Privacy expert said the agency should not be sharing its passengers’ info and police must get a warrant first.
|Report an Error|
Share via Email
Metrolinx spokesperson Anne Marie Aikins said that the agency, which operates the Presto system used by the TTC and 10 other transit agencies in Ontario, has always complied with privacy legislation.
But she acknowledged that there could be ways to improve its protocol around giving the data of its passengers to law enforcement.
“We know that privacy and the protection of personal information are highly important to our customers and we share that concern,” said Aikins.
“We felt it was important to conduct a thorough review and consultation to balance the need to protect the privacy of our customers and our efforts as a good community partner.”
The proposed changes, which Metrolinx intends to post online next week for public consultation, reflect largely recommendations made by experts who warned that the existing policy could lead to violations of transit users’ privacy.
According to Aikins, the proposals include: changing the written information provided to Presto users to explicitly state under what circumstances Metrolinx will share private information with law enforcement; requiring police officers to get their supervisors to sign off on requests for cardholders’ information; notifying cardholders when police have asked for their information, and tracking and publishing annual statistics about how many requests the agency received and how it responded.
Aikins said Metrolinx came up with the proposed reforms after a review that included examining the privacy policies of other transit agencies, telecommunications companies and financial institutions.
Former three-term Ontario privacy commissioner Ann Cavoukian said that the proposed reforms are “an improvement, but they don’t go far enough.”
She said her main concern was that the reforms stop short of requiring police to provide a warrant to obtain Presto users’ information.
While exceptions should be made in emergencies, such as missing persons cases, in all other instances “you need judicial oversight,” said Cavoukian, who is now the distinguished expert-in-residence at Ryerson University’s Privacy by Design Centre of Excellence.
“You shouldn’t be giving customers’ personal information . . . to law enforcement unless there is a legitimate case. And if there is a legitimate case, you go to a judge and you get a warrant.”
The agency couldn’t immediately provide updated statistics about how many requests for Presto users’ information it has received from law enforcement.
However, Torstar reported in June that, since the start of the year, the agency had received 26 requests for Presto usage data, which show where and when a passenger taps their fare card as part of a transit trip. The agency has said that it doesn’t share any other information that it collects from Presto users, such as email addresses, phone numbers, or financial details.
The agency granted 12 of the 26 requests. Six of them were related to criminal investigations, and six were missing persons cases.
In only two cases did police produce a warrant.
In the 14 instances where requests weren’t granted, Metrolinx either turned down the application or it was withdrawn by police.
At the time, the agency said that it did not always notify users police had asked for their data.
The public will now have a chance to provide feedback about the potential reforms. Metrolinx also plans to consult with privacy experts, academics, law enforcement, and representatives from other transit agencies. The agency is expected to report back on potential changes to its privacy protocol at its December board meeting. After receiving input from the board, it will report to the provincial Information and Privacy Commissioner.
Roughly 3 million transit riders in Ontario now use Presto, according to Metrolinx. The TTC intends to complete its move to the fare-card system sometime next year, and phase out older forms of payment such as tickets and tokens.
More on Metronews.ca