星期三, 6月 01, 2011

Octopus card scandal

In Hong Kong, almost everyone has at least one Octopus card (on average each person possess two cards!), which is a rechargeable contactless stored value smart card using the RFID technology. It is widely used in Hong Kong because it brings a lot of convenience to the people for shopping, eating in restaurants, taking class attendance in almost all the high schools of HK etc…and almost all public transportation (especially for the mass transit system (MTR)). Each card has a built-in microchip containing an electronic purse which can actually calculate and store all the information regarding the holders’ transaction details. It is also recognised internationally and wins many prestigious awards. Many companies from different regions and countries visited Octopus Company (which is mainly owned by MTR company of HK) to learn the advanced technology and management of Octopus system. While Octopus cards can be purchased anonymously for cash, over 2.4 million customers have registered for the widely adopted Octopus Rewards program with their personal information, according to the information posted in its website.

However, such a “giant” and “prestigious” company suddenly became a controversial target in this July (2010) when it was disclosed by a local media that the management of the Octopus company has been selling nearly 2 million customers’ private data to merchants since 2006. The Octopus company made a total revenue of HK$44 million by selling these customer’s personal data.

The Octopus controversy, the company's CEO first denies that clients' personal data has been sold to third parties for direct marketing. With further investigation by local legislators, she admitted that her earlier denial was erroneous because she did not have critical information when she issued her first denial. She later revealed that Octopus had made HK$44 million in revenue selling information on 1.97 million customers to six companies during the past 4.5 years.

As CEO of the company and the person who might well initiate such deals, she should have had full knowledge of the business. Through her public denial when confronted by the media and legislators who pressed serious concerns on behalf of the public, she has shown a lack of honesty, lack of business ethics, and lack of social responsibility.

Under the pressure of all the medium (newspaper, TV, radio etc.) and the direct intervention of the local government, the MTR board (which owns 57% of share of Octopus company) apologized to the public for “inconsistencies and errors in public communications made by Octopus management.” The octopus management team has decided to donate all the money earned by selling the privacy to merchants to charity.

However, the people responsible involved in this scandal will not face any lawsuit because there are not any existing privacy laws to regulate this kind of scandal (which might be a bit surprising). Octopus’ privacy policy explicitly states that customer data may be used by “any of [Octopus'] selected business partners” for marketing and Octopus asks for information irrelevant to the card’s operation). Therefore the public has urged to form the legislature to set up the laws/rules to forbid the sale of personal information immediately. The public is outraged at being lied to and outraged that the company has denied selling information for years.

So please discuss what you learned from such example. And what social responsibility, business ethics, and privacy responsibility should a large corporation have? How can regulation of companies such as Octopus, with strong government support, be achieved without these companies failing to comply with the rules themselves? Should local privacy law be revised and regulatory control over Octopus be strengthened concerning supervision and monitoring of business ethics of the business giants? How?


Example 1:

When i was child, I still use my coins and run to the LTR station. Then being hurry to buy ticket because i was going to miss a class. Since Octopus was established, i begin to take a contract with it and have a great convenience for my transportation. Of course, i still didn't know what privacy is.

Now, when i see the news talking that the company of Octopus will sell their customers including me and my parents, the personal information. I feel a bit horrible. Sometimes, personal information is not too important for me, but it does not mean that the company should sell our personal information and the important point is they denies that.

To be honest, the deal is already noted that the personal information maybe used by other partners of Octopus. That can be the residents problem that we never see the policy to purchase Octopus with private data. Moreover, it just making the advertisement always phone us, and still not make us a critical lost i think. Why we don't see the policy and information of every deal detail? If the information for us is really important, we should beware for this even more.

About the CEO, she should admitted that her denial earlier. In the business, the important thing is honest. Honest also is the major thing of social responsibility and business ethics. If a person lies just once, no one will trust him again, like he dig a hole in his honest. The hole can't be fixed forever. When he lies more, there will be more holes. However, the CEO of Octopus company can admitted her false earlier, instead of after it become a scandal and too late.

The customers has lack of knowledge for their privacy and Octopus’ privacy policy explicitly states that customer data may be used. It exactly is legal for their personal data being used, but the customers has not enough knowledge so they look like being lies. The problem is, the company use that to make the great amount revenue and the revenue is just for the company themselves. So i think it is not moral and unfair for the customers. Customers can't sense their important information should not be given to company.

The resident especially children doesn't know what privacy is yet. However, the government can promote the education about the privacy for the student, remind that i didn't know what privacy is when i still was a child. So there should be some education for child, teach them what information themselves should not be issued to strangers, make stronger about the privacy education. Let them always remember these rules until they become independent. So that they will have a better defence with their privacy, which maybe more important than their money. Although Octopus card's fee is low, customers may lose more money when their important information is given to others.

Octopus does a false event, but i still would like to use it. It is too convenience in our life and sometimes we will be given back our money because of many discount (e.g. MTR student 50% fee). Without this card, transportation and other things will be more costly and trouble.


