Investigation Report
– Octopus Rewards Program
1. The Privacy Commissioner for
Personal Data (“the Commissioner”), Mr. Allan Chiang, published today (18
October) a report (“the Report”) on the results of an investigation
carried out pursuant to section 38(b) of the Personal Data (Privacy)
Ordinance (“the Ordinance”) regarding the collection and use of
customers’ personal data under the Octopus Rewards Programme (“the
Program”) run by Octopus Rewards Limited (“ORL”), a company wholly
owned by Octopus Holdings Limited (“OHL”).
2. The Program is a customer loyalty programme
operated by ORL in collaboration with its business partners.
Customers benefit from (i) redemption of goods and services from these
partners with “Reward Dollars” earned from purchases made upon
presentation of their registered Octopus cards; and (ii) direct
marketing offers from the same or different partners of ORL.
Background
3. Since late March 2010, there had been mounting
public concerns about the handling of personal data by the Octopus
group of companies. Some members of the Program operated by ORL
expressed concerns about their personal data being transferred to third
parties for direct marketing purposes without their knowledge or
consent.
4. On 9 July 2010, an individual claiming to be a
former employee of one of ORL’s business partners, CIGNA Worldwide Life
Insurance Company Limited (“CIGNA”), reported to the press and the
Office of the Privacy Commissioner for Personal Data (“this Office”)
that ORL had sold the personal data of Program customers to CIGNA
for direct marketing purposes.
5. ORL admitted to the public on 20 July 2010 that it
had transferred customers’ personal data to CIGNA and another business
partner, Card Protection Plan Limited (“CPP”).
6. In view of the seriousness of the allegations, the
Commissioner commenced investigations against OHL and ORL on 22 July
2010 to ascertain whether there had been contraventions of the
requirements under the Ordinance.
The investigation
7. The Commissioner conducted a public hearing on 26
July 2010 to take oral evidence from the Chief Executive Officer of OHL
(also a director of ORL), the Chief Executive Officer of CIGNA and the
Authorized Representative of CPP.
8. The Commissioner had considered written replies
and documentary evidence from OHL, ORL, CIGNA and CPP as well as public
announcements and written responses made by OHL and ORL to the Panel on
Financial Affairs of the Legislative Council (“the Panel”). He
had also reviewed documents made available to the Panel for inspection
and records of Board meetings of OHL.
The Commissioner’s findings and decisions
9. Upon completion of the investigations, the
Commissioner found that the Program is designed as a customer rewards
scheme whereby customers benefit from redemption of goods and services
as well as direct marketing offers. The purposes of collection
under the Program are therefore lawful. However, he also found
that ORL had, in the processes of collection and use of personal data,
contravened Data Protection Principles (“DPP”) 1(1), DPP1(3) and DPP3:
DPP1(1) –
9.1 ORL collected excessive personal data, namely, Hong Kong identity
card number / passport number / birth certificate number as well as
month and year of birth, for the purpose of customer authentication.
9.2 ORL could have achieved the same purpose by using other less
privacy-intrusive data (such as telephone numbers and home addresses)
which it had also collected.
DPP1(3) –
9.3 ORL failed to take all reasonably practicable steps to ensure that
the customers applying for enrolment in the Program were explicitly
informed of the classes of persons to whom the data may be transferred.
9.4 The Personal Information Collection Statement (“PICS”) was printed
in unreasonably small fonts (about 1 mm x 1 mm for English characters and
2 mm x 2 mm for Chinese characters).
9.5 The PICS provides for the customer’s deemed consent for ORL to
transfer or disclose personal data held by ORL to “any person” who is
under a duty of confidentiality to ORL including its subsidiaries, its
affiliates and its business partners, whether within or outside Hong
Kong. In effect, ORL has not given customers a reasonable degree
of certainty as to who could have the use of the data. The
discretion rests entirely with ORL.
DPP3 –
9.6 ORL shared customers’ personal data with five business partners for
monetary gains without customers’ prescribed consent.
9.7 The transactions involved were in essence sale of personal
data. Although sale of personal data by ORL is not prohibited by
the Ordinance, it cannot be regarded as the original purpose of data
collection or as a directly related purpose. The average customer would
have expected the Program as a customer loyalty exercise but not as an
arrangement for ORL to sell his/her personal data for monetary gains.
