PRESTO Privacy Review

Metrolinx complies with Ontario’s Freedom of Information and Protection of Privacy Act (“FIPPA”) when it collects, uses and discloses personal information.

Recently, Metrolinx committed to reviewing our practices for responding to PRESTO personal information requests from law enforcement. We also committed to seeking your input on our proposed changes: relating to:

  1. How we communicate with customers about our policy
  2. How we respond to law enforcement requests
  3. How we could report on the information we share

Click “Give us your input” to see our current practices and the proposed changes. We will consider all of your comments and present them, along with our revised policies and protocols, to the Information and Privacy Commissioner for review.

Information collected:

When you do NOT register your PRESTO card:

  1. Where and when a card has been tapped on or off on the transit network: for fare calculation, travel validation and government credits.
  2. Financial value on a card and the mechanism used for loading that value. Note:  While credit or banking information may be collected by PRESTO to process payments, this information flows directly and confidentially to PRESTO’s Payment System Acquirer.  This information is not stored by PRESTO in accordance with the Payment Card Industry Data Security Standard (PCI-DSS).  
  3. Concession information: student or senior fare discounts.
  4. Fare payment information, such as transfers: used for fare enforcement purposes.

When you do register your PRESTO card

In addition to the information collected when you do not register:

  • Name, email, mailing address and phone number, to support safety and security features, such as protecting your card balance if your card is lost or stolen.
  • If you choose to use PRESTO’s autoload or autorenew features to add financial value or transit pass products to your card, Metrolinx collects that financial value and product information and the mechanisms for loading and distributing that value or products.  Note:  while credit or banking information may be collected by PRESTO to process payments, this information flows directly and confidentially to PRESTO’s Payment System Acquirer.  This information is not stored by PRESTO in accordance with the Payment Card Industry Data Security Standard (PCI-DSS). 

Change #1: policy language

The first proposed change is to update the language in our policy to more specifically outline how and when your information may be shared with law enforcement.  

Change #2: logging and validating requests

The second proposed change addresses how we’ll track requests from law enforcement. 

Change #3: reporting requests and responses

The third proposed change will enhance how we report and respond to requests.  

Metrolinx’s Privacy Commitment

Metrolinx is also committed to maintaining a high standard of privacy when it comes to protecting personal information. Part of this standard means being transparent in how we collect, use and disclose personal information, and giving people options. We incorporate best practice guidelines issued by the Provincial Information and Privacy Commissioner, and guidance by the Federal Privacy Commissioner, whenever we consider our privacy practices and protocols. And we must also be mindful about striking the right balance between protecting privacy and other policy objectives, such as the safety and security of our customers and the transportation system.