Skip to main content
Skip to secondary navigation
Menu
Australian Government - Office of the Australian Information Commissioner - Home

Public Transport Systems: MyWay audit

Territory and Municipal Services Directorate

Final audit report
Information privacy principles audit
Section 27(1)(h) Privacy Act 1988

Audit undertaken: February 2012
Draft report issued: October 2012
Final report issued: June 2013

Part 1 — Introduction

Background

1.1 A Memorandum of Understanding (MoU) exists between the Commonwealth of Australia and the Australian Capital Territory (ACT) Government for the provision of privacy services in relation to ACT Government Agencies.

1.2 In accordance with the MoU, the Office of the Australian Information Commissioner (the OAIC) conducted an audit under section 27(1)(h) of the Privacy Act 1988 (Cth) (Privacy Act) of the MyWay section (MyWay) of Public Transport Systems (PTS). PTS forms part of the ACT Territory and Municipal Services' Directorate (ACT TAMS).

Back to Contents

Part 2 — Description of audit

Purpose

2.1 The purpose of the audit was to assess whether ACT TAMS is maintaining its records of personal information in accordance with the Information Privacy Principles (IPPs) contained in section 14 of the Privacy Act. Specifically, the audit involved an appraisal of MyWay's policies and processes in handling personal information with the introduction of its new stored value travel card. The term 'stored value card' generally refers to a card on which funds or data are physically stored. This differs from a prepaid debit card (PDC) in that PDCs are usually issued in the name of the individual account holder, whereas stored value cards are generally anonymous in nature.

Overview

2.2 TAMS is responsible for the management and maintenance of public bus services in the ACT, specifically ACTION bus services.

2.3 In March 2011, ACT TAMS introduced the MyWay Travel Card (MWTC), for ACTION buses. The card operates as a bus ticket, which may be 'topped up' by using BPAY, paying via credit card online/by telephone, or by attending a MyWay recharge agent shopfront.[1]

2.4 MyWay cards can be ordered online on the MyWay website, or purchased from MyWay Recharge Agents,[2] Canberra Connect Shopfronts[3] and MyWay Centres.

2.5 One of the features of the stored value card is the user's ability to register the card. Registration can be completed online, over the phone or in person. This involves an application process where users disclose specified categories of personal information.

2.6 For standard adult users (standard users), the registration process is optional and users who do not register are not identifiable. However for users holding a concession status, such as students, seniors and income support recipients, registration of their MWTC is mandatory.

Scope

2.7 The scope of this audit is limited to MyWay's handling of personal information where users may be identifiable; that is for registered users of the MWTC.

2.8 As such, this audit focussed on:

  • the MWTC registration process and MyWay's collection of user information as part of this process
  • policy and procedures governing MyWay's handling of user information
  • collection and handling of user information by third party agents
  • access and use by third parties, of personal information held by MyWay
  • general record keeping by MyWay.

Timing and location

2.9 The auditors conducted the audit on 23 and 24 February 2012, at the MyWay Business Systems office (MyWay office), located corner of Cohen and Nettlefold streets, Belconnen ACT 2617.

Information obtained during the audit

2.10 MyWay provided the following documents, prior to the commencement of the audit:

  • MyWay's current organisational chart
  • Standard Operating Procedure (SOP) documents relating to MyWay transaction processes used within the business unit and by third party agents
  • MyWay System architecture design
  • A customer link to privacy information which was available at the time of the audit on the MyWay website. These customer links have since been de-commissioned by MyWay and replaced with an updated site.[4]

Opinion

2.11 The auditors' observed that MyWay generally maintained its records of personal information according to IPPs in the Privacy Act.

2.12 However, the auditors identified certain privacy risks in the maintenance of records of personal information under the IPPs. The OAIC has therefore provided recommendations to assist MyWay in addressing these risks.

2.13 In addition, the auditors have offered a number of best privacy practice suggestions surrounding the handling of user information generally, to support MyWay in meeting its privacy obligations at the highest level.

Follow up review

2.14 A follow up review may be undertaken after six months has elapsed from the date of the final report or as indicated by the Assistant Commissioner, Regulation and Strategy.

Reporting

2.15 Final reports of audits of ACT, Australian and Norfolk Island government agencies commenced after 1 July 2002 are generally published on the Office of the Australian Information Commissioner's website, available at www.oaic.gov.au.

2.16 Information Privacy Principle audit findings and recommendations that are considered relevant to good privacy practice across the public sector are also generally discussed in our annual report.

Back to Contents

Part 3 — Audit issues

The following findings and best privacy practice suggestions relate to the auditors' consideration of MyWay's handling of user information at the time of the audit, in accordance with the Privacy Act.

The IPPs are produced in full in Appendix A.

IPPs 1–3 Issues: Collection of personal information

IPP 1 provides that personal information shall not be collected unless the collection is for a lawful purpose directly related to the collector's functions and activities and necessary or directly related to that purpose.

IPP 2 provides that, where a collector solicits and collects personal information directly from an individual, it must inform the individual of the purpose of collection, any legal authorisation or requirement for the collection, and any person, body or agency to which it usually discloses that information.

IPP 3 provides that, where a collector solicits and collects personal information generally it must take steps reasonable in the circumstances to ensure that, having regard to the purpose for which the information is collected, the information is relevant to that purpose, up to date and complete, and that the collection does not intrude to an unreasonable extent on the individuals' personal affairs.

Observations

Physical collection processes (registration)

3.1 MyWay collects identifying and other information, as part of its registration process via a number of different channels.

MyWay Centres

3.2 All users may register in person at either of the two MyWay Centres located in Belconnen or the City Centre. Registration is optional for standard users, but mandatory for concession holders such as students, seniors and income support (Centrelink benefit) recipients.

3.3 At the time of the audit, MyWay's Privacy Policy outlined:

  • how MyWay collects customer information
  • how MyWay will use and disclose customer information
  • to whom MyWay makes disclosures of customer information
  • MyWay's handling practices when updating customer information and when individuals visit the MyWay website
  • security practices.
Third party agents

3.4 MyWay also works in collaboration with third party agents, which operate as collection points for user registration information. These collection points include:

  • Canberra Connect shopfronts, for all registrants except students of participating high schools and colleges
  • ACT public libraries and Council on the Ageing (COTA), for ACT seniors
  • tertiary agents on University of Canberra (UC) and Australia National University (ANU) campuses for attending students
  • various recharge agents.

3.5 At audit, MyWay informed auditors that hard copy forms collected by third parties are collected on a weekly basis by an ACT Government courier service and delivered to the MyWay office. Once there, the forms are processed and relevant data is entered into MyWay's SmarTrack system. As such, while there is a temporary collection of hard copy data by third party agents, no personal information appears to be stored by them for more than a week. Forms are dropped off at the MyWay office at 9.30am daily.

3.6 This process does not apply to:

  • COTA, which collects and stores seniors information after co-branded seniors/MWTCs are issued. MyWay outlets and ACT public libraries act as collection points for seniors information, which is then sent on to COTA via internal mail
  • five participating high schools/colleges, namely Daramalan College, Marist College, Canberra High School, Gungahlin College and Covenant College, which operate as autonomous MWTC registration providers. Details of the participating schools' collection processes are discussed in this section under the 'Concession users - Students' subheading.

Virtual collection processes

Online registration

3.7 In addition to registering in person, standard users have the option to register online and most students can register their initial applications online.

3.8 MyWay uploads customer information to blank cards supplied by Western Australian company Monitor WA. Monitor WA handles this personal information for the purpose of uploading customer data to the SmarTrack system.

