Government must stop loopholes

OCTOPUS has made money by selling itscustomers' personal data. The affair hassnowballed. Because of what has beenrevealed, some citizens are apprehensive that thepersonal data of about four million citizens in Octopus'spossession may be improperly used. There areloopholes in the Personal Data (Privacy) Ordinance.Citizens have reason to wonder if any other businesshas made money by selling personal data.

Octopus has announced it will appoint acommittee to look into the affair. Not independent ofOctopus, the committee cannot possibly seemcredible. The Hong Kong Monetary Authority, whichsupervises Octopus, has said it has asked thecompany to have an independent auditor look into theaffair and required that it publish the auditor's findings.One may say the move is aimed at rectifying Octopus'smistakes.

Apart from seeing that the truth of the Octopusaffair will come out as soon as possible, thegovernment should seize the opportunity to reviewpersonal data collection with a view to stoppingloopholes. From what has become clear in theOctopus affair, the government should at least do thefollowing three things.

(1) Our investigative reporters have discoveredfour major store chains' points cards pose the dangerof personal data being leaked. It is stated in their termsand conditions that personal data may be transferredto any other person under a duty of confidentiality tothe card issuer. Privacy clauses do not appear in alltheir handouts or forms. To peruse them, applicantsmust visit their websites. There is a clause saying aperson's data may be used for marketing even if hiscard has been cancelled. There is no clause that saysdata will not be transferred to third parties.

The government should look at those terms andconditions and list clear restrictions on businesses'collection of their customers' personal data.Furthermore, it should be laid down that no citizen'spersonal data should be used for marketing purposesunless he has indicated his consent in his applicationform.

(2) During a hearing, Privacy CommissionerRoderick Woo, narrowing his eyes, perused a copy ofthe Octopus Rewards registration form through amagnifying glass. He did so jokingly to show the manyclauses were in such small print that few people wouldperuse them, still less senior citizens. It was notyesterday that businesses began to have contractualdocuments to be filled in and signed by their customersprinted in extremely small print. That is long-standingpractice. The government should lay down rules tomake sure that such documents are easy to read.

(3) The Privacy Commissioner has

unprecedentedly exercised his statutory power to call apublic hearing on the Octopus affair. Though he seemsto have thrown his weight about, he is actually atoothless tiger. At the hearing, Privacy CommissionerRoderick Woo asked Octopus Chief ExecutivePrudence Chan to explain things but to no avail, andshe refused to surrender documents. In investigating acompany's possible breach of the personal Data(Privacy) Ordinance, the Commissioner may not evenmanage to obtain documents unless the companycooperates. It can thus be imagined how effectivelycitizens' privacy is protected. It is the government'stask to decide how to turn the Privacy Commissionerinto a tiger that has teeth.

Yesterday Roderick Woo revealed a bank hadsold the data of 200,000 of its customers to directmarketers. He has made a ruling on the case, and thebank has appealed. Clearly, it is quite common forcompanies in possession of large quantities ofpersonal data to sell them for profit. The governmenthas a duty to end the privacy crisis triggered by theOctopus affair so that citizens need not fear theirprivacy is not protected.

明報社評2010.07.28

八達通暴露私隱漏洞政府須堵塞保障市民

八達通出賣客戶資料賺錢事件，事態如滾雪球般愈滾愈大，從目前已經顯露的情况，單是八達通坐擁約400萬客戶資料，是否使用恰當，市民忐忑不安；而基於私隱法例漏洞，還有沒有其他機構出賣客戶資料以牟財？市民有合理疑問。

八達通宣布自行組織了一個委員會，調查事件，自己人查自己人，根本無公信力；職司監管八達通的金管局，表示已要求八達通公司外聘審計師進行調查，結果要向公衆公布，此舉可視為金管局糾正八達通偏頗的做法。

除了盡快釐清八達通事態真相，政府應趁機會全面檢視這類收集市民資料的做法，堵塞漏洞。從八達通事件所披露情况，起碼有3 方面值得檢討改善。

（1）本報記者追訪發現，除了八達通，目前四大連鎖店的積分卡也隱藏泄私隱陷阱，這四張卡的條款都列明可把個人資料轉移給「商戶或有保密責任人士」，有申請者所填寫表格及單張，並無私隱條款，要申請者自行上網查看，有條款更言明取消卡後，有關資料仍然可以繼續作促銷之用，亦沒提及資料不會轉移給第三者。

所以，經此一事，有關這些公司與客戶簽訂的合約條文，政府應該研究予以明確規定，商號收集客戶資料要有一定限制；另外，要讓市民在填寫表格時，除非主動選擇接受，否則個人私隱資料不得作促銷活動之用。

（2）吳斌在聆訊時，當場拿出放大鏡，瞇着眼細看八達通日日賞登記表格，藉此諷刺條款的字又小又多，認為市民、特別是長者不可能仔細閱讀。關於一些公司要客戶填寫、簽署的一些合約文件，刻意把條款印得密麻麻的情况，由來已久，並非始於今日。政府就此亦應作相關規定，以方便市民閱讀為大前提。

（3）今次個人私隱專員根據法例所賦予權力，公開聆訊八達通事件，其實是破天荒做法，雖然私隱專員「大發神威」，實質上仍然只是「無牙老虎」。例如在聆訊中，吳斌要求八達通行政總裁陳碧鏵解釋的事項，往往不得要領，她也不肯交出資料。由此可見，關於追查是否違反私隱條例，若有關公司不合作，主管其事的私隱專員，連文件也拿不到，保障市民私隱的成效就可想而知了。如何使私隱專員成為「有牙老虎」，是政府強化其職能的課題。

昨日，吳斌透露有銀行把20 萬客戶資料傳送出去，進行直銷活動，他已就此裁決，銀行亦進行上訴。由此看來，擁有大批市民私隱資料的公司、商號，出售客戶資料賺錢的做法，相當普遍。政府有責任弭平這次由八達通引發的「私隱危機」，使市民免卻私隱不保之憂。

Glossary

apprehensive /?aprI'hensIv/uneasily fearful.credible /'kredIb(?)l/worthy of belief.throw one's weight aboutIf you throw your weight about, you use yourposition of authority or power in an aggressiveway.