A new case challenging the design of a public transport ticketing system on privacy grounds has broad implications for any organisation which collects personal information, especially in this age of Big Data.
In 2016, an unrepresented NSW resident, Nigel Waters,* launched a legal challenge to the collection of data about his physical movements by Transport for NSW (TfNSW). After two years of legal arguments, Mr Waters has won his case, with the NSW Civil and Administrative Tribunal finding in February 2018 that the design of the Opal Card system breached the privacy obligations of NSW law, by over-collecting passengers’ personal information. The implications of this case will be profound.
First, some background. The Opal Card, like the Oyster card in London and the Octopus card in Hong Kong, is a contactless smartcard used across different modes of public transport. Launched on a limited scale in 2012, it now covers greater Sydney and surrounding regions, and offers a single ticket with integrated fares across ferries, buses, trains and light rail. Passengers store value on the card, from which fares are then deducted.
The Opal Card comes in four types:
- Adult (aka Opal Card, coloured black) for adults who pay full-fare
- Child/Youth (aka Green Opal Card) for children who pay half-fare
- Concession (aka Silver Opal Card) for people entitled to a half-fare concession rate by virtue of being tertiary students, unemployed, or one of a number of other concession categories, and
- Senior/Pensioner (aka Gold Opal Card) for seniors, aged and disability pensioners and some other categories of individuals, who pay a flat $2.50 per day of use.
However only Adult and Green Opal Cards can be purchased and used anonymously. Registration of the passenger’s card is optional for children and full-fare-paying adults, but compulsory for Silver and Gold passengers.
Registration of a card means that the card itself is linked to an identifiable individual. For passengers, the benefits of registration include being able to top-up the stored value automatically, or to cancel the card and retrieve its stored value if the physical card is damaged, lost or stolen. For TfNSW, which operates the system, the benefits of registration include being able to ensure that people entitled to concessions can only have one valid card issued at a time, and that the cards of passengers whose entitlement to a concession has expired can be remotely cancelled or suspended. (On-going entitlement is routinely checked by TfNSW in a data-matching process, for example verifying with Centrelink whether people are still on unemployment benefits, and with universities to check whether students are still enrolled full-time.)
Mr Waters did not object to the collection of information about his identity. Nor did he object to the processes by which he had to initially demonstrate his eligibility to claim the seniors’ entitlement to the Gold concession rate. Importantly, he also did not object to any requirement to demonstrate his entitlement to the seniors’ discount whenever he was travelling, such as if challenged by a ticket inspector; or to the process by which his on-going entitlement is periodically verified by data-matching with the issuer of Seniors cards.
But what Mr Waters did object to was the by-product of registration – the creation of a record of his physical movements when using public transport, linked to his identity via the Card number. (The physical movements of all cards are tracked and the data can be easily interrogated; but only if the card is registered can TfNSW link that card’s use back to the identifiable individual assumed to be using that card.)
In other words, the complainant objected to the fact that some passengers could choose to use public transport anonymously – i.e. without their physical movements as identifiable individuals being tracked by an arm of the State Government – but others could not.
He brought his challenge by alleging that TfNSW was in breach of Information Protection Principle 1 in the Privacy and Personal Information Protection Act 1998 (NSW), which requires:
(1) A public sector agency must not collect personal information unless:
(a) the information is collected for a lawful purpose that is directly related to a function or activity of the agency, and
(b) the collection of the information is reasonably necessary for that purpose.
(2) A public sector agency must not collect personal information by any unlawful means.
The critical phrase tested in this case was “reasonably necessary for that purpose”.
TfNSW had characterised the reason for compulsory registration of Silver and Gold cards as to manage cases of fraudulent claiming of concession fares. The question was therefore whether the collection of data about passengers’ physical movements, in an identifiable form, was “reasonably necessary for that purpose”.
And after 50 pages, the Tribunal concluded no: the collection of the travel history data is not reasonably necessary for a fraud-prevention purpose:
“there seems little basis for the collection of the travel information for the stated purpose of enforcement/eligibility for the entitlement to the concession card”.
The Tribunal found that TfNSW had therefore breached IPP 1 in its design of the Opal Card system, and ordered TfNSW to stop collecting Mr Waters’ travel history data.
The Tribunal also found that while it could not order the same outcome directly for all other Gold Opal Card customers (because Mr Waters did not have standing to make a claim in relation to the personal information of anyone other than himself), it also noted that its findings as to the breach of IPP 1 “would be applicable to persons who wished to avail themselves of an unregistered card”. In other words, the Tribunal is saying that because every other Gold Opal Card customer could make the same privacy complaint as Mr Waters and receive the same outcome, TfNSW may as well assume that the Tribunal’s orders apply to all Gold Opal Card customers. (Although not mentioned, one would expect the same outcome would also apply for Silver Opal Card customers.)
