THOUSANDS OF motorists who have been using the barrier-free toll on Dublin’s M50 motorway have had their details stored by the toll operator since August 2008, despite concerns it may have breached the Data Protection Act.
The complaint has now been partly resolved with a commitment by the National Roads Authority and the toll operator BetEireFlow Ltd to make certain changes to the system to allow “anonymous” travel.
It has emerged that the details and toll passages of users who opted not to register for either a tag or for video recognition of their vehicle were nonetheless stored on the toll operator’s database under a single account number linked to their vehicle registration plate.
The operator proposed to keep the information on each transaction for a year. The NRA said it did not have a record of how many such users it had on its database, but about a quarter of the 95,000 daily toll trips are by unregistered users.
Following a complaint made by this reporter in May in relation to BetEireFlow’s storage of personal data for an “unregistered” account, the Data Protection Commissioner pursued the matter with the NRA.
It is understood that if a resolution had not been reached in relation to the complaint, the commissioner would have had to consider using his statutory powers of enforcement.
The NRA has now agreed to amend the unregistered payment process to allow motorists find out the balance they owe, without compromising privacy. Once this is in place it intends to reduce the data retention period to six months and further if this becomes feasible.
Motorists will also, within the coming months, be able to opt for “anonymous” travel through the M50 toll, subject to waiving certain rights, such as the right to challenge a transaction once it has been deleted.
The NRA said it is also amenable to considering a new form of tag product, which would include automatic data deletion.
“It’s about 2 per cent of people who would be that concerned about it, but there are plenty of people who don’t want their movements recorded,” said deputy data protection commissioner Gary Davis.
An NRA spokesman said: “Overall it was a very positive engagement because clarity needed to be brought to the matter. This is a first-of-its-type system, the barrier-free system, and operationally, how to execute the consumer’s rights and make sure they are protected is what the NRA was concerned about.”
Road authority to amend its methods
LONG BEFORE the barrier-free tolling system on Dublin's M50 motorway went live in August 2008, the implications for motorists in terms of the storage and the privacy of their data were evident to all involved in the project.
In October 2007, the National Roads Authority approached the Office of the Data Protection Commissioner (ODPC) to discuss the issues associated with the new arrangements.
The commissioner's office noted in its annual report last year that while the project had the "clear objective of improving traffic flows on the M50, the previous model of paying cash at toll booths was at least privacy-friendly, if not the most traffic-friendly option".
While the ODPC was satisfied there was a legal basis for permitting the processing of personal data by a private operator, who must be given access to the State's official vehicle records to collect tolls for the NRA, it was concerned about the extent of the processing of data envisaged.
All traffic movements across the toll plaza are photographed, video-recorded and stored in order to process payment of the due tolls.
But the question was how could the NRA meet its obligations on data protection, and at the same time provide a privacy-friendly service that would allow a law-abiding motorist pay due tolls without having their data stored for longer than necessary?
The ODPC initially sought a 30-day retention period for those who opted not to register. But the NRA, in talks with the commissioner's office, produced extensive information that indicated there were cases where the data needed to be held in order to "unwind" transactions to provide evidence of a motorist's interaction with the toll.
Deputy data protection commissioner and director of investigations, Gary Davis, says there was a need for the operator to be able to record "whether the vehicle you were saying was a family car was in fact a 40-foot truck. That was an issue we hadn't really understood in advance."
A totally open system, whereby a user could telephone with their car registration or enter it online to check their balance posed a particular difficulty.
"A large part of our focus was on the actual recording of vehicles going through, and that being linked with people, ultimately," says Davis.
"If the thing was completely open for you to know that you went across the M50 at 12.30 today and went back across at 13.01, the difficulty is that anybody with your car registration, who wanted to know what you were doing, could actually log in and do that. That has been an inherent problem from the outset," Davis says.
"If you got the car registration of the Taoiseach, for example, all you would need to do would be go on the website and check the details."
It follows that anyone with a mind to - journalists or gardaí for example - could potentially mine such a system for information that should not be available to them.
Davis says there had been no issue with data being held for a period of time where, for example, a prosecution was being taken against a motorist for non-payment of tolls.
"But for law-abiding citizens, who have paid their toll on time, that's not a justification for holding theirs. That was a view we had from the outset."
The NRA says that while it does not have a record of the number of "unregistered" users on its database, about a quarter of the 95,000 daily trips through the tollare by unregistered users.
The Office of the Data Protection Commissioner received a number of complaints in relation to payment of the toll generally, but none on the substantive privacy issue until the one lodged in May, it is understood (see panel).
It is understood that if a satisfactory resolution had not been reached in relation to the complaint, the commissioner would have considered using his statutory power of enforcement against the NRA.
But the roads authority has now produced "substantive" proposals to resolve the issue.
These include a plan to allow motorists opt for "anonymous" travel on the M50, provided they waive certain rights - including the right to challenge a transaction that has already been deleted. This should be in place within a few months.
The commissioner will also work with the NRA to amend the unregistered payment process to allow for the motorist's outstanding balance to be available when they seek to pay a toll, taking account of data protection requirements.
The NRA expects to be able to reduce the data retention period from a year to six months for both registered and unregistered users once this has been implemented. It will consider implementing a shorter retention period if this becomes feasible.
The roads authority also says it is amenable to considering a new form of tag product, which would include the automatic deletion of data, again subject to a waiver of the right to retrospectively challenge a toll payment made by credit card, for example.
Davis says his office is very pleased that an outcome has been achieved whereby data relating to users of the M50 will only be held for a relatively short period.
A spokesman for the NRA says: "Overall it was a very positive engagement because clarity needed to be brought to the matter in question. This is a first-of-its-type system, the barrier-free system, and operationally, how to execute the consumer's rights and make sure they are protected is what the NRA was concerned about. It's great to have clarity on this matter."
AS AN infrequent user of the M50 toll, I had opted not to register either for a tag or for video recognition of my vehicle.
It became apparent following a request to toll operator BetEireFlow Ltd under the Data Protection Acts that extensive personal information, including time-stamped images, was being stored on a central database under a single account number. It was clear that users who had elected not to register vehicle and address details were having them stored anyway.
Despite my argument that BetEireFlow Ltd was, in my view, storing such data in contravention of the spirit of the Data Protection Acts, it refused to delete the personal details or to anonymise transaction information. It insisted a 12-month period for storage of the data was necessary to enable it to confirm when an individual has used the service.
"We believe that this period is necessary to enable us to confirm when an individual has used the service and when they have not, and to adequately deal with the queries and issues which may arise in this regard. We do not consider that it would be appropriate for us to anonymise the data, and we assure you that access to the data is limited to those who need to know it," it wrote on May 7th last.
My complaint to the Data Protection Commissioner - noted with "regret" by BetEireFlow Ltd - was made on May 19th and was ultimately resolved last week after "constructive engagement" between the parties on my specific complaint and on the privacy issue generally.
It is understood that if a satisfactory resolution had not been reached in relation to the complaint, the commissioner would have considered using his statutory power of enforcement in order to get the NRA to comply with the Data Protection Acts.
Meanwhile, following another data protection request recently, it emerged a private clamping company based in Dublin, which had clamped my vehicle in a privately owned carpark, kept personal information for a five-year period. A written response to the firm indicating that I believed this to be a potential breach of the Data Protection Acts resulted in an immediate response indicating that the data would be deleted.