The sale for profit is not stated in the PICS of the Program as a
purpose of data collection. As such, customer’s signature on the
Program Registration Form agreeing to the PICS cannot constitute his
explicit and voluntary consent to the sale of personal data.
10. The Commissioner was satisfied that ORL’s
contravening act or practice was committed with OHL’s authority.
He therefore concluded that OHL is liable for the contravening act or
practice of ORL pursuant to section 65(2) of the Ordinance.
11. Under an arrangement between ORL and CIGNA, ORL
would send a list of Program members to CIGNA and CIGNA’s telemarketers
would call these members to sell CIGNA’s insurance products in the name
of ORL. In this manner, Program members receiving the marketing
calls were not aware that their personal data had already been
transferred to CIGNA and they were in fact dealing with CIGNA’s
staff. This arrangement had adversely affected members’ right to
object in a timely fashion to the data transfer from ORL and to the
further collection of their personal data by CIGNA during the direct
marketing process. In effect, members of the Program were
deceived.
Undertaking obtained from OHL and ORL
12. Pursuant to section 50(1) of the Ordinance, the
Commissioner may serve an enforcement notice on ORL and OHL if he is of
the opinion that ORL and OHL are contravening or have contravened the
requirements under the Ordinance and that the contravention is likely to
continue or be repeated. The Commissioner considers that a recurrence of
the contravention is unlikely and has decided not to serve an enforcement
notice for the following reasons.
13. Firstly, the Commissioner noted:-
(a) OHL’s confirmation that (i) it and/or its
subsidiaries had either ceased or suspended all arrangements with their
business partners as regards transfer or sharing of customers’ personal
data for monetary gains; and (ii) in those cases of suspension of
activities, formal cessation was being actively pursued;
(b) OHL’s public announcement that it and all its
subsidiaries would no longer participate in any further activities that
require the provision of customer personal data to merchant partners
for marketing purposes.
14. Secondly, the Commissioner has obtained an
undertaking from ORL to the effect that :-
(a) excessive personal data collected (namely, Hong
Kong Identity Card number / Passport number / Birth certificate number;
and month and year of birth of customers) will be completely erased and
destroyed within 2 months, with completion of the processes certified
by an independent professional party;
(b) customers’ personal data transferred to the 5
business partners concerned for monetary gains will be erased and
destroyed within 2 months if they have not been erased;
(c) the layout and presentation of the PICS will be
re-designed to comply with DPP1(3) so that it is readily understandable
and easily readable to people with normal eyesight;
(d) classes of data transferees will be specified by
their distinctive features so as to provide a reasonable degree of
certainty as to whom the personal data will be transferred; and
(e) in the event that the personal data of the
existing customers were to be transferred to business partners under
the Program for monetary gains, express and voluntary consent from the
customers must be obtained.
15. Finally, OHL has confirmed that it shall direct
ORL to comply with the latter’s undertaking to the Commissioner.
The Commissioner’s comments
16. The Commissioner is fully aware that the present
investigations are of general public interest because they have
implications which relate not only to the handling of personal data of
more than two million members under the Program, but also to the
practice of many data users and associated parties involved in direct
marketing of products and services. He therefore set out his
comments and recommendations arising from these investigations for
promoting compliance with the provisions of the Ordinance:-
16.1 Compared with businesses and corporations, individuals stand in a
relatively subservient position in their dealings with enterprises. It is
incumbent upon enterprises not to exploit their dominant position
vis-à-vis their customers in the collection and use of personal
data. Any irregularities on their part could jeopardize their
credibility and damage their reputation disproportionately.
16.2 Under the Ordinance as it now stands, there is no requirement for
“opt-in” at the data collection stage as long as the direct marketing
purpose is the original or directly related purpose for which the data
were to be used at the time of collection. However, the
Commissioner considers that “opt-in” definitely affords better data
privacy protection for individuals and seems to be in line with public
expectation for strengthening regulation in this area. The choice
between “opt-in” and “opt-out” should be further debated in the
community to reach a consensus.
16.3 Enterprises should not collect excessive personal data. In
particular, Hong Kong Identity Card number is sensitive information and
extra care should be exercised to ensure its collection is
necessary. The Code of Practice on the Identity Card Number and
Other Personal Identifiers issued by the Commissioner should be
followed.