3.9 Monitor WA has contractual obligations in line with the ACT Government privacy statement.

3.10 The personal information collected by MyWay is uploaded to MyWay's 'SmarTrack' system, while de-identified commuter information is uploaded to its 'Merit' database for statistical analysis.

3.11 Downer EDI is the systems administrator, which hosts MyWay's SmarTrack and Merit data servers. These servers are located in Sydney, while EDI support is stationed in Perth. MyWay informed auditors that as a contracted service provider (CSP), Downer EDI is aware that any data held by them is ACT Government property. The SmarTrack and Merit systems are discussed in more detail under the 'Storage and Security ' section of this audit report.

Smartcard readers

3.12 All ACTION buses are fitted with Smartcard readers which allow passengers to 'tag on' and 'tag off' using their MWTCs.

3.13 Information from these readers is electronically transferred to SmarTrack and Merit databases. MyWay advised auditors that buses communicate wirelessly and download the information collected, between 12.30am and 4am daily.

3.14 Only relevant information is collected by each database, for example:

  • information such as the customer registration number, funds available on the card and tag on/tag off data (i.e., time and geographical data) is communicated to the SmarTrack system
  • de-identified travel information such as loading distribution and tag-on/tag-off location data, is communicated to the Merit database.

Registering a MyWay travel card

Standard users

3.15 For standard users, information collected as part of the initial registration process includes:

  • given and family names
  • full address
  • date of birth
  • card number.

The registrant is also asked to supply a secret question and answer, for use as a password for security purposes. They may provide a contact phone number, but are not obliged to do so.

3.16 The application form for standard users also includes:

  • a tick box directing applicants to view MyWay's Privacy Policy
  • a notice statement addressing the requirements of IPP 2 ('privacy notice A'[5])
Concession users

3.17 In addition to the personal information collected from a standard user, concession holders must also provide information relevant to their concessional status. This ensures that ACTION buses is not penalised as a result of the discounted rate of the fare and can recover the shortfall from the relevant government area.

3.18 The auditors were informed that MyWay's processes differ for each separate concession holder category. Consequently, this audit report will separately address the collection processes for each category. These categories are students, seniors and benefit/ pension recipients ('other concession holders')

Students
Primary and High School Students

3.19 MyWay informed auditors that students aged 15 years and older are required to provide identification supporting their full-time student status, failing which they are charged full fare on ACTION buses.

3.20 For the purposes of obtaining a concession status, however, all ACT based students using an MWTC must register their details with MyWay.

3.21 Students visiting from interstate may also register their details with MyWay and obtain a student concession MWTC. The expiry date for these cards is set at 31 March of the year following activation.

3.22 Information collected when registering a student concession MWTC, includes, in addition to standard user information:

  • the student's educational institution
  • student ID number

3.23 At the time of the audit, the ACT Government Transport for Canberra webpage stated that processes for applying for a student (primary or high school) MyWay card included:

  • attending a MyWay Centre or recharge agent, or
  • completing a student application form online.

3.24 At the time of the audit, hard copy application forms for primary and high school students could be downloaded from the former MyWay website and submitted in person. The auditors noted:

  • these forms included a Parental Declaration and Consent box
  • the form clearly advised applicants that all concession MyWay cards must be registered and sought a password from these applicants, for registration purposes
  • however, the hard copy form did not appear to meet MyWay's notice obligations under IPP 2, nor did it refer applicants to MyWay's Privacy Policy as an alternative
  • there was no age threshold listed on this form, however the form did specify use by primary/secondary students. Further, MyWay advised auditors that the provision of a student concession status is linked to school attendance and possession of a student ID, rather than age requirements.

3.25 Third party agents involved in the collection of hard copy forms may request to sight the student's ID card as proof of concession status.

3.26 School students could also apply for their student MWTC online at the time of the audit.

3.27 The audits noted that MyWay's online form did not include a Parental Declaration and Consent box. Further, the online form did not include a notification advising applicants that registration of their concession MyWay card is mandatory.

3.28 The auditors noted, however, that the online application form for a student concession MWTC did provide applicants with an IPP 2 notice statement ('privacy notice A' as recorded above).

3.29 The online application form also included a tick box which prompts applicants to read MyWay's Privacy Policy.

3.30 The five participating high schools and colleges (participating schools) issue a co-branded student/MWTC to their students with a photograph. Each student must nominate a parent or guardian to provide relevant information. Each school manages the images it collects within IDCapture and transfers the data direct to Monitor WA. A parental consent must be signed for each student.

3.31 As outlined above, auditors were advised that Monitor WA has contractual obligations in line with the ACT Government privacy statement.

3.32 Auditors were also informed at audit that MyWay's current MoU with participating schools is silent on the issue of privacy. This raised potential issues surrounding these schools' notice requirements when collecting personal information and uncertainty as to whether any notice provided reflected MyWay's own privacy policy.

3.33 MyWay informed auditors that all students of participating schools are currently advised to contact their school, should they wish to apply for an MWTC.

Tertiary students

3.34 MyWay advised auditors that student concession cards are available to tertiary students, either:

  • through a tertiary agent located at the University of Canberra or the Australian National University
  • by attending a MyWay Centre
  • by completing an online tertiary student application form.

3.35 The online form for student concession MWTCs may be used by primary, secondary and tertiary students.

3.36 The hard copy application form for tertiary students could be downloaded from the MyWay website at the time of the audit and submitted in person, however this form is only required from tertiary students who do not possess a current valid photographic student ID card. Students who have a full time student ID card need not complete this form.

3.37 This form differs from the online form in that it requests additional data from tertiary students, such as:

  • evidence of enrolment, including having the student's educational institution date, sign and stamp the document and provide a course completion date
  • a passport size photograph and a certified copy of photo ID, such as a driver's licence or passport.

3.38 The tertiary 'hard copy' form does not:

  • advise applicants that registration of their concession MWTC is mandatory, nor does it seek a password for this purpose
  • provide tertiary students with an IPP 2 notice about the collection of their personal information
  • prompt applicants to read MyWay's Privacy Policy.
Seniors

3.39 MyWay advised auditors that ACT based seniors over the age of 60 are eligible for a reduced rate MWTC. ACT seniors aged 75 and over receive free travel privileges, however the over 75s 'Gold card' is not categorised as an MWTC.

3.40 Auditors were informed that until the MWTC was introduced, seniors were issued Seniors Cards by the Council of the Ageing (COTA); however, MyWay and COTA were collaborating to provide seniors with a co-branded Seniors/ MWTC.

3.41 MyWay informed auditors that in order to receive a new co-branded MyWay/ Seniors card, users must complete an application form and provide, in addition to the standard user information:

  • proof of ACT residence
  • proof of age.

3.42 According to MyWay's former website, ACT residents with existing Seniors Cards could exchange them for a Seniors/MWTC by visiting COTA, any one of the ACT Public Libraries, Canberra Connect Shopfronts and MyWay Centres. This also required completion of a seniors MyWay application form.

3.43 Auditors note that while MyWay SOP documents MW-0013 and MW-0014 refer to an 'application for a Seniors MyWay card', the form was not available on the former MyWay website as this process is managed by COTA. Consequently, the OAIC has not considered the contents of this application form.

Interstate seniors

3.44 Auditors did note however, that a 'hard copy' application form allowing interstate seniors to apply for an MWTC was available on MyWay's former website. This form could be lodged by applicants at one of the MyWay Centres, where in addition to collecting standard user information, applicants were also required to provide:

  • identification (form not specified)
  • an interstate seniors card.

