Octopus and privacy

AN Octopus card contains information on itsholder's rides and purchases. Much sensitiveinformation is stored in a personalisedOctopus card - its holder's name, identity card numberand even credit card number. Octopus cards are likeelectronic identity cards and tracking devices. It is aconcern whether their holders' privacy is protected.Yesterday, Privacy Commissioner Roderick Woo madeit clear that his office would investigate on its owninitiative whether Octopus Card Limited had violatedthe Personal Data (Privacy) Ordinance in handling itscustomers' personal data.

As such data have much to do with huge businessinterests, the public have long harboured worry. At anobscure spot in the right lower part of the company'shome page a link called "personal data policy" can befound. There one may access a long document insmall print that is about what the company does withpersonal data. According to this document, thepurposes for which card holders' personal data may beused include "designing new or improving existingservices provided by us, our subsidiaries and ouraffiliates for customers' use" and "marketing of goodsand/or services by us, our subsidiaries, our affiliates orany of our selected business partners". We do notthink many Octopus card holders have perused thatstatement. But what do those expressions mean?Would Octopus Cards Limited sell card holders'

personal data to its "selected business partners"? Inwhat circumstances would it do so? How does itprotect card holders' privacy? The public are full ofdoubts and suspicions.

Octopus Cards Limited is not an ordinary privatecompany. It was jointly set up by the MTR Corp,KCRC, KMB, City-Bus and the Hong Kong andYaumatei Ferry in 1994. It expanded into the retailsector in 2000, when the Hong Kong MonetaryAuthority issued it with a deposit taking companylicence. Now Octopus is very much a symbol of HongKong. Octopus Cards Limited is essentially one ofHong Kong's leading public utility company.

The company, which has a very special status,holds important personal data of Hong Kong people. Itmust tell the public in detail how it protects itscustomers' privacy. It must not keep citizens in thedark or just deal with this matter casually. It does notdo just to issue a statement saying it "strictly complieswith the requirements of the ordinance and protects itscustomers' right to privacy" as it did yesterday.

It is indeed a major technological feat Hong Konghas achieved that Octopus cards have becomepopular. Octopus cards make life much moreconvenient in the SAR. They save people the troubleof keeping or giving change. The technology is indeedwell worth introducing to other places. Nevertheless,technology is a double-edged sword. If Octopus dataare misused, Hong Kong people's privacy will beviolated. It is hoped that Octopus Cards Limited willcooperate with investigators of the Office of the PrivacyCommissioner and tell them on its own initiative how itprotects card holders' privacy. If it does so, Hong Kongpeople's doubts will be dispelled, and they will beparticularly proud when Octopus cards are used in allparts of China and even other parts of the world.

八達通儲存敏感個人資料應主動配合私隱專員調查

八達通不單記錄了持卡人乘坐交通工具及購物的資料，個人八達通帳戶更包括了姓名、身分證號碼甚至信用卡帳戶等敏感個人資料，猶如個人電子身分證及追蹤器，客戶私隱有否獲得保障備受關注。個人資料私隱專員吳斌昨日表明，將主動調查八達通公司處理客戶資料時有否違反《私隱條例》。

由於資料庫涉及龐大的商業利益，早已引起公眾質疑。在八達通公司網頁右下角一個不起眼的位置，可找到一個名為「個人資料聲明」的連結，內附一份數頁長、文字密麻麻的文件，列明八達通公司如何處理個人資料，當中提及「持有人的個人資料可作下列用途」，其中兩項是「設計本公司、其附屬公司及聯屬公司供客戶使用而提供的新服務」，以及「推廣本公司、其附屬公司、聯屬公司或任何選定商務伙伴的貨品及╱或服務」。這份聲明相信絕大部分八達通持有人都沒有詳細閱讀過，但這些字句到底意味什麼？八達通公司會否把持卡人的資料出售予其他「選定商務伙伴」？在什麼情况下會出售？持卡人的私隱又受到什麼保障？公眾仍是滿腹疑團。

八達通並非一家普通私人機構，1994 年由地鐵、九鐵、九巴、城巴和香港小輪共同組成，2000 年更獲金管局簽發「接受存款公司」牌照，正式進軍零售業。如今八達通已經猶如香港的代表。八達通根本就是一家香港重點公共事業。

這家有獨特地位的公司，持有港人重要的個人資料，公司如何保障客戶的個人私隱，必須詳細交代，不能黑箱作業、馬虎了事，更絕非如昨日般發出聲明強調「嚴格奉行法例之要求，保障客戶私隱之權利」，就能交差。

八達通的成功普及，確實是香港的一項重要科技成就，為港人生活帶來極大方便，免卻了輔幣找贖之苦，極有向外推廣的價值；但科技是雙刃刀，若使用不當，將賠上港人私隱被侵的代價。若八達通公司能主動配合私隱專員的調查，主動交代如何保障卡主的私隱，讓公眾釋疑，日後八達通能在全中國甚至其他國家「一卡通行」時，港人定將倍感光榮。

Glossary

on one's own initiative

If you do something on your own initiative, youdo it without anyone telling you to do it.

in the dark

knowing nothing (about something).double-edged sword

something that has both advantages and disadvantages.