myki Privacy Policy - Public Transport Victoria

1. Introduction: Privacy issues and new technology1.1 PTV recognises that under the new ticketing system it is the custodian of considerablepersonal information relating to people who travel using myki. PTV is committed torespecting the privacy of public transport customers. 2 As well as complying with theapplicable laws, PTV seeks to give customers the maximum possible choice and controlover the way their personal information is collected and used.2. Information privacy law2.1 PTV is the Public Transport Development Authority, a statutory authority established in 2011under the Transport Integration Act 2010. PTV is subject to the Information Privacy Act 3 butnot to the Privacy Act 1988 (Cwlth).2.2 The Information Privacy Act also applies to any contractors regarding their provision ofservices to PTV in relation to the new ticketing system on the basis of PTV specifying theseobligations in the service provider contracts. 4 PTV will ensure that any contracts clearlydetail the appropriate privacy obligations. PTV will, however, stand behind these contractualprovisions and take responsibility for seeking to resolve any privacy complaints that involvethe actions of its contractors.2.3 The prime contractor for the new ticketing system is Kamco (Keane Australia MicropaymentConsortium Pty Limited). Unless expressly varied, references in this policy to ‘contractors’refer to Kamco, its partners and any subcontractors.2.4 Contractors may have separate but similar obligations under the private sector provisions ofthe Privacy Act 1988 (Cwlth) regarding any personal information they control themselves.However, the Information Privacy Act prevails in relation to information handled under aState contract. 52.5 PTV is also subject to the Surveillance Devices Act 1999 (Vic) (refer to section 5.21 of thispolicy).2.6 The personal information to be collected by PTV under the new ticketing system is alsocollected for the purposes of other public transport authorities – the Department of Transportand contractors, agents and delegates of the department and PTV, including publictransport operators. This is in effect a joint collection. The Department of Transport is alsosubject to the Information Privacy Act, but is separately responsible for compliance and itspolicies may not be the same as PTV’s.3. Personal information in the new ticketing system3.1 The new ticketing system, myki, will initially be used as payment for travel on publictransport. The myki smartcard also has the capability to be used in the future as a payment2 This policy relates only to the privacy of members of the public (primarily public transport customers) under the newticketing system. Separate policies apply to PTV’s handling of personal information about its staff, agents andcontractors.3 S.9(1)(c), Information Privacy Act4 S.9(1)(j) and s.17, Information Privacy Act5 By virtue of the exemption in s.7B(5) of the Privacy Act 1988 (Cwlth), unless the service provider adopts a code ofpractice under the Privacy Act 1988 (Cwlth) and is also, consequentially, expressly exempted from the InformationPrivacy Act by a Victorian law.Privacy Policy January 2013,TRIM Ref: DOC/12/301125 Page 4 of 18

method for other transit-related purchases (such as bike lockers) or for micropayments(i.e. small value purchases such as newspapers or drinks). Use of this capability is a policydecision for government in the future. The priority is to get myki operating as Victoria's newticketing system.3.2 Under the new ticketing system, most tickets on participating public transport will take theform of myki ‘smartcards’ – plastic cards containing a computer ‘chip’ which store ‘value’ (inthe form of myki money or a myki pass – defined in the ‘Glossary and abbreviations’section), limited transaction history and a concession code required so that the correct fareis calculated. The chip can be read at a short distance when touching on to a variety ofsmartcard readers installed in and around the public transport system.3.3 Customers will have two options when using a myki smartcard. They will be able to loadperiodical tickets similar to previous Metcard tickets (in the form of a myki pass) or they canchoose to load monetary value onto the myki money facility on the myki smartcard. mykimoney can be used to buy travel on public transport (and potentially, in the future, othergoods or services – see section 11).3.4 Customers will be able to register their myki, which will involve supplying some personaldetails to PTV as the issuing authority. However, most categories of myki cardholders willbe able to buy and use an anonymous myki. Use of an anonymous myki means foregoingsome customer service benefits that registration provides (for example, balance protection).3.5 Registration will not necessarily imply personalisation of the myki (printing of personaldetails on the face of the card). Personalisation with a name printed on the myki will be anoption for full fare, registered mykis and for most registered concession mykis (if requestedat the time of application).3.6 Several categories of concession cardholders are eligible for discounted travel on publictransport in Victoria. Most concession customers will be able to obtain an anonymousconcession myki smartcard. However, some concession cardholders are required to haveregistered mykis and for those mykis to be personalised (with their name, or their name andphoto), depending on the category of concession entitlement. 63.7 Concession customers who are entitled to free travel on public transport must obtain aregistered free travel pass myki to access their free travel entitlement. 7 Free travel passmykis are personalised with both a name and a photo. These customers may also wish tobuy an anonymous full fare myki smartcard3.8 For new ticketing system purposes, details of the transactions performed with each mykismartcard will be contained in a central card usage database.3.9 For those customers who are registered, PTV will have the capability to link myki smartcardusage history data with customer registration data to form a record of individuals’ travelpatterns.3.10 The myki smartcard usage history will be personal information under the Information PrivacyAct, even though the personal details will be held in a separate Customer RelationshipManagement database – as PTV will have the ability to link them via the myki smartcardnumber.6 See the Victorian Fares and Ticketing Manual (myki) for more information on registration requirements7 Under the new ticketing system, free travel passes are managed by PTV.Privacy Policy January 2013,TRIM Ref: DOC/12/301125 Page 5 of 18