3.45 The interstate seniors application form also included:

  • a customer declaration and consent section where interstate seniors sign a declaration confirming they hold a valid interstate seniors card and that they understand the reasons for registration and consent to the use of their personal information
  • a 'privacy notice' section (privacy notice B[6]), drafted to address MyWay's IPP 2 notice requirements
  • the interstate seniors form did not require a password from applicants for registration purposes.
Other concession users

3.46 At the time of the audit MyWay concession cards were also available to other concession holders, such as:

  • Pensioner Concession card holders (Centrelink and DVA)
  • Health Care card holders (Centrelink)
  • Gold Card holders (DVA).

3.47 When completing the application for a concession MyWay card, the applicant was required to provide the standard user information, as well as:

  • a customer reference number (CRN)
  • concession entitlement category (e.g., health care, aged pension)
  • concession entitlement expiry date.

3.48 A 'hard copy' application form for a Concession MyWay card was available on MyWay's former website. This form:

  • did not include an IPP 2 notice section or refer applicants to MyWay's Privacy Policy
  • did not require any form of identification from the applicant except concession information
  • did seek a password from the applicant for the purpose of registration, but did not inform users that registration is mandatory.

3.49 Auditors also note that this application form sought consent from customers to have their data matched with Centrelink/DVA records as required, to confirm that the status of their concession entitlement was current (i.e. not expired or falsified).

Collection — financial transactions and customer service matters

Financial transactions

3.50 MyWay may collect financial information for the purpose of enabling users to add funds to their MWTC.

3.51 Users must add funds to their MWTC before they can use them. There are various ways to achieve this, for example funds can be paid:

  • in person
  • by telephone
  • online
  • using BPAY
  • through a direct debit (Autoload) facility.

3.52 According to the former MyWay website 'in person' transactions could be completed by either attending a MyWay Centre, Canberra Connect shopfront or recharge agent. Users could either pay in cash or by EFTPOS/credit card.

3.53 MyWay advised auditors that over the phone and online 'top ups' could be completed by calling MyWay directly or logging on to this website. As part of this process, MyWay collected credit card information from users.

3.54 MyWay advised auditors that all banking and financial information is managed by the Commonwealth Bank. This issue is discussed further under the 'Storage and Security' section of this report.

3.55 Users can also 'top up' their MWTCs through BPay or 'Autoload'.

3.56 BPay transactions are processed through a customer's online banking provider. MyWay advised that no personal information is retained as part of this process.

3.57 Autoload forms could be downloaded from MyWay's former website and/or picked up from a MyWay agent or Canberra Connect shopfront. Applicants must also submit the form to a MyWay agent or Canberra Connect shopfront, which means financial information is collected as part of this process.

3.58 Storage and retention periods for the hard copy forms MyWay collects is further discussed in the 'Storage and Security' section of this report.

Customer service matters

3.59 MyWay and Canberra Connect also collect personal information for the purpose of addressing customer complaints and queries raised by MyWay users.

3.60 At the time of the audit, customers could complete a 'feedback'[7] form online through the MyWay website, or call MyWay/Canberra Connect for queries and complaints.

Online collection

3.61 Customers completing the feedback form may provide personal information such as a first and last name, email address and preferred contact number and nominate whether or not they wish to receive a response to their feedback.

3.62 Auditors note, however, that there is also an option to provide anonymous feedback, which requires no disclosure of personal information by the customer. Customers who submit anonymous feedback are advised, however, that the ability to respond to their complaint is limited.

3.63 Auditors further note that the link to the online feedback form directs users to the Canberra Connect website, as Canberra Connect is the unit which manages public feedback about ACT government services.

3.64 The administrative team at Canberra Connect manages both the ACTION website and the abovementioned feedback system, provided by 'RightNow' technologies. Storage and accesses to information collected by these systems is further discussed in the IPP 4 and IPP 6 sections of this report.

3.65 At the time of the audit, customers who choose to submit personal information through the online feedback system were not provided with notice of collection of their information, in accordance with IPP 2 requirements.

Over the phone collection

3.66 Both MyWay and Canberra Connect staff may collect customer information over the phone for the purpose of managing customer feedback or addressing MWTC issues.

3.67 Auditors were provided with a copy of the script given to Canberra Connect staff for use as an IPP 2 notice to customers who disclose personal information over the phone. While this script complies with MyWay's IPP 2 obligations, MyWay has also informed auditors that an updated version of the script was to be available in March 2013.

Findings

3.68 Auditors recognise that MyWay generally only collects necessary information from applicants as part of its registration process.

3.69 Auditors found, however, that at the time of the audit, there were inconsistencies in MyWay's application forms/registration processes, in reference to:

  • MyWay's implementation of a secret question and answer process. Auditors note that this is a valuable verification tool. Auditors have been informed that all registered MWTC's have secret Q and A processes, however some are automatically implemented on application and are consequently not included in the auditee's application form.
  • notification by MyWay that registration is mandatory - while MyWay advises certain MWTC concession applicants that registration is mandatory, it omits this information in some application forms
  • IPP 2 'privacy' notices provided by MyWay as part of the application/ registration process :
    • while some of the application forms include a privacy notice, these statements tend to differ across forms (please refer to wording for privacy notices A, B and C)
    • in the hard copy primary and secondary school form, the hard copy tertiary form and the hard copy concession form (Centrelink/DVA) there is no privacy notice statement included.

3.70 Auditors found that information collected by third parties, including recharge agents, Canberra Connect shopfronts and ACT public libraries, is generally stored for a week or less and no personal information is retained by them beyond this period.

3.71 Where personal information is collected by a participating school, university or by COTA, this usually occurs for the purpose of issuing a co-branded card and retention of this information is necessary to fulfil the third party's primary purpose of collection.

3.72 Auditors note that at the time of the audit, MyWay had not been informed whether participating schools' privacy policies and privacy notices, if any, reflected MyWay's own policy.

3.73 Auditors also note that individuals should be provided with a notice, in keeping with MyWay's obligations under IPP 2, when information is collected by MyWay and its agents over the phone or through an online feedback system.

Recommendations

3.74 The OAIC recommends that MyWay create a standardised template for its registration forms, which includes:

  • a statement on all concession forms notifying applicants that concession MWTCs must be registered
  • consistent privacy notices on all application forms, addressing MyWay's IPP 2 requirements. In drafting this notice, MyWay may wish to use the format adopted in privacy notice B, while including all the information covered in privacy notice C. Please refer to IPP 2 and ensure all elements of this principle are addressed.

3.75 MyWay and Canberra Connect call centre staff should also ensure that customers are made aware of the relevant information under IPP 2 when collecting data over the phone or through Canberra Connect's online feedback system.

Best privacy practice suggestions

3.76 MyWay may wish to verify that participating schools are providing students with the required (IPP2) privacy notice information when collecting information and ensure that this notice is consistent with MyWay's own privacy policy.

IPP 4 Issues: Storage and security of personal information

IPP 4(a) provides that a record-keeper who has possession or control of a record that contains personal information shall ensure the record is reasonably protected against loss, against unauthorised access, use, modification or disclosure, and against other misuse.

IPP 4(b) provides that if it is necessary for the record to be given to a person in connection with the provision of a service to the agency, everything reasonably within the agency's power should be done to prevent unauthorised use or disclosure of the information contained in the record.

Observations

Physical storage and security processes
MyWay office

3.77 A range of physical security measures are in place at the MyWay office in Belconnen. These measures were noted by the OAIC auditors while on location and are outlined below.

