The Problems with the 2016 Census
NEW: Board member Katina Michael on ‘The Data Key Hole: Privacy, Security and Civil Liberties ‘;
NEW: Past APF Chair Anna Johnston’s ‘Why I’m taking leave of my Census’;
NEW: APF’s first and second letter to PM;
Thoughtworks open letter;
Privacy and the 2016 Census by former statistician Bill McLennan
See also IA version with external links; and the Thoughtworks open letter.
APF’s view: The Census collects data that can be helpful for planning and research, but it needs to be worthy of our trust: it is an acquisition, under threat of legal compulsion, of what is often very sensitive personal information.
Most people have assumed until now, with good reason, that the Census was an anonymous snapshot, and therefore safe enough to trust.
However the Australian Bureau of Statistics (ABS) quietly announced in December 2015 that, from this coming Census on 9 August2016, everyone’s name and address information will be kept, indefinitely. (In early April 2016, after adverse attention, ABS announced it had changed its mind, and now said it will be kept for ‘up to four years’; when name is deleted, it will be replaced by a Statistical Linkage Key or SLK which will permit connection with other data sets about you, and future census data, which will apparently generate the same SLK.)
Previously, names and addresses given were not kept after the Census processing was complete, and were not retained as part of or linked to the Census data, so it was effectively anonymous.
The exceptions were:
- a sample of 5%, which the ABS started storing in 2006, quietly and without consent – referred to by ABS as the ‘Australian Census Longitudinal Dataset’ (ACLD); and
- data archived with the individual’s consent, for release only after 99 years – referred to by ABS as the ‘Time Capsule’ project).
The ABS says your name and address will now be kept to improve data quality andthe ABS’ efficiency. But it’s clear from other ABS statements that your census data may also increasingly be linked to data about you from other censuses and surveys, and from other government data systems. For example, “whilst the Census has always been valuable in its own right,when used in combination with other data the Census can provide even greater insight”.
ABS’s site also says:
- The combination of Census data and education data can provide insight into employment outcomes from the various educational pathways available to Australians, and
- The combination of Census data and health data can help improve Australia’s understanding and support of people who require mental health services and assist with the design of better programs of support and prevention.
- The retention of addresses will also support the ABS Address Register enabling more efficient survey operations, reducing the cost to taxpayers and the burden on Australian households.
The Privacy and Other Risks
Australian Privacy Foundation (APF) believes that while there is value in a trusted and accurate Census, keeping all names and addresses changes its nature, and this creates an unnecessary risk to the privacy of everyone in Australia.
The risks include:
- Retaining name and address changes the nature of the Census, from an anonymous snapshot to a ‘longitudinal’ identified record, and puts community trust and confidence in the Census in jeopardy.
- The data you provide to the Census is to be linked by the ABS with data about you that it acquires from other sources. This would build a far more detailed picture of you than any agency has ever had before
- Many government agencies will be interested in getting access to the same data as researchers, with the intention of consolidating it with data that they already hold about you. While there are at present restraints on this, a future government could decide, at any time, to permit use of your data for further purposes, including data-matching and the administration of taxation, government benefits, etc.
- Security can no longer be guaranteed. There are increasingly frequent instances of serious data breaches of personal information held in online databases by both government and business, and the census was hacked in the US.
- While the SLK cannot apparently be easily reversed to derive your name and date of birth, from which it is derived, once in place it become a form of virtual identifier, tying you to other data sets. And as the rich data itself gets potentially more helpful for anyone seeking to re-identify you without the SLK, the SLK may become part of the problem after such a breach.
- Your detailed data will be released to researchers. While it won’t explicitly carry your name and address, the data is very detailed, and can potentially be ‘re-identified’, i.e. connected back to you, using new ‘Big Data’ analytical techniques and sources.
If such risks come to pass, a wide range of further consequences could potentially effect you, your family or community. There are no viable legal remedies at present, and no evidence those future implications were properly considered before the change was put in place.
These risks are unacceptable, and exposure to them is unnecessary to meet the core objectives of the Census, which has been conducted on an anonymous basis, as it is in other countries like the US, for a century.
