This article is about the leakage of data of the Octopus card company. In 2010 , Octopus sold the information of their clients to 6 companies for promotion and made a profit of 44 million Hong Kong dollars over 4. 5 years . In view of the case of Octopus case, this article will go through three part to study it : technical aspect, ethical aspect and legal aspect.
It will also suggest feasible suggestions. The dis-honest company led a leakage of personal data: Octopus Card Company Introduction of Octopus card company According to the statistics, 95% of those between the ages of 16 and 65 have an Octopus and Octopus processes over 12 million transactions a day.
The card is accepted by more than 100 transportation service providers and 160 retailers, including 7-Eleven, Starbucks, and Park & Shop. It can also be used at pay phones, photo booths, and parking garages. This reveals that the octopus is commonly and widely used.
Also implied that the leakage of personal data influences a lot of people.
Technical Issue In terms of technical Issue, Octopus card is a rechargeable contactless stored value smart card used widely in transportation and retail business. How can it transfer the money without contact? It is because it used the technique of Radio Frequency Identification (RFID). We will go into deeper of the RFID. RFID is the use of a wireless non-contact system that uses radio-frequency electromagnetic fields to transfer data from a tag attached to an object, for the purposes of automatic identification and tracking.
The Octopus card requires no battery and are powered and read at short ranges via magnetic fields (electromagnetic induction).
The tag contains electronically stored information which can be read from up to several meters (yards) away. Unlike a bar code, the tag does not need to be within line of sight of the reader and may be embedded in the tracked object. RFID tags are also used in many industries. An RFID tag attached to an automobile during production can be used to track its progress through the assembly line.
Pharmaceuticals can be tracked through warehouses. Livestock and pets may have tags injected, allowing positive identification of the animal. Ethical Issue In terms of the ethical issue, there are a few points we would like to discuss. Firstly it is whether there is too much personal information required in the client agreement. The Octopus Company was questioned about if the personal information required on the client agreement was too much. The complainer claimed that the necessary information required by the scheme is actually just name and Octopus card number.
Also, the client agreement was not user-friendly, because the text was too small, almost unreadable and the whole statement is too long and clumsy. But on the other hand, nowadays Hong Kong citizen are easily give out their information without knowing how the information will be used. The awareness of protection their personal data is too weak. It’s always customers’ duty to read the whole statement no matter how not user-friendly it is because it should be themselves to protect their own privacy. Legal Issue The Octopus Card Company has actually sued the Personal Data (Privacy) Ordinance.
The company collected excessive personal data for the purpose of customer authentication and it failed to take all reasonably practicable steps to ensure that the applicants were explicitly informed of the classes of persons to whom the data may be transferred. Also, the company shared member’s personal data with third parties for monetary gains without their consent. The provision of data for monetary gain was not expressly stated in the Terms and Condition. This incident has actually highlighted the inadequacies of the present Ordinance as public expectation in data privacy raises, especially those in conjunction with business activities.
Therefore, the government has amended the ordinance in 2012 to protect data users’ right. Six data protection principles: Principle 1 – purpose and manner of collection of personal data Principle 2 – accuracy and duration of retention of personal data Principle 3 – use of personal data Principle 4 – security of personal data Principle 5 – information to be generally available Principle 6 – access to personal data DPP1 and DPP3 are violated. Since the octopus company sold the data of their clients, the purpose of collection of personal data is different from what the pubic thought about.
Also, there is no direct related to octopus system when the data is used. Therefore, use of personal data is also violated. Suggestion There are four suggestions which can help protecting personal data. First and foremost, due to the little attention to protect their own information of the citizen, the government should educate the citizen to build up the idea of protecting personal data. Second, improvements can be made in the security and privacy systems of companies to ensure low unintended data leakage. Third, government should make the rule stricter and clearer in order not to let the companies escape the law.
Forth, set up a department to investigate among the all the companies to check whether there is similar issue happened. In conclusion, it is a fact that once our personal data has been leaked, it is not possible to stop the spreading of the data. It is both, companies, government and citizens’ responsibilities to protect our personal data.