Information Commissioner investigates breach of myki users’ privacy
Compliance notice issued against Public Transport Victoria
Victoria’s Information Commissioner has published a report on an investigation into the release of myki data by Public Transport Victoria (PTV), which is now part of the Department of Transport. The report includes recommendations that call for stronger privacy protections for open data releases.
The investigation conducted by the Office of the Victorian Information Commissioner (OVIC) found that PTV breached the Privacy and Data Protection Act 2014 by releasing data that exposed myki users’ travel histories.
In July 2018, PTV released a large dataset which it claimed to have de-identified, containing information from 15 million myki cards to support a datathon event. The dataset recorded 1.8 billion myki ‘tap on’ and ‘tap off’ events between July 2015 and June 2018.
“Although the initiative was well-intentioned, failures in governance and risk management undermined the protection of privacy,” Information Commissioner Sven Bluemmel said.
In September 2018, academics from the University of Melbourne notified OVIC that they had located the dataset online and identified their own travel histories and those of others. OVIC then commenced an investigation into PTV’s release of the data in October 2018.
“Your public transport history can contain a wealth of information about your private life. It reveals your patterns of movement or behavior, where you go and who you associate with,” Commissioner Bluemmel said. “This is information that I believe Victorians expect to be well-protected.”
Data experts at CSIRO’s Data61 were consulted on technical aspects of the investigation. CSIRO’s Data61 found personal information could be obtained from the PTV dataset without expert skills or resources.
“Our research found that when two myki card scans are known by time and stop location, more than three in five of those pairs of scans are unique and therefore more likely to be personally identifiable,” said Dr Paul Tyler, Data Privacy Team Leader at CSIRO’s Data61. “So-called ‘de-identified’ data can still carry re-identification risk especially in linked transactional data.”
OVIC’s investigation found that PTV failed to address the possibility that individuals in the dataset could be re-identified by combining information in the dataset with information from other sources such as social media.
While the report indicates information could have been re-identified at the time the dataset was released, the risk to individual myki card holders is now much lower. This is due to the time-bounded nature of the dataset and the limitations on travel history searches that can be undertaken on registered myki cards.
OVIC has issued the Department of Transport with a compliance notice requiring it to strengthen policies and procedures, data governance, training and reporting. The Department of Transport does not accept the Commissioner’s finding that the release of the myki dataset breached myki users’ privacy. However, the Department has committed to implementing the actions set out in the compliance notice.
“I welcome the Department of Transport’s commitment to implement the compliance notice and recommendations,” Commissioner Bluemmel said. “The report and recommendations will support the responsible use of data to inform policy and service delivery for the benefit of all Victorians, while still respecting their right to privacy.”
For further background please read:
- Report of investigation: Disclosure of myki travel information
- Compliance notice
- Blog post: myki incident - lessons for organisations
- Blog post: myki incident - FAQs for the public
For media enquiries contact:
t: (03) 8684 7585
For enquiries about privacy in Victoria contact us at:
t: 1300 006 842