Victoria's PTV breached Privacy Act over myki: OVIC
The Office of the Victorian Information Commissioner (OVIC) has rebuked Public Transport Victoria (PTV) and the Department of Premier and Cabinet for exposing re-identifiable information on the travel history of nearly 15.2 million myki public transport cards.
The Commissioner has found PTV to be in breach of the Privacy and Data Protection Act following the investigation of an incident involving the publication of the complete travel history of the 15.2 million myki cards for a three-year period ending in June 2018.
The travel data, amounting to around 1.8 billion touch on and touch off records across the cards, was provided by the Department of Premier and Cabinet to Data Science Melbourne for use in its Datathon competition for finding innovative uses for public sector data.
The information was released without the requirement for participants to sign a non-disclosure agreement, and participants were told they could “do what [they] like with the data”. One participant republished the dataset in full online, where it remained for several months.
While steps were taken to de-identify the data, these proved insufficient, the investigation found.
Researchers from the University of Melbourne have demonstrated that it is possible to use the exposed data to identify the travel records of individual myki card users.
The researchers were able to identify their own travel records using just two exact trip dates and times, to identify co-travellers’ records using just a single co-travelling event, and to identify the records of a complete stranger — a Victorian politician — using only his Twitter history.
The researchers notified the OVIC of their findings, which prompted a formal investigation. During the course of the investigation, data experts from the CSIRO’s Data61 likewise found that personal information could be obtained from the data without expert skills or resources.
“Our research found that when two myki card scans are known by time and stop location, more than three in five of those pairs of scans are unique and therefore more likely to be personally identifiable,” Data61 Data Privacy Team Leader Dr Paul Tyler said.
“So-called ‘de-identified’ data can still carry re-identification risk, especially in linked transactional data.”
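The uniqueness measure Data61 describes can be computed by a data custodian before a release. The following is an added example, not code from the OVIC report, Data61 or the researchers: it counts how many two-scan combinations (stop plus touch time) belong to exactly one card. The sample records, the function names and the time-bucket parameter are assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime
from itertools import combinations

# Constructed sample data: (pseudonymous card id, stop, touch time).
# These are not real myki records.
SCANS = [
    ("c1", "Flinders St", "2018-03-05 08:02"),
    ("c1", "Parliament",  "2018-03-05 17:31"),
    ("c2", "Flinders St", "2018-03-05 08:02"),
    ("c2", "Richmond",    "2018-03-05 17:40"),
    ("c3", "Flinders St", "2018-03-05 08:14"),
    ("c3", "Parliament",  "2018-03-05 17:55"),
    ("c4", "Flinders St", "2018-03-05 08:47"),
    ("c4", "Parliament",  "2018-03-05 17:05"),
]

def bucket(ts, minutes):
    """Round a timestamp down to a bucket of the given width (assumed knob)."""
    t = datetime.strptime(ts, "%Y-%m-%d %H:%M")
    total = t.hour * 60 + t.minute
    floored = total - total % minutes
    return t.replace(hour=floored // 60, minute=floored % 60)

def pair_uniqueness(scans, minutes=1):
    """Share of per-card scan pairs that no other card in the release has."""
    by_card = defaultdict(set)
    for card, stop, ts in scans:
        by_card[card].add((stop, bucket(ts, minutes)))

    # Map every two-scan combination to the set of cards that contain it.
    cards_per_pair = defaultdict(set)
    for card, points in by_card.items():
        for pair in combinations(sorted(points), 2):
            cards_per_pair[pair].add(card)

    total = sum(len(cards) for cards in cards_per_pair.values())
    if total == 0:
        return 0.0
    unique = sum(1 for cards in cards_per_pair.values() if len(cards) == 1)
    return unique / total

if __name__ == "__main__":
    for width in (1, 60):
        share = pair_uniqueness(SCANS, width)
        print(f"{width:>3}-minute buckets: {share:.0%} of scan pairs are unique")
```

On the constructed data, every pair is unique at one-minute precision, and one card still stands out at hourly precision because of the stop it used, so a custodian would run this on the full release candidate rather than rely on timestamp coarsening alone.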
Neither PTV’s parent agency, the Department of Transport, nor the Department of Premier and Cabinet has accepted the OVIC’s finding that the release of the data constituted a breach of the Privacy Act. But both agencies agreed to work with the OVIC to implement the reforms recommended in its report.