myki Privacy Policy This privacy policy relates specifically to the myki ticketing system. In addition, PTV has a general privacy policy (which covers handing of personal information in contexts other than myki). Both policies are available on PTV s website (www.ptv.vic.gov.au) and in hard copy, on request. Privacy issues and myki PTV recognises that under the myki ticketing system, PTV is the custodian of personal information relating to individuals who travel using myki. PTV is committed to respecting the privacy of customers. As well as complying with applicable laws, PTV seeks to give customers choice and control over the way their personal information is collected and used. The myki ticketing system is delivered on PTV s behalf by third party contractors. PTV ensures that arrangements with these contractors include appropriate privacy obligations. PTV also takes responsibility for trying to resolve any privacy complaints that involve the actions of its contractors. Collection of personal information PTV collects personal information necessary for the operation of the ticketing system, for dealing with enquiries or complaints related to ticketing and for marketing or promotions related to ticketing and public transport. Personal information may be collected via forms, the website, the call centre, a PTV Hub customer service centre or through myki retailers or devices. The personal information that PTV collects under the myki ticketing system is also collected for the purposes of other public transport authorities the Department and contractors, agents and delegates of the Department and PTV, including public transport operators. This is in effect a joint collection. The Department is also subject to the Privacy and Data Protection Act, but is separately responsible for compliance and its policies may not be the same as PTV s. PTV collects only as much personal information as is necessary for the operation of the myki ticketing system, and allows customers to transact anonymously where practicable. No personal information is collected from customers who buy or use myki cards unless they choose to register their myki, or they are in one of the concession categories where registration is required. However, some information may be required about the method of payment and/or delivery of the myki. Personal information is only held for as long as it is required for operational purposes, or as required by law. Once the information is no longer needed for customer service or legal reasons, it will be irreversibly de-identified (by having any personally identifying information removed). This de-identified information may then be used, indefinitely, for transport planning purposes. Collection of health information In some instances, PTV s functions of administering travel passes may involve collection of health information. Such information is collected with express consent of the customer, for the purpose of processing and managing applications for specific travel passes. This information is stored separately from the myki ticketing system information (travel history, payments, etc.). Data quality PTV has an operational interest in any information it holds being accurate, complete and up to date and this coincides with its responsibilities under IPP3 (Data quality). PTV seeks to ensure that it meets the data quality principle in four ways: Ref: DOC/14/35146 Page 1 of 8
by collecting personal information about its customers primarily directly from them, and only from third parties with the customer s knowledge by encouraging myki customers to keep their personal details up to date, offering easy update options through the call centre, PTV Hub customer service centres and website through technical standards for the operation of ticketing and other computer systems that collect and process information about travel, other transactions and payments by ensuring that individuals are able to access and correct the personal information that PTV holds about them on request. Where PTV obtains personal information from third parties (e.g. information about eligibility for concessions from source agencies), the relevant agreements with these third parties will specifically address data quality issues (see also Concession myki on page 4). Information in the myki ticketing system Each myki smartcard has a number, referred to as the Primary Account Number (PAN). This number in itself does not convey any information about the myki customer. The PAN is stored on the myki smartcard chip and is also printed on the myki smartcard. It is used in routine communications with customers, such as through the call centre. For myki ticketing system purposes, details of the transactions performed with each myki smartcard will be contained in a central card usage database. Information on the use of myki smartcards is uploaded periodically to the central card usage database. This information is retained in a way that can be linked to the customer (if registered) for as long as it is reasonably needed to answer queries from the customer, to reconcile any payments involving other retail agents (merchants) and for legal reasons. Some information is required by law to be kept for up to seven years. A cardholder (registered or unregistered) can check their recent myki usage data by presenting their card at a stand-alone enquiry machine (called a myki check ) and myki vending machines. Some retail agents (or partners) are contracted under the myki ticketing system to provide customer service functions at the cardholder s request (including viewing and / or printing the myki card usage data and balance details if requested by the customer). Privacy protection in the myki ticketing system Privacy protection is provided either as a design