From Census to Surveillance

Forty years after the first attempts to de-anonymise the Australian census, in 2016 the government finally succeeded. This is the story of the forty year struggle against efforts to turn the Australian census from a population snapshot into cradle-to-grave surveillance and the public response.

Commonwealth Government Data Linkage Projects and Privacy

To understand the campaign against the 2016 census it is important to understand the changes that have been introduced to the census and the purpose of those changes.

As can be seen in the section on Historical Background, while being tempted to de-anonymise the census throughout the past half century, the ABS has avoided doing so in favour of destroying names and addresses at the earliest opportunity. That all changed late in 2015.

The point of the change is to allow the ABS to create for each individual a Statistical Linkage Key created from name and address provided in the Census- a unique number that identifies each individual (including children) that is used to join data sets together to create more interesting and useful data.

The data linkage projects the Commonwealth government intends (and has alredy begun) to create will be used for research or law enforcement.

An example of the use of the SLK is in joining data collected by health professionals with census data.

Few people would be aware that information is collected during their visits with doctors and mental health practitioners that is going to be matched with what they write on their census forms.

It is this kind of undisclosed, intrusive behaviour by the government that privacy groups are concerned about.

The Australian government holds many 'administrative datasets'. These are created when we interact with government for the purposes of receiving services or benefits. If the government is supplying or paying for our health care for example, then this creates datasets owned by the government that include the information that is necessary to carry out this service. To be consistent with the Privacy Act 1988, the data collected and stored by organisations including government agencies must be treated in a manner consistent with the Australian Privacy Principles.

Under these principles, only the information necessary for the service should be collected (APP3 3.1 & 3.2) and it should be stored in a way that provides a reasonable level of protection against mis-use (APP 11). The Australian Privacy Principles grant the public access to their data for the purpose of ensuring it is correct however it is important to note that this right does not apply in respect to census data. An ALRC report on Privacy and the Census, recommended the public be given access to data collected via the census if is to be used for research purposes:

The Commission accepts the fundamental principle of privacy protection that an individual should normally be allowed to have access to, and to challenge, a record of personal information about him. This principle is based on the fact that a personal record affects the way in which an individual is perceived by others. It is also based on the value which access has as a means of controlling the quality of the information held in a system of personal records. It does not follow that a person should have unrestricted access to his own census information. That information is used for statistical purposes, unlike many other collections of personal information; it may not be used to the individual's personal detriment. Nonetheless, experience in North America indicates that there may be good reason for allowing access in special circumstances.

The Statistician should be required to grant access to an individual who is able to demonstrate that he has a reasonable ground for seeking access to census information and that his need for that information could not reasonably be met in other ways. Mere curiosity or a desire to check the accuracy of information which is to be used solely for statistical purposes should not constitute a reasonable ground for this purpose. (Para. 56)

If, as the Commission recommends later in this report, census forms were in future to be retained for research, a general right should be granted to census subjects to have access to, and to challenge, census information after it has been transferred to Archives. (Para. 56)

There should be a system of administrative review of decisions made with respect to such rights of access as may eventually be established. (Para. 56)

This position was echoed by the Privacy Commissioner to the later (1997-8) Senate Inquiry set up to examine the de-anonymisation of the census:

4.34 The Privacy Commissioner considers that should name- identified census forms be retained for disclosure at a later point in time for research purposes, and potentially for wider purposes, then a case could be made for the FOI exemption to be removed, restoring individuals rights to access the information held about them and to seek to amend that information if it is incorrect.

Privacy expert, Roger Clarke makes this point more recently:

Individuals have no right of access to personal information about themselves held by the ABS. This is because data gathered by the ABS from the Census is exempt from the FOI Act (although the ABS does have a discretion to provide a copy of data back to the person who provided it). A right of access and correction might have seemed superfluous when the only data that was held was that from each single census form, and only for a matter of 12-18 months, until processing was completed.

Despite these recommendations coming out of the government's own commissioned Inquiries both in 1979 and 1998, the recommendations have never been implemented. As the 1979 ALRC report points out: data collected under the Census and Statistics Act 1905 is intended to be used for statistical purposes only - which is the reason it does not enjoy the protections afforded to administrative data. It is obvious then, that linking administrative datasets together using information gleaned from the census muddies the waters in terms of the privacy laws and principles currently in effect.

Further, the nature of the census which is distributed on a household (rather than individual) basis where one person is expected to fill out the form for all members of a household creates significant issues for any privacy legislation allowing later access to that information. These issues were raised by the ABS in the 1998 Senate Inquiry (Chapter 4).

4.36 The Privacy Commissioner considers that individuals ought to be able to check the information which may have been given about them by someone else (for example, by another member of their household or their parents).27 Information may be supplied about an individual member of a household without that individual providing or verifying it.

Census data is intended for statistical purposes only yet the mapping of census data at a person by person level against administrative datasets collected for the purpose of providing services to the public or law enforcement is a radical departure from this concept.