The level of public concern about these issues is considerable, and that puts the Census itself at risk because of the ABS’s breach of people’s trust.
Summary of the Changes
- Every person’s identity will remain able to be linked to the data collected in the census for a period of years (initially ‘indefinite’, changed in April 2016 to ‘up to four years’; potentially changeable to some other period)
- The data about each person, from all available Census and ABS surveys, will be linked
- Additional data from other external non-Census sources may be added to each person’s record or associated by further linking
- De-identified data records, as well as aggregate statistical data, will be made available to researchers. Depending on the detail, increasing risk of it being re-identified by someone in future with better techniques and sources.
The Inadequate Privacy Impact Assessment (PIA)
A Privacy Impact Assessment is the key process which should help experts and interested parties contribute knowledge and perspective to understanding and minimizing the unwelcome privacy impacts of a plan. ABS conducted a PIA in late 2015, but it was quite inadequate. The problems were:
- The PIA was not conducted by an independent body
So, no one inside seems to have realized that the planned change is fundamental and potentially a matter of wide concern.
- The consultation process for the PIA was almost non-existent
For example, neither APF nor other civil society bodies appear to have been consulted,
and the media release had negligible impact, so almost no-one heard about it in time.
- The PIA does not comply with the Federal Privacy Commissioner’s guidance.
- This PIA failed to adequately address the issues in respect of keeping names and addresses which were identified and raised in the previous PIA in 2005, when a 5% sample was proposed.
It appears that corporate knowledge from the last PIA, exploring similar concerns, was lost or disregarded.
What Needs to Change to Fix the Problem
- ABS should abandon the keeping of Name and Address for the Census 2016, and conduct it as most Australians would be expecting, as was done before.
- If ABS still wants to consider such long term Name and Address retention (which we think is not appropriate or necessary) it should, well beforehand, conduct a proper, robust, independent, and well-publicised Privacy Impact Assessment, with wide engagement with the various parts of the Australian community and full independent analysis of the implications and potential risk minimisation issues.
- Parliament should remove the criminal offence provisions and the draconian penalties for non-compliance. (They may have been reasonable when the Census was a safe, anonymous snapshot. But it isn’t any more.)
- Parliament should in any case urgently pass the long-overdue data breach notification law and privacy tort law, so that if ever this proposal is raised again, there will at last be legal protections requiring affected Australians to be told if and when their data is breached (so they can take mitigating action), and enabling them to enforce their own rights in court in the event of a serious intrusion of privacy.
How to Complain
You can talk about this among your friends, family and wider circle, and encourage everyone interested to make a complaint, with the requested fixes above, to the following:
1. The ABS itself
The ABS has a web-page for ‘Compliments and Complaints’.
It offers no email-address, but only the main phone-number (1300 135 070) – Mon-Fri 9-5 East Coast Time.
It says that it offers a web-form, but in early April 2016 the link was broken.
If you make no progress with that, you can move on to:
Complaints Review Officer
Strategic Liaison and Risk Management Section
Australian Bureau of Statistics
Locked Bag 10
Belconnen ACT 2616
But there’s no email-address or phone-number.
After that you can complain to The Ombudsman.
2. Your local Federal Member of Parliament and the Senators for your state
You may also want to contact the relevant Minister [as of early 2016]:
- Hon Alex Hawke MP, Assistant Minister to the Treasurer
and/or the relevant Shadow Minister:
- Hon Chris Bowen MP, Shadow Treasurer
3. Twitter, Facebook and traditional media
You can find discussions of this issue, and what you can do about it, and you can add your voice and these suggestions.
Census 2006: Deja vu all over again?
The APF and others with similar concerns campaigned against essentially the same proposal in 2005-06. We won that round, with 95% of Australians protected from Name and Address retention. Here are the details of the 2005-06 campaign.
And here are Public Information Statements:
The ABS has kept APF and other people and organisations at arm’s length since 2006, and is trying to ignore the public’s concerns. So now it’s time for the public to take action.
Media Releases etc.
- Media Release for 13 April 2016