Octopus Holdings has escaped punishment for the excessive collection and unauthorised sale of cardholders' personal data despite being found by the privacy watchdog to have deceived members of its rewards scheme.
The Office of the Privacy Commissioner said yesterday the smart-card issuer had violated three data protection principles, including collecting more data than needed to verify its customers' identity and selling it for monetary gain.
But it said that instead of issuing an enforcement notice, it had accepted an undertaking from Octopus that it would within two months destroy and erase its members' identity card numbers and birth dates from its database.
Commissioner Allan Chiang Yam-wang said he did not personally think the outcome was adequate 'but this is the current provision under the ordinance'.
'The members of the [Octopus reward] programme were deceived,' Chiang said, commenting on the investigation's finding that members had received calls from agents for insurance company Cigna purporting to be on behalf of Octopus, after the insurer had obtained their data.
The office's chief legal counsel, Brenda Kwok, said an enforcement notice - under which a company can face a range of penalties including fines and jail - could be issued only if it was likely that a contravention would continue, but Octopus had stopped the practice.