Jan 27, 2016

Govt to store a trove of highly personal data, putting you at risk

The ABS has rejected advice from a decade ago not to keep names and addresses from its national census, creating a data trove that future governments may find too tempting.

Bernard Keane — Politics editor

Bernard Keane

Politics editor

A census-taker on the job in 2011

The Australian Bureau of Statistics is pressing ahead with plans to retain names and addresses obtained in the 2016 census despite having commissioned advice warning against it a decade ago. Last week Crikey explained that the ABS had decided it would retain the names and addresses of every individual in the country collected as part of the 2016 census. According to the ABS media release, this would “provide a richer and dynamic statistical picture of Australia", particularly when coupled with matching up census data “with other survey and administrative data”. To address privacy concerns, the ABS commissioned a Privacy Impact Assessment that had given the idea the all-clear. Retaining your name and address -- to be held separately from the main census information, the ABS says -- will enable “more efficient survey operations, reducing the cost to taxpayers and the burden on Australian households”. In announcing the decision, what the ABS didn’t say was that when it proposed the same retention for the 2006 census, it was told by a privacy expert it was a bad idea. In 2005, the ABS commissioned Nigel Waters to conduct a privacy impact assessment report. Waters is a privacy sector veteran who was deputy Australian federal privacy commissioner in the 1990s. Assessing the ABS’ proposal to retain names and addresses and to use unique identifiers, Waters told the ABS:
"Some will see the Proposal as a radical departure from established practice, which will create a data resource so rich and valuable for administrative uses that the privacy and secrecy framework under which the ABS operates may come under great and possibly irresistible pressure, if not immediately, then at least in the medium to long term … Despite the rigour of the legislative protections, and the ABS track record both of procedural safeguards and of defence of the principle of confidentiality, there remains a residual privacy risk of future changes in legislation to allow administrative or other nonstatistical uses.”
Waters, in recommending name matching be abandoned, noted that there were strong legislative safeguards in place to prevent unauthorised and authorised but unnecessary access to ABS data. And the ABS had demonstrated a commitment to observing these safeguards, but this offered no guarantees or protections into the future.
"Neither the ABS nor the current government can guarantee that the current and proposed legislative controls will remain indefinitely in the absence of any constitutional protection of privacy, they are ultimately vulnerable to the decisions of the government of the day, subject to parliamentary approval. Those concerned about the possibility of changes typically referred to in the privacy context as 'function creep' will inevitably cite the example of the progressive extension of the use of the Tax File Number (TFN) since 1989, despite very firm promises and assurances."
This reflects a point that should be at the heart of any privacy debate: the best way to prevent breaches or misuse of personal information is never to collect it in the first place, because you don’t know future governments, third parties or actors who exploit security breaches will do with the information. While critics of censuses around the world cite historical examples such as Hitler’s use of the German census to target minorities, and the use of US census data to help with internment of Japanese-American citizens during WWII, not all the examples are from the history books. In 2004, the US census bureau provided the Department of Homeland Security with a database of information from the 2000 US census on the location of Arab-Americans and their countries of origin. While the ABS has a good history of protecting Australians’ privacy, that’s no guarantee that future governments won’t decide -- possibly in the midst of a national security scare -- that that privacy is secondary to public policy. In that event, the 2016 census -- the greatest population-wide infringement on Australians’ privacy since census-taking began in Australia in colonial times -- will offer a trove of information. The ABS has provided the following response after deadline:
"After a long period of consideration, public submissions and consultation, the Australian Bureau of Statistics (ABS) announced in December that it will retain the names and addresses collected in the 2016 Census of Population and Housing to provide a richer and dynamic statistical picture of Australia through the combination of Census data with other survey and administrative data. The ABS is committed to the protection of the privacy and confidentiality of everyone who completes the Census. The ABS has legal obligations to keep data secure and ensure that it does not disclose identifiable information about a person, household or business. These protections been central to the ABS since its formation and have been consistent in our legislation throughout our 111 year history (Census and Statistics Act 1905). To secure Census data, the ABS will remove names and addresses from other personal and household information after data collection and processing. Names and addresses will be stored separately and securely. No-one working with the data will be able to view identifying information (name and address) at the same time as other Census information (such as occupation or level of education). The names are used to generated anonymised linkage keys, which are then used to link Census data to other data sets - thus maintaining the separation of names from Census data at all time. This is explained in detail in the Privacy Impact Assessment on pages 12 to 15. The ABS will use well-established governance infrastructure and procedures to manage the approval, conduct and review of statistical data integration projects using Census data. Before making this decision the ABS conducted a Privacy Impact Assessment which has been published on the ABS website. It shows that the retention of names and addresses in the manner proposed, has very low risks to privacy, confidentiality and security. The Privacy Impact Assessment process included consultation with the Australian Privacy Commissioner, as well as State and Territory Privacy Commissioners."

Free Trial

Proudly annoying those in power since 2000.

Sign up for a FREE 21-day trial to keep reading and get the best of Crikey straight to your inbox

By starting a free trial, you agree to accept Crikey’s terms and conditions


Leave a comment

12 thoughts on “Govt to store a trove of highly personal data, putting you at risk

  1. AR

    I’m surprised at how little recognition there is that massive data collection/surveillance is now often a function of excess capacity in computer systems.
    No bureaucrat likes to see their toys underutilised, else there might be serious question during the next budget allocations.
    In an unfortunate mirror image of one of the dumb/dumb (Wayne’s World?) flics of the 80s, “if they’ve built it they’re gonna use it”.

  2. p Collins

    How is different from the massive amount of data the government >>>all ready has<<< , via TAX office and social security and metadata laws?

  3. zut alors

    This should be the subject on Australian’s lips today not the issue whether to become a republic.

  4. zut alors

    typo, ‘ should read ‘Australians’ lips….’

  5. JMNO

    The UK census of old was kept in its entirety and could be accessed by anyone after 100 years. Their old censuses don’t have quite as much information as our modern ones but still have quite a lot.

    This is really useful for us family history buffs. Is it possible to keep census data with a 100 year ban on accessing the original documents?

  6. Dogs breakfast

    Given that politicians immediately bend over to any request from the AFP and spy agencies, under the pretext of terrorism, it would be surprising if the data was even a few months old before it was being used inappropriately.

  7. RachelP

    Surely the correct response to this is to organise a bit of civil disobedience. Lead a campaign for everyone to tell outrageous lies on their Census in protest of privacy breaches?

  8. Marion Wilson

    If this information is stored anywhere at all there are people who will access it and use it themselves or sell it on – or both. No matter how well intentioned our government may be at present – and I’m not confidant that that is so – stored information can and will be hacked (possibly altered) and vulnerable individuals will be exposed to predators.

  9. paddy

    I wonder how long it will be, before the census data is hacked?
    In a digital age, the constant lesson seems to be, that digital data is inherently insecure.
    If you don’t HAVE to keep it, then DON’T!

  10. zut alors

    Paddy, have no fear about the data being hacked. It will likely be sold or traded before the hackers even get a crack at it.

Share this article with a friend

Just fill out the fields below and we'll send your friend a link to this article along with a message from you.

Your details

Your friend's details