Octopus excuse has no leg to stand on

Hong Kong people surely lead in using smart cards. The Octopus card has become so popular it has become an essential part of life here.

But it is also exactly because of the card's wide use that the issuing company should be held to the highest standards in protecting cardholders' personal data.

In the business world, a client database is valuable and can be sold for a handsome sum. As a private company in nature, Octopus Holdings may be tempted to explore all possible ways to increase revenues. Also, the market has speculated that Octopus, given its profitability, is a candidate for stock listing.

If not for the scandal developing around the company's sale of a large quantity of personal data to at least one business partner, I think SAR people would be proud of the product's success.

There are similar smart cards elsewhere, such as the Oyster card in London, and Transcard, commonly called Shenzhen Tong, in the mainland.

However, Octopus is by far more developed than others in applications. It's no longer limited to transportation, but is increasingly used in shopping as a friendly alternative to cash. In recent years, it has also served as an entry pass for buildings. As the scope of application widens, so does the range of personal information stored.

The Octopus Rewards - a redeem reward scheme run by a subsidiary - is a glaring example.

Compulsory fields in the registration form include gender, English name, Octopus card number, Hong Kong identity number, birth date, e-mail address, phone number, and the street and district of the holder's home address. I would say that's a lot of details.

As Octopus chief executive Prudence Chan Pik-wah disclosed earlier, some 2.4 million cardholders have provided such information to register for the rewards scheme. It was on the same occasion that Chan sought to assure her firm wouldn't divulge customers' data to third parties.

Throughout the media session, Chan and other company staff were evasive as to whether it had already sold holders' personal data to business partners. So it was most unfortunate to hear yesterday that it had in fact sold a large amount of the data to an insurance firm participating in the rewards scheme.

Why was Octopus evasive in the first place? Why couldn't Chan be frank rather than going to great lengths to assure cardholders that their personal data were in safe hands? There is a host of questions begging answers.

Clearly, it's a bad example of crisis management to wait until the truth is uncovered by investigative reporters.

There is the old saying that it's impossible to wrap fire in paper. It's merely wishful thinking to believe otherwise.

Could the situation have been different if Octopus admitted selling the data in the first place, and told the public the situation had been remedied since then?

It will be best for Octopus to diffuse the saga by telling the truth, the whole truth, and nothing but the truth.