16.4 To ensure that a PICS is effective, it is necessary for data users
to take into consideration the following factors:-
(a) whether the layout of the PICS (including the
font size) has been designed so that the PICS is easily readable to
individuals with normal eyesight;
(b) whether the PICS is presented in a conspicuous
manner;
(c) whether the language used in the PICS is
reader-friendly; and
(d) whether further assistance from the data user,
such as a help desk or enquiry service, is given to enable the data
subject to understand the contents of the PICS.
16.5 Data users should not define the purpose of use and class of data
transferees in such liberal and vague terms such as “any person who is
under a duty of confidentiality” that it would not be practicable for
data subjects to ascertain with a reasonable degree of certainty how
their personal data could be used and who could have the use of the
data.
16.6 If a data user intends to sell its customer data to third parties
for monetary gains and this is not the original purpose or directly
related purpose for which the data were to be used at the time of data
collection, express and voluntary consent from the customers must be
sought. The consent may be indicated by a signature to that effect or
by ticking a box.
16.7 In cross-marketing, the transferor company should ensure that any
customers’ personal data transferred to the partner company are only
used for the purpose of carrying out the agreed cross-marketing
activities. Typically, the data to be transferred should be
confined to contact data, e.g. name, address and telephone number,
enabling the partner company to approach the customer. There
should be no transfer or disclosure of the customers’ sensitive data
such as credit card number and/or Hong Kong Identity Card number to the
partner company, unless there are justifications based on direct
relevance to the marketing purpose.
16.8 Data users who intend to transfer personal data to third parties
for processing should conduct appropriate assessment of the third
parties to ensure that they would provide adequate measures to protect
the personal data transferred to them. Data users should
incorporate terms into the contracts with these parties to ensure that
a high standard of data protection will be maintained.
16.9 When personal data of customers are entrusted to a third party for
handling, it is recommended good practice that the data user shall
undertake compliance audits or reviews regularly to ensure that the
transferees of the data have taken appropriate data protection measures
in compliance with the Ordinance.
16.10 A data user should not use deceptive or misleading means to
collect personal data for direct marketing. An example is where
Company A holds itself out to be Company B in promoting the product /
service of Company A in circumstances that the called party was misled
to believe that it was Company B which was making the direct marketing
approach for promoting Company B’s product / service and it was based
on such reliance that the called party’s relevant personal data were
provided in the course of the transaction.
Concluding remarks
17. Sale of personal data by ORL for profit was not
an isolated incident in Hong Kong. The practice has been adopted by
business operators in other industries in conjunction with direct
marketing activities. At the time of finalizing the Report, the
Commissioner is still investigating possible contraventions of the
DPPs under the Ordinance by four banks and three telecommunications
operators in relation to the transfer of customers’ personal data to
third party business partners.
18. While ORL has ceased the unauthorized sale of
personal data, the public has professed a strong distaste for its past
conduct. However, although the Commissioner has found contraventions
of DPP1(1), DPP1(3) and DPP3 by OHL and ORL, there are severe
restrictions on what punitive action the Commissioner can take as a
follow-up under the Ordinance. Contravention of a DPP by itself is not
an offence. This highlights the inadequacies of the present
provisions under the Ordinance against the background of rising public
expectations to protect personal data privacy.
19. The Government will put forth a set of
legislative proposals on amendments to the Ordinance. The
Commissioner appeals to the stakeholders and the general public to
engage in the ensuing public discussion which should aim to resolve,
among other things, the following:-
(a) whether and how the controls and penalties should
be increased to ensure that data users will act according to the
authorization given by data subjects; (The Commissioner is in favour of
greater controls and heavier penalties.)
(b) whether and how new legislative safeguards should
be introduced to regulate sale of personal data for direct marketing
purposes; (The Commissioner is in favour of new legislative provisions to
regulate such sale activities.) and
(c) whether the enforcement power of the Commissioner
under the Ordinance should be strengthened to further enhance personal
data privacy protection. (The Commissioner is in favour of
greater enforcement power.)
Access to the full Report
20. For details of the case background, findings, the
Commissioner’s recommendations and other comments, please refer to the
Report. The Report is available for download from PCPD’s website
(www.pcpd.org.hk), and copies can also be collected at the Commissioner's
Office.
END