feature or incidentally by the following features of the myki ticketing system. This list is a summary only; detailed explanations are available in later sections. Unregistered myki cards are available for most customers. (Eligibility for some types of concessions does require registration.) Customers have the option of holding multiple myki smartcards. Limited personal non-identifying information is required to be stored on the myki smartcard chip, for example, a code indicating the customer s entitlement to concession discounts ((for example, for student or senior concession) so that the correct concession fare is calculated. The usage data stored temporarily on the card includes a short transaction history (i.e. touchon/off data, or top-up transactions). Registration details and payment details are kept in separate databases, with limits and conditions on linkage. Holders of full fare and most concession myki smartcards may choose to register their myki and have their name printed on the myki smartcard at the time they apply. (Some personalisation requirements are mandatory for specific concession customers.) Ref: DOC/14/35146 Page 2 of 8
There are limits on who can access the information on the myki smartcard chips, how they can access it, when, and for what purpose. Database access is auditable and traceable. The system allows for specified data retention periods. Unregistered myki If a customer chooses not to register their myki, the system will still retain usage data (eg trips taken and payment history), linked to the myki card number (the card s PAN). This is not personal information as PTV does not have the ability to link it to an individual. PTV will not provide myki usage data to unregistered card holders as PTV is not able to confirm the individual s identity and ensure the information is only released to the rightful card holder. PTV may provide usage data from an unregistered myki to law enforcement agencies, where this is appropriate and permitted under privacy laws. This may include travel history and payment records, but will not include any personal information. Registered myki PTV promotes the benefits of registration to potential customers. For example, registration gives a customer the ability to use auto top-up and the security of balance protection if the card is reported as lost or stolen. Customers who register their myki need to provide a name, postal address and phone number (provision of email address is required if registering your myki via the myki website). myki customers choosing to register full fare, seniors, concession (general) or child myki smartcards can nominate to have their name printed on the face of their myki smartcard when applying (a nominal fee may apply). Registration and printing of a name and a photo (in some cases, a name only) is mandatory for some myki concession customers. Registered myki customers are allocated an account number in the Customer Relationship Management database. The account number is used for administrative purposes only and is not used in routine communications with customers. Registered myki smartcard usage data is treated as personal information and as such the usage data will be managed as per the guidelines of the Privacy and Data Protection Act, even though the personal details will be held in a separate Customer Relationship Management database as PTV will have the ability to link them via the myki smartcard number. Registered account holders wishing to check the usage data for a myki in their account can do this by logging into their myki website account or by contacting the call centre. Registered account holders contacting the call centre will be required to confirm their identification. Identity is verified for outbound calls. When contacting a registered account holder the call centre asks the card holder a series of questions to confirm their identity. myki customers personal information may be used for purposes related to ticketing and transport services (e.g. informing customers of myki payment options, or transport service updates). Personal information may be used for non-transport-related marketing; however customers are given the choice of opting-out of receiving any such material. Even if personal information were used for such purposes, it would not be disclosed to commercial organisations. Ref: DOC/14/35146 Page 3 of 8
Concession myki The distinction between different categories of concession entitlement are electronically encoded on the myki smartcard chip, and some have a visually distinctive design showing the specific type of concession entitlement, such as a name and/or, photo (e.g. child myki or free travel pass myki cards). These design distinctions are required for both administrative and enforcement purposes. When concession customers pass through gates on the public transport network, a distinctive light showing up on the device may indicate their concession status. Disclosure of information about the myki customer as a consequence of the everyday use of the myki smartcard is therefore limited. Some concession myki smartcards have a photograph of the cardholder printed on the face of the smartcard to aid checks by authorised officers and assist in preventing misuse of the entitlement to concession travel. Where a photograph is required, no details of the photo or image are recorded on the myki smartcard chip. No copy or record of the image is kept once the myki smartcard is printed, unless the customer has expressly requested that an additional photo is stored in the myki ticketing system back office. Photos for free travel pass myki cardholders and student concession cardholders are managed (and retained) by the PTV Hub in accordance with the PTV Privacy Policy and/or by Metro or