Metrolinx is reviewing its privacy policy, and you'll have a chance to weigh in

After it was revealed earlier this month that Metrolinx shares customer information with police, the regional transit authority said it's committed to improving transparency.

Better communication, more transparency top list of things under consideration

It's not entirely clear if Metrolinx actually plans to revise its privacy policy, or simply change how it applies the existing policy. Either way, the public will have a chance to comment on a "new" policy over the summer.

​The public will have an opportunity to give feedback to Metrolinx on its controversial privacy procedures this summer after the regional transit authority faced a chorus of criticism for sharing customer information with police.

At a board meeting Wednesday afternoon, Metrolinx general counsel Mary Martin told members that the service's privacy policy will be posted online for public comment at some point over the summer. A potentially revised or amended policy will be taken back to the board for consideration in September, she said. 

Metrolinx spokesperson Anne Marie Aikins said the Crown corporation is bound by provincial privacy law and that it already has "very strict guidelines" that allow for "very, very limited information" to be handed over to law enforcement, including in cases in which police do not provide a warrant. 

Earlier this month, Metrolinx committed to reviewing those guidelines after reports revealed it had provided police with customer data on 12 instances in the last fiscal year. 

Aikins said that police requests for information have jumped significantly in the last two years as more people sign up for the Presto tap-and-go card system. 

Under particular circumstances — such as a missing person case or an imminent public threat — Mextrolinx is "obliged and wants to" assist police by providing data such as a customer's travel history on a specific day, Aikins explained.

But a major problem has been communicating these procedures to the public.

"It's clear that many of our customers weren't aware of any of the circumstances in which we would share very limited information with police," Aikins told CBC Toronto.

All of these issues are to be addressed in the coming months.

"What flexibility do we have? Under what circumstances do we require a warrant? We're going to look at all that," Aikins said. 

'It's not supposed to be a surveillance system'

For privacy advocates, a revised policy can't come soon enough. 

Ontario's former privacy commissioner has been deeply critical of Metrolinx's propensity for sharing information with authorities, calling the current policy "completely unacceptable."

"This is not a complicated matter," said Ann Cavoukian, now the executive director at Ryerson University's Privacy and Big Data Institute. "They should not be revealing any information on customers, who provide that information only to enable them to use the system to get back and forth.

"It's not supposed to be a surveillance system that tracks all of the public's activity."

Only under very specific conditions should Metrolinx supply police with customer data — but never without a warrant, Cavoukian insisted.

"If they have reasonable grounds to believe something's going on, that a crime has been committed, they can get a warrant and [Metrolinx] should insist upon that."

The transit agency, however, apparently has a different interpretation of the law.

Metrolinx will, however, start posting summaries of such police requests online at least once per year, including how many requests are accepted and what type of information was provided in each case, Aikins said. ​

With files from Michelle Cheung