3.78 Premises are locked from the outside and visitors are unable to enter, unless accompanied by an ACTION/ MyWay staff member. Auditors were also provided with high visibility safety vests, which indicated their status as visitors.

3.79 While there were no sign in/sign out procedures, auditors were accompanied by MyWay staff at all times, except during lunch, while on the premises.

3.80 Other ACTION staff members working in the same building gain access to the premises through a swipe card system.

3.81 Auditors also observed that there always appeared to be at least one staff member present in the office and within proximity of documents containing personal information during business hours, thus reducing the risk of personal information being improperly accessed.

3.82 As outlined in the 'Collection' section of this report, application forms are delivered by courier at 9.30am each morning. Auditors observed that hard copy application forms including default fare (standard adult user), interstate seniors, replacement, concession, seniors, standard registration, feedback and autoload forms were positioned in piles on top of a filing cabinet, within easy access of MyWay staff members.

3.83 Auditors observed, during the audit, that three staff members appeared to be employed in the MyWay office in Belconnen. All three staff members had legitimate access to the personal information collected by MyWay, so unauthorised accesses of this information by MyWay staff members in the Belconnen office were unlikely.

3.84 That being said, the risk that ACTION staff members not employed by MyWay could access customer information, is a conceivable one. This is because certain MyWay and ACTION processes are co-located, with no further security barriers between these two business units once inside the building.

3.85 MyWay staff advised auditors that forms are stored in locked filing cabinets at the end of each day. The key was entrusted to a staff member who takes it home and brings it in the next day.

3.86 Once MyWay has transferred the required information from these forms to the relevant database, the forms are stored:

  • in separate locked storage facilities located within the office, or
  • in archive boxes.

3.87 MyWay also advised auditors that it might move offices to co-locate with the Canberra Connect (Managed Services) team, situated in Macarthur House within the Central TAMS directorate. MyWay stated, however, that it would be sourcing secure storage facilities for its records prior to making the move.

3.88 MyWay advised auditors that it retains financial information for seven years, in accordance with Territory Records (Records Disposal Schedule – Financial Management Records) Approval 2011 (No 1).

3.89 The OAIC understands that mail outs from MyWay to customers are only carried out for the purpose of sending out MWTCs and no personal information is included as part of this correspondence.

MyWay centres

3.90 Similar to the MyWay office, the two MyWay centres, located in Belconnen and the city centre collect customer information and issue MWTCs.

3.91 Auditors were advised that MyWay centre staff who collect hard copy application forms will enter customer data onto the SmartTrack system and then store application forms on location.

Third party agents

3.92 As previously outlined, auditors were informed by MyWay that application forms collected by third party agents are picked up by government courier and delivered to the MyWay business unit at 9.30am each morning.

3.93 As such it appears that user information is not stored for an extensive period of time by most third parties and consequently the security risks to customer information are minimal.

3.94 Auditors did not audit facilities operated by recharge agents, Canberra Connect shopfronts, ACT public libraries and tertiary agents at UC and ANU where physical forms are stored before dispatch to MyWay.

3.95 MyWay advised, however, that agents collect the paperwork on MyWay's behalf with the stipulation that they must treat this information in the same manner as the ACT Government. This is a condition of their contract of engagement.

3.96 MyWay also advised that the Canberra Connect call centre which fields enquiries on MyWay's behalf at Macarthur House, does not use or collect paper records. As such there is no requirement for a security protocol for physical records at this site.

3.97 In addition, auditors observed that entry onto the premises of the Canberra Connect floor at Macarthur House is protected by a sign- in/sign-out procedure. Auditors were also asked to wait in the building foyer and were accompanied onto the floor by a Canberra Connect staff member.

3.98 On location, auditors were asked to sign a 'Confidentiality and Privacy Agreement' document stating that:

  • they would 'take all reasonable steps to ensure that all Personal Information, Information about Communications and Confidential information is kept in the Strictest Confidence'
  • they would not 'access, use, modify, disclose or retain' any personal or confidential information
  • they would 'at all times comply with the policies and procedures adopted by the [Australian Capital] Territory'.
IT storage and security processes
SmarTrack and Merit

3.99 As outlined in the 'Collection' section of this report, information collected from MyWay users is stored by MyWay in two main databases, namely:

  • SmarTrack
  • Merit.

3.100 These systems are administered by and in the custody of Downer EDI while the information itself is the property of the ACT Government. MyWay advised auditors that while Downer EDI maintains custody of the information, they do not have control of it.

3.101 SmarTrack is the customer information database through which the MWTC number links to a customer information record. MyWay registrations are processed and authenticated through SmarTrack.

3.102 Information stored on the SmarTrack system includes all customer registration information including secret questions and answers (passwords).

3.103 MyWay uses the term 'superuser' to describe those users who have full access to the SmarTrack system.

3.104 SmarTrack users comprise three discrete units:

  • the MyWay administration office
  • Canberra Connect shopfronts and call centre
  • one ACTION staff member in the Lost Property Office.

3.105 SmarTrack users are able to access data through a Citrix server, however this access requires an ACT Government authorised login. Only government employees may gain authorisation to use the system and this access is limited according to the role of the user.

3.106 ACTION staff, for example (with the exception of the staff member in the Lost Property Office) generally only have access to GPS reporter, a device which tracks the movements of ACTION buses and to the Merit database, which includes de-identified travel information only.

3.107 MyWay said that both SmarTrack and Merit systems include a logon and are password protected.

3.108 The Managed Services Team within the Canberra Connect office responds to MyWay and ACTION related enquiries and has access to the SmarTrack system. This includes access to personal information but not to Autoload information, as this is only available to MyWay staff. Any enquiries about Autoload processes are also escalated to the MyWay Team only.

3.109 Auditors were advised at audit that MyWay arranges access to the SmarTrack system for Canberra Connect staff nominated to work on the Managed Services Team. Any enquiry about a misuse of personal information can be traced back to the date of the enquiry and to the staff member who fielded the enquiry through the event logs on the system.

3.110 Auditors were advised at the time of the audit, that no complaints had been received in this respect at the time of the audit.

3.111 Auditors were also advised at audit that MyWay intended to run an audit report every three months against Canberra Connect records to verify if any misuse of personal information has occurred. Should MyWay detect any misuse of its systems, it would open an investigation into the matter.

Right Now

3.112 As outlined in the 'Collection' section of this report, the ACTION website and RightNow system is managed by the administrative team in the Canberra Connect office.

3.113 The RightNow database is a web interface, which allows it to collect information directly from the public, including feedback about MyWay, through the 'ACT Government feedback' page [8].

3.114 Canberra Connect advised that access to this system is profile-specific and a permission set may be generated to suit each user's requirements.

3.115 Access is restricted only to those who are authorised to use the system. At the time of the audit, the only users to whom full access was available were located in the Administrative Team, which has the role of Branch Coordinator. This role includes sorting through each enquiry and allocating it to the appropriate team.

3.116 All MyWay related feedback is allocated to the Managed Services Team in charge of ACTION and MyWay enquiries and no-one outside this team can access this data or the personal information attached to it.

3.117 In addition, if customers provide contact information as part of their feedback, a profile is automatically created for them, which is password-enabled to ensure use by the customer and no-one else.

3.118 Canberra Connect informed auditors that while there is a possibility of human error, emails are generally pre-sorted under the relevant 'heading' for example 'MyWay' and the chances of unauthorised accesses occurring are slim.

3.119 Where feedback is received, addressing a number of separate areas of ACT Government, and a contact number is provided the team with full access will contact the enquirer and refer them to the correct respondent/s. The feedback is provided anonymously - enquirers are warned that the ability to respond to complaints may be limited.