V/Line in accordance with their respective privacy policies. Use and disclosure of personal information All use and disclosure of personal information by PTV will be in accordance with the Privacy and Data Protection Act, particularly IPP2 (Use and disclosure of personal information). Public transport operators will handle some personal information for processing concession applications and for enforcement and complaint resolution. Public transport operators may also obtain aggregate (de-identified) information from PTV for planning and management purposes. Ticketing enforcement PTV is not responsible for enforcing ticketing compliance or managing public transport fare evasion. This is a function established by the Transport Act and Regulations under that Act and is the operational responsibility of the Department. Using a hand held device, Authorised Officers are able to read the myki money balance, myki pass status, concession status and recent transaction history from a smartcard. If required, they can combine this information with personal details obtained directly from the cardholder in support of the generation of a report of non-compliance (to be provided to the Department for further action). The Department, not PTV, is responsible for issuing infringement notices. The Department has access to PTV s registration and smartcard history databases in order to investigate or prosecute alleged offences under the Transport Act or Regulations. This falls within the exceptions to IPP2 related to investigation and prosecution of criminal offences. Access by other third parties Apart from disclosures connected with administration of public transport and Transport Act enforcement, PTV only provides personal information about myki customers to other third parties, including law enforcement agencies, in the following circumstances (which are all in accordance with privacy law and IPP2): where PTV is required to do so by law, for example, in response to a warrant or subpoena Ref: DOC/14/35146 Page 4 of 8
where PTV reasonably believes that the disclosure is necessary to lessen or prevent a serious and imminent threat to the life, health, safety or welfare or a serious threat to public health, safety or welfare where disclosure is necessary for the purposes of complaint handling, such as disclosure to the Public Transport Ombudsman or the Commissioner for Privacy and Data Protection. where the disclosure is requested in writing by the individual concerned where an authorised police officer certifies in writing that the disclosure is reasonably necessary for the prevention, detection, investigation, prosecution or punishment of criminal offences or breaches of law imposing a penalty or sanction in connection with investigating or reporting suspected unlawful activity detected by PTV or its contractors in exceptional circumstances to intelligence agencies; the Australian Security Intelligence Organisation (ASIO) or the Australian Secret Intelligence Service (ASIS). PTV has myki - PTV guidelines for disclosure of personal information to law enforcement bodies. These guidelines set out both the detailed criteria and the procedures for disclosure of personal information by PTV and its contractors or agents to third parties for purposes other than myki ticketing system operations or enforcement of the Transport Act. These guidelines apply the requirements of privacy law to any disclosure of personal information. Disclosure outside Victoria It is very unlikely that PTV will disclose any personal information to someone outside Victoria except to individuals who wish to access their own personal information or law enforcement agencies as discussed above. If this is required at any time, PTV will ensure that it meets the additional requirements of IPP9 (Transborder data flows). Data Security and Destruction Irrespective of whether your Personal Information or Health Information is stored electronically or in hard copy form, PTV will take reasonable steps to protect it from misuse and loss and unauthorised access, modification or disclosure. PTV will also take reasonable steps to destroy or permanently de-identify your Personal Information or Health Information if it is no longer needed for the purpose (or a related purpose) for which it was initially collected, unless, in the case of Personal Information, it is subject to the Public Records Act 1973, in which case it will be retained or disposed of in accordance with that legislation. Access and correction PTV will take reasonable steps to ensure that Personal Information we collect is accurate, complete and up to date. Registered myki customers can update their information either online or contacting the call centre. Access by an individual to all personal information about them held by PTV is available on request free of charge, subject to appropriate evidence of identity and to certain exceptions set out in the Privacy and Data Protection Act and Freedom of Information Act. PTV reserves the right to make a reasonable charge for routine provision of information, such as regular account statements. For further information, contact the PTV call centre on 1800 800 007. Ref: DOC/14/35146 Page 5 of 8