Example 2:

Hong Kong’s Octopus Holdings Limited sold customers’ personal information to other companies and has been paid HK$44 million since January 2006. It raised a lot of discussions among the society regarding the social responsibility of enterprises. In fact, it is not something new to identify what people need by analyzing the customers’ data and then determine how to market the products. It is widely accepted by customers. However, when enterprises do not take the customer value seriously for a short-term profit, the customers were not likely to continue paying for their products.

In the local corporate culture, most managers of practices have business backgrounds, especially in marketing and promotion. Maximizing profit is their only target and they pay less attention to the public interests. Like the Octopus Holdings Limited, it has a weak customers’ privacy scheme. Opt-out instead of opt-in mechanism is used for their services where customers’ data will be available to others. The company then claims that it is the user’s responsibility to dig for it. The Octopus Holdings Limited sold user's personal information and even not giving them sufficient opportunities to know how their personal data would be used. The company has not promoted human rights protection in the business policies. It obviously violated corporate social responsibility.

Selling customers’ data by the Octopus Holdings Limited is just one of examples showing that customers’ personal data is not well protected by corporates. The case also relates to the control of unsolicited commercial electronic messages, such as faxes, emails, short messages, pre-recorded telephone messages, etc. If the Hong Kong Government can do a deeper research for the cases, it may find that both the Unsolicited Electronic Messages Ordinance enforced by the Office of the Telecommunications Authority and Personal Data (Privacy) Ordinance enforced by the Office of the Privacy Commissioner for Personal Data, Hong Kong have been broken at the same time. Since the enforcement of the two ordinances is co-related, it is advised that the two offices can work together and exchange information.

Octopus is one of the world’s leading smart card payment systems. The public thus has a very high expectation to the Octopus Holdings Limited. After the case, both the customer relationship and trust to the company are damaged. An enterprise should seek for a balance between business and social values. If it takes care about the social responsibility, the image of company and the employers’ sense of belonging will be improved. It will benefit from the situation.


Example 3:

In Hong Kong, many people use Octopus card. We use octopus card everywhere, transportation, convenience shop, fast food shop, etc. Octopus card become an important part of us.

Few years before, Octopus company starting a reward promotion called “Earn and Redeem Reward”. Customers can redeem points by using Octopus card. But while the customers apply for the “Earn and Redeem reward”, they should sign for an agreement, the terms and condition inside contain a few pages of terms, including some terms with 1-1.5mm font. How many of us will read the terms and condition Octopus company state? A public survey revealed that more than 90 per cent of the respondents said they hadn’t read the personal information statements when they provided data to apply for Octopus services, reports Bloomberg.

In July, while the Octopus “Earn and Redeem reward” happening occur. The Hong Kong citizens start to pay attention to the privacy problem. This happen tells us that we should pay more attention to protect our personal information and the Hong Kong companies should pay attention to their social responsibility, business ethics and privacy responsibility.

In this case, Octopus Company trying to conceal the information of the terms and conditions, Octopus company only concern to fulfill the privacy law of government but ignore customer’s reception to selling our personal information. This is an action lack of social responsibility and business ethics, makes the customers very disappointed.

In fact, the companies have responsibility to explain the terms and condition to us clearly, and let us know clearly how they will handle our personal information ,because many people will not read the terms themselves, some of them are not able or don’t have enough knowledge to read the terms. For example, they can make the fonts bigger, or explain the terms to us while we sign the contract, to let customers from every ages clearly watch the terms and condition.

As the biggest shareholder of Octopus, Government also to be one's unshirkable responsibility, they take not enough monitor to the company. I think it’s the time for them to revise the local privacy law. Maybe they can revise the law, ensure a readable font size in the terms and condition, or ensure all the companies should monitor by an individual organization, to protecting the privacy information.

In conclusion, Hong Kong companies should make more improvement to their social responsibility, business ethics and privacy responsibility. Many times, we have no choice to choose a service providers, it’s hard for us to decline the contract. So, responsible companies are very important. They should monitor themselves to protect the customer information. A good company will not always face to money, they will concern more about the social responsibility, these action cannot earn much money, but it can improve their business ethics, also can build their brand, the outcome is more great.


Example 4:

In today’s modern society, corporate company should not only concern on the profit of their company but also on business ethics and social responsibility. Company shouldn’t just look at the minimum requirement of the law, the company’s decision will not face any lawsuit or harm to the public, but this might lose the public trust.

Octopus card help to save transaction time for transportations, settle payment of fast-food chain and gives our life more convinience. However such a a “giant” and “prestigious” company suddenly become a big seller by selling our personal information for 4.5 years without our consent.

Although Octopus had stated that the applicant information would be used by “any of [Octopus'] selected business partners”, how many people had awared of this statement or denied to apply such a convenience service due to this reason?

“More than 90 per cent of the respondents said they hadn’t read the personal information statements when they provided data to apply for Octopus services”2, reports Bloomberg.
I believe that they hadn’t read through the terms and condition when signing any contract including submit the data for apply service and was caused by the font size, wordings and voluminousness of the statement.

