Ministry issues guidelines for ‘Rav Kav’ data

ACRI says directives fall short on serious privacy infringements involving passengers' personal information.

Israeli buses 390 (photo credit: Marc Israel Sellem)
Israeli buses 390
(photo credit: Marc Israel Sellem)
In the wake of criticism from civil rights groups that new ‘Rav Kav’ bus passes could infringe passenger privacy, the Israeli Law, Information and Technology Authority (ILITA) issued guidelines on Tuesday regulating transport companies’ obligations regarding personal passenger data.
The new Rav Kav “smart cards” replace old paper tickets, and are intended to streamline ticket buying on public transport by acting as a single fare collection system for the country’s various transport providers.
However, civil rights activists have warned that the new system could seriously infringe transport users’ privacy, because of the way the Transport Ministry collects and stores personal passenger information relating to the cards.
To obtain a card, passengers must provide a host of personal details – including name, ID number, age and a digital photograph.
These details, together with detailed data about passengers’ travel patterns, are stored on a Transport Ministry database, which activists say is unmonitored, unregulated and potentially insecure.
The Association for Civil Rights in Israel (ACRI) has slammed the Rav Kav database initiative as “scandalous” and called on the government to put in place guidelines about how the data should be used and stored, in order to protect passengers’ privacy. ILITA head Yoram Hacohen said Tuesday that it has compiled its legal guidelines with reference to the Protection of Privacy Law, after inspections revealed transport operators were collecting “sensitive personal information about passengers.”
Hacohen said ILITA’s guidelines are designed to regulate the conditions according to which transport companies can collect information about public transport users, and serve to clarify public transport operators’ obligations regarding the law in relation to data collected on passengers.
“[The guidelines] reinforce the public’s ability to stand up for its legal rights to privacy,” Hacohen said, adding that ILITA had carried out its work after lengthy negotiations with the Transport Ministry. The guidelines say that transport operators must comply with certain rules regarding data storage and collection, including obtaining passenger consent regarding both data collection and data use.
Transport operators are also forbidden to use passenger data collected via the Rav Kav cards for marketing, and passengers must be offered the option of purchasing ‘anonymous’ cards that do not require them to give personal data.
Further, transport operators may only collect limited information about minors and must first obtain consent from a parent or guardian.
The guidelines also say that all passenger data must be stored in a secure database, and that transport operators must appoint a database manager.
ILITA has also monitored transport operators’ data security procedures to ensure that all data is being maintained according to the Privacy Protection Law, and had carried out an inspection of “a major transport operator” last week, a spokesman for the Justice Ministry said Tuesday – although the ministry did not specify which operator it had audited.
The Transport Ministry is also promoting amendments to the existing Traffic Ordinance legislation, in order to regulate aspects of data collection and Rav Kav use, the Justice Ministry said, referring to a controversial bill proposed in 2010.
Attorney Avner Pinchuk, head of the privacy and information division at ACRI, told The Jerusalem Post on Tuesday that MKs and civil rights activists have criticized that bill, which if approved will empower the transport minister to issue regulations as he sees fit. MKs, including Yariv Levin (Likud) and Uri Maklev (United Torah Judaism), have criticized the Transport Ministry over the issue, and have said the ministry created the Rav Kav database without Knesset approval.
Pinchuk said that the ILITA’s guidelines are a “stopgap measure” that do not go far enough to protect privacy.
The guidelines only concern certain aspects of the data privacy issue, and do not address the fact that the Transport Ministry is already collecting personal data from passengers and storing it on a database, he added.
“The Transport Ministry has developed a database without putting any regulations in place,” he said.
Although ILITA’s regulations say that passengers can have the option of purchasing “anonymous” Rav Kav cards, Pinchuk said that the issue of anonymous cards is problematic.
Currently, not all Rav Kav vendors issue the anonymous cards and passengers risk losing money if the cards get lost because there is no way to identify the owner and return the card, he said.
Concerns over the safety of the Rav Kav database come after the Justice Ministry revealed last October that it had cracked the case of a massive information theft case involving personal information on nine million Israelis, including many minors, deceased persons and citizens living abroad.