Informed choice: Privacy Commissioner for Personal Data Roderick Woo suggests ways for Octopus to improve customer privacy protection.

Privacy Commissioner for Personal Data Roderick Woo has urged Octopus to better protect customers' personal information, noting collecting their names and card numbers is sufficient for giving them basic rewards.

Briefing the media on his interim investigation report on Octopus Rewards Limited, Mr Woo said the company should not collect and disclose excessive personal data. It should state clearly where the collection of particular items of information is optional.

On the use of privacy data, he suggested the print characters in any contract be of a font size reasonably readable by customers without optical aids. The scope to whom the personal data can be transferred should also be reasonably specific.

"The applicant should be given an informed choice to authorise their personal data to be used for direct marketing purposes. Consent should be expressed and not be deemed given," Mr Woo said.

He recommended:

* the company should assess the adequacy of privacy protection its business partner offers before entering into any arrangement on personal data transferral, and where appropriate, consider having a professional third party make a privacy impact assessment;

* a professional third party verify erasure of personal data the business partner holds;

* conducting regular compliance audits on the implementation of data protection measures the business partner takes; and,

* specifying in the agreement with the business partner that data transfer to any place outside Hong Kong is strictly prohibited.