Victoria's PTV breached Privacy Act over myki: OVIC

By Dylan Bushell-Embling
Friday, 16 August, 2019

Victoria's PTV breached Privacy Act over myki: OVIC

The Office of the Victorian Information Commissioner (OVIC) has rebuked Public Transport Victoria (PTV) and the Department of Premier and Cabinet for exposing re-identifiable information on the travel history of nearly 15.2 million myki public transport cards.

The Commissioner has found PTV to be in breach of the Privacy and Data Protection Act following the investigation of an incident involving the publication of the complete travel history of the 15.2 million myki cards for a three-year period ending in June 2018.

The travel data, amounting to around 1.8 billion touch on and touch off records across the cards, was provided by the Department of Premier and Cabinet to Data Science Melbourne for use in its Datathon competition for finding innovative uses for public sector data.

The information was released without the requirement for participants to sign a non-disclosure agreement, and participants were told they could “do what [they] like with the data”. One participant republished the dataset in full online, where it remained for several months.

While steps were made to de-identify the data, these have proven to be insufficient, the investigation found.

Researchers from the University of Melbourne have demonstrated that it is possible to use the exposed data to identify the travel records of individual myki card users.

The researchers were able to identify their own travel records using just two exact trip dates and times, to identify co-travellers’ records using just a single co-travelling event, and to identify the records of a complete stranger — a Victorian politician — using only his Twitter history.

The researchers notified the OVIC of their findings, which prompted a formal investigation. During the course of the investigation, data experts from the CSIRO’s Data61 likewise found that personal information could be obtained from the data without expert skills or resources.

“Our research found that when two myki card scans are known by time and stop location, more than three in five of those pairs of scans are unique and therefore more likely to be personally identifiable,” Data61 Data Privacy Team Leader Dr Paul Tyler said.

“So-called ’de-identified’ data can still carry re-identification risk especially in linked transactional data.”

Neither PTV’s parent agency the Department of Transport or the Department of Premier and Cabinet have accepted the OVIC’s finding that the release of the data constituted a breach of the Privacy Act. But both agencies agreed to work with the OVIC to implement the reforms recommended in its report.

Image credit: ©Rafael Ben-Ari/Dollar Photo Club

Please follow us and share on Twitter and Facebook. You can also subscribe for FREE to our weekly newsletter and quarterly magazine.

Related Articles

Palo Alto issues critical fix for firewall OS

Palo Alto Networks has issued a critical security update for PAN-OS following the discovery of...

Govt commits $1.35bn to fight foreign cyber threats

The federal government has announced a $1.35bn investment program aimed at enhancing...

Industry reaction to cyber attacks on Australia

Security experts warn that the major cyber attack targeting Australian government departments and...

  • All content Copyright © 2020 Westwick-Farrow Pty Ltd