The Hamilton Spectator

DARTS scrambling over potential privacy breach

Accessible transit agency threatening legal action against subcontractor over missing DVRs used to record rider trips

- MATTHEW VAN DONGEN

Matthew Van Dongen is a reporter at The Spectator. mvandongen@thespec.com

The city’s accessible transit service provider, DARTS, is threatening legal action against a former subcontractor over missing video recorders used to keep footage of riders — but a company director says the equipment has already been sold.

The potential loss or inadvertent sharing of personal rider information was not reported to the provincial privacy commissioner until after The Spectator asked about it Wednesday — and the city says it only learned about the issue from its non-profit service provider DARTS the same day.

“We appreciate that this situation may raise concerns among DARTS’ clients and their loved ones. The city takes this matter seriously and will investigate promptly,” Hamilton transit director Maureen Cosyn Heath said in a statement.

It remains unclear how much video footage of riders might be on the DVRs, how many clients may be affected, or whether they have been told about the potential privacy breach because DARTS did not respond to Spectator questions by deadline.

But The Spectator obtained a legal letter sent to a former DARTS subcontractor, City Marvel, on March 20 demanding the return of digital video recorders (DVRs) “so that video can be reviewed and erased.”

The “gravely concerned” DARTS warns it will take the subcontractor to court if it does not comply with “the legal duty you have to preserve and protect all personal information for DARTS clients.”

A director of City Marvel, Mohammad Hafiz, told The Spectator most of the requested DVRs and associated hard drives have been sold — and he blamed “mismanagement” by DARTS for any privacy breach. “They are the ones who screwed this up,” he said in an interview. “If (riders) are mad, they should take it up with DARTS.”

Hafiz said City Marvel operated around 20 of its own Dodge Caravans under the DARTS banner until it lost its contract with the agency last December. At the request of DARTS, he said the company returned equipment like tablets and Presto payment devices at that time. But he said DARTS did not ask to “wipe” any data on DVRs or associated hard drives until the second week of February. By then, he said the company had already sold some of the now-unneeded equipment.

“Why didn’t you tell us before? Now it’s gone,” he said, arguing the initial DARTS request to return equipment did not specify DVRs. “If they had told us (when the contract ended) it would have been no problem.”

Hafiz said each van had a DVR and multiple cameras facing in and out. He said his understanding was each hard drive could hold multiple days of recordings before being erased.

Hafiz said City Marvel did not wipe or even look at any data that may have been on the DVR drives, arguing only DARTS officials were allowed to examine the videos, typically to evaluate the veracity of rider complaints.

There may also be a dispute over the ownership of the DVRs, hard drives and cameras. Hafiz said his company was required to buy that equipment at the start of its contract. The DARTS legal letter, on the other hand, accuses the company of failing to “return DARTS’ property.” It’s not clear if the letter is referring to the DVRs or to data stored on the drives.

Regardless, if video images of clients were lost or inappropriately shared, that would be an obvious privacy breach and “completely unacceptable,” said Ann Cavoukian, a past privacy commissioner for Ontario and the current expert-in-residence at the Privacy by Design Centre of Excellence at Toronto Metropolitan University.

In theory, videos of DARTS trips could reveal personal information about riders’ health or home addresses, for example.

“Privacy is all about control over the use and disclosure of your personally identifiable data. In this case, that’s gone,” she said in a telephone interview.

The office of Ontario’s current Information and Privacy Commissioner initially said Wednesday it had not been alerted to the potential breach, but later emailed to say DARTS had reached out “late in the day,” following Spectator media requests to both organizations.

The privacy commissioner’s email said in general, public agencies must ensure that “any use of surveillance technology, by them or their contractors, complies with (provincial privacy law) requirements for the collection, use, disclosure, retention, and secure destruction of personal information.”

Cosyn Heath’s statement says DARTS is responsible for “taking the necessary steps to wind down a (contractor) relationship in a responsible manner that meets DARTS obligations to the city.”

She added once the city has a “full understanding” of what happened, it will determine next steps — including “ensuring DARTS notifies any customers who may have been adversely impacted, if required.”

The potential privacy breach comes amid heightened sensitivity over access to personal information as a result of an unrelated cyberattack on City of Hamilton IT systems.

It is also another headache for the beleaguered accessible transit agency, which was hit hard by pandemic challenges, a scathing safety audit and a spike in rider complaints in recent years. The city is reviewing whether to maintain its partnership with the arm’s-length, non-profit provider.

DARTS has its own unionized group of drivers for larger vehicles, but until recently it also subcontracted out some transit service in smaller vans to three other companies. It’s not clear why DARTS ended City Marvel’s contract.

DARTS did not respond to questions for this story, but Hafiz said the company was told there was not enough client demand coming out of the pandemic.

All three companies subcontracted by DARTS received criticism in a 2022 city audit that found between 34 and 47 per cent of vehicles failed an initial safety inspection, but City Marvel initially had the worst first inspection results.

The audit also said it appeared a garage owner that had been previously convicted of forging documents was at one point linked to City Marvel. That individual is not listed as a director on federal corporate records for the company and Hafiz said the garage owner was not a City Marvel partner.
