iTnews

Botched myki data release breached privacy laws

By Justin Hendry on Aug 15, 2019 12:18PM
Botched myki data release breached privacy laws

Semi-redacted data from 15 million cards published online.

Victoria’s public transport authority has been found to have breached privacy laws after releasing a dataset containing 15 million partially redacted public transport passenger details online.

The Office of the Victorian Information Commission (OVIC) today released its investigation [pdf] into the release of the data from Melbourne’s contactless smartcard ticketing system, myki.

The investigation found Public Transport Victoria - which has now become part of the Department of Transport – had breached the state’s Privacy and Data Protection Act 2014 by exposing myki user’s histories.

The dataset, which contained 1.8 billion records of touch-on and touch-off activity from 15 million myki cards between June 2015 and June 2018, was released by Public Transport Victoria in July last year.

Disclosure of the dataset had been requested by the Department of Premier and Cabinet for use in the 2018 Melbourne Datathon, an annual competition where participants compete to find innovative uses for datasets.

In deciding to release the dataset, PTV said it undertook “steps to de-identify the dataset before public release, as well as “consider any associated privacy risks”.

But during the competition, concerns were raised with a public sector representative that “the dataset could be used to identify individuals” and OVIC was subsequently notified on 14 September.

The dataset was also located online by academics Dr Chris Culnane, Dr Benjamin Rubinstein and Dr Vanessa Teague from the University of Melbourne, who also raised concerns with the privacy commissioner in September.

In a separate report [pdf], the academics detail how they were able use the dataset to re-identify themselves and complete strangers, including a member of the Victorian Parliament, with “ease” from two or three touch events.

OVIC commenced its investigation in October 2018 after its privacy and data protection deputy commissioner deemed PTV had breached the state’s information privacy principles.

The deputy commissioner found “flaws in the process followed by PTV in de-identifying the dataset”, which had largely been done by replacing the internal card ID number with a different generated value.

In a statement, Information Commission Sven Bluemmel said that failure to de-identify had undermined privacy protections, despite acknowledging that the age of the dataset meant the risk to individuals was now much lower.

““Although the initiative was well-intentioned, failures in governance and risk management undermined the protection of privacy,” he said.

“Your public transport history can contain a wealth of information about your private life.  It reveals your patterns of movement or behavior, where you go and who you associate with.”

A compliance notice has been issued the Department of Transport requesting it to strengthen its policies and procedures, including around data governance.

OVIC said although the Department of Transport “does not accept the ... findings”, it has committed to implementing the actions.

The botched release bares some resemblance to the publication of supposedly de-identified claims data by the federal Health department in 2016, which was also found to be re-identifiable.

Got a news tip for our journalists? Share it with us anonymously here.
Copyright © iTnews.com.au . All rights reserved.
Tags:
governmentit myki ovic privacy security transportit victoria

Partner Content

One way SD-WAN can save business leaders' time
Partner Content One way SD-WAN can save business leaders' time
Beat the DDoS blackmails in 2021
Promoted Content Beat the DDoS blackmails in 2021
Setting a path to self-funded mainframe-to-cloud modernisation with Micro Focus
Promoted Content Setting a path to self-funded mainframe-to-cloud modernisation with Micro Focus
COVID puts agile IT under the microscope
Promoted Content COVID puts agile IT under the microscope

Sponsored Whitepapers

The top 5 tech trends to deliver business outcomes
The top 5 tech trends to deliver business outcomes
10 reasons why businesses need to invest in cloud security training
10 reasons why businesses need to invest in cloud security training
Your guide to application security solutions
Your guide to application security solutions
State of Software Security: Open Source Edition
State of Software Security: Open Source Edition
Five questions to ask before you upgrade to a SIEM solution
Five questions to ask before you upgrade to a SIEM solution

Events

  • On-Demand Webinar: How Poly and Microsoft are Embracing Future Work Environments
  • [iTnews and Micro Focus] Navigating the cloud modernisation minefield
By Justin Hendry
Aug 15 2019
12:18PM
0 Comments

Related Articles

  • Victorian primary schools neglect privacy in software choices
  • Queensland next to upload photos to national face matching database
  • Transport for NSW data stolen in Accellion breach
  • DTA cops pushback over proposed digital ID charge model
Share on Twitter Share on Facebook Share on LinkedIn Share on Whatsapp Email A Friend

Most Read Articles

TPG Telecom to start enticing NBN customers to move

TPG Telecom to start enticing NBN customers to move

Infosys scores another $40m for Centrelink payments engine build

Infosys scores another $40m for Centrelink payments engine build

Telstra InfraCo opens up telco's own fibre network

Telstra InfraCo opens up telco's own fibre network

Transport for NSW data stolen in Accellion breach

Transport for NSW data stolen in Accellion breach

You must be a registered member of iTnews to post a comment.
Log In | Register
All rights reserved. This material may not be published, broadcast, rewritten or redistributed in any form without prior authorisation.
Your use of this website constitutes acceptance of nextmedia's Privacy Policy and Terms & Conditions.