#privacy: Public Transport Victoria in breach of privacy laws

In July 2019, Public Transport Victoria (PTV) released a dataset that exposed the travel history of more than 15 million myki cards.

The dataset also leaked  1.8 billion travel records of myki public transport users between the period June 2015 and June 2018. 

The dataset contained records of the touch on and touch off data, such as date, time and location where people used their myki as well as card identifier, card type and more. A total of 15,184,336 myki cards were exposed. 

The dataset had been released as part of the Data Science Melbourne event, and according to the department, the data had been anonymised. However, it was discovered that individuals were able to re-identify themselves and their travel history for the three years exposed. 

In a report by the Office of the Victorian Information Commissioner (OVIC), it wrote: “The dataset contains a wealth of information about the travel movements of Victorians, which was disclosed with no effective controls in place to guard against re-identification.”

Lead researcher, Chris Culnane, stated that the data release was “shocking”. 

“That is a significant concern because you obviously have a lot of information about yourself, so finding your own card is easy but finding someone else’s card from maybe one or potentially two events, you can then identify cards for people you travelled once with for a night out or for work and identify their travel patterns for a three-year period.”

Researchers went a step further and were able to identify a Victorian Labor MP, Anthony Carbines’ entire travel history for the last three years, by combining the data and his tweets about using public transport. 

The report by the OVIC, found that the department had breached the Victorian Privacy and Data Protection Act by releasing the data set, and failing to address the possibility that the data set could easily be re-identified. 

“Your public transport history can contain a wealth of information about your private life,” commissioner Sven Bluemmel said in a statement. “It reveals your patterns of movement or behaviour, where you go and who you associate with.”

“This is information that I believe Victorians expect to be well-protected.”

OVIC have issued a compliance notice to the Department of Transport, whereby policies around the release of data need to be developed and should be assessed for its impact on privacy.

Failure to comply with the notice, will result in a $99,132 and $495,600 for individuals and organisations respectively.


PrivSec Conferences will bring together leading speakers and experts from privacy and security to deliver compelling content via solo presentations, panel discussions, debates, roundtables and workshops.

For more information on upcoming events, visit the website.

We have been awarded the number 1 GDPR Blog in 2019 by Feedspot.

Privacy Culture: Data Privacy and Information Security Consulting, Culture & Behaviour, Training, and GDPR maturity, covered. https://www.privacyculture.com/