Online security processes

3.120 Registered MyWay users are also able to access their customer information online, as part of the MyWay service. This is discussed in more detail in the IPP 6 section of this report.

3.121 To ensure the security of customer information, registered users must provide a password, which is delivered in a 'secret question and answer' format.

3.122 The password enabled account can then be viewed by registered users.

3.123 Secret question and answer options generally provided to registered users include:

  • mother's maiden name
  • favourite place
  • name of first pet / pet's name
  • place of birth
  • favourite colour.

3.124 The auditors note, however, that the MyWay website directs seniors to use their birth date (DD/MM/YYYY) as their password and students of participating schools to use their suburb and postcode as a password (e.g. gordon2906).

3.125 This form of password is relatively weak. If a student concession or seniors card is stolen by someone who knows the owner, that person may be able to easily decipher the user's password and check the user's account details.

3.126 The auditors acknowledge, however, that this issue can be countered if the registered user requests that their card be 'hot-listed' as soon as they become aware of the loss of the card.

'Over the phone' security processes

3.127 Registered users have the option of using MyWay/Canberra Connect's call centre facilities instead of its online services, to access their own personal information. This is also discussed in the IPP 6 section of this report.

3.128 The verification process for over the phone transactions includes confirmation of the registered user's secret question and answer, as well as checking other personal information (address, date of birth etc).

3.129 Users may use these phone facilities to advise MyWay or Canberra Connect of damage to or the loss of their MWTC. Call Centre staff will verify a caller's identity prior to hot-listing a card.

3.130 We note that both MyWay and Canberra Connect call centre staff are provided with training in the area of fielding customer calls.

3.131 It was unclear at the time of audit whether staff training included a dedicated privacy training module.

Data security and storage

3.132 In addition to the physical and IT security measures discussed above, use of the term 'data security' by the auditors also covers the security protocols/processes implemented by an entity to protect personal information 'in transit', that is any personal information that travels to or from MyWay offices and any storage devices such as USB keys, which are used to carry and store the information.

3.133 Personal information in transit between third party agents and MyWay is conveyed by ACT Government courier, a secure method of transportation.

3.134 Beyond this, ACT TAMS advised that staff do not take MyWay work home.

3.135 However, all ACTION buses electronically transfer user information to SmarTrack and Merit databases between 12.30am and 4am daily.

3.136 Since this information is communicated and downloaded wirelessly, the daily data transfer is carried out in a secure manner, with no human accesses occurring in transit.

Findings

3.137 Auditors note that both the MyWay office in Belconnen and the Canberra Connect office at Macarthur House have excellent physical security processes in place to prevent unauthorised persons from entering their business premises, thus protecting the customer information held on location.

3.138 MyWay staff informed auditors of their intention to co-locate with Canberra Connect staff at Macarthur House in the near future. Auditors note with approval that the physical security measures at Macarthur House will therefore extend to MyWay when the co-location occurs.

3.139 Auditors also endorse Canberra Connect's practice of having visitors sign a form advising them of their responsibilities vis-à-vis the personal and confidential information they may be privy to during a visit.

3.140 Auditors note that as the MyWay office was co-located with other ACTION staff at the time of audit, it may be important to reinforce the security measures inside those premises.

3.141 Further, it is important that adequate physical security processes are in place at both MyWay Centres for personal information stored there, as these locations deal with a large amount of human traffic on a daily basis.

3.142 Auditors note with approval that MyWay has an enforced Records Disposal Schedule under which it retains information for no more than seven years.

3.143 Auditors observed that physical records are also collected and stored short or long term, by third party agents. Auditors note with approval that these agents are contractually bound to treat data in the same manner as the ACT Government.

3.144 Auditors observed that staff accesses to SmarTrack, Merit and Right Now systems by MyWay, ACTION and Canberra Connect staff are tightly controlled and that there are reasonable IT security and audit processes in place to protect electronic records from misuse, in accordance with both IPP 4(a) and IPP 4(b) of the Privacy Act.

3.145 Auditors also note with approval the staff training provided to both MyWay and Canberra Connect staff, in the implementation of database and over the phone processes, although it was unclear at the time of audit whether this included a dedicated privacy training module.

3.146 Auditors note the importance of having password protected accounts for registered users. Auditors also consider a secret question and answer format to be a useful 'over the phone' verification tool when users forget their passwords.

3.147 In addition, auditors note that MyWay provides a facility for the immediate de-commissioning of a MyWay card in case of theft, damage or loss.

3.148 However, auditors also noted at audit that password options for seniors and students of participating schools appeared to be restricted to date of birth information for seniors and Suburb/Postcode information for participating school students.

3.149 Auditors note with approval that MyWay appears to have robust measures in place to ensure the security of data in transit, including use of Government courier services, not taking data home and the use of wireless transfers of information, instead of portable devices, which can get lost or misplaced.

Recommendations

3.150 Auditors recommend that MyWay staff at the Belconnen site ensure their personal offices are locked or that paper records are stored in secure filing cabinets and computers locked, whenever the office is vacant. This should help protect user information from unauthorised access by ACTION staff members.

3.151 Auditors also recommend that MyWay Centres implement similar security measures and ensure they have secure storage facilities for the paper records they retain.

Best privacy practice suggestions

3.152 Auditors suggest the auditee may wish to familiarise itself further with COTA and participating schools' privacy practices and policies, to ensure information is being handled by them in a manner that is consistent with the IPPs and MyWay's own privacy policy and security practices.

3.153 Auditors also suggest that MyWay may wish to extend its secret question and answer procedure to seniors and students of participating schools.

3.154 If privacy training is not currently offered as part of MyWay and Canberra Connect's induction process, auditors suggest the implementation of this activity.

IPP 6 Issues — Access to records containing personal information

IPP6 says where a record-keeper has possession or control of a record that contains personal information, the individual concerned shall be entitled to have access to that record, except to the extent that the record-keeper is required or authorised to refuse to provide access.

Observations

Access

3.155 MyWay only holds the personal information of registered MyWay users.

3.156 Access to this information by the user is largely made available by logging on to their MyWay account.

3.157 Where a registered user has forgotten their password they may contact MyWay or Canberra Connect call centres to obtain the password.

3.158 MyWay has also advised that applications can be made for access to the travel behaviour information stored on the Merit database, however as MyWay has stated that this is de-identified information, individual travel information is presumably unavailable.

3.159 Information which can be accessed by registered users from their account includes:

  • current status of card
  • current balance
  • last 250 transactions on card.

3.160 In addition, users may apply to MyWay for a historical account of all previous card transactions.

3.161 For access or modifications to other personal information held by MyWay, users must contact MyWay or Canberra Connect call centres and submit to the verification process outlined in the IPP 4 section of this report. This is confirmed in MyWay's privacy policy.

Findings

3.162 The auditors note with approval that MyWay and Canberra Connect have effective processes in place to provide users with access to their personal information, while being mindful of the security of the personal information they hold.

3.163 The auditors found no privacy issues in terms of MyWay's maintenance of records under IPP 6.

Recommendations

3.164 The auditors have made no privacy recommendations to the auditee for this part of the audit.

Best privacy practice suggestions

3.165 The auditors have made no best privacy practice suggestions to the auditee for this part of the audit.

IPPs 7 and 8 Issues — Alteration of records containing personal information and Accuracy of personal information used

IPP 7 requires a record keeper who has possession or control of a record that contains personal information to take such steps that are reasonable in the circumstances to ensure the record is accurate, and, having regard for the purpose for which the information was collected, relevant, up to date, complete and not misleading.

