The company should not collect and disclose excessive personal data, said Privacy Commissioner for Personal Data Roderick Woo.
Speaking about Octopus Rewards Limited, the Privacy Commissioner said it should be stated clearly where the collection of particular items of information is optional, and pointed out that collecting customers' names and card numbers should be enough for awarding basic rewards.
According to the government's news site, Mr Woo recommended the following to Octopus:
* the company should assess the adequacy of the privacy protection its business partner offers before entering into any arrangement to transfer personal data and, where appropriate, consider having a professional third party make a privacy impact assessment;
* a professional third party should verify erasure of the personal data the business partner holds;
* regular compliance audits should be conducted on the implementation of the data protection measures the business partner takes; and
* the agreement with the business partner should specify that data transfer to any place outside Hong Kong is strictly prohibited.
"The applicant should be given an informed choice to authorise their personal data to be used for direct marketing purposes," he said.