Another important aspect of privacy law is that we must be informed of the uses to which the sensitive data we provide will be put in order to grant our informed consent (APP3 3.3 & 6.1). This is a serious concern with the 2016 census as the government can no longer be said to have our informed consent for the uses to which it is putting our census information. It is probably impossible for anyone to know all the uses to which this data might be put. It is unrealistic to expect even the ABS to have established in advance all the uses to which it might like to apply the data. Given that there is little public awareness of the existing data linkage projects that are intended to be matched with census data, there is clearly no informed consent from the vast majority of the population. This issue was raised in the more recent (1998) Senate Inquiry into de-anonymisation of the census (Chapter 4):

4.20 IPP2 imposes an obligation upon ABS to ensure that individuals are generally aware of the purpose for which their information is being collected. IPP2 also obliges ABS to inform individuals about other parties to whom it is the usual practice of ABS to disclose their personal information, and if ABS knows, of any other bodies to which those other parties usually pass the information.

4.21 The Privacy Commissioner interprets IPP2 as imposing on ABS an obligation to notify individuals if their information were being collected for purposes other than ABS's own immediate statistical functions.15

4.22 The Privacy Commissioner also stated that if census forms were retained, ABS would have to notify Australians that their personal information would be disclosed to other parties after a certain period and, in general terms, who those parties would be.16

4.23 Mr Allan Thompson, Director of Legislation, WA Ministry of Justice, told the Committee that: either people should be told, firstly, up-front that it is going to be used for particular purposes; or as a fall-back position, in the event that we are not able to isolate the particular uses to which it might be put, it may be put to some uses - for example, medical or health research - alerting individuals as they fill in these forms to the fact that the information may be used for those purposes.17

In a move intended to side-step the legislative and governance issues created by the mixing of administrative, law enforcement and statistical data sets, in late 2015 the Department of Prime Minister & Cabinet publicly documented its intention to dismantle the existing governance responsibilities for linked Commonwealth data projects (Slide 31 Public Sector Data Management Report).

Arrangements put in place in 2010 required that projects linking Commonwealth data could only be established through what is called an 'Integrating Authority' and where such projects were considered 'high risk' the responsible Integrating Authority had to be 'accredited' and approved projects published at the National Statistics Service National Register of Projects.

It should be noted that the Cross Portfolio Data Integration Oversight Board oversees data linkage projects where that data is used for statistical and research purposes. This Board did not oversee data linkage projects that are used for law enforcement or administrative purposes- again pointing out the confusion in administration and oversight created by data linkage projects which collect and link data that is used for both research and administrative purposes.

'Statistical data integration must be used for statistical and research purposes only.' is one of the 'high level principles' which data linkage projects overseen by the CPDIO must adhere.

The Cross Portfolio Data Integration Oversight Board was set up with the stipulation that it would be 'reviewed' at the end of 2015. On December 3, 2015 the Department of Prime Minister and Cabinet published its intention to dispense with the governance provided through the Cross Portfolio Data Integration Oversight Board in order to run several 'catalyst' projects linking 2016 census data with multiple administrative datasets under the oversight of the Deputy Secretaries Oversight Board run out of PM&C (pg 31).

The ABS is currently conducting a 'review of legislation' to look at ways of getting around current legislative roadblocks with PM&C running a meeting on December 11, 2015 titled 'Legislative Barriers Workshop' in which 'representatives from across the APS met to identify legislative barriers to the release, use and re-use of public data'.

This is described by PM&C as a medium term goal to 'identify whether privacy and secrecy laws can be streamlined and modernised through an overriding principle-based law to enable data to be better used for policy and research'.

The main 'catalyst' project being planned by PM&C is the Multi-Agency Data Integration Project (MADIP), a cross portfolio project which links 2016 census data to multiple administrative datasets using the Statistical Linkage Keys generated from census data.

Planning for MADIP is well underway. The project joins several administrative datasets from across the health, taxation, immigration, social services, education portfolios with 2016 census data.

The ABS has also planned to link information from their other surveys (which people are also compelled under threat of fine to submit their data to) with census data.

The point of the public register maintained by the National Statistics Service is to provide the public with information on these kinds of projects yet a perusal of the existing projects does not include either MADIP or the combination of ABS surveys with census data.

As can be seen from the information and analysis presented in this section, plans to change the use to which census data has been used have been underway for some time and in some cases, linkage with census data has already occurred - without public awareness or consent.

Governance arrangements have been altered to remove the transparency and accountability that was built into the National Statistics Service system via the Cross Portfolio Data Integration Board.

2016 Census data is now being collected for use in ways that is not consistent with the Australian Privacy Principles.

These changes have caused wide-spread distrust of the Australian Bureau of Statistics that authorised these changes only eight months prior to the 2016 census in a manner which is inadequate from the perspective of open and transparent government.