Where, despite an individual's request, the record keeper is not willing to correct, delete or amend personal information in the record and no decision or recommendation under an applicable Commonwealth law applies, the record keeper shall, following an individual's request, take reasonable steps to attach to the record any statement provided by that individual of the correction, deletion or addition sought.

IPP 8 provides that a record keeper who has possession or control of a record that contains personal information shall not use that information without taking steps that are reasonable in the circumstances to ensure that, having regard for the purpose for which the information is proposed to be used, the information is accurate, up to date, and complete.

Data quality of records

3.166 At the time of the audit, MyWay's obligation to take reasonable steps to ensure that personal information it holds is accurate, up-to-date and complete was largely addressed by applicants' direct submission of personal information to MyWay or its nominated third party agents.

3.167 Where registration is completed online, the responsibility to provide accurate data lies with the applicant.

Keeping records up to date

3.168 Personal details such as the applicant's name, address details and contact number can be verified by users and immediately updated by contacting MyWay or the Canberra Connect call centre.

3.169 MyWay and Canberra Connect will generally update personal information at the request of the user, as long as the said user is able to verify their identity by correctly answering the secret question and providing further verifiable data, such as their date of birth or address details.

3.170 However, there can be a delay in updating customer details in reference to:

  • MWTC 'top ups'
  • registration details generally
  • seniors card details.

3.171 Card top ups can take between 3-5 days to transfer to user accounts so financial information is not always up to date, however users are informed of this delay through their MyWay account.

3.172 Cash transactions are automatically updated on user accounts.

3.173 The MyWay website also notifies seniors that MWTCs are registered by COTA and card details take between 7 to 10 working days to be updated once an application form is submitted. MyWay advised auditors that the delay occurs because forms take some time to reach COTA in the internal mail.

Verifying accuracy

3.174 As outlined above, users may verify the accuracy of their records and update them if required, by contacting MyWay or the Canberra Connect call centre.

3.175 Further, MyWay collects a certain amount of identification information to ensure the accuracy of the information in its possession. This information includes:

  • primary and secondary proof of identity documents, as well as proof of residence documents
  • proof of age for seniors
  • student numbers for students
  • customer reference numbers for other concession users.

3.176 In addition to referring to official proof of identity, proof of residence and proof of age documents to ensure the accuracy of its records, MyWay may also contact Centrelink, DVA and relevant schools and universities to confirm the authenticity of the concession status sought by applicants.

3.177 At the time of the audit, MyWay advised that since it was not in possession of all student number information from schools, it would theoretically be possible for students to create a student concession account by using dummy data.

Staff Training

3.178 Only select MyWay and Canberra Connect personnel are authorised to record new or updated customer details in the SmarTrack database. These employees are trained in the correct use of the system.

3.179 Auditors were informed that Canberra Connect staff fielding MyWay and ACTION related calls are trained over a four month period to provide the public with appropriate customer service.

3.180 MyWay staff are trained separately in the use of the SmarTrack system and MWTC related calls are diverted only to authorised SmarTrack users.

Findings

3.181 Auditors note that the accuracy of data collected by MyWay is strongly linked to user disclosure of accurate personal information and the ability of the user to access, correct and update their personal information. These processes are effective in ensuring that the personal information is accurate, up to date and complete.

3.182 Auditors also observed that the processes implemented to keep information up to date and to verify the accuracy of data provided are thorough and effective.

3.183 That being said, there appears to be a delay in updating certain information. While these processes would benefit from further improvement, auditors note with approval that MyWay has taken steps to notify customers of these delays on their website.

Recommendations

3.184 The auditors have made no privacy recommendations to the auditee for this part of the audit.

Best privacy practice suggestions

3.185 MyWay may wish to streamline its processes to reduce the delay in updating customer information. However, this suggestion is conditional on MyWay's operational requirements and MyWay's financial limitations.

IPP 10 and 11 Issues: Limits on the use and disclosure of personal information

IPP 10.1 provides that a record keeper who has possession or control of a record that contains personal information that was obtained for a particular purpose shall not use the information for any other purpose unless one or more of certain exceptions apply.

IPP 10.2 provides that, where personal information is used under IPP 10.1(d), the exception about lawful uses, the record keeper shall include in the record containing that information a note of the use.

IPP 11.1 provides that a record keeper who has possession or control of a record that contains personal information shall not disclose the information to a person, body or agency (other than the individual concerned) unless one or more of certain exceptions apply.

IPP 11.2 provides that, where personal information is disclosed under IPP 11.1(e), the exception about disclosures for the enforcement of the criminal law etc, the record keeper shall include in the record containing that information a note of the disclosure.

IPP 11.3 provides that, where personal information is disclosed under IPP 11.1, the parties who receive that information must not use or disclose the information for a purpose other than the purpose for which the information was given to them.

Observations

Use for the purpose of collection

3.186 The auditors found no evidence to suggest that MyWay is using the personal information it holds for any purpose other than providing a stored value travel card for use on ACTION buses.

3.187 However, MyWay staff advised that it also intends on making use of
de-identified commuter information to facilitate event management on ACTION buses. This may eventually include a marketing tool to alert customers to upcoming events of interest.

Disclosure of user information
Law enforcement

3.188 MyWay informed auditors at audit that it discloses user information under specific circumstances, such as for law enforcement purposes.

3.189 MyWay also advised that all requests for information must be submitted directly to one of the two managers of the MyWay project.

3.190 While there was no central position for requests going through the Australian Federal Police (AFP) at the time of the audit, MyWay advised that requests coming from the AFP must be submitted in writing, on the AFP letterhead, for authentication purposes.

3.191 MyWay has also advised that it is in the process of putting together a pro forma document, to be completed by law enforcement as an official request form.

3.192 Requests from law enforcement may include:

  • tracking the travel behaviour of suspicious individuals
  • lost child or runaway child situations.

3.193 In addition to the above, CCTV footage on ACTION buses could be disclosed to the AFP for law enforcement purposes at the time of the audit.

3.194 In the case of a request to track the travel behaviour of a missing or runaway child, MyWay will contact the child's parents/guardians prior to processing the request.

Other third party disclosures

3.195 As outlined previously, MyWay user information is also disclosed to various third parties, such as COTA, participating schools and Monitor WA, for the purpose of providing users with co-branded cards.

3.196 Disclosures also occur in the process of authenticating concession user details, when MyWay data is matched with Centrelink and DVA records to verify the validity of a concession claim.

3.197 MyWay provides users with information about potential disclosures in its privacy policy, hence the importance of providing these users with notice on collection, or of referring them to the MyWay privacy policy.

Findings

3.198 Auditors note that MyWay generally uses customer information for the purpose of collection, being to provide users with a stored value travel card which addresses their needs.

3.199 While MyWay had not streamlined its verification processes at the time of audit, auditors acknowledge that MyWay is taking the necessary precautions to establish that requests for customer information are genuinely for law enforcement purposes.

3.200 Auditors note with approval MyWay appears to disclose information to other third parties in accordance with its primary purpose of collection.

Recommendations

3.201 The auditors have made no privacy recommendations to the auditee for this part of the privacy performance assessment.

Best privacy practice suggestions

3.202 In accordance with IPP 11.1(e) of the Privacy Act, the disclosure of commuter information for law enforcement purposes will be exempt where reasonably necessary. That said, it would be good privacy practice for MyWay to formalise its processes around the disclosure of personal information for law enforcement purposes, to further ensure records are maintained in accordance with IPP 11.2.

