Myki data leak put privacy at risk: report

An investigation into a leak which saw 15 million Victorian commuters’ data supplied to a third party has found privacy laws were breached.

A new report probing a Victorian transport agency’s release of the travel history of millions of its commuters found fundamental data rights had been undermined.

The Office of the Victorian Information Commissioner (OVIC) last Thursday found that Public Transport Victoria breached privacy laws by releasing a dataset containing the identifiable travel information of millions of myki cards – a reusable electronic transport card in Victoria – to a data science event.

The dataset, which recorded 1.8 billion tap on and tap off events between mid-2015 and 2018, was said to have been de-identified. However a handful of commuters were able to locate their travel histories online.

“Although the initiative was well-intentioned, failures in governance and risk management undermined the protection of privacy” Information Commissioner Sven Bluemmel said.

The breach sparked widespread disapproval and prompted an OVIC investigation which found the personal information of commuters, such as patterns of movement and with whom they had associated, could be easily obtained through the data.

“Our research found that when two myki card scans are known by time and stop location, more than three in five of those pairs of scans are unique and therefore more likely to be personally identifiable” said Dr Paul Tyler, Data Privacy Team Leader at CSIRO’s Data61.

“So-called ‘de-identified’ data can still carry re-identification risk especially in linked transactional data.”

Leak undermined privacy

The failure of Public Transport Victoria to consider the risk of re-identification through the combination of the transport data with other information such as social media and the steps taken were “inadequate and not reasonable,” the commission found.

There were flaws in the process of the department in de-identifying the dataset, identifying the risk of re-identification and deciding to provide the dataset to Datathon, according to the report.

The incident illustrates the need for government agencies and departments to rethink the way they de-identify citizens’ data, the report says.

“The report also highlights that some of the assumptions made about data de-identification and release several years ago need to be revisited.

“Where a data set contains unit-level data about individuals, especially where it contains longitudinal unit-level data about behaviour, more recent research indicates such material may not be suitable for open release, even where extensive attempts have been made to de-identify it.”

The commission has handed the Department of Transport a compliance notice requiring it to strengthen internal policies and improve data oversight.

The department did not accept the report’s findings that the data leak breached myki users’ privacy, but has agreed to implement the actions in the compliance notice.

Comment below to have your say on this story.

If you have a news story or tip-off, get in touch at  

Sign up to the Government News newsletter

Leave a comment:

Your email address will not be published. All fields are required