Opal card users get anonymous option - with a catch

Privacy concerns about Sydney's Opal card are finally being addressed, but issues remain.
 
Learn more
 
 
 
 
 

01.Opal cards and your privacy

Opal cards privacy envelope stamped confidential

Transport for NSW has announced that unregistered Opal cards, allowing anonymous travel on Sydney’s public transport network using the Opal system, will now be available at select Sydney train stations at pop-up kiosks. But they'll only be available on certain days, and not from regular ticket windows.

The kiosks will be open on Mondays and Tuesdays until the end of September and are located at Ashfield, Bankstown, Blacktown, Bondi Junction, Burwood, Campsie, Central, Chatswood, Circular Quay, Edgecliff, Epping, Hornsby, Hurstville, Kings Cross, Lidcombe, Liverpool, Macquarie University, Martin Place, Newtown, North Sydney, Parramatta, Penrith, Redfern, Rockdale, St Leonards, Strathfield, Town Hall and Wynyard stations.

The introduction of the anonymous cards follows an announcement from the NSW Greens that they have referred the Opal card privacy policy to the state's Information and Privacy Commission.

Privacy concerns

One issue with the Opal cards is the amount and type of personal information captured when travelling on public transport, including when and where a user has travelled, and the provision of that information without obtaining express consent to third parties. 

The government operators of smartcards in Brisbane, Sydney and Melbourne all say they may provide personal information to law enforcement officials upon request – in some cases without a warrant. And it’s not just police who may request access to information, but reportedly also agencies such as Centrelink, the Australian Taxation Office and local councils.

Travel card systems in other states allow users to easily choose an unregistered card (not connected to an account containing identifiable personal information), offering some privacy protection. However, Sydney’s Opal scheme lags behind, with customers forced into using registered cards, unless they’re able to get to one of the newly installed, temporary pop-up kiosks. 

The worrying terms and conditions of Sydney's Opal card

Those who buy an Opal card online or over the phone must accept the Opal privacy policy, which contains some dubious clauses: 
  • The operator may disclose personal information or travel history to a law enforcement agency that is necessary for law enforcement purposes, for the investigation of an offence, for the enforcement of criminal law or to assist in locating a missing person.
  • Opal reserves the right to make disclosures to relevant authorities where the use of the Opal ticketing system raises a suspicion that an offence under any law may have been or may be committed.

The NSW Greens are seeking an urgent intervention to allow Opal users to opt out of having their information shared.

Brisbane’s Go card and privacy issues

Brisbane's Go card hit the headlines in July 2010, when it was reported that operator TransLink provided police with the personal travel data of customers – and not just those who were suspects in an offence, but also those who may have been witnesses.

The Qld Information Commissioner announced a review into the handling of personal information and TransLink’s disclosure to the police. The review found:

  • Requests for Go Card information made before the start of the review were not handled in accordance with the requirements of the Information Privacy Act on a number of occasions.
  • In most cases when TransLink disclosed information, it did not have sufficient information to satisfy itself under the Information Privacy Act that the disclosure was necessary. 

The Commissioner was satisfied with the improvements the Queensland Police Service and TransLink made to their processes after the start of the review, and made a further seven recommendations that were supported by the police and TransLink.

Melbourne’s Myki card

As with the Go card and Opal privacy policies, police don’t need to apply to a court for access to a Myki customer's private information – they simply need to request it in writing. It has been claimed that Myki’s operator, the Transport Ticketing Authority (TTA), has increasingly been handing over customer data to police.

Myki users can choose not register their cards, and it’s been reported that about half of all customers take this option.

Adelaide’s Metrocard

The Metrocard can be used registered or unregistered. The card ’s terms and conditions are very clear about the difference between both options when it comes to privacy and the information recorded and stored. However, as with other states, the privacy policy states that “Authorised disclosure of Personal Information may be required for law enforcement purposes”. A written request must come from South Australia police, and the executive director of the Public Transport Services Division must both formally approve the request and authorise the release of the information sent.

Perth’s SmartRider card

The SmartRider can be used registered or unregistered, but it appears to have broader terms around disclosure. The Transperth website’s privacy statement says "Transperth’s Digital Information Services will disclose your personal information, without notice, only if required to do so by law or in the good faith belief that such action is necessary to: (a) conform to legislative requirements or comply other with legal process; (b) protect and defend the rights or property of Transperth; and, (c) protect the personal safety of users of Transperth Website, or the public."

Transport smartcards and security risks

Apart from access to information by law enforcement officials, there are other concerns around privacy and transport smartcards.

Security

Databases held by the smart transport card operators are large and valuable – tempting fodder for hackers. The transport operators may have top-notch security in place to protect the data, but as examples of several high profile data breaches over recent years have shown, security systems and software are vulnerable.

Third-party mobile apps and websites

The Myki, Opal and Go card websites all warn customers against using unofficial and unapproved third-party mobile apps designed to work with their smartcards. They also warn against allowing third-party websites to log into or access their personal account on the smartcard websites.

What is a public transport smartcard?

Sydney arrived late on the travel card scene, with the Opal introduced in 2014 – seven years after Perth, six years after Brisbane, five years after Melbourne, and two years behind Adelaide. It's still being rolled out across the various transport modes, with full implementation expected by the end of this year.

Public transport smartcards:

  • Consolidate different types of transport onto one payment system, so users don't have to buy separate tickets for a bus and a train, for example.
  • Allow easy or automated top-ups.
  • Offer a travel history and tax invoices.
  • May offer bonuses such as free travel.
 
 

 

Sign up to our free
e-Newsletter

Receive FREE email updates of our latest tests, consumer news and CHOICE marketing promotions.

 
Your say - Choice voice

Make a Comment

Members – Sign in on the top right to contribute to comments