pdf (42.95 KB)

Submission to the Australian Bureau of Statistics by the Office of the Privacy Commissioner July 2005

1. Office of the Privacy Commissioner

The Office of the Privacy Commissioner (the Office) is an independent statutory body responsible for promoting an Australian culture that respects privacy. The Office currently has responsibilities under the Privacy Act 1988 (the Act) for the protection of individuals' personal information, that is handled by federal and ACT government agencies, and personal information held by all large private sector organisations, health service providers and some small businesses. The Office also has responsibilities under the Act in relation to credit worthiness information held by credit reporting agencies and credit providers, and personal tax file numbers used by individuals and organisations.

2. This Submission

The Office welcomes the opportunity to make a submission on the proposal by the Australian Bureau of Statistics (the ABS) to create a Statistical Longitudinal Census Dataset (SLCD) by combining datasets created from the 2006 Population Census with data from future census collections and other (externally generated) datasets. This proposal represents a fundamental change to the nature of the Census. The Office understands that the purpose of the creation of these new datasets is to enrich the census data, by providing a way of looking for trends in groups, over time.

The Office has had the opportunity to examine the Privacy Impact Assessment Report (the PIA), and the ABS response posted on the ABS website. The PIA found that the proposals complied with the Information Privacy Principles (IPPs) in the Act and that the “residual privacy risk” was that in the future, subsequent governments might make different uses of the data. The submissions made by the Victorian Privacy Commissioner and the Northern Territory Information Commissioner also raise many salient and important issues, particularly in relation to possible future uses and disclosures of datasets derived from personal information without the consent of the individual.

The proposal, as outlined in the Discussion Paper, is to enhance the value of the Census and contains three parts:

Creating the SLCD

• Creating the SLCD by combining the data provided in the 2006 Census with the data provided in future censuses, and using statistical techniques, not involving name and address, to bring the data together.
• The SLCD could be extended by including 2001 Census data, again using statistical techniques. This is an extension to the proposal and particular views are being sought.

Using the SLCD with other datasets

• Using statistical techniques to allow the SLCD to be used with other datasets, namely:
  • Other collections conducted by the ABS, such as household surveys.
  • Birth and death register data, long term immigration data, and national disease registers.

In these cases, uses would be for specific approved projects only.

Using name and address information at the time of census processing

• During the period of Census processing, name and address information could be used to bring together census data and other selected datasets.
• Three distinct purposes are being considered, namely:
  • quality studies – to help the ABS understand and evaluate the quality of its statistical operations and outputs
  • analysis of the 2005-06 Agricultural Census data with Population Census data and
  • specific statistical studies – where there is insufficient information to bring the data together with the SLCD, using statistical techniques to produce a dataset of adequate quality for a significant statistical purpose.

3. Community trust in the ABS

The ABS has earned the trust of the community in the handling of census information, and will be keen to ensure that any new proposals do not undermine that trust. The ABS argues that there are important social benefits to be gained from the SLCD.

The concept of privacy is dynamic, and can change as attitudes and the technical, business, government and wider environment change. How we balance different social and economic interests to come up with privacy-sensitive solutions which are appropriate, will also change over time, and as new uses of personal information and statistics are developed.

The value and benefits of research and statistics for public policy development have been clearly demonstrated by the ABS and recognised in legislation.

These benefits will need to be weighed against any privacy risks that may arise, either now or in the future. However, the proposal, if implemented, is likely to mean that a richer set of data will be retained by the ABS for long periods, and the privacy implications of this should be rigorously explored. There needs to be a balance between new and possibly more intrusive collection, uses and disclosures of personal information, and the confidence and trust of the community, whose often highly sensitive personal information is being analysed.

4. Legislative Framework

The ABS advises, and this is supported by the PIA, that these proposals do not require new legislation. However, given the nature of this proposal and the privacy risks it raises, a legislative framework is more appropriate. The legislative process itself, including scrutiny by the Parliament, provides an important additional safeguard. Legislation could specifically confine the uses of the SLCD data and could provide an opportunity to reassure the public that Census data, and the SLCD in particular, will not be used without independent and careful consideration.

5. Consultation

The Office understands that the proposal is still in the development stage and subject to widespread community consultation and welcomes the ABS's commitment to public debate. The community consultation period has been quite short and as this proposal is a significant change to previous Census practices further consideration may be necessary.

The ABS commissioned a Privacy Impact Assessment (PIA), conducted by an independent expert, in order that interested parties and the community be informed of the privacy implications, and planned privacy protections. A PIA is an assessment tool that describes, in detail, the personal information flows in a project, and analyses the possible privacy impacts of the project – it “tells the story” of the project from a privacy perspective.

The Office welcomes the publication of the PIA and submissions received by the ABS as part of the consultation process. This adds value to the process and is a useful way to gauge both stakeholder and community reaction. The Office sees this as essential to a fully informed community debate about the risks and merits of the proposals.

6. Community Attitudes

Until recently there had not been any major changes to the way the Census had been conducted. However in the 2001 Census, the ABS invited individuals to opt to have their census data lodged in the Australian Archives for research purposes for future generations. 54% