PTV breached privacy of myki users: Victorian privacy commission
The identities of millions of commuters were unlawfully leaked as part of a competition, regulator finds.
The identities of millions of Victorian public transport users were unlawfully leaked by Public Transport Victoria as part of a competition, the state’s information commissioner has found.
In July last year PTV released information from 15 million myki cards to the public as part of a “datathon” event, containing 1.8 billion “tap on” and “tap off” records between July 2015 and June 2018.
PTV had claimed the information had been de-identified, but academics from the University of Melbourne were able to use the data to track the travel histories of themselves and others.
Today the state’s data watchdog declared Victoria’s transport department breached privacy laws in releasing the data, which revealed the behaviour and movements of millions of Victorians.
“Although the initiative was well-intentioned, failures in governance and risk management undermined the protection of privacy,” Information Commissioner Sven Bluemmel said.
Most myki users in the dataset could be identified from just a few touch on or touch off events, according to lead researcher Chris Culnane from the University of Melbourne’s School of Computing and Information Systems.
“With just a handful of pieces of information about where someone boards or exits public transport, it’s possible to get an indication of where they live or work, their regular travel patterns, who they travel with, or if they travel alone — for example, children heading home from school alone,” Dr Culnane said.
“Our analysis raises serious privacy, safety and security issues. It’s easy to imagine how information like this could be used by people who might want to cause harm.”
Commissioner Bluemmel said OVIC has issued the Department of Transport with a compliance notice requiring it to strengthen policies and procedures, data governance, training and reporting.
The Department of Transport said it does not accept the Commissioner’s finding that it breached myki users’ privacy, but said in a statement it has committed to implementing the actions set out in the compliance notice.
“I welcome the Department of Transport’s commitment to implement the compliance notice and recommendations” Commissioner Bluemmel said.
“The report and recommendations will support the responsible use of data to inform policy and service delivery for the benefit of all Victorians, while still respecting their right to privacy.”
Add your comment to this story
Telco war erupts: ‘NBN wasting billions on overbuilding its network’
Vodafone owner TPG has slammed government-owned NBN Co for ‘overbuilding’ its network, accusing it of squandering billions in taxpayer funds on an unnecessary rollout.
Richard White hires WiseTech insider as next CEO
WiseTech founder and executive chair Richard White has hired his direct report Zubin Appoo as CEO, almost a year after the billionaire resigned from the top job following allegations he exchanged business advice for sex.
To join the conversation, please log in. Don't have an account? Register
Join the conversation, you are commenting as Logout