A NSW Civil and Administrative Tribunal (NCAT) decision relating to opal cards, has made it clear that care needs to be taken with how much personal information a business collects and how this private information is used.

The decision1:

  • Transport NSW collected the applicant's personal information by tracking the applicant's travel movements and locations where his opal card was topped up.
  • It was determined that the applicant should have a right to stay anonymous and that the collection of his private information was to be limited.
  • Information should only be collected if it is 'reasonably necessary' for the identified purpose. NCAT found that all of the information Transport NSW was collecting was not reasonably necessary for ensuring an opal card user was eligible for that type of opal card.
  • However, this decision was appealed 2. As a result of the appeal it was determined that the collection of the travel data is for the ticketing purpose (calculating and debiting the fare) and this is reasonably necessary for that purpose.
  • Regardless of the outcome of the appeal, this case has made it clear that organisations need to be careful with what information they are collecting as the necessity of it being collected may be challenged.

How does this affect your business?

The rapidly developing world that we live in, particularly in regards to technology, has consequences on individuals but also on businesses. It is essential that businesses review the amount of private information they collect and store, consider whether the business needs all of that information and what they are doing to protect it. Data breaches are now further regulated under the Notifiable Data Breaches Scheme (NDBS).

Businesses should be reviewing their privacy policies to ensure they align with the tightened privacy laws. It is particularly important to consider:

  1. the reasons for data collection;
  2. if the data collected is reasonable necessary for the identified purpose;
  3. the actual data that is needed to fulfil the businesses' objectives;
  4. the processes in place to protect collected information; and
  5. implementing a data breach plan to set out the steps to manage a data breach.


1 Waters v Transport for NSW [2018] NSWCATAD 40.

2Transport for New South Wales v Waters (No 2) [2019] NSWCATAP 96.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.