A presentation by the Chief Executive of Dublin Bus titled “Energy and Carbon: The Race to Zero” was recently shared widely on LinkedIn. In it, Ray Coyne, the CEO of the public transport system set out his vision for the “sustainable Dublin of the future” with new hybrid vehicles, free fares for children under 18, and an eventual move to “Account Based Ticketing” (ABT). With similar ABT systems proving popular in cities like London, Singapore, and Melbourne, how can Dublin Bus implement ABT for public transport users in Ireland while managing concerns for data protection and privacy?
What is Account Based Ticketing?
Account Based Ticketing (ABT) is a “ticketless” way of allowing people to travel on public transport. The technology enables customers to use contactless cards, mobile phones, wearables, and other RFID enabled devices like student IDs and passports to make a journey. The passenger taps their card or device or scans a secure token linked to an account in the ABT database and the fare is automatically calculated based on a number of factors such as user profile, location, and amount of taps during a time window. The passenger’s account is charged the fare post-journey.
Benefits for Passengers and Providers
With ABT, passengers no longer need to buy a ticket in advance or understand fares before traveling. Due to the way ABT fares are calculated post-journey, this also provides the transit authority the option to implement fare capping and best fare finding rules. Instead of charging customers for every journey they take, ABT calculates the best fare the customer could have pre-purchased and allocates this fare to the passenger as they travel and caps their cost. This makes public transport more attractive by allowing for more flexible travel behaviour. Passengers can hop on and hop off and change transport modes without worrying about being overcharged for their trips.
The technology could also increase efficiency for Dublin Bus. According to Barry Dorgan, Head of Ticketing Systems at the National Transport Authority, the payment process at bus stops is responsible for the majority of bus delays after traffic congestion. In Ireland payment by cash is still common, slowing down the boarding time. Even with Leap Card, the complexity of stages means a large percentage of passengers have to interact with the driver, with resultant delays at bus stops.
The flexibility of ABT may also help passengers adjust to planned changes with the rollout of BusConnects, where familiar, but often circuitous, bus services will be replaced with “high frequency” spines and feeder routes–requiring passengers to make transfers along their journey. Traveling the same distance using two buses (instead of one) would not incur any additional charge to the passenger using ABT.
Privacy and Data Protection
While Privacy and Data Protection are sometimes used interchangeably, in the EU they are two separate laws with different implications for an agency like Dublin Bus looking to implement ABT technology. Data Protection means the protection of individuals with regard to the collection and use of their personal data. Personal data is any information relating to an identified or identifiable individual–regardless of whether the information is private, professional, or even publicly available. The General Data Protection Regulation and the Data Protection Act 2018 regulates data protection for data subjects, in this case bus passengers, in Ireland.
Privacy means an individual’s right to maintain control over and be free from intrusion into their private life, family life, home and communications. In the Irish context, the sources of privacy law are Bunreacht na hEireann, the European Convention on Human Rights, the EU Charter of Fundamental Rights, and the ePrivacy Directive. Protection of the customer’s privacy is an ethical requirement of confidentiality, and a low level of protection not only could be punished as a violation of law but would damage customer acceptance according to the European Commission’s Expert Group on Urban Intelligent Transport Systems.
With approximately 325,000 passengers using Dublin Bus every day, the move to Account Based Ticketing would make Dublin Bus one of the largest controllers of personal information in the State. The GDPR principles provide guidance on how to process that personal information lawfully, fairly, and transparently. By identifying the lawful bases for which the data is being stored and used, the controller retains only what is essential to deliver the service (minimisation) and to comply with national law. For example, information from the contactless bank card should be stored in back office only for the amount of time needed to accurately calculate and charge the journey fare.
There is flexibility within the GDPR to facilitate Controllers using or processing personal data to achieve other aims than service delivery and compliance. ABT systems have the potential to generate vast amounts of valuable data for decision-makers planning more efficient models of moving people in and out of cities. The lawful basis for that processing for Dublin Bus is provided under Article 6(1)(e) GDPR performing a task in the “public interest”–the provision of a public transport service. In Ireland, this Official Authority is vested in Dublin Bus to perform this task under Section 22 of the Transport Act 1950.
The passenger may also consent to further processing of their personal information for marketing purposes. As per Article 4(11) this consent must be specific and informed and an affirmative action, which could be captured using a mobile application connected to the ABT.
Data Protection by Design and Default
The obligations Dublin Bus has to facilitate passengers exercising their rights under GDPR means it would be extremely difficult to implement ABT successfully without making data protection principles the foundations of the system design. At its core, ABT is a system of surveillance, and the capabilities of that technology must be strictly controlled to prevent adverse effects on passengers. Unfettered, ABT could identify when we’re running late for an important meeting, or working a 12 step recovery program at an addiction centre, and target us with mobile ads when we are most vulnerable to their messaging.
Article 35 of GDPR requires controllers, like Dublin Bus, to carry out a Data Protection Impact Assessment to identify and mitigate such risks associated with using a new technology solution, and to consult with the Data Protection Commissioner before commencing any processing. Privacy Enhancing Technologies should also be employed alongside Data Protection by Default and Design to safeguard passengers’ privacy and protect their personal data.
Automated, and Human
Systems like Account Based Ticketing offer significant potential advantages for passengers, including choice, flexibility, and faster journeys. However, such initiatives should always be accompanied by sufficient attention to the legal, technical and organisational challenges it will present. Our work on the newly funded Horizon 2020 TRIPS project will examine these legal, data protection and ethical issues with specific attention to enabling both passenger benefits, next-generation transport and robust protections for passenger’s privacy and personal data. For more information on how Trilateral can meet your organisation’s data governance and data protection needs please refer to our list of services or get in touch with one of our advisors for support on your compliance journey.