This popped up last week:
Botched myki data release breached privacy laws
Semi-redacted data from 15 million cards published online.
Victoria’s public transport authority has been found to have breached privacy laws after releasing a dataset containing 15 million partially redacted public transport passenger details online.
The Office of the Victorian Information Commission (OVIC) today released its investigation [pdf] into the release of the dataset pertaining to Melbourne’s contactless smartcard ticketing system Myki.
The investigation found the release had breached the state’s Privacy and Data Protection Act 2014 by exposing myki user’s histories and called for stronger privacy protections for open data releases.
The dataset, which contained 1.8 billion records of touch-on and touch-off activity from 15 million myki cards over a three year period between June 2015 and June 2018, was released by Public Transport Victoria in July 2018.
Disclosure of the dataset had been requested by the Department of Premier and Cabinet for use in the 2018 Melbourne Datathon, an annual competition where participants compete to find innovative uses for datasets.
In deciding to release the dataset, PTV - which has now become part of the Department of Transport – said it undertook “steps to de-identify the dataset before public release, as well as “consider any associated privacy risks”.
But during the competition, concerns were raised with a public sector representative that “the dataset could be used to identify individuals” and OVIC was subsequently notified on 14 September.
The dataset was also located online by academics from the University of Melbourne, including cryptographic researcher Dr Vanessa Teague, who also raised concerns with OVIC in September.
In a separate report [pdf], the academics detail how they were able use the dataset to re-identify themselves and complete strangers with “ease” from two or three touch events.
There is a good deal more here:
Further coverage is found here:
Myki data release could attract $500,000 fine
Lucas Baird Reporter
Aug 15, 2019 — 12.58pm
Public Transport Victoria could be fined almost $500,000 after publishing a dataset that left the identities of thousands of commuters and their travel patterns discoverable.
The potential fine is the result of a months-long investigation into the breach, which was conducted by the Office of the Victorian Information Commissioner.
And OVIC has now slapped the government body with a Compliance Notice, its most potent tool under Victorian privacy laws.
The notice requires Public Transport Victoria to undertake four specified actions by 2021 or pay a $495,660 fine.
The body – which governs the state's train, tram, and bus networks – must now develop new data release policies and procedures, implement a data governance program, train its staff in the new regimes and make regular reports to the regulator.
These demands and the full investigation were made public as part of a report into the event on Thursday.
The report was about the release of travel data contained on 15 million myki cards in July last year as part of the Melbourne Datathon.
While Public Transport Victoria claimed it had de-identified the data, academics at the University of Melbourne found they could still identify individuals and their travel patterns.
The dataset was published with the best intentions, said information commissioner Sven Bluemmel, yet the reams of information in it compromised this intent.
Lots more found here:
https://www.afr.com/technology/myki-data-release-found-to-have-breached-privacy-laws-20190815-p52hbo
You would have thought that by now all those thinking of releasing data sets would ask the team at the University of Melbourne to give them the OK each time by now. Without that I would not trust any Government as far as I could throw them and I believe you should do the same.
The bottom line is that these agencies are not anywhere near as smart as they think they are!
David.
1 comment:
With data flying between GP practices and PHN is persist of this PIPIQ datasets will be found all over the place. Remember th Utopia episode when they promote people to the communication team? Well they have returned as data governance specialists and general managers.
Post a Comment