business ethics, and lack of social responsibility. Business educators at local universities teaching aspiring corporate executives ought to use her case as an example of poor business ethics; and of what the local corporate community should avoid if Hong Kong is going to continue to be a world city of business.
So far the public is still skeptical about the ‘truth’ revealed by Ms Chan. Questions remain as to whether the information so far disclosed is only the tip of the iceberg concerning the misuse of clients’ personal data for the company’s profit. Was the management of the company, including the board of directors, fully aware of the unethical nature of the practice or were they misled by the CEO and her staff? The Privacy Commissioner is yet to report on the incident, and probably even if the finding shows the company did not violate the current privacy law of Hong Kong, legislators should revise the law to increase protection of the privacy of Hong Kong citizens. Legislators also should provide for penalties to deter purposeful violation of privacy by businesses and government organizations.
The Octopus controversy highlights a heightened sense of public awareness for privacy rights. While criticizing the conduct of Octopus for selling cardholder data, a wider issue has been raised as to whether the public’s demands have gone beyond existing rules and regulations.
More significantly, the company has a market monopoly over electronic money in Hong Kong. The system handles an average of 11 million financial transactions per day and affects many aspects of the daily life and work of Hong Kong citizens and firms. It should not be left to the discretion of management, who might lack commitment to business ethics and respect for legal regulations despite their high salaries and impressive educational qualifications. Octopus should be tightly supervised and monitored like the big banks in Hong Kong. Given the present trend of market and technology development, electronic money and electronic payment systems have a great prospect of exponential expansion over the coming years. The monopoly of Octopus will not be on a small scale, nor will Octopus be one of the many ordinary deposit-taking institutions presently registered under the Hong Kong Monetary Authority. The government and the public need to have tight control to avoid not just the misuse of the personal data of a huge number of local citizens but also the potential danger that the management might create financial risks for the company and the local community through a blind pursuit of maximized profits.
Following the disclosure of the information exchange between Cigna and Octopus for marketing purposes, the board of Octopus Holdings Ltd. said on July 25 that on recommendation of its special committee on data privacy, the company and all its subsidiaries will no longer participate in any future activities that require the provision of customer personal data to merchant partners for marketing purposes.
The company added Octopus Rewards is actively working with Cigna and Card Protection Plan Ltd. toward the early termination of their cooperation agreements, which include the provision of certain customers’ personal data for marketing purposes. This move is aimed at alleviating customer and public concerns on personal data handling.
There are various confidentiality requirements in Hong Kong for insurers and insurance intermediaries to observe with respect to client information, which covers insurers, insurance agents and insurance brokers.
For insurers in Hong Kong, the Code on Conduct for Insurers provides that the collection of personal data by insurers and all personal data collected by an insurer is subject to the Personal Data Ordinance.
Insurers should ensure that their employees and insurance agents are aware of their obligations under the ordinance, which also requires insurers to take all reasonable steps to ensure that insurance agents keep client information confidential, according to the OCI.
For insurance agents, the Code of Practice for the Administration of Insurance Agents provides that agents treat all information supplied by a potential policyholder as confidential and comply at all times with the provisions of the Personal Data Ordinance when dealing with personal data provided by potential or current policyholders, noted the regulator.
Under Hong Kong insurance regulations, insurance brokers are also required not to disclose any information acquired from a client except with the written consent of the client or in matters related to the administration of the insurance contract concerned.
These issues were highlighted and made known only after the occurrence of the event, which should not have been the case.
Actions To Be Taken
An incident such as this makes us aware of the various issues faced in a world of competition and profit-driven business. The following actions therefore need to be taken to avoid further breaches of privacy.
Privacy laws should be strengthened to compel companies to be more forthcoming and transparent on how and to whom they distribute personal data.
This goes to the public’s right to know. For example, all telemarketers should be required to disclose the source of the person’s personal data.
To put users’ minds at ease, the best way forward is to terminate all activities that involve the provision of customers’ personal data to merchant partners for marketing purposes.
The government should completely review the regulations. At the same time only reviewing is not beneficial. Actions should be taken to stop this event from happening again.
The government should not take a summer break, but should start working to investigate as soon as possible.
Large companies should change their methods of data collection, adopting a more transparent process.
If there arises a need to disclose personal information to a third party, the user should be duly informed of this, and the data collected should be disclosed only after the user gives consent.
Local legislators together with the privacy commission should find out the complete truth concerning the sale of the personal data of Octopus clients and whether there have been violations of existing privacy law.
The majority owner of the company should also act in good faith, apologizing to the public by returning the 44 million dollar profits, either to the Octopus card holders or to local charity.
Conclusion
A privacy breach is appalling, as it damages the confidence of users. No matter how efficiently a system works, privacy issues have to be handled with care. Falling off the “track” and being insensitive about privacy protection has to be avoided. For this, appropriate regulations and follow-ups have to be conducted by the government, the auditors and the company itself. The stated actions, if acted upon, will be a stepping stone towards the containment of such malpractices undertaken by big companies. This in turn may give us users a reason to trust these companies once again.