And is it?
This is crucial. If data is held for two years (as quoted by me) then does “data” include the association table? How often is the association table destroyed, if ever? How often will the token reset?
Deanonymisation is a concern, but in the extreme case, if the unique token is retained for some time and the government is certain about your location within the underground network at one time, then your location is compromised continuously until the token resets. There is no need for complex deanonymisation algorithms.
Of course, a random unique value (token) would be difficult to distinguish from an encrypted value (where the encryption key changing is equivalent to tossing away the association table). Is TfL’s source code auditable? I think not.
From what I’ve read about the UK government, I wouldn’t trust that any of this is not available directly, on an ongoing basis, to them.
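The token-reset point raised in the comment above, as an added illustration that is not part of the original post and is not TfL's code. It assumes tokens are a truncated HMAC of the device identifier under a secret key (the post only raises keyed tokens as a possibility); the class, function names and sightings are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed sightings (time, device id, station); not real data.
SIGHTINGS = [
    ("08:00", "device-A", "Brixton"),
    ("08:05", "device-B", "Victoria"),
    ("08:20", "device-A", "Oxford Circus"),
    ("08:25", "device-B", "Green Park"),
    ("17:30", "device-A", "Oxford Circus"),
    ("17:50", "device-A", "Brixton"),
]

class Pseudonymiser:
    """Assumed scheme: token = truncated HMAC-SHA256(secret key, device id)."""

    def __init__(self):
        self._key = secrets.token_bytes(32)

    def rotate(self):
        # Discarding the old key has the same effect as destroying the
        # association table: old and new tokens can no longer be matched.
        self._key = secrets.token_bytes(32)

    def token(self, device_id):
        mac = hmac.new(self._key, device_id.encode(), hashlib.sha256)
        return mac.hexdigest()[:16]

def build_log(sightings, rotate_before=()):
    """Return the stored log of (time, token, station) rows."""
    p = Pseudonymiser()
    log = []
    for i, (when, device, station) in enumerate(sightings):
        if i in rotate_before:
            p.rotate()
        log.append((when, p.token(device), station))
    return log

def trail_from_one_sighting(log, when, station):
    """Rows linkable to one known (time, station) fact via token equality."""
    known = {tok for t, tok, s in log if (t, s) == (when, station)}
    return [(t, s) for t, tok, s in log if tok in known]

if __name__ == "__main__":
    for label, rot in (("no reset", ()), ("reset before 17:30", (4,))):
        log = build_log(SIGHTINGS, rot)
        print(label, trail_from_one_sighting(log, "08:00", "Brixton"))
```

Without a reset, one known sighting links the whole day's trail for that token; with a reset before the evening rows, only the morning rows remain linkable.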