It seems every week we’re learning of a new online privacy breach. The latest (as I write this) is the ‘accidental’ release of Myki user travel data. The Victorian Department of Transport released over 18 billion records relating to travel by more than 15 million users on public transport in Victoria over a three-year period, believing that they had anonymised the data sufficiently to protect people’s privacy.
Sadly, this proved not to be the case: researchers were able to identify not only themselves from the data, but also a number of individuals unknown to them, including a sitting Victorian state politician. These people were identified by combining the data in the release with other public data — in the case of the Victorian politician, tweets he had sent whilst on public transport.
The Victorian Information Commissioner raised concerns, stating that he believes that public transport data should be well protected.
But it seems the only thing worse than a data breach is a responsible party who denies they’ve done the wrong thing. In this case, the Victorian Department of Transport believes it did nothing wrong, and that the dataset didn’t contain personal information. It seems, at best, that the concept of ‘personal information’ needs better definition, and at worst, that the Department has been negligent in their care of data.
This could, if they don’t enact required changes to their data management processes and policies, land them with a $495,000 fine from the Office of the Victorian Information Commissioner.
Whilst this is a massive breach, it’s far from the only one that has happened recently… and even small breaches can result in significant fines being issued by relevant government agencies. If you’re responsible for managing personal data, I urge you to consider attending our Privacy Breakfast Briefing in October — you’ll hear from experts in the field on what your obligations are, and how to ensure that you’re meeting them.