3.11 PTV will also collect and hold personal information in relation to some enquiries from thepublic about the new ticketing system and in relation to promotional and marketingactivities. 84. Privacy protection in the new ticketing system4.1 Privacy protection will be provided either as a design feature or incidentally by the followingfeatures of the new ticketing system. This list is a summary only, with more detailedexplanations in later sections.• myki offers the option of anonymous full fare, seniors mykis, child mykis and mostconcession mykis.• Customers have the option of holding multiple myki smartcards.• Limited personal non-identifying information is required to be stored on the mykismartcard chip – for example a code indicating the customer’s entitlement toconcession discounts so that the correct concession fare is calculated.• The usage history stored temporarily on the card includes a short transaction history(i.e. touch-on/off data, or top-up transactions). Registration details and payment detailswill be kept in separate databases, with limits and conditions on linkage.• There is no ‘meaning’ in the myki smartcard number (primary account number (PAN)),i.e. it does not tell you anything about the cardholder.• Holders of full fare and most concession myki smartcards may choose to register theirmyki and have their name printed on the myki smartcard at the time they apply. (Somepersonalisation requirements are mandatory for specific concession customers – seesections 6.1-6.2 of this document).• There are limits on who can access the information on the myki smartcard chips, howthey can access it, when, and for what purpose.• There is auditability and traceability of database access.• The system allows for specified data retention periods.4.2 The way PTV will ensure compliance with the information privacy principles of theInformation Privacy Act is set out below. In many cases, PTV’s policy goes beyond thelegally required level of compliance and offers additional privacy protection.5. Collection of personal information (Information PrivacyPrinciple 1)5.1 PTV will routinely collect personal information necessary for the operation of the ticketingsystem. Some personal information may also be collected from individuals making enquiriesor complaints.5.2 No personal information will be collected from customers who buy or use mykis unless theychoose to register their myki, or they are in one of the concession categories whereregistration is required. However, some information may be required about the method of8People making enquiries will generally be able to do so anonymously, but may choose to volunteer personalinformation (which may be recorded with the individual’s consent), to assist in (call centre or operational staff, forexample) resolving their enquiry.Privacy Policy January 2013,TRIM Ref: DOC/12/301125 Page 6 of 18