Importantly, the Tribunal found that “some action must be taken … to make the system compliant”. While the Tribunal didn’t say exactly how the Opal Card system should be re-designed, it recommended the agency take legal, privacy and IT design advice, and look at equivalent systems in Queensland, Victoria and Hong Kong.
There were some interesting twists and turns along the way as this case developed over the past two years, which illustrate a number of important points about the maturation of privacy law and practice.
Whether the data was ‘personal information’
The Tribunal made short shrift of this argument. The Tribunal noted the full Federal Court’s view, which was contrary to that expressed in the earlier AAT case, that information can be ‘about’ more than one thing. In any case the Tribunal found that “the travel information was more about CNS* than about the card. There was no purpose attached to the card information … that was not about CNS”.
TfNSW also argued that because the card registration data is held separately from the travel data, with the former being held by TfNSW in the ‘PAS database’ and the latter in the ‘Opal database’ which is managed by a contracted third party, and because the two datasets were not routinely linked and did not offer a ‘live tracking’ function, Mr Waters’ identity was not apparent or reasonably ascertainable from the travel data ‘by itself’, and thus did not meet the definition of ‘personal information’.
Again the Tribunal rejected this argument. The Tribunal noted that regardless of whether or not TfNSW routinely links the two datasets, the fact remains that they are linkable, by virtue of the card number being present in both, and data is linked between the two by TfNSW in order to respond to requests from either law enforcement agencies, or from customers themselves, including by customer online queries.
The Tribunal found that information about “the tapping on and off at various locations was information about CNS, as his identity could be ascertained”. Thus the Tribunal concluded that the travel history was ‘personal information’ covered by the IPPs.
Yet another nail in the ‘notice and consent’ coffin
The Tribunal rejected this argument, on two grounds. First, because ‘consent’ does not provide an exemption to IPP 1. In other words, whether or not an individual consents to, agrees with, is lukewarm about or violently objects to, the collection of their personal information is entirely irrelevant to IPP 1, which is about whether or not the collection is both lawful and ‘reasonably necessary’.
Second, the Tribunal noted that in any case, the notion of ‘consent’ in privacy law, such as might be relied upon as the basis for later secondary uses or disclosures of personal information, is predicated on “whether an individual acts in a purely voluntary manner”, compared with “something more akin to a lack of choice”.
While these later observations were only obiter comments by the Tribunal, they provide yet another example of the futility of the US-driven approach to privacy protection, which is to pretend that everything will be tickety-boo so long as you bury the detail about what you are planning to do with people’s data in privacy policies and notices, and make your customers ‘agree’ to them as part of your standard terms and conditions.
That’s not how privacy law works in Australia, and it’s not how privacy law works in most of the rest of the world. The GDPR, the new European privacy law commencing in May, will claim the credit for the coming revolution in how ‘consent’ is managed, but it’s the same position as we have had here for decades. Australian privacy case law, and guidance on the meaning of ‘consent’ from Privacy Commissioners both state and federal, has been consistent on this point, but Australian privacy law just doesn’t get the kind of airplay that the GDPR does.
Implications for Big Data
Much of the value of Big Data is built on our digital breadcrumbs – the digital traces we leave behind as we go about our day-to-day activities like travelling to work, buying goods, using social media or searching the web.
But if an organisation does not have a sound reason for collecting those breadcrumbs – in other words, if collecting our data is not reasonably necessary for the primary purpose for which we were transacting in the first place (getting on a bus, buying a pair of shoes, chatting to our friends on Facebook) – then it might not be able to lawfully collect it at all.
It’s right up there as privacy principle number 1 here in NSW: don’t collect personal information unless you really, truly need it for your primary purpose. And yet this most fundamental of privacy principles is so often ignored.
Ultimately, the impact of this case is to place organisations everywhere on fair warning: ignore the Collection Limitation rule (known in other jurisdictions as Data Minimisation) at your peril.
The importance of Privacy by Design
For years, advocates of the idea of Privacy by Design have asserted that it is better to design privacy in from the start, and to have pro-privacy settings as the default, than to try and retro-fit a system later.
The Opal Card system design is the perfect illustration of the wisdom of that theory. As the Tribunal said in this case, the collection of the travel history data in an identifiable form was just a by-product of the system design:
“The respondent has never strongly submitted that it desires the travel history of the Gold Opal card holders, merely it would appear that this is a necessary attendant function intertwined with the technology … In some ways the movement history function … is an unintended or unnecessary functionality that the respondent has no view about. Whilst the respondent clearly argued that travel history is useful to law enforcement situations (where authorised), significantly much of that travel history involves unregistered cards which cannot (via the Opal technology alone) be matched to any individuals.”
