In response to media reports on the 12 investigations on the Octopus group of companies carried out by the Office of the Privacy Commissioner for Personal Data (“the PCPD”) since 2004, the PCPD wishes to make the following statement.
1. Since 2004, the PCPD has completed 12 cases which involved the Octopus group of companies.
2. Of these 12 cases, 9 were not related to the Octopus Rewards Programme (“the Program”). 4 cases related to the time before the launch date of the Program, November 2005.
3. Of the 12 cases, 3 were related to the Program.
4. According to the gazetted Complaint Handling Policy of the PCPD, upon receipt of a complaint, the PCPD will contact the complainant and the party complained against for preliminary enquiry to see whether the case can be resolved without a formal investigation. Normally, the PCPD, through mediation, will explain the requirements of the Personal Data (Privacy) Ordinance (“the Ordinance”) to the data user involved and request it to take remedial action. If the data user has taken remedial action and the complainant is satisfied, the case is then fully settled. The data user concerned will also be issued a warning or given advice and recommendations. Under the circumstances, the Commissioner will not commence a formal investigation under section 38 of the Ordinance. The PCPD will inform the complainant of the decision not to proceed with a formal investigation and the reasons for the decision.
Regarding the 3 cases involving the Program, the PCPD has handled them properly based on the facts of the case and within the scope of the complaint under the Complaint Handling Policy. There was no cogent evidence that made it apparent that the Octopus group of companies had sold customers’ personal data to third parties for profits.
5. The latest investigation was the first of its kind carried out against the Octopus Rewards Limited and its holding company, the Octopus Holdings Limited with respect to the sale of personal data for profits pursuant to section 38 of the Ordinance. The difference between this investigation and the above-mentioned 3 cases was that the PCPD this time got information from an individual claiming to be a former employee of CIGNA Worldwide Life Insurance Company Limited (“CIGNA”) saying that 2.4 million members’ personal data in the Program were sold to CIGNA for profits. In view of the huge amount of personal data involved and the seriousness of the alleged contravention under the Ordinance, the PCPD initiated a formal investigation under section 38 of the Ordinance.
6. To effectively utilize the limited resources, the PCPD has to adopt the “Selective to be Effective” approach. It cannot carry out formal investigation under section 38 of the Ordinance for all the enquiries and complaint cases received. For investigations carried out pursuant to section 38, the PCPD has to deploy substantial resources. Relevant work includes summoning of witnesses, conducting public hearings, taking statements from parties involved, examining relevant documents, inspection at premises of the parties being investigated, etc. For example, during the two and a half month investigation period of the recent completed case, the PCPD has allocated one third of its investigation officers just for the case.
7. The PCPD emphasizes that it handles each case according to the individual facts of the case and the specific scope of the complaint. The PCPD will not at the same time examine all other work procedures of the party complained against to ensure that they comply with the requirements under the Ordinance. It is the basic duty of individual organizations to ensure that all their business activities comply with the requirements under the Ordinance. The PCPD cannot take over this duty from them. In this regard, the PCPD is pleased to note that the Octopus group of companies will take measures to comply with PCPD’s stipulated requirements and improve the protection of personal data privacy in compliance with other Data Protection Principles.