payment and/or delivery of the myki. This will satisfy Information Privacy Principle (IPP) 1(Collection of personal information) and IPP8 (Anonymity, where practicable).5.3 Payment information, where required, will be no different from that involved in buying anyother goods or services and, in most cases – for example where payment is by cash, creditcard or debit card – will not be stored by PTV. Where customers decide to establish an ‘autotop-up’ facility (i.e. by specifying a set amount to be directly debited from their nominatedbank account each time the balance falls below a set threshold) some financial details willbe stored in a separate part of the Customer Relationship Management database.Registration5.4 Customers who are required to register their myki, or choose to, will need to provide a nameand at least one means of contact. 9 Some concession customers may be required toprovide personal information which can be verified for the purpose of their specificconcession entitlement (see section 5.7). Apart from demonstrating proof of concessionentitlement, there will be no particular integrity standards for contact details, and holderswill, for example, be able to use any address, although it is in their own interests to bereadily contactable and for there to be no dispute over their identity if a card is lost or stolen.Those registering will be able to choose whether to give a telephone number, mailingaddress or an email address as an additional means of contact (at least one of these will berequired).Concessions5.5 Many individuals will be entitled to concession travel, and some individuals will be eligiblefor more than one class of concession. Concessions may involve discounts, free travel oncertain days or, potentially, other benefits. Entitlement for concession travel and theresulting benefits are determined by government, although consultation with PTV would beexpected on any proposed changes.5.6 While some concessions will remain in effect indefinitely once issued (such as those forseniors), others will depend on the person’s status (such as students) and will thereforeexpire in due course.5.7 Registration as a concession customer will involve the applicant providing information abouttheir eligibility for discounted fares on public transport and acknowledging that PTV mayverify their personal information with relevant source agencies. Future verificationarrangements may involve automated data-matching with source databases. 10 If thisproceeds, there will be written agreements with source agencies to cover data qualitystandards and procedures if verification indicates a lack of eligibility. 115.8 Eligibility verification arrangements will vary with the type of concession. Some will requireevidence of eligibility to be produced at the point of application for a concession mykismartcard at a range of staffed locations on the public transport network. (Concession9 Registration confers certain benefits – for example, the ability to use auto top-up and the security of balance protectionif the customer reports their myki as lost or stolen (subject to certain conditions). PTV promotes the benefits ofregistration to potential customers.10 Centrelink already has such an arrangement with other agencies.11 Some source agencies may independently require compliance with data-matching guidelines; for example, Centrelinkand the Commonwealth Department of Veterans’ Affairs have adopted the federal Privacy Commissioner’s guidelines(The use of data matching in Commonwealth administration – Guidelines,1998).Privacy Policy January 2013,TRIM Ref: DOC/12/301125 Page 7 of 18

management partners may be engaged in the future to assist in selling new ticketing systemproducts and this may include the requirement to verify evidence of concession eligibility atthe point of sale.)5.9 The distinction between different categories of concession entitlement will be electronicallyencoded on the myki smartcard chip, and some will also have a visually distinctive designshowing the specific type of concession entitlement, such as a name and/or, photo (e.g.child myki or free travel pass mykis). These design distinctions are required for bothadministrative and enforcement purposes. When concession customers enter the gates onthe public transport network, a distinctive light will also indicate their concession status.Disclosure of information about the myki customer as a consequence of the everyday use ofthe myki smartcard is therefore limited. As the myki smartcard is contactless, 12 there will beno routine requirement to show or display the myki smartcard, in normal use. 13Photographs5.10 Some concession myki smartcards will have a photograph of the cardholder printed on theface of the smartcard, to aid checks by authorised officers and assist in preventing misuseof the entitlement to concession travel.5.11 Where a photograph is required, no details of the photo or image are recorded on the mykismartcard chip. No copy or record of the image will be kept once the myki smartcard hasbeen printed, unless the customer has expressly requested that an additional photo isstored in the new ticketing system back office.Smartcard and cardholder numbers5.12 Each myki smartcard will have a number. This number in itself will not convey anyinformation about the myki customer. The myki smartcard number (known as a PAN) will bestored on the myki smartcard chip and will also be printed on the myki smartcard. It will beused in routine communications with customers, such as through the call centre.5.13 Registered myki customers will be allocated an account number in the CustomerRelationship Management database. The account number will be used for administrativepurposes only and will not be used in routine communications with customers.5.14 An account holder may also manage a myki smartcard on behalf of another cardholder (forexample, a child’s myki could be managed by a parent or guardian). In this case, the PANnumbers of all myki smartcards being managed by that account holder will be linked withinthe Customer Relationship Management database, and the account holder will have theright to access registration details and card usage information for all linked cardholders.5.15 myki smartcard numbers will not be ‘unique identifiers’ as defined in the Information PrivacyAct and are therefore not subject to the additional requirement of IPP7. Customer accountnumbers will be ‘unique identifiers’ but are justified on the basis of the requirements ofefficient ticketing administration.12 ‘Contactless’ smartcard technology is defined in the ‘Glossary and abbreviations’ section of this document.13 myki smartcards can be electronically read through some material, so they may not need not be removed fromwallets, purses or pockets in normal use. However, PTV will promote that customers ‘touch’ their card to devices tomaximise the likelihood of a quick and successful transaction and minimise interference from other smartcard chipssuch as those commonly found on credit cards.Privacy Policy January 2013,TRIM Ref: DOC/12/301125 Page 8 of 18