Recently we had received a lot of advertising phone calls, we cannot clarify if this is related to Octopus or not, but the trend is many companies gain revenue by selling customer’s information to their business partner. If the government still not revising the local privacy law, the problem will get worse.

The goverment has the responsibility to revise the local privacy law to constrain the companies, which have to provide options for applicants to choose if they are willing to accept their personal information will be disclosed to or used by the third party companies. The government should check whether those companies have failed to comply with the rules, and reveal the result to the public in order to enhance the transparency of the companies.

If the company was listed in failing to comply with rules or denies to the public like the CEO of Octopus, its company image will be discredited. It takes times to re-build the public image of Octopus company after the public knew they sold their information, “Octopus must do more than replace its chief executive officer to regain public trust”1, two lawmakers said.

Hong Kong residents lack knowledge for their privacy protection and it is legal for their personal information being used by companies, which the company business operate as opaque system, the residents could not know whether their privacy have been well protected. The government should provide education through programmes and advertisement to elevate how to protect personal information.

The Octopus issue is an alert for people in Hong Kong starting to protect their personal information by read through the statement when signing contract or apply any kind of services.

Octopus did a wrong action and Hong Kong resident had lost their confidence on using octopus, but it is too convinient to our daily life, we will keep using it for transportation but might not go for further extend on other usage.

Now there is a pressing need to revise the privacy law and regulatory control over and strengthened the concerning supervision and monitoring of business ethics, forbid the sale of personal information immediately after revealing Octopus had sold customers’ information. The public is outage and didn’t know whether there are other companies had followed the same track several years ago.

The Octopus data leak has sparked public outrage over privacy laws in Hong Kong, with many voicing concern that their private information is being exposed and there are few laws to protect them.”Currently the highest penalty for privacy infringement is a fine of a few thousand HK dollars, which is an insufficient deterrent for large multi-million enterprises.”3 Dr. Wilson Wong said (Assistant Professor of Politics and Public Administration at the Chinese University of Hong Kong, )
“the current laws fail to protect citizens and leave them exposed to information abuse.”4 Emily Lau said (Member of the Legislative Council)

From my point of view, hopefully the Government can revised the local privacy law before such kind of issue happen again and well protect all resident’s personal information.


1 Bloomberg Businessweek , August 05, 2010

2, 3, 4 Theepochtimes, by Liang Lsui & Sonya Bryskine, August 05, 2010 www.theepochtimes.com/n2/content/view/40410/


Example 5:

For the case of selling customers’ personal data, I believe that the fiasco is just the tip of the iceberg. Although Octopus’ privacy policy clearly states that customer data may be used by “any of [Octopus'] selected business partners” for marketing and Octopus asks for information irrelevant to the card’s operation, how many customers read the personal information statements?

Bloomberg.com found that more than 90 per cent of the respondents in a public survey said they hadn’t read the personal information statements when they provided data to apply for Octopus services. I believe that it is true as the font size of privacy policy in personal information statements is very small, and there are many words in privacy policy.

Certainly, many people will ignore the personal information statements, as font sizes are small and lots of words in there. Moreover, the aged people cannot read the statements well, should staff of octopus explain the details of Octopus’ privacy policy well when customer purchase the octopus card?

I am sure there are cardholders who don’t mind Octopus Company selling their personal data. In fact two companies exchange their customers personal data without make announcement already make customers antipathy.

So that in the future, when I buy any products and services, I will study privacy policy provided clearly to protect myself. In addition, I will also remind people I know to study any statement and policy related with them to avoid any unlucky things happen such as personal data was sold.

Society expects that organizations should provide products and services that are needed and desired by customers. However, people in Hong Kong really feel disappointed about it, as customers do not want to spread of their personal information. Customers provide their personal data because they believe that company needs their information to provide good services. However, Octopus Company did not protect personal data of its customers well, and after sold the personal data, customers will only receive more advertisement from other companies, but services provided by Octopus Company did not improved.

Government may check companies have failing to comply with the rules themselves or not in a fixed period, and show out the result. If a company is in the list of “failing to comply with the rules themselves”, its goodwill should be decrease and net profit will also decrease. Companies will not fail to fulfill with rules themselves, as they need customers’ trust. Moreover, business ethics of company people can understand which company is worth to trust or not.

In addition, government may provide some training course or information through social media to let people understand more how to protect their personal information. Also, government may also let managers of companies to understand how important of social responsibility, business ethics, and privacy responsibility.

Besides, local privacy law should be revised and regulatory control. One of reasons of Octopus Card admits making money selling personal data to third parties is there are not any existing privacy laws to regulate this kind of scandal. The people responsible involved in this scandal will not face any lawsuit. It is because people who purchased Octopus Card must be agreeing that customer data can be used by any of Octopus' selected business partners”. I think that customer should have their right to control the usage of their personal information between company bases on local privacy law.

Be honest, if personal information of managers in Octopus Company were sold or exchanged by another company, will they feel good? I wish local privacy law could be well to protect people in Hong Kong,