Complaints If a person believes that their Personal or Health Information has been collected or used by PTV in a manner contrary to privacy law, they may contact PTV Information Privacy Officer. PTV Information Privacy Officer PO Box 4724 Melbourne VIC 3001. Telephone: 1800 800 007. Email: ptvprivacy@ptv.vic.gov.au Complaints about any use of a person s Health Information which is believed to be contrary to the Health Records Act 2001 (Vic) can be made with the Health Services Commissioner. Information for submitting complaints in respect of Health Information is available at www.health.vic.gov.au/hsc. Health Services Commissioner Level 26 570 Bourke Street Melbourne VIC 3000 Telephone: 1300 582 113 Facsimile: (03) 9032 3111 Email: hsc@health.vic.gov.au People can also contact the Victorian Commissioner for Privacy and Data Protection for more information or to raise certain complaints about privacy matters and regulation in Victoria. Privacy and Data Protection Victoria Level 6 121 Exhibition Street Melbourne Victoria 3000 GPO Box 5057 Melbourne VIC 3001 Telephone: 1300 666 444 Facsimile: 1300 666 445 Email: enquiries@privacy.vic.gov.au Ref: DOC/14/35146 Page 6 of 8
Glossary and abbreviations Note: the definitions below are provided with a view to understanding terms used in this privacy policy. For legal purposes (including ticketing enforcement), definitions in the Victorian Fares and Ticketing Manual (myki) apply. Term account holder authorised officer auto top-up back office cardholder central card usage database concession myki customer Customer Relationship Management database Department fare payment device Fares and Ticketing Manual (myki) Freedom of Information Act Free travel pass hand held device Definition The person who has applied to manage one or more myki cards, which will be registered under their name; an account holder may or may not be a cardholder. For the purpose of section 221A and 221AB of the Transport (Compliance and Miscellaneous) Act 1983 (Vic) and the Regulations, an authorised officer is a person responsible for providing customer service, checking tickets and reporting fare evasion offences to the Department of Transport, Planning and Local Infrastructure. The automatic loading of value to a myki based on pre-conditions specified by the customer; the funds will be automatically debited from the customer s nominated bank account or credit card. The central location from which the myki ticketing system data is managed. Means in the case of an unregistered myki card, the person to whom a myki card is issued or who otherwise acquires a myki card and for a registered myki card, a person nominated as the cardholder by the account holder. This is the Transport Payment Processing System database containing all card usage data for operation of the myki ticketing system. A long-life smartcard programmed with the relevant concession entitlement permitting the purchase of a myki pass or use of myki money at discounted concession rates; some concession myki cards will be registered and personalised, with a name and a photo or a name only. A passenger who holds a valid myki. A database which records and updates customer profile information for NTS customers. Department of Transport, Planning and Local Infrastructure. Device to which myki cards are presented on the start and end of a trip (or portion of a trip) to touch on and touch off. The device calculates and deducts the correct fare for travel on the myki. The Victorian Fares and Ticketing Manual (myki) (available via www.ptv.vic.gov.au; see the fares & tickets section). Freedom of Information Act 1982 (Vic). Refer to the Victorian Fares and Ticketing Manual (myki) for information. Portable device used to read myki cards for information, load value to myki cards. IPP (Information Privacy Principle) myki money myki pass IPPs are ten privacy principles established under the Privacy and Data Protection Act, which form the basis of managing personal information. These are IPP1: Collection of personal information, IPP2: Use and disclosure of personal information, IPP3: Data quality, IPP4: Data security, IPP5: Openness, IPP6: Access and correction, IPP7: Unique identifiers, IPP8: Anonymity, IPP9: Transborder data flows, IPP10: Sensitive information. Electronic/stored value balance held on a myki, for use as defined by PTV. Periodical product which can be loaded by the customer onto their myki for specific zones and a Ref: DOC/14/35146 Page 7 of 8
myki smartcard number PAN personal information personalisation Privacy and Data Protection Act privacy law PTV registration retail agent/partner source agencies touch-off touch-on chosen number of days required for travel. An identification number, known as the primary account number (PAN) attributed to each myki, uniquely identifying each myki smartcard. Primary account number. As defined in the Privacy and Data Protection Act. The physical personalisation of a myki, involving adding a cardholder s photo and/or cardholder s name. Privacy and Data Protection Act 2014 (Vic). The Privacy and Data Protection Act and the IPPs; and the Health Records Act 2001 (Vic) and the Health Privacy Principles set out in that Act. Public Transport Victoria, the operating name of the Public Transport Development Authority. The process by which a myki is linked to an identifiable customer (account holder and cardholder). Individual retail agents or retail partners will provide an identifiable retail network across Victoria, to support implementation of the myki ticketing system. An agency that provides relevant customer data to PTV for the purposes of verifying a person s concession entitlement. The presentation of a myki to a fare payment device at the end of a journey or section of a journey when exiting a mode of transport or the public transport network. The presentation of a myki to a fare payment device at the start of a journey or section of a journey (e.g. when passing through gates to enter a station platform or when boarding a tram or bus). Transport Act Transport (Compliance and Miscellaneous) Act 1983. usage data website Data related to the use of a myki smartcard and stored in myki ticketing system back-office databases (e.g. data regarding purchasing, top-ups, touch-ons). References to the website are to www.ptv.vic.gov.au. Ref: DOC/14/35146 Page 8 of 8