Victoria’s Information Commissioner Sven Bluemmel has published an investigation report into the release of myki data by Public Transport Victoria (PTV) and has called for stronger privacy protections and training across the public sector.
The investigation conducted by the Office of the Victorian Information Commissioner (OVIC) found that PTV — in the Department of Transport portfolio — breached the Privacy and Data Protection Act 2014 by releasing data that exposed myki users’ travel histories.
PTV released a large data set that it claimed to have de-identified in July last year for a datathon event, containing information from 15 million myki cards over the course of three years.
Bluemmel said that while PTV was “well-intentioned”, its failures in governance “undermined the protection of privacy”.
Academics from the University of Melbourne notified OVIC in September 2018 that they had located the data set online and were able to identify their own travel histories and those of others, prompting OVIC to investigate.
OVIC consulted with data experts at CSIRO’s Data61, who found personal information could be obtained from the PTV dataset without expert skills or resources.
“Our research found that when two myki card scans are known by time and stop location, more than three in five of those pairs of scans are unique and therefore more likely to be personally identifiable,” Dr Paul Tyler, Data Privacy Team Leader, said.
Bluemmel noted that Victorians would expect that where they go and who they associate with be protected.
PTV “failed to address the possibility that individuals in the dataset could be re-identified by combining information in the data set with information from other sources such as social media”, OVIC found.
OVIC added that the risk to individual myki card holders is now much lower, due to the time-bounded nature of the data set and the limitations on travel history searches that can be undertaken on registered myki cards.
The Information Commissioner’s office issued the Department of Transport with a compliance notice requiring it to strengthen policies and procedures, data governance, training, and reporting.
The Department of Transport rejected the Commissioner’s finding that the release of the data set breached myki users’ privacy. However, it committed to implementing the actions set out in the compliance notice, which Bluemmel welcomed.
“The report and recommendations will support the responsible use of data to inform policy and service delivery for the benefit of all Victorians, while still respecting their right to privacy,” he said.
OVIC made seven recommendations to the Department of Transport on developing and documenting better data policies and procedures, a data governance program, training, and reporting.
It also suggested an uplift in data capability and internal data governance processes across the Victorian Public Sector.
“OVIC recommends a training program be developed and delivered over the next two years to increase data literacy at executive levels in the Victorian public service generally,” the report states.
“The Victorian government should develop a whole of public sector process for publishing open data where public data includes unit level information relating to individuals or their behaviour.
“This process could be developed as part of the ongoing review of the DataVic Access Policy Review being conducted by the Department of Premier and Cabinet.”
Like Transport, the DPC did not accept OVIC’s findings, but agreed to “work closely with OVIC” to implement the report recommendations.