Collection of information from use of the myki smartcard5.16 Details of a cardholder’s use of a myki to travel on public transport will be collected (forexample, the trip origin, destination, date and time). Use of myki money to buy other goodsor services (if implemented in the future) would result in capture of a 'merchant' identifier,which if combined with other information held by PTV, could convey limited informationabout the location and/or the general nature of the transaction. The number of usagetransactions stored on the myki smartcard chip will be limited to the last 10 touch-on/touchofftransactions, the last five products added to the myki and the last five payment/top-uptransactions. This transaction data will be held temporarily in various new ticketing systemdevices before being uploaded periodically to PTV’s central card usage database (see‘Glossary and abbreviations’ section) for the purposes described in section 6.3.5.17 The myki smartcards will be ‘contactless’ and are designed to be read within a fewmillimetres of an authorised myki smartcard reading device. There is a technical limit to thedistance at which a myki smartcard can be read. 14 Security measures including encryptionwill allow only authorised devices to read the myki smartcards.5.18 Even if it were possible to read the myki smartcard chip without authorisation, no personallyidentifiable information would be obtained. If the myki is a personalised myki with a nameand/or photo (for example, a free travel pass), then a person obtaining unauthorised accessto information on the smartcard chip – who was also in possession of the myki smartcarditself – could link these details. However, only a limited amount of usage information will beheld on the myki smartcard chip (as described in section 5.16).5.19 Some retail agents (or partners) are contracted under the new ticketing system to providecomprehensive retail support for customers across Victoria. Services carried out by retailagents include providing myki money balance or card usage details at the cardholder’srequest, and potentially accepting the myki smartcard for payment (should this beimplemented in the future). 15 This means the retail agent will read the myki smartcard chipfor the purpose of payment processing, subsequent reconciliation and settlement. Retailagents will not be required to record the myki smartcard number, or other details, for anyother purposes.No routine collection of ‘sensitive’ information5.20 PTV’s role in administering the new ticketing system will not require the routine collection ofany personal information in the categories specifically defined in the Information Privacy Actas ‘sensitive’; therefore, the additional controls in IPP10 (Sensitive information) do not applyto this activity. Some sensitive information may be volunteered by individuals in the contextof enquiries or complaints, in which case the ‘express consent’ basis of IPP10 would apply.5.21 Compliance with the Surveillance Devices Act 1999 (Vic) will be through implied consent ofmyki customers, who will be made aware of the way the ticketing system operates.14 Up to 50mm15 See 3.1 for other uses of mykiPrivacy Policy January 2013,TRIM Ref: DOC/12/301125 Page 9 of 18

6. Use and disclosure of personal information (IPP2)Personalisation – information on the face of the myki smartcard6.1 myki customers choosing to register full fare, seniors, concession (general) or child mykismartcards will be able to ask to have their name printed on the face of their myki smartcardwhen applying (a nominal fee may apply). Registration and printing of a name and a photo(in some cases, a name only) is mandatory for some myki concession customers. Havingthe option of myki smartcards without names (or photos) reduces the potential for the mykismartcard to be requested by third parties as ‘evidence of identity’. This also reduces thepotential for ‘function creep’ (the gradual expansion of uses to purposes beyond the originalmyki scope).6.2 There is a possibility that other organisations may be interested in contracting with PTV forthe myki smartcards to perform other functions. This may involve the myki smartcardscarrying information relating to other products (see section 11 below), but may also justinvolve the myki smartcards displaying some affiliation. 16 If this option is pursued, furtherconsideration will be given to the privacy implications, with a likely quarantining of personalinformation in separate databases, with strict access controls.Information in the card usage database6.3 Information on the use of myki smartcards will be uploaded periodically to a central cardusage database. This information will be retained in a way that can be linked to thecustomer (if registered) for as long as it is reasonably needed to answer queries from thecustomer to reconcile any payments involving other retail agents (merchants) and for legalreasons. Some information is required by law to be kept for up to seven years.6.4 Once the information is no longer needed for customer service or legal reasons, it isproposed that it be irreversibly ‘de-identified’ (by having any personally identifyinginformation removed). This de-identified information may then be used, indefinitely, fortransport planning purposes.6.5 Public transport operators will handle some personal information for processing concessionapplications and for enforcement and complaint resolution. Public transport operators mayalso obtain aggregate (de-identified) information from PTV for planning and managementpurposes. Retail agents processing transactions made using a myki smartcard will have noneed for personally identifiable information.6.6 If personal information is to be used for non-transport-related marketing (e.g. informingcustomers of special offers or additional services), customers will be given the choice of‘opting-out’ of receiving any such material. Even if personal information were used for suchpurposes, it would not be disclosed to commercial organisations.Enforcement6.7 PTV is not responsible for enforcing ticketing compliance. This is a function established bythe Transport (Compliance and Miscellaneous) Act 1983 (Transport Act) and Regulations16 Examples would be a sports club or commercial business.Privacy Policy January 2013,TRIM Ref: DOC/12/301125 Page 10 of 18