The Opal Card system could – and should – have been designed differently from the start. (Indeed, as part of his case Mr Waters sought to bring forward evidence not only about how public transport ticketing systems work in other jurisdictions in more privacy-protective ways, but also about the political promises made years ago, early on in the Opal Card’s design that the system would allow anonymity for all passengers; and how the former NSW Privacy Commissioner’s criticisms of the later design had been ignored.)
For organisations still not convinced of the need to properly consider privacy in the design of their systems, right from the start, this case might be the wake-up call they need. Otherwise watch out: when the GDPR commences in May, organisations which offer their goods or services to (or monitor the behaviour of) people in the European Union will be subject to an updated privacy law, which requires organisations to practice ‘data protection by design’. The penalties for non-compliance are significant.
Where to next for the Opal Card system?
As mentioned above, the Tribunal found that TfNSW has to do something to “make the system compliant”. This doesn’t mean free public transport for everyone, or undermining the means by which fares are accurately deducted from Opal cards. It doesn’t mean dismantling the entire concession card system, or changing the rules about the compulsory registration of Silver and Gold cards, or giving up on enforcing rules around verifying on-going entitlements to concessions. But it does mean that TfNSW will need to re-design its processes well enough, to stop collecting the travel history data, in an identifiable form, of those customers who do not wish that data to be collected.
The key will be to irretrievably break the nexus between a card’s trip data and the identity of the card holder. If the trip data exists in complete isolation from any reasonable means of identifying who was likely using that particular card, it will no longer be ‘personal information’, and thus IPP 1 will not apply.
Without knowing exactly how the databases are constructed, I imagine that one potential solution would be to assign a new, randomly generated identifier for each card number in the ‘Opal database’, and then strip out the original card number. Such a mechanism would need to ensure that the new identifier could not be reverse-engineered back to the original card number, and that the new identifier could not be guessed or re-generated by entering the original card number (which would still held with identity details as part of the customer profile in the separate ‘PAS database’), which would rule out a simple hashing algorithm. This still would not guarantee perfect anonymity, because geolocation data is highly identifying on its own. That is, the patterns illustrated by an individual’s movements could of themselves allow disambiguation of an individual, and thus further steps such as applying differential privacy might also be needed to achieve true anonymity; but this is an existing problem even for those customers with unregistered cards.
Who this mechanism should be applied to would be the next question. If you applied it to all card holders, this would disadvantage those customers who want to be able to cancel their card and redeem its stored value if their card is damaged, lost or stolen. (Note that for those customers who wish to save and interrogate their travel history – for example, to query whether they have been charged correctly, or to claim the cost of trips that are work expenses – this can be done now even on unregistered cards simply by querying the card number.) Removing the nexus to identity for all customers would also make the data far less valuable to law enforcement; a tempting prospect for a privacy advocate, but in NSW politics unlikely to pass muster.
If you applied this mechanism only to customers who want anonymity, then the question is which setting should be the default. Should having your travel history recorded in an identifiable form be opt-in or opt-out? If the collection was to be based on consent, I would say it would have to be opt-in. But given that ‘consent’ is not a way of avoiding IPP 1’s requirements that the collection be ‘reasonably necessary’ for a lawful purpose, what is instead needed is a framing of the purpose of collecting travel history data, to give it a purpose, as distinct from collecting the identity-related and concession-entitlement data.
If you frame the rationale for collecting trip data in an identifiable form as ‘to provide an added-value service to customers at their own choice’, then the collection could be argued as ‘reasonably necessary’, but only for those customers who want their movements tracked. (If you frame it as ‘because we want to create a surveillance state in which the Government can tell where everybody is’ … well, then you might have less of a problem with the ‘reasonably necessary’ part of IPP 1, but suddenly run into problems with the ‘lawful purpose that is directly related to a function or activity of the agency’ part of IPP 1. Not to mention some potential public push-back.)
My view is that passengers entitled to a concession fare should be entitled to the same choice as full-fare-paying customers already enjoy, which is being able choose anonymity. The most privacy-protective stance would be to design the system to be opt-in, with no data collection about travel history (in an identifiable form) as the default setting.
Offering all passengers, no matter how much they pay for their public transport, the option to travel about this fair city without an arm of Government knowing where they are is what the Government originally said it would do. It’s what the Privacy Commissioner told them to do. And now, thanks to one unrepresented but determined senior citizen, it’s what the Tribunal has said they must do, in order to comply with the law.
I look forward to Transport for NSW now just getting on with it.
* A few days after I first wrote this blog, the published Tribunal case was de-anonymised. Where the complainant had previously been known simply as ‘CNS’, which was the name I used in the original version of this blog, on 12 March the Tribunal altered the judgment, at the request of the complainant, to show his real name. On 13 March I edited this blog to reflect that change. Nigel Waters is a long-time privacy advocate and privacy professional.
Photograph (c) Anna Johnston