Jump to: content or main navigation
Our myki Privacy Policy explains how we manage the myki information we collect. It includes details about how you can check that we're managing your myki information in line with Victorian laws.
In our policy, we:
At the end of the policy, we define all the key terms and abbreviations that we use in it.
This privacy policy relates specifically to the myki ticketing system. In addition, PTV has a general information privacy policy (which covers handing of personal information in contexts other than myki).
Privacy issues and myki
PTV recognises that under the myki ticketing system, PTV is the custodian of personal information relating to individuals who travel using myki. PTV is committed to respecting the privacy of customers. As well as complying with applicable laws, PTV seeks to give customers choice and control over the way their personal information is collected and used. Registration of a myki card is voluntary. PTV does not require collection of personal information from a customer when you purchase a myki card.
The myki ticketing system is delivered on PTV’s behalf by third party contractors. PTV or contractors engaged by PTV may contact you for a survey, e.g. customer satisfaction, to help improve its products and services, including in relation to ticketing, travel and passenger experience generally. PTV ensures that arrangements with these contractors include appropriate privacy and confidentiality obligations. PTV also takes responsibility for trying to resolve any privacy concerns or complaints that involve the actions of its contractors.
PTV collects personal information necessary for the operation of the ticketing system, for dealing with enquiries or complaints related to ticketing and for marketing or promotions related to ticketing and public transport. Personal information may be collected through forms, the website, the call centre, a PTV Hub customer service centre or myki retailers or devices.
The personal information that PTV collects under the myki ticketing system is also collected for the purposes of other public transport authorities – the Department of Transport ("the Department") and contractors, agents and delegates of the Department and PTV, including public transport operators. This is in effect a joint collection. The Department is also subject to the Privacy and Data Protection Act 2014, but is separately responsible for compliance and its policies may not be the same as PTV’s.
PTV collects only as much personal information as is necessary for the operation of the myki ticketing system and allows customers to transact anonymously where practicable. No personal information is collected from customers who buy or use myki cards unless they choose to register their myki, or they are in one of the concession categories where registration is required. However, some information may be required about the method of payment and/or delivery of the myki.
In accordance with the Victorian Fares and Ticketing Manual of 28 March 2019 (Manual), setting out conditions that have been determined under section 220D(1) of the Transport (Compliance and Miscellaneous) Act 1983, Ticketing in Victoria depends on which service a customer uses:
Information is collected to understand, diagnose and to support data driven decision making around the public transport network including:
PTV may collect a person’s credit card information to process a payment to PTV. Credit card information collected by PTV will be held in accordance with the Payment Card Industry Data Security Standard (PCI-DSS). The PCI-DSS is a set of requirements for enhancing payment account data security, including requirements for secure network and systems, cardholder data protection, vulnerability management program, access control measures, network monitoring and testing and information security policies.
Personal information is only held for as long as it is required for operational purposes, or as required by law. Once the information is no longer needed for customer service or legal reasons, it will be irreversibly ‘de-identified’ (by having any personally identifying information removed). This de-identified information may then be used, indefinitely, for transport planning purposes.
Collection of health information
In some instances, PTV’s functions of administering travel passes may involve collection of health information. Such information is collected with express consent of the customer, for the purpose of processing and managing applications for specific travel passes. This information is stored separately from the myki ticketing system information (travel history, payments, etc).
PTV has an operational interest in any information it holds being accurate, complete and up to date and this coincides with its responsibilities under IPP3 (Data quality).
PTV seeks to ensure that it meets the data quality principle in the following ways:
Where PTV obtains personal information from third parties (e.g. information about eligibility for concessions from source agencies), the relevant agreements with these third parties will specifically address data quality issues (see also 'Concession myki' section below).
Each myki smartcard has a number, referred to as the Primary Account Number (PAN). This number in itself does not convey any information about the myki customer. The PAN is stored on the myki smartcard chip and is also printed on the myki smartcard. It is used in routine communications with customers, such as through the call centre.
For myki ticketing system purposes, details of the transactions performed with each myki smartcard will be contained in a central card usage database.