under that Act and is the operational responsibility of the Department of Transport. 17Employees of the public transport operators who are designated as authorised officersunder the Transport Act operate under that Act and rules set by the Department ofTransport. Authorised officers exercise powers under the Transport Act to requestinformation from public transport customers.6.8 Using a hand held device, authorised officers will be able to read the myki money balance,myki pass status, recent transaction history and concession status from a smartcard. Ifrequired, they could combine this information with personal details obtained directly from thecardholder in support of the generation of a report of non-compliance (to be provided to theDepartment of Transport for further action). Authorised officers will have limited access toPTV’s databases at depots – for the sole purpose of investigating alleged offences. TheDepartment of Transport, not PTV, is responsible for issuing infringement notices.6.9 The Department of Transport will have access to PTV’s registration and smartcard historydatabases in order to investigate or prosecute alleged offences under the Transport Act orRegulations – this falls within the exceptions to IPP2, since it is ‘required or authorised by orunder law’. 18 A protocol between the Department of Transport and PTV will govern use ofdata for this purpose.Access by other third parties6.10 Apart from disclosures connected with administration of the new ticketing system andTransport Act enforcement, PTV will only provide personal information about mykicustomers to other third parties, including law enforcement agencies, in the followingcircumstances:• where PTV is required to do so by law, e.g. in response to a warrant or subpoena• where PTV reasonably believes that the disclosure is necessary to lessen or prevent aserious threat to the life, health, safety or welfare of one or more people• where disclosure is necessary for the purposes of complaint handling, such asdisclosure to the Public Transport Ombudsman or the Privacy Commissioner (seesections 12.1 and 13.2)• where the disclosure is requested in writing by the individual concerned• where an authorised police officer certifies in writing that the disclosure is reasonablynecessary for the enforcement of the criminal law• in connection with investigating or reporting suspected unlawful activity detected byPTV or its contractors• in exceptional circumstances – to intelligence agencies; the Australian SecurityIntelligence Organisation (ASIO) or the Australian Secret Intelligence Service (ASIS)6.11 PTV has ‘myki - Guidelines for Disclosure of Personal Information by Public TransportVictoria’, available on request. These guidelines set out both the detailed criteria and theprocedures for disclosure of personal information by PTV and its contractors or agents to17 Victoria Police members work with the Department of Transport regarding Transport Act enforcement. Theseparagraphs (6.7-6.9) apply to police as well as authorised officers. Access to information by police for other purposesis covered by paragraphs 6.10 and 6.11.18 Information Privacy Principle 2.1(f)Privacy Policy January 2013,TRIM Ref: DOC/12/301125 Page 11 of 18

