The Hong Kong Privacy Commissioner's Office (PCO) published the Octopus investigation report yesterday (18 October 2010). Whilst the PCO's findings on Octopus are based on the facts of that case, its recommendations impact all data users.

PCO concludes that Octopus contravened data protection principles (DPP) - DPP1(1), DPP1(3) and DPP3

  1. Octopus collected excessive personal data, namely, the members' identification number (HKID Card/Passport/Birth Certificate) - in contravention of DPP1(1);

  2. Octopus failed to take all reasonably practicable steps to inform the members of the classes of transferees of their personal data having regard to the small print of the relevant wording on the application form, and its failure to identify the transferees with a reasonable degree of certainty (wording like "any person who is under a duty of confidentiality to Octopus" was found to be too liberal and vague and thus inadequate) - in contravention of DPP1(3); and

  3. Octopus sold the members' personal data to third parties for monetary gains without members' express consent - in contravention of DPP3.

Implications of PCO's recommendations

PCO expressly recognises direct marketing as a normal business activity serving both data users and the consumers. PCO has no intention to restrain or curb direct marketing activities. In making recommendations, PCO is mindful of the need to (i) give practical guidance to data users on how to comply with the requirements under the Personal Data (Privacy) Ordinance (PDPO) in conducting direct marketing activities and (ii) better protect general public's data privacy.

PCO's recommendations focus mainly on collection and transfer of consumer personal data to unrelated third parties with the ultimate purpose of using them for direct marketing. These recommendations have far-reaching implications on data users. Key recommendations include:

  1. The HKSAR Government will soon put forth legislative proposals to amend the PDPO. The public and relevant parties should seriously debate and resolve:

    1. with respect to collection and use of data for direct marketing purposes, whether to replace the existing "opt-out" right of individuals under the PDPO by the "opt-in" right - PCO favours measures and controls moving in the direction of "opt-in";
    2. whether and how controls and penalties should be increased to ensure data users act according to the authorisation given by individuals - PCO favours greater controls and heavier penalties;
    3. whether and how new legislative safeguards should be introduced to regulate sale of personal data for direct marketing purposes (including making such sale without the individuals' express consent a criminal offence) - PCO favours new legislative provisions to regulate such sale; and
    4. whether the enforcement power of PCO under the PDPO should be strengthened to further enhance data privacy protection - PCO favours greater enforcement power;

  2. Data users should make personal information collection statements (PICS) more reader-friendly by using simple language, appropriate font size, highlights, key words and contrasts. Data users should present PICS in a conspicuous manner and offer help desk or enquiry service to help individuals understand the contents of the PICS;

  3. Data users should avoid liberal and vague terms in describing the purposes of use and classes of transferees of personal data. Data users should use language which will make it practicable for individuals to ascertain with a reasonable degree of certainty how their data will be used and shared;

  4. Data users should obtain individuals' express and voluntary consent before selling their data to third parties for monetary gains;

  5. Data users that possess a dominant position vis-a-vis individuals should not exploit their position in the collection and use of personal data. They should be mindful of their dominant position and exercise great care to ensure compliance of the requirements under the PDPO;

  6. Individuals should have the right to elect standard benefits only and confine collection and use of their data for purposes of enjoying those benefits, and declining collection and use of data for enjoying additional benefits or other purposes;

  7. Data users should not collect excessive data and should not collect sensitive data such as HKID Card number if less sensitive data would serve the objective. Data users should comply with the PCO's Code of Practice on the Identity Card Number and other Personal Identifiers in handling sensitive personal identifiers; and

  8. In addition to reiterating its existing requirements on cross-marketing activities, PCO recommends that data users should not allow their business partners to represent themselves as the data user in making marketing approaches to individuals.

On the same date of publishing the Report, PCO issued the "Guidance on the Collection and use of Personal Data in Direct Marketing". It replaces the existing Guidelines on Cold-Calling and Guidance Note on Cross-Marketing Activities.

Balancing legitimate commercial activities and data privacy protection

The Octopus incident focuses public's attention on use of personal data for direct marketing. When used appropriately, direct marketing and cross marketing activities can benefit consumers as well as business operators. As alluded in the PCO's Report, it is important to balance legitimate commercial activities and consumer data privacy protection. In particular, before imposing criminal liability, great care should be given to target specific, serious, intentional and culpable acts which should be clearly identified and defined under the PDPO. It is imperative that legislative changes reflect the balance and refrain from unintended interference with normal, legitimate commercial activities.

HKMA commissions audit on Octopus Cards Limited

Octopus Cards Limited (OCL) is a deposit-taking company supervised by the Hong Kong Monetary Authority (HKMA). OCL is required by HKMA under section 59(2) of the Banking Ordinance to submit an independent auditor report on the assessment of OCL's processes and practices for handling Octopus cardholders' data. HKMA published auditor's interim findings yesterday (18 October 2010). HKMA has sent a copy of the interim report to PCO and will consider necessary follow-up action after the final report is available. HKMA will require OCL to implement auditor's recommendations and monitor its progress in liaison with PCO. HKMA will also liaise with the banking industry to ensure that banks and other authorised institutions will follow the latest standards set by PCO.

For inquiries related to this Legal Update, please contact:

Sara Or (

On Yee Tam (

Learn more about our Hong Kong office, Banking & Finance, Company Secretarial, Corporate Governance, Employment & Benefits, Financial Services Regulatory & Enforcement, Investment Management, Health Care, Hospitality & Leisure and Insurance & Reinsurance practices.