A NSW tribunal has found that the state's Opal card, a contactless smart card used on public transport, breaches the privacy of pensioners.
Nigel Waters of the Australian Privacy Foundation brought a legal case against Transport for NSW (TfNSW) in 2016, seeking the ability to travel anonymously. Waters argued that as a user of a gold Opal card, he should have the option to travel with the card without his travel movements being linked to his identity.
Unlike standard Adult Opal cards, it is mandatory for users of the gold Opal for pensioners and silver Opal for concessions to be registered online and have their card linked to identifiable information such as name and address. TfNSW has said that this decision was made to help manage cases of individuals who fraudulently claim a concession.
After two years, the NSW Civil and Administrative Tribunal (NCAT) ruled in favour of Waters last month, saying the design of the Opal card system breaches privacy obligations of NSW law. It agreed that travel information is not reasonably necessary and that Opal card users should have the option of using an unregistered card.
NCAT also pointed towards Queensland, Victoria, and Hong Kong's ticketing systems as a means for NSW to ensure the Opal system complies with the state's Privacy and Personal Information Protection (PPIP) Act 1998.
"This is a big win for privacy rights in NSW," said Waters. "It clearly raises the bar for all NSW government agencies to apply 'privacy by design' principles to complex new data-driven systems."
The Australian Privacy Foundation has now called on Transport for NSW to disconnect identity details from travel records "so all residents in NSW have their privacy rights respected".
"You shouldn't have to put up with being potentially spied on as you travel just because you verify your eligibility for a concession," said David Vaile, chair of the foundation.
Opal requires commuters to "tap on" when beginning a trip via bus, train, light rail, and ferry, and "tap off" when they reach their destination on services in Sydney and surrounding suburbs.
Registered Opal cards provide an "activity statement" that displays travel data including location and top-up amounts over the last 18 months. TfNSW says on its website that this is used to monitor the user's travel history and check business travel history "for tax purposes".
The NCAT ruling could have a big impact on the way an organisation collects and uses personal data, especially in the "age of big data", according to Salinger Privacy's Anna Johnston.
"When the GDPR commences in May, organisations which offer their goods or services to (or monitor the behaviour of) people in the European Union will be subject to an updated privacy law, which requires organisations to practice 'data protection by design'," she said.
"Much of the value of big data is built on our digital breadcrumbs -- the digital traces we leave behind as we go about our day-to-day activities like travelling to work, buying goods, using social media or searching the web.
"But if an organisation does not have a sound reason for collecting those breadcrumbs -- in other words, if collecting our data is not reasonably necessary for the primary purpose for which we were transacting in the first place (getting on a bus, buying a pair of shoes, chatting to our friends on Facebook) -- then it might not be able to lawfully collect it at all."
TfNSW has also been embroiled in a legal battle with a biohacker called Meow-Ludo Disco Gamma Meow-Meow. In 2017, Meow-Meow embedded the chip from an Opal card into his hand so he could wave his hand to pay a fare.