third parties for purposes other than new ticketing system operations or enforcement of theTransport Act.Disclosure outside Victoria6.12 It is very unlikely that any personal information will be disclosed by PTV to someone outsideVictoria except to customers or people who raise complaints or feedback with PTV. If otherdisclosures outside Victoria are required at any time, PTV will ensure that it meets theadditional requirements of IPP9 (Transborder data flows).Legal basis of use and disclosure6.13 All uses and disclosures will be according to IPP2 (Use and disclosure of personalinformation), relying on one of the exceptions to that principle.7. Data quality (IPP3)7.1 PTV has an operational interest in any information it holds being accurate, complete and upto date and this coincides with its responsibilities under IPP3 (Data quality).7.2 PTV will seek to ensure that it meets the data quality principle in four ways:• by collecting personal information about its customers primarily directly from them, andonly from third parties with the customers’ knowledge• by encouraging myki customers to keep their personal details up to date, with easyupdate facilities through the call centre and website• through rigorous technical standards for the operation of ticketing and other computersystems that collect and process information about travel, other transactions andpayments• by ensuring that individuals are able to access and correct the personal information thatPTV holds about them on request (refer to section 10 below).7.3 Where PTV obtains personal information from third parties – information about eligibility forconcessions from source agencies, for instance – the relevant agreements will specificallyaddress data quality issues (see also Concessions in section 5 above).8. Security (IPP4)8.1 PTV will ensure that the personal information it holds is protected by appropriate securitymeasures, including regarding computer systems, communications and physical assets –supported by clear and enforceable confidentiality rules for staff and contractors.8.2 The new ticketing system makes use of cryptographic procedures to ensure that the datastored on a myki smartcard chip is secure. A myki smartcard will only allow access orchanges to its stored data if appropriate security conditions are met. A device (for example,a fare payment device) will only be able to read a myki smartcard if both the device and thePrivacy Policy January 2013,TRIM Ref: DOC/12/301125 Page 12 of 18

myki smartcard have correct and registered security keys 19 (similar to a credit or debit cardat an ATM or EFTPOS device).8.3 Personal information will only be held for as long as it is required for operational purposes,or as required by law.8.4 Registered account holders wishing to check the usage information for a myki in theiraccount can do this by logging into their myki website account (by entering their usernameand password) or by contacting the call centre. When contacting the call centre registeredaccount holders will be asked a series of questions to confirm their identity.8.5 When the call centre contacts a registered account holder the card holder will be asked aseries of questions to confirm their identity.9. Openness (transparency) (IPP5)9.1 This privacy policy is one important way in which PTV complies with IPP5 (Openness) andalso forms part of its broader communications and public information strategies. While thefull policy is available both in hard copy, on request, and through the myki website, there isalso a more concise privacy statement on the website – acting as a summary andintroduction to the full policy, and also specifically addressing the collection of informationthrough the website itself. 209.2 Appropriate privacy notices are also provided wherever and however personal information iscollected, such as on application forms for myki smartcards or for direct debit arrangements.10. Access and correction (IPP6)10.1 When a cardholder ‘touches off’ the public transport system, the device will displayinformation about the charge levied for that trip and the outstanding balance of myki moneyor the myki pass on the cardholder's myki smartcard. The information is no longer displayedwhen cardholders remove their card from the reader. myki cardholders will also be able touse devices at specific locations to read information held on the myki smartcard chip, suchas recent trip history, debits or credits.10.2 Registered account holders wishing to check the usage information for a myki in theiraccount can do this by logging into their myki website account (by entering their usernameand password) or by contacting the call centre. Registered account holders contacting thecall centre will be required to confirm their identity (for further information, see section 8.4).A cardholder (registered or anonymous) can check their recent myki usage information bypresenting their card at blue myki check devices and myki vending machines located atselected train stations, tram platform stops and bus interchanges, and at staffed stationticket offices. Some retail agents (or partners) will also be contracted under the newticketing system, to provide customer service functions at the cardholder’s request(including viewing, and printing, the myki card usage and balance details if requested by thecustomer (for more information, see section 5.19).19 Security keys authenticate (electronically) a valid myki to a valid myki device and vice versa. They are also used tofacilitate secure transfer of information between a myki card and a device.20 PTV will follow the advice given by the Office of the Victorian Privacy Commissioner on its website,(www.privacy.vic.gov.au), in Website privacy: Guidelines for the Victorian Public Sector May 2004.Privacy Policy January 2013,TRIM Ref: DOC/12/301125 Page 13 of 18

