Victoria’s public transport authority has been found to have breached privacy laws after releasing a dataset containing 15 million partially redacted public transport passenger details online.

The Office of the Victorian Information Commissioner (OVIC) today released its investigation [pdf] into the release of the data from Melbourne’s contactless smartcard ticketing system, myki.

The investigation found Public Transport Victoria – which has now become part of the Department of Transport – had breached the state’s Privacy and Data Protection Act 2014 by exposing myki users’ histories.

The dataset, which contained 1.8 billion records of touch-on and touch-off activity from 15 million myki cards between June 2015 and June 2018, was released by Public Transport Victoria in July last year.

Disclosure of the dataset had been requested by the Department of Premier and Cabinet for use in the 2018 Melbourne Datathon, an annual competition where participants compete to find innovative uses for datasets.

In deciding to release the dataset, PTV said it undertook “steps to de-identify the dataset before public release”, as well as “consider any associated privacy risks”.

But during the competition, concerns were raised with a public sector representative that “the dataset could be used to identify individuals” and OVIC was subsequently notified on 14 September.

The dataset was also located online by academics Dr Chris Culnane, Dr Benjamin Rubinstein and Dr Vanessa Teague from the University of Melbourne, who also raised concerns with the privacy commissioner in September.

In a separate report [pdf], the academics detail how they were able to use the dataset to re-identify themselves and complete strangers, including a member of the Victorian Parliament, with “ease” from two or three touch events.

OVIC commenced its investigation in October 2018 after its privacy and data protection deputy commissioner deemed PTV had breached the state’s information privacy principles.

The deputy commissioner found “flaws in the process followed by PTV in de-identifying the dataset”, which had largely been done by replacing the internal card ID number with a different generated value.
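A pre-release check for the weakness described above, added here as an illustration and not taken from the OVIC investigation or the academics' report: it swaps card IDs for random tokens, then measures what share of cards can still be singled out by k touch events. The record layout, stop labels and sample rows are constructed assumptions.

```python
import secrets
from collections import defaultdict
from itertools import combinations

# Constructed sample rows: (card_id, stop, time bucket). Not real myki data.
TOUCHES = [
    ("card-A", "stop_1", "Mon 08:00"), ("card-A", "stop_2", "Mon 17:30"),
    ("card-B", "stop_1", "Mon 08:00"), ("card-B", "stop_3", "Mon 18:00"),
    ("card-C", "stop_2", "Mon 17:30"), ("card-C", "stop_3", "Mon 18:00"),
    ("card-D", "stop_1", "Mon 08:00"), ("card-D", "stop_4", "Sat 10:15"),
]

def pseudonymise(records):
    """Swap each card ID for a random token, leaving every trip untouched."""
    mapping = defaultdict(lambda: secrets.token_hex(8))
    return [(mapping[card], stop, when) for card, stop, when in records]

def events_by_card(records):
    """Group touch events into one set per (pseudonymous) card."""
    cards = defaultdict(set)
    for card, stop, when in records:
        cards[card].add((stop, when))
    return cards

def singled_out_fraction(records, k):
    """Share of cards with some k touch events that no other card also has."""
    cards = events_by_card(records)
    singled = 0
    for card, events in cards.items():
        others = [e for c, e in cards.items() if c != card]
        # A card is exposed if any k of its events match no other card.
        if any(not any(set(combo) <= o for o in others)
               for combo in combinations(sorted(events), k)):
            singled += 1
    return singled / len(cards)

def release_report(records, max_k=2):
    """Risk per number of known touch events, for a go/no-go release review."""
    return {k: singled_out_fraction(records, k) for k in range(1, max_k + 1)}

if __name__ == "__main__":
    # The tokens change the IDs but not the travel patterns behind them.
    print(release_report(pseudonymise(TOUCHES)))
```

On this sample, one known touch event isolates a quarter of the cards and two isolate all of them, and the figures are identical before and after the IDs are replaced.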

In a statement, Information Commissioner Sven Bluemmel said that failure to de-identify had undermined privacy protections, despite acknowledging that the age of the dataset meant the risk to individuals was now much lower.

“Although the initiative was well-intentioned, failures in governance and risk management undermined the protection of privacy,” he said.

“Your public transport history can contain a wealth of information about your private life. It reveals your patterns of movement or behavior, where you go and who you associate with.”

A compliance notice has been issued to the Department of Transport requesting it to strengthen its policies and procedures, including around data governance.

OVIC said although the Department of Transport “does not accept the ... findings”, it has committed to implementing the actions.

The botched release bears some resemblance to the publication of supposedly de-identified claims data by the federal Health department in 2016, which was also found to be re-identifiable.