Information on the use of myki smartcards is uploaded periodically to the central card usage database. This information is retained in a way that can be linked to the customer (if registered) for as long as it is reasonably needed to answer queries from the customer, to reconcile any payments involving other retail agents (merchants) and for legal reasons. Some information is required by law to be kept for up to seven years.
A cardholder (registered or unregistered) can check their recent myki usage data by presenting their card at a stand-alone enquiry machine (called a ‘myki check’) and myki vending machines. Some retail agents (or partners) are contracted under the myki ticketing system to provide customer service functions at the cardholder’s request (including viewing and/or printing the myki card usage data and balance details if requested by the customer).
Privacy protection is provided either as a design feature or incidentally by the following features of the myki ticketing system. This list is a summary only; detailed explanations are available in later sections.
If a customer chooses not to register their myki, the system will still retain usage data (eg trips taken and payment history), linked to the myki card number (the card’s PAN). This is not personal information as PTV does not have the ability to link it to an individual.
PTV will not provide myki usage data to unregistered card holders as PTV is not able to confirm the individual’s identity and ensure the information is only released to the rightful card holder. PTV may provide usage data from an unregistered myki to law enforcement agencies, where this is appropriate and permitted under privacy laws. This may include travel history and payment records, but will not include any personal information.
PTV promotes the benefits of registration to potential customers. For example, registration gives a customer the ability to use Auto Top-Up and the security of balance protection if the card is reported as lost or stolen.
Customers who register their myki need to provide a name, postal address and phone number (provision of email address is required if registering your myki via the myki website).
myki customers choosing to register full fare, seniors, concession (general) or child myki smartcards can nominate to have their name printed on the face of their myki smartcard when applying (a nominal fee may apply). Registration and printing of a name and a photo (in some cases, a name only) is mandatory for some myki concession customers.
Registered myki customers are allocated an account number in the Customer Relationship Management database. The account number is used for administrative purposes only and is not used in routine communications with customers.
Registered myki smartcard usage data is treated as personal information and as such the usage data is managed in accordance with this policy.
Registered account holders wishing to check the usage data for a myki in their account can do this by logging into their myki website account or by contacting the call centre. Registered account holders contacting the call centre will be required to confirm their identification. Identity is verified for outbound calls. When contacting a registered account holder the call centre asks the card holder a series of questions to confirm their identity.
myki customers’ personal information may be used for purposes related to ticketing and transport services (e.g. informing customers of myki payment options, or transport service updates).
Personal information may be used for non-transport-related marketing; any survey or marketing is voluntary. Customers are given the choice of ‘opting-out’ of receiving any such material. Even if personal information were used for such purposes, it would not be disclosed to commercial organisations for other purposes other than for or on behalf of PTV and for the purpose of performing their contract obligations under their contract with PTV.
Concession myki
The distinction between different categories of concession entitlement are electronically encoded on the myki smartcard chip, and some have a visually distinctive design showing the specific type of concession entitlement, such as a name and/or, photo (e.g. Child myki or free travel pass myki cards). These design distinctions are required for both administrative and enforcement purposes. When concession customers pass through gates on the public transport network, a distinctive light showing up on the device may indicate their concession status. Disclosure of information about the myki customer as a consequence of the everyday use of the myki smartcard is therefore limited.
Some concession myki smartcards have a photograph of the cardholder printed on the face of the smartcard to aid checks by Authorised Officers and assist in preventing misuse of the entitlement to concession travel.
Where a photograph is required, no details of the photo or image are recorded on the myki smartcard chip. No copy or record of the image is kept once the myki smartcard is printed, unless the customer has expressly requested that an additional photo is stored in the myki ticketing system back office. Photos for free travel pass myki cardholders and student concession cardholders are managed (and retained) by the PTV Hub in accordance with the PTV Privacy Policy and/or by Metro or V/Line in accordance with their respective privacy policies.
Use and disclosure of personal information by PTV will be in accordance with this policy, privacy law and Information Privacy Principle 2 dealing with use and disclosure of personal information.
Public transport operators will handle some personal information for processing concession applications and for enforcement and complaint resolution. Public transport operators may also obtain aggregate (de-identified) information from PTV for planning and management purposes.
