Commissioner by looking at the total loss across the board that would be suffered by the
service operator in this case. Given the large customer base, a small debt per customer
can build up to a very substantial sum. The AAB also considered that if the collection of
HKID numbers was disallowed, Autotoll might be forced to take other measures to
protect their business interests. The measures might include a zero credit policy whereby
customers who failed to top up their accounts in time by mere inadvertence would
suffer and Autotoll might as a result be flooded with complaints of poor customer service.
Other operators would suffer too as they would need to recover payments directly from
the registered vehicle owners (who may or may not be the culpable account holders).
In view of the far-reaching implications this might have on Autotoll’s business and in the
interests of the tunnel and toll road operators, the AAB did not assume any right to
interfere with legitimate business operations in the name of data protection. The AAB
also agreed that the nature of the “right, interest or liability” involved was crucial to the
proper operation of the Autotoll electronic toll collection service and was neither
transient nor trivial, hence falling within paragraph 2.3.4.1 of the Code of Practice on the
Identity Card Number and other Personal Identifiers.
5.17 However, it should be stressed that the above AAB decision does not provide a licence
for the collection of HKID numbers by business data users. It must be distinguished from
other situations where data users have failed to demonstrate with concrete evidence
how the collection of unpaid charges goes right to the heart of their business.
Collection of HKID Numbers for Customer Loyalty Programmes
5.18 In the widely reported Octopus card incident[14] in 2010, the Commissioner found that
Octopus Rewards Limited (“ORL”) had contravened DPP1(1) by collecting HKID
numbers/passport numbers/birth certificate numbers, and month and year of birth from
the subscribers to the Octopus Rewards Programme for the purpose of customer
authentication.
The Octopus Rewards Programme allowed subscribers to earn “reward
dollars” on their Octopus card every time they made a purchase at ORL’s business
partners. Such reward dollars could then be used to redeem certain goods and services
from ORL’s business partners. ORL claimed that the collection of their customers’ data
was necessary for customer authentication as the reward dollars were personal to each
customer. Since an Octopus card could store reward dollars up to a maximum of only
$1,000, the Commissioner found that ORL had failed to justify their claim that the
collection of the HKID number was necessary to safeguard against damage or loss to
ORL, which was more than trivial in the circumstances. Further, since the customer could
be properly identified by his name, address and contact phone number held by ORL,
the collection of HKID numbers was not justified under paragraph 2.3.3.3 of the Code of
Practice on the Identity Card Number and other Personal Identifiers, and was found to
be excessive. The same rationale applied to the collection of the customers’ month and
year of birth, passport number and birth certificate number, which was also found to be
excessive and unjustifiable.
[14] See Investigation Report No. R10-9866, available on the Website:
https://www.pcpd.org.hk/english/enforcement/commissioners_findings/investigation_reports/files/R10_9866_e.pdf