The three-year travel history of a Victorian politician was able to be identified after the state government released the supposedly “de-identified” data of more than 15m myki public transport users in a breach of privacy laws.

In July 2018, Public Transport Victoria (now the Department of Transport) released a dataset containing 1.8bn travel records for 15.1m myki public transport users for the period between June 2015 and June 2018.

The data contained the touch on and touch off data such as time and date and location where people used their myki either jumping on a tram or train or bus around the state.

Major breach found in biometrics system used by banks, UK police and defence firms Read more

The data was released as part of the Data Science Melbourne event, and the department had said it had anonymised the data, meaning people could not be identified in the sets of data.

But researchers at the University of Melbourne discovered that by checking their own myki history online, they were able to match up their travel times with the data on file, and then had a complete set of their entire travel history for the three-year period on that card.

“As soon as we had two events, there was only one possible match, which is our card,” Dr Chris Culnane told Guardian Australia.

The researchers, led by Culnane, were also then able to identify their co-travellers, merely because they had tapped on at close to the same time and at the same location as them. Once that identification was made, they were able to view that person’s entire public transport travel history for the three-year period.

“That is a significant concern because you obviously have a lot of information about yourself, so finding your own card is easy but finding someone else’s card from maybe one or potentially two events, you can then identify cards for people you travelled once with for a night out or for work and identify their travel patterns for a three-year period,” Culnane said.

The researchers then went a step further to identify a politician. The data set included data on the card type – including concession cards for police and politicians. There are far fewer politician cards than other cards, meaning it would have been easier to identify politicians. There are 424 state parliamentarian travel passes but very few of those passes go to outer metro areas.

Using his tweets, with his permission, the researchers were able to identify Victorian MP Anthony Carbines due to his travel from Rosanna train station, near his electorate office.

Anthony Carbines MP (@ACarbinesMP) 🙌 See you about 05.24AM tomorrow at Rosanna to catch the first train to town. Well done all. Thanks for hanging in there. Massive construction effort. Single track gone. Two level crossings gone. The trains! The trains! The trains are coming! 👏 pic.twitter.com/kk2Cj3ey9T

The Department of Premier and Cabinet contacted the AFP and Victoria police about this, but said the risk for police and politicians was minimal.

Culnane said it would be fairly easy for anyone to find their own data, but said the risk was mitigated because people can only check their previous six months of travel on the myki website, meaning there isn’t any crossover in data with the data published by the department last year. However, that did not mean people could not identify themselves.

“You’re still going to have sufficient information about the broad times that you travelled and some of the additional analysis we did showed you’d need more points if you had a less exact time, [but] you are probably going to know that information anyway.”

The Office of the Victorian Information Commissioner (Ovic) found in a report on the incident released on Thursday the department had breached the Victorian Privacy and Data Protection Act by releasing the data set, and had failed to address the possibility the data could have been re-identified.

“Your public transport history can contain a wealth of information about your private life,” commissioner Sven Bluemmel said in a statement. “It reveals your patterns of movement or behaviour, where you go and who you associate with.

“This is information that I believe Victorians expect to be well-protected.”

But the Department of Transport had disagreed with Bluemmel’s assessment. PTV claimed the data was not personal information. PTV argued that the information was not about individuals but their myki cards, and myki cards could be shared by multiple people, meaning it was not information about an individual on a specific card.

Culnane said knowing where a person was travelling, and the people they were travelling with and at what time revealed a lot of personal information.

“To suggest it’s information about the card and not the person is a little bit unusual.”

Ovic issued the Department of Transport with a compliance notice to develop policies around the release of data and how that should be assessed for its impact on privacy.

Failure to comply with the notice is a $99,132 fine for individuals and $495,660 for organisations.

Culnane said there needed to be an open discussion around governments releasing supposedly de-identified data as part of its open government push.

“There’s been enough evidence now that the de-identification of this kind of transactional information just doesn’t work,” he said. “It’s just far too unique about how we behave.

“[Open data] was supposed to be about government, so we were going to increase transparency about government operations, but a lot of what is being released is data about the people and population.

“We are adding transparency to the people but not to the government.”