PTV and its contractors use/disclose personal information for managing and improving public transport ticketing and supporting products and services. This includes the purposes outlined in this policy, to perform its statutory functions and exercise its powers under the Transport Integration Act 2010, for contacting you to share information about our products and services, disruptions on the network, provide you with refund where applicable, ask if you would like to participate in customer satisfaction or other surveys to improve our products and services. Participation in a survey conducted by or on behalf of PTV is voluntary.
Ticketing enforcement
PTV is not responsible for enforcing ticketing compliance or managing public transport fare evasion. This is a function established by the Transport (Compliance and Miscellaneous) Act 1983 and Regulations under that Act and is the operational responsibility of the Department.
Using a hand-held device, Authorised Officers are able to read the myki Money balance, myki Pass status, concession status and recent transaction history from a smartcard. If required, they can combine this information with personal details obtained directly from the cardholder in support of the generation of a report of non-compliance (to be provided to the Department for further action). The Department, not PTV, is responsible for issuing infringement notices.
The Department has access to PTV’s registration and smartcard history databases in order to investigate or prosecute alleged offences under the Transport (Compliance and Miscellaneous) Act 1983 or Regulations. This falls within the exceptions to IPP2 related to investigation and prosecution of criminal offences.
Apart from disclosures connected with administration of public transport and Transport (Compliance and Miscellaneous) Act 1983 enforcement, PTV only provides personal information about myki customers to other third parties, including law enforcement agencies, in the following circumstances (which are all in accordance with privacy law and IPP2):
PTV has ‘myki - PTV guidelines for disclosure of personal information to law enforcement bodies’. These guidelines set out both the detailed criteria and the procedures for disclosure of personal information by PTV and its contractors or agents to third parties for purposes other than myki ticketing system operations or enforcement of the Transport (Compliance and Miscellaneous) Act 1983. These guidelines apply the requirements of privacy law to any disclosure of personal information.
Disclosure outside Victoria
It is very unlikely that PTV will disclose any personal information to someone outside Victoria except to individuals who wish to access their own personal information or law enforcement agencies as discussed above. If this is required at any time, PTV will ensure that it meets the additional requirements of IPP9 (Transborder data flows).
Irrespective of whether your Personal Information or Health Information is stored electronically or in hard copy form, PTV will take reasonable steps to protect it from misuse and loss and unauthorised access, modification or disclosure.
Credit card information collected by PTV will be held in accordance with the requirements of PCI-DSS.
PTV will also take reasonable steps to destroy or permanently de-identify your Personal Information or Health Information if it is no longer needed for the purpose (or a related purpose) for which it was initially collected, unless, in the case of Personal Information, it is subject to the Public Records Act 1973, in which case it will be retained or disposed of in accordance with that legislation.
PTV will take reasonable steps to ensure that Personal Information we collect is accurate, complete and up to date. Registered myki customers can update their information either online or contacting the call centre.
Access by an individual to all personal information about them held by PTV is available on request free of charge, subject to appropriate evidence of identity and to certain exceptions set out in the Privacy and Data Protection Act 2014 and Freedom of Information Act 1982. PTV reserves the right to make a reasonable charge for routine provision of information, such as regular account statements.
For more information, call 1800 800 007.
PTV Privacy Officer
If a person believes that their Personal or Health Information has been used by PTV in a manner contrary to the PDP Act or Health Records Act 2001 (Vic), they may contact the PTV Privacy Officer:
By phone: call 1800 800 007 By email: ptvprivacy@ptv.vic.gov.au By post: PO Box 4724, Melbourne VIC 3000
Health Complaints Commissioner
Complaints about any use of a person’s Health Information which is believed to be contrary to the Health Records Act 2001 (Vic) can be made with the Health Complaints Commissioner. You can find more information about submitting complaints in respect of Health Information on theHealth Complaints Commissioner website.
Victorian Information Commissioner
People can also contact the Victorian Information Commissioner for more information or to raise certain complaints about privacy matters and regulation in Victoria. You can find more information on the Office of the Victorian Information Commissioner website.
Review
This document is reviewed regularly and at least once every two years.
Glossary and abbreviations
Note: the definitions below are provided with a view to understanding terms used in this privacy policy. For legal purposes (including ticketing enforcement), definitions in the Victorian Fares and Ticketing Manual (myki) apply.