Back to Contents

Part 4 — Summary of recommendations

IPPs 1-3 Issues: Collection of personal information

4.1 Auditors recommend that MyWay create a standardised template for its registration forms, which includes:

  • a statement on all concession forms notifying applicants that concession MWTCs must be registered
  • consistent privacy notices on all application forms, addressing MyWay's IPP 2 requirements. In drafting this notice, MyWay may wish to use the format adopted in privacy notice B, while including all the information covered in privacy notice C. Please refer to IPP 2 and ensure all elements of this principle are addressed.

Auditee response

The auditee accepted this recommendation and made the following comment:

The updates to all procedures, forms and web information will be completed by May 2013.

4.2 Auditors recommend that MyWay and Canberra Connect call centre staff provide customers with IPP 2 notice information when collecting data over the phone.

Auditee response

The auditee accepted this recommendation and made the following comment:

MyWay is negotiating the inclusion of an IPP 2 notice on all required forms and websites handled by CanberraConnect.

IPP 4 Issues: Storage and security of personal information

4.3 Auditors recommend that MyWay staff at the Belconnen office ensure their personal offices are locked or that paper records are stored in secure filing cabinets and computers locked, whenever the office is vacant. This should help protect user information from unauthorised access by ACTION staff members.

Auditee response

The auditee accepted in part this recommendation and made the following comment:

MyWay has completed its move to Macarthur House and is therefore no longer located at the Belconnen office. However, MyWay notes that record security at these new premises is similar to the processes previously in place at the Belconnen office. MyWay agrees with the recommendation made by the OAIC on this issue.

4.4 Auditors recommend that MyWay Centres implement similar security measures and ensure they have secure storage facilities for the paper records they retain.

Auditee response

The auditee accepted this recommendation and made no further comment on this issue.

IPP 6 Issues: Access to records containing personal information

4.5 The auditors have made no privacy recommendations to the auditee for this part of the privacy performance assessment.

IPPs 7 and 8 Issues: Alteration of records containing personal information and accuracy of personal information used

4.6 The auditors have made no privacy recommendations to the auditee for this part of the privacy performance assessment.

IPP 10 and 11 Issues: Limits on the use and disclosure of personal information

4.7 The auditors have made no privacy recommendations to the auditee for this part of the privacy performance assessment.

Back to Contents

Part 5 — Summary of best privacy practice suggestions

IPPs 1–3 Issues: Collection of personal information

5.1 Auditors suggest that MyWay consult with participating schools to ensure they provide students with the required (IPP 2) privacy notice information when collecting information and that this notice is consistent with MyWay's own privacy policy.

Auditee response

The auditee accepted this suggestion and made the following comment:

MyWay is in the process of reviewing a form to be provided to students of participating schools. These forms are to include an updated IPP 2 notice consistent with the updated notice to be provided on MyWay forms.

IPP 4 Issues: Storage and security of personal information

5.2 Auditors suggest the auditee familiarise itself further with COTA and participating schools' privacy practices and policies, to ensure information is being handled by them in a manner that is consistent with the IPPs and MyWay's own privacy policy and security practices.

Auditee response

The auditee accepted this suggestion and made the following comment:

A review of the provision of combined student Id and MyWay cards is underway. If the program is continued, the MOU's between the Territory and the participating schools will be modified to clarify how personal information collected by school on behalf of MyWay is managed.

COTA process and pathways for update of personal information held by MyWay are also being reviewed. If there is a shortfall in compliance with the IPPs in the collection process, the control methods for handling personal information will be modified, and the MOU between COTA and the Territory amended to reflect this.

Both these processes are expected to be complete by the end of 2013.

5.3 Auditors also suggest that MyWay may wish to extend its standard secret question and answer procedure to seniors and students of participating schools.

Auditee response

The auditee accepted in part this suggestion and made the following comment:

While the ability to change the Question - Answer sequence is not available in current application forms, users are provided with the option to vary the sequence, once the card is registered.

5.4 If privacy training is not currently offered as part of MyWay and Canberra Connect's induction process, auditors suggest the implementation of this activity.

Auditee response

The auditee accepted in part this suggestion and made the following comment:

At the time of the audit, MyWay did have a privacy training program in place, although this program required further development. MyWay has been working consistently, post-audit, to improve the privacy training it provides to both MyWay and Canberra Connect staff.

MyWay has now finalised these processes. A general privacy awareness training program on good record keeping practices has been developed and rolled out and MyWay intends to deliver this training twice a year, with one session taking place during Privacy Awareness Week. In addition, the Governance Branch will facilitate targeted privacy training sessions, where appropriate, to meet specific line area needs.

IPP 6 Issues: Access to records containing personal information

5.5 The auditors have made no best privacy practice suggestions to the auditee for this part of the privacy performance assessment.

IPPs 7 and 8 Issues: Alteration of records containing personal information and accuracy of personal information used

5.6 Auditors suggest that MyWay streamline its processes to reduce the delay in updating customer information, noting however, that this suggestion is conditional on MyWay's operational requirements and any financial limitations.

Auditee response

The auditee accepted in part this suggestion and made the following comment:

Personal information held by MyWay is easily and quickly able to be modified and corrected when an error is discovered. Users of the system are able to notify MyWay over the telephone, in person, in writing and via online feedback forms when errors in personal information held by MyWay are discovered, and can be modified by authorised customer service representatives that have access to Smartrack, the database that holds this information.

Additionally any modification of these personal records is logged and able to be investigated if changes have been made without authorisation.

A new privacy statement for the MyWay system is due to be published by the end of June 2013 which also clarifies and commits MyWay to modification of personal records held in a timely manner.

IPP 10 and 11 Issues: Limits on the use and disclosure of personal information

5.7 Auditors suggest that MyWay formalise its processes around the disclosure of personal information for law enforcement purposes.

Auditee response

The auditee accepted in part this suggestion and made the following comment:

Since the audit MyWay has taken steps to request legal advice from the ACT Government Solicitor in reference to this issue. These steps include:
  • a template form for officers to complete when requesting information
  • general guidance regarding the impact of AFP requests for information
  • clarification on the privacy impact of these requests.

Back to Contents

Appendix A — Information Privacy Principles

Principle 1 — Manner and purpose of collection of personal information

  1. Personal information shall not be collected by a collector for inclusion in a record or in a generally available publication unless:
    1. the information is collected for a purpose that is a lawful purpose directly related to a function or activity of the collector; and
    2. the collection of the information is necessary for or directly related to that purpose.
  2. Personal information shall not be collected by a collector by unlawful or unfair means.

Principle 2 — Solicitation of personal information from individual concerned

Where:

  1. a collector collects personal information for inclusion in a record or in a generally available publication; and
  2. the information is solicited by the collector from the individual concerned;

the collector shall take such steps (if any) as are, in the circumstances, reasonable to ensure that, before the information is collected or, if that is not practicable, as soon as practicable after the information is collected, the individual concerned is generally aware of:

  1. the purpose for which the information is being collected;
  2. if the collection of the information is authorised or required by or under law – the fact that the collection of the information is so authorised or required; and
  3. any person to whom, or any body or agency to which, it is the collector's usual practice to disclose personal information of the kind so collected, and (if known by the collector) any person to whom, or any body or agency to which, it is the usual practice of that first mentioned person, body or agency to pass on that information.