10.3 PTV is subject to the Victorian Freedom of Information Act 1982 (Freedom of InformationAct) as well as the Information Privacy Act. Both Acts confer a right of access to, andcorrection of, personal information, although the Freedom of Information Act also has widerobjectives.10.4 Where responses to Freedom of Information Act requests from third parties (for the releaseof documents) include ‘personal affairs’ information, PTV will ensure the privacy of theindividuals is protected, using the established Freedom of Information Act processes forediting or, where appropriate, seeking consent for release.10.5 In line with advice from the Victorian Privacy Commissioner PTV has integrated itsprocesses for handling Freedom of Information Act and Information Privacy Act requestsfrom individuals for access to information about them and for corrections relating to thatinformation.10.6 Access by an individual to all personal information about them held by PTV will be availableon request free of charge, subject to appropriate evidence of identity and to certainexceptions set out in the Information Privacy Act and Freedom of Information Act. 2111. Other uses of the smartcard11.1 myki money could be used in the future for the purchase of other goods or services – eithertransport-related, such as bike lockers at or near stations, or unrelated goods and services(e.g. newspapers or soft drinks). As noted in section 3.1, whether this capability is activatedis a policy decision for government and would also be subject to certain regulatoryapprovals. If this is confirmed in the future, other ‘retail agents (or merchants)’ would belicensed to use myki smartcard readers to debit value from the myki smartcards – theywould not have access to any of the transport-related information on the myki smartcard, orto registration or myki smartcard transaction information in PTV’s databases.11.2 The myki smartcard could also provide a platform for other products, as it has the technicalcapacity to hold other information. Other products could include government services suchas library cards, or commercial services such as loyalty programs (separate from any PTVloyalty scheme). If such products were allowed, it is likely to be on the basis of a voluntary‘opt-in’ by customers and there would need to a clear agreement about the extent of anydata sharing and on security to prevent unauthorised sharing.11.3 PTV is committed to further discussion with stakeholders, including the PrivacyCommissioner, before any decision is made to allow other products on the myki smartcards(and if so on what terms) or to allow access to information held by PTV in connection withmyki money payments, other than that required for reconciling payments.12. Monitoring and auditing12.1 PTV’s contractors will maintain audit logs of access to computer systems sufficient tomonitor compliance with access limitations and security. As required by IPP2.2 of theInformation Privacy Act, records will be kept of any use or disclosure for the purpose of lawenforcement etc. (refer to section 6.10 of this policy). PTV will implement routine reportingand periodic reviews to assess compliance and will make its records, and those of its21 PTV reserves the right to make a reasonable charge for routine provision of information, such as regular accountstatements.Privacy Policy January 2013,TRIM Ref: DOC/12/301125 Page 14 of 18

contractors, available as required by any properly authorised external regulator, includingthe Privacy Commissioner, the Public Transport Ombudsman and the VictorianOmbudsman. PTV’s prime contractor, Kamco, is required to conduct an annual audit ofprivacy compliance and report on this to PTV.13. Complaints13.1 PTV will handle complaints about breaches of privacy through the call centre in the firstinstance. Some complaints may involve both privacy and other customer service issues.PTV, with the cooperation of contractors, will endeavour to resolve any privacy complaintsspeedily and efficiently, in a way that both satisfies the complainant and ensures that anysystemic issues are addressed.13.2 Complainants will be advised that they can take a complaint to the Privacy Commissionerand also that they have a right of review by the Victorian Civil and Administrative Tribunal(VCAT) in certain circumstances. PTV will cooperate fully in any investigations orproceedings involving the Privacy Commissioner or VCAT or other regulatory bodies, suchas the Public Transport Ombudsman and the Victorian Ombudsman.14. Training14.1 PTV will include appropriate modules and information on privacy in staff training,newsletters and other outlets, including reminders and updates as the new ticketing systemis progressively developed and implemented.Further informationFor further information, contact the PTV call centre on 1800 800 007 or use the feedback form atptv.vic.gov.au.Privacy Policy January 2013,TRIM Ref: DOC/12/301125 Page 15 of 18

