A census-taker on the job in 2011
The Australian Bureau of Statistics is pressing ahead with plans to retain names and addresses obtained in the 2016 census despite having commissioned advice warning against it a decade ago.
Last week Crikey explained that the ABS had decided it would retain the names and addresses of every individual in the country collected as part of the 2016 census. According to the ABS media release, this would “provide a richer and dynamic statistical picture of Australia”, particularly when coupled with matching up census data “with other survey and administrative data”. To address privacy concerns, the ABS commissioned a Privacy Impact Assessment that had given the idea the all-clear. Retaining your name and address — to be held separately from the main census information, the ABS says — will enable “more efficient survey operations, reducing the cost to taxpayers and the burden on Australian households”.
In announcing the decision, what the ABS didn’t say was that when it proposed the same retention for the 2006 census, it was told by a privacy expert it was a bad idea. In 2005, the ABS commissioned Nigel Waters to conduct a privacy impact assessment report. Waters is a privacy sector veteran who was deputy Australian federal privacy commissioner in the 1990s. Assessing the ABS’ proposal to retain names and addresses and to use unique identifiers, Waters told the ABS:
Get Crikey FREE to your inbox every weekday morning with the Crikey Worm.
“Some will see the Proposal as a radical departure from established practice, which will create a data resource so rich and valuable for administrative uses that the privacy and secrecy framework under which the ABS operates may come under great and possibly irresistible pressure, if not immediately, then at least in the medium to long term … Despite the rigour of the legislative protections, and the ABS track record both of procedural safeguards and of defence of the principle of confidentiality, there remains a residual privacy risk of future changes in legislation to allow administrative or other nonstatistical uses.”
Waters, in recommending name matching be abandoned, noted that there were strong legislative safeguards in place to prevent unauthorised and authorised but unnecessary access to ABS data. And the ABS had demonstrated a commitment to observing these safeguards, but this offered no guarantees or protections into the future.
“Neither the ABS nor the current government can guarantee that the current and proposed legislative controls will remain indefinitely in the absence of any constitutional protection of privacy, they are ultimately vulnerable to the decisions of the government of the day, subject to parliamentary approval. Those concerned about the possibility of changes typically referred to in the privacy context as ‘function creep’ will inevitably cite the example of the progressive extension of the use of the Tax File Number (TFN) since 1989, despite very firm promises and assurances.”
This reflects a point that should be at the heart of any privacy debate: the best way to prevent breaches or misuse of personal information is never to collect it in the first place, because you don’t know future governments, third parties or actors who exploit security breaches will do with the information. While critics of censuses around the world cite historical examples such as Hitler’s use of the German census to target minorities, and the use of US census data to help with internment of Japanese-American citizens during WWII, not all the examples are from the history books. In 2004, the US census bureau provided the Department of Homeland Security with a database of information from the 2000 US census on the location of Arab-Americans and their countries of origin.
While the ABS has a good history of protecting Australians’ privacy, that’s no guarantee that future governments won’t decide — possibly in the midst of a national security scare — that that privacy is secondary to public policy. In that event, the 2016 census — the greatest population-wide infringement on Australians’ privacy since census-taking began in Australia in colonial times — will offer a trove of information.
The ABS has provided the following response after deadline:
“After a long period of consideration, public submissions and consultation, the Australian Bureau of Statistics (ABS) announced in December that it will retain the names and addresses collected in the 2016 Census of Population and Housing to provide a richer and dynamic statistical picture of Australia through the combination of Census data with other survey and administrative data.
The ABS is committed to the protection of the privacy and confidentiality of everyone who completes the Census. The ABS has legal obligations to keep data secure and ensure that it does not disclose identifiable information about a person, household or business. These protections been central to the ABS since its formation and have been consistent in our legislation throughout our 111 year history (Census and Statistics Act 1905).
To secure Census data, the ABS will remove names and addresses from other personal and household information after data collection and processing. Names and addresses will be stored separately and securely. No-one working with the data will be able to view identifying information (name and address) at the same time as other Census information (such as occupation or level of education).
The names are used to generated anonymised linkage keys, which are then used to link Census data to other data sets – thus maintaining the separation of names from Census data at all time. This is explained in detail in the Privacy Impact Assessment on pages 12 to 15.
The ABS will use well-established governance infrastructure and procedures to manage the approval, conduct and review of statistical data integration projects using Census data.
Before making this decision the ABS conducted a Privacy Impact Assessment which has been published on the ABS website. It shows that the retention of names and addresses in the manner proposed, has very low risks to privacy, confidentiality and security. The Privacy Impact Assessment process included consultation with the Australian Privacy Commissioner, as well as State and Territory Privacy Commissioners.”