Principle 3 — Solicitation of personal information generally

Where:

  1. a collector collects personal information for inclusion in a record or in a generally available publication; and
  2. the information is solicited by the collector:

the collector shall take such steps (if any) as are, in the circumstances, reasonable to ensure that, having regard to the purpose for which the information is collected:

  1. the information collected is relevant to that purpose and is up to date and complete; and
  2. the collection of the information does not intrude to an unreasonable extent upon the personal affairs of the individual concerned.

Principle 4 — Storage and security of personal information

A record keeper who has possession or control of a record that contains personal information shall ensure:

  1. that the record is protected, by such security safeguards as it is reasonable in the circumstances to take, against loss, against unauthorised access, use, modification or disclosure, and against other misuse; and
  2. that if it is necessary for the record to be given to a person in connection with the provision of a service to the record keeper, everything reasonably within the power of the record keeper is done to prevent unauthorised use or disclosure of information contained in the record.

Principle 5 — Information relating to records kept by record keeper

  1. A record keeper who has possession or control of records that contain personal information shall, subject to clause 2 of this Principle, take such steps as are, in the circumstances, reasonable to enable any person to ascertain:
    1. whether the record keeper has possession or control of any records that contain personal information; and
    2. if the record keeper has possession or control of a record that contains such information:
      1. the nature of that information;
      2. the main purposes for which that information is used; and
      3. the steps that the person should take if the person wishes to obtain access to the record.
  2. A record keeper is not required under clause 1 of this Principle to give a person information if the record keeper is required or authorised to refuse to give that information to the person under the applicable provisions of any law of the Commonwealth that provides for access by persons to documents.
  3. A record keeper shall maintain a record setting out:
    1. the nature of the records of personal information kept by or on behalf of the record keeper;
    2. the purpose for which each type of record is kept;
    3. the classes of individuals about whom records are kept;
    4. the period for which each type of record is kept;
    5. the persons who are entitled to have access to personal information contained in the records and the conditions under which they are entitled to have that access; and
    6. the steps that should be taken by persons wishing to obtain access to that information.
  4. A record keeper shall:
    1. make the record maintained under clause 3 of this Principle available for inspection by members of the public; and
    2. give the Commissioner, in the month of June in each year, a copy of the record so maintained.

Principle 6 — Access to records containing personal information

Where a record keeper has possession or control of a record that contains personal information, the individual concerned shall be entitled to have access to that record, except to the extent that the record keeper is required or authorised to refuse to provide the individual with access to that record under the applicable provisions of any law of the Commonwealth that provides for access by persons to documents.

Principle 7 — Alteration of records containing personal information

  1. A record keeper who has possession or control of a record that contains personal information shall take such steps (if any), by way of making appropriate corrections, deletions and additions as are, in the circumstances, reasonable to ensure that the record:
    1. is accurate; and
    2. is, having regard to the purpose for which the information was collected or is to be used and to any purpose that is directly related to that purpose, relevant, up to date, complete and not misleading.
  2. The obligation imposed on a record keeper by clause 1 is subject to any applicable limitation in a law of the Commonwealth that provides a right to require the correction or amendment of documents.
  3. Where:
    1. the record keeper of a record containing personal information is not willing to amend that record, by making a correction, deletion or addition, in accordance with a request by the individual concerned; and
    2. no decision or recommendation to the effect that the record should be amended wholly or partly in accordance with that request has been made under the applicable provisions of a law of the Commonwealth;

the record keeper shall, if so requested by the individual concerned, take such steps (if any) as are reasonable in the circumstances to attach to the record any statement provided by that individual of the correction, deletion or addition sought.

Principle 8 — Record keeper to check accuracy etc of personal information before use

A record keeper who has possession or control of a record that contains personal information shall not use that information without taking such steps (if any) as are, in the circumstances, reasonable to ensure that, having regard to the purpose for which the information is proposed to be used, the information is accurate, up to date and complete.

Principle 9 — Personal information to be used only for relevant purposes

A record keeper who has possession or control of a record that contains personal information shall not use the information except for a purpose to which the information is relevant.

Principle 10 — Limits on use of personal information

  1. A record keeper who has possession or control of a record that contains personal information that was obtained for a particular purpose shall not use the information for any other purpose unless:
    1. the individual concerned has consented to use of the information for that other purpose;
    2. the record keeper believes on reasonable grounds that use of the information for that other purpose is necessary to prevent or lessen a serious and imminent threat to the life or health of the individual concerned or another person;
    3. use of the information for that other purpose is required or authorised by or under law;
    4. use of the information for that other purpose is reasonably necessary for enforcement of the criminal law or of a law imposing a pecuniary penalty, or for the protection of the public revenue; or
    5. the purpose for which the information is used is directly related to the purpose for which the information was obtained.
  2. Where personal information is used for enforcement of the criminal law or of a law imposing a pecuniary penalty, or for the protection of the public revenue, the record keeper shall include in the record containing that information a note of that use.

Principle 11 — Limits on disclosure of personal information

  1. A record keeper who has possession or control of a record that contains personal information shall not disclose the information to a person, body or agency (other than the individual concerned) unless:
    1. the individual concerned is reasonably likely to have been aware, or made aware under Principle 2, that information of that kind is usually passed to that person, body or agency;
    2. the individual concerned has consented to the disclosure;
    3. the record keeper believes on reasonable grounds that the disclosure is necessary to prevent or lessen a serious and imminent threat to the life or health of the individual concerned or of another person;
    4. the disclosure is required or authorised by or under law; or
    5. the disclosure is reasonably necessary for the enforcement of the criminal law or of a law imposing a pecuniary penalty, or for the protection of the public revenue.
  2. Where personal information is disclosed for the purposes of enforcement of the criminal law or of a law imposing a pecuniary penalty, or for the purpose of the protection of the public revenue, the record keeper shall include in the record containing that information a note of the disclosure.
  3. A person, body or agency to whom personal information is disclosed under clause 1 of this Principle shall not use or disclose the information for a purpose other than the purpose for which the information was given to the person, body or agency.

Back to Contents

Footnotes

[1] These include the City MyWay Centre and the Belconnen MyWay Centre.

[2] There are 18 recharge agents, which deliver these services across the ACT.

[3] These include the Belconnen, Woden, Dickson and Tuggeranong shopfronts.

[4] MyWay webpage, last viewed 27 March 2013, ACT Government – Transport for Canberra website <www.transport.act.gov.au/catch_a_bus/myway>.

[5] Privacy notice A provides that 'Any personal information will only be used for the purposes of this transaction, and will be disclosed to the relevant area of the ACT Government and to your financial institution to the extent necessary to achieve that purpose. The details of the transaction will be released to you or your financial institution if this transaction is queried, and otherwise will not be disclosed to any third party except in accordance with the Privacy Act 1988 (Cth)'.

[6] Privacy notice B states that 'The ACT Department of Territory and Municipal Services (TAMS) is providing you with this notice to meet its obligations under the Privacy Act 1988 (Commonwealth).

When you complete and submit an Interstate Seniors MyWay Card application form to TAMS, your personal information is collected for the following purposes:

  1. to provide you with an Interstate Seniors MyWayCard;
  2. to help you use your Interstate Seniors MyWay Card, including access to seniors entitlements and travel concessions, or to replace lost or stolen cards; and
  3. to provide you with information and updates about your Interstate Seniors MyWay Card.

TAMS passes on information collected on the application form to its MyWay Ticketing System Service Provider'.

[7] ACT Government Feedback page, last viewed on 27 March 2013, ACT Government website <www.canberraconnect.act.gov.au/app/ask/>.

[8] ACT Government Feedback page, last viewed on 27 March 2013, ACT Government website <www.canberraconnect.act.gov.au/app/ask/>.

Back to Contents