Glossary and abbreviationsNote: the definitions below are provided with a view to understanding terms used in this privacypolicy. For legal purposes (including ticketing enforcement), definitions in the Victorian Fares andTicketing Manual (myki) apply.Termaccount holderATMauthorised officerauto top-upback officebalance protectioncardholdercentral card usagedatabaseConcession mykicontactlesssmartcardcustomercustomer recordCustomerRelationshipManagementdatabasedepartment/thedepartmentEFTPOSDefinitionThe person who has applied to manage one or more myki cards, which will beregistered under their name; an account holder may or may not be a cardholder.automatic teller machineFor the purpose of section 221A and 221AB of the Transport (Compliance andMiscellaneous) Act 1983 (Vic) and the Regulations, an authorised officer is a personresponsible for providing customer service, checking tickets and reporting fareevasion offences to the Department of Transport.The automatic loading of value to a myki based on pre-conditions specified by thecustomer; the funds will be automatically debited from the customer’s nominated bankaccount or credit card.The central location from which the new ticketing system data is managedSee the Victorian Fares and Ticketing Manual (myki)Means in the case of an Anonymous Card, the person to whom a Card is issued orwho otherwise acquires a Card and for a Registered Card, a person nominated as thecardholder by the account holderThis is the Transport Payment Processing System database which contains all cardusage data for operation of the new ticketing system.A ‘long-life’ smartcard programmed with the relevant concession entitlementpermitting the purchase of a myki pass or use of myki money at discountedconcession rates; some concession mykis will be registered and personalised, with aname and a photo or a name only.A long-life smartcard in which the chip communicates with the card reader throughradio frequency identification (RFID) induction technology. These cards require closeproximity to an antenna (approximately 50mm) to complete a transaction.A passenger who holds a valid mykiA record of personal information relating to the customer, held within the customerrelationship management databaseA database which records and updates customer profile information for NTScustomersthe Department of Transportelectronic funds transfer at point of salePrivacy Policy January 2013,TRIM Ref: DOC/12/301125 Page 16 of 18

TermDefinitionfare payment device Device to which mykis are presented on the start and end of a trip (or portion of a trip)to touch on and touch off. The device calculates and deducts the correct fare for travelon the myki.Fares and TicketingManual (myki)Freedom ofInformation ActFree travel passFull fare mykihand held deviceInformation PrivacyActIPP (InformationPrivacy Principle)myki moneymyki passmyki smartcardnumberPANperiodical ticketsThe Victorian Fares and Ticketing Manual (myki) (available via www.ptv.vic.gov.au; goto the ‘fares & tickets’ section)Freedom of Information Act 1982 (Vic)Refer to the Victorian Fares and Ticketing Manual (myki) for informationThe ‘long-life’ smartcard using myki money or myki pass for travel, at the full fare(undiscounted) ratePortable device used to read mykis for information, load value to mykisInformation Privacy Act 2000 (Vic)IPPs are 10 privacy principles established under the Information Privacy Act 2000(Vic), which form the basis of managing personal information. These are IPP1:Collection of personal information, IPP2: Use and disclosure of personal information,IPP3: Data quality, IPP4: Data security, IPP5: Openness, IPP6: Access andcorrection, IPP7: Unique identifiers, IPP8: Anonymity, IPP9: Transborder data flows,IPP10: Sensitive information.Electronic/stored value balance held on a myki, for use as defined by PTVPeriodical product which can be loaded by the customer onto their myki for specificzones and a chosen number of days required for travelAn identification number, known as the primary account number (PAN) attributed toeach myki, uniquely identifying each myki smartcardprimary account numberAvailable as myki passes under the new ticketing system (refer to ‘myki pass’ in thisGlossary)personal information As defined in the Information Privacy Act 2000 (Vic)personalisationPINThe physical personalisation of a myki, involving adding a cardholder’s photo and/orcardholder’s namepersonal identification numberPTVreading devicePublic Transport Victoria, the operating name of the Public Transport DevelopmentAuthorityAny device designed to read a myki smartcard for the purposes of topping up mykimoney or purchasing a myki pass, touching on or touching off the public transportnetwork – for example, a fare payment device, card vending machine or retail point ofsale devicePrivacy Policy January 2013,TRIM Ref: DOC/12/301125 Page 17 of 18

TermregistrationDefinitionThe process by which a myki is linked to an identifiable customer (account holder andcardholder)retail agent / partner individual retail agents or retail partners will provide an identifiable retail networkacross Victoria, to support implementation of the new ticketing system.source agenciestouch-offtouch-onTRIMusage data historyVCATwebsiteAn agency that provides relevant customer data to PTV for the purposes of verifying aperson’s concession entitlementThe presentation of a myki to a fare payment device at the end of a journey or sectionof a journey when exiting a mode of transport or the public transport networkThe presentation of a myki to a fare payment device at the start of a journey or sectionof a journey (for example when passing through gates to enter a station platform orwhen boarding a tram or bus)Total Records and Information Management (PTV’s electronic records managementsystem)Data related to the use of a myki smartcard and stored in new ticketing systemback-office databases (for example data regarding purchasing, top-ups, touch-ons)Victorian Civil and Administrative TribunalReferences to the website are to myki.com.auPrivacy Policy January 2013,TRIM Ref: DOC/12/301125 Page 18 of 18