In the week before Christmas last year, the Australian Bureau of Statistics quietly trashed your privacy. We have only a few months to claim it back.
In December 2015, the ABS announced its plans to collect and keep the name and address of every person in Australia, starting with the August 2016 census. And to then use your name and address, to link your census answers to other sets of data, like health and educational records, so that the ABS can develop “a richer and dynamic statistical picture of Australia through the combination of Census data with other survey and administrative data”.
This article is by Anna Johnston from Salinger Privacy. Anna is a former Deputy Privacy Commissioner for NSW, and was Chair of the Australian Privacy Foundation, 2005-06. It is republished here with permission. See the original article.
That’s right – census data could be linked to health records too. So that the ABS can do things like “(understand) and support … people who require mental health services”.
This proposal represents the most significant and intrusive collection of identifiable data about you, me, and every other Australian, that has ever been attempted. It will allow the ABS to build up, over time, a rich and deep picture of every Australian’s life, in an identifiable form.
Up until now, the name and address portion of census forms was not retained by the ABS; just as soon as the rest of your census answers were transcribed, the paper forms were destroyed.
But the new proposal is to keep name and address, as well as your answers to all the Census questions included this year, such as sex, age, marital status, indigenous status, religious affiliation, income, education level, ancestry, language spoken at home, occupation, work address, previous home address, vehicles garaged at your address, and the relationships between people living in the same home.
Statements from the ABS which trivialise the risks posed by stripping away census anonymity have missed the point. Seeking to justify the proposal by saying that the ABS will never release identifiable information ignores the point that they shouldn’t have it in the first place. And, as my mother taught me – you shouldn’t make promises you cannot keep.
The risks include leaks from corrupted ABS staff, or organised criminals who wish to perpetrate identity theft and fraud by hacking into the database. The ABS is not magically immune to the risk of data breaches. It was only last year that one of their staff was convicted of leaking data to a friend at the NAB as part of a multi-million dollar insider trading scam.
Blithe reassurances about the security of census information ring hollow as we have seen the slow but steady fallout from so many recent data security breaches, from the Ashley Maddison hack to the Department of Immigration’s bungle which saw 9,250 asylum seekers’ details published online. Whether from external hackers, deliberate misuse by ABS staff or negligent losses of data, the only way to prevent data breaches from occurring is to not hold the information in the first place.
Of even more concern is the temptation posed for the Government of a centralised population dataset, just within its reach. How simple it would be for the federal police or ASIO to require the ABS to hand over details of all Muslim men. Or for Centrelink to demand to know just who is living with whom on what income, while claiming welfare benefits. This is the greatest potential impact of the proposal – that the ABS becomes the unwitting tool of a Government intent on mass population surveillance.
The ABS’s own privacy review noted that it faces the risk of what’s known as function creep: that in the future, “name and address information from responses to the 2016 Census may be used for purposes beyond what is currently contemplated by the ABS”. In what seems a fairly breath-taking degree of naivety, the ABS decided that the risk of this happening is “very low”, but that if it did, its response would be to review internal protocols and “consult affected stakeholders”.
The statisticians must be living in fantasy land if they think that once they hold identifiable data on all 24 million people in Australia, that not a single government department, Minister or police force will be interested in tapping into that data for their own, non-research purposes. Just look at the agencies queueing up to get their hands on the metadata that telecommunications companies must now keep by law.
And in the event that a Trump-esque leader demands that the ABS hand over the names and addresses of all Muslims living in Australia (as US census data was used to round up and imprison Japanese-Americans in World War II), how is a review of internal protocols, or consultation with stakeholders, going to fix things?
The only way to prevent function creep is to not hold the information in the first place.
A further privacy risk is re-identification from joined-up data. Even if names and addresses are used only for linking purposes – that is, to link your census answers with information about you from another dataset (such as health or education records), and then stripped out again – the added richness of combined datasets makes it easier to re-identify individuals. Disturbingly, the ABS’s privacy review did not even consider this risk of re-identification, also known as “statistical disclosure risk”. Nor did the concept of Big Data even rate a mention. If our chief statisticians are not calculating the statistical disclosure risk of their own proposal, we are all in trouble.
The only way to prevent re-identification from joined-up datasets is to not link them in the first place.
This proposal represents a massive breach of public trust, and shifts all of the privacy risks onto us, the people of Australia.
But it also carries enormous operational risks for governments, businesses, non-profits and community groups, which each rely on census data for evidence-based decision-making. Research tells us that when people do not trust a data collection, significant numbers of people will simply provide misinformation. Surveys conducted periodically by the Office of the Australian Privacy Commissioner found that around three in ten people stated that they had falsified their name or other details in order to protect their privacy when using websites in 2013; this figure was a jump from 25% in 2007.
In 2001, the ABS were worried enough about the impact on the integrity of census data to try and avoid a joke doing the rounds that people should list their religion on the census form as ‘Jedi knight’. Their response was eminently sensible, pointing out that the accuracy of census data is important for all Australians, as it impacts on decision-making across all aspects of our lives: from where to draw electoral boundaries, to the building of schools and hospitals, and the routing of local buses. Further, the question about religion is the only optional question on the census; so if you object to being asked about religion, you can simply not answer it, without risking criminal penalties.
Nonetheless, in the 2001 census results, just over 73,000 people described themselves as Jedi, which is more people than identified as Salvation Army or Seventh Day Adventists, and only slightly fewer than those who listed their religion as Judaism.
If census data can be so easily skewed by a bunch of Star Wars fans, the potential impact of enough people being sufficiently concerned about safeguarding their privacy to contemplate providing inaccurate responses, or not responding at all, should surely make the ABS think twice about this proposal.
And what happens to other nationally-important data collections that don’t have the force of law behind them? The ABS’s review did not consider how a loss of public trust in the census might impact on some people’s willingness to accept or embrace other government projects, such as the new My Health Record, if they fear the linking of that data with their census records.
I am surprised that the many stakeholders who seek to use census data, or indeed the agencies which run any other major government programs, are apparently willing to risk the integrity of the data on which they rely. Or perhaps, like the rest of us, they were too busy in the week before Christmas to notice that our privacy protections were being wrenched away.
The ABS’s privacy review noted that it faces the risk that this proposal “may cause public concern which results in a reduction of participation levels in ABS collections, and/or a public backlash”. Its suggestions for mitigating that risk are mostly focused on PR efforts to calm us all down, but it also says that the ABS will “reconsider the privacy design for the proposal, if required”.
Which means that there is still hope, that with enough public pressure, the ABS itself – or at least the governments, businesses and charities which care about the reliability of census data – will see this proposal for the folly it is, and return to a census format designed to ensure both the integrity of our data, and the protection of our privacy.
For more information, including details of actions that people have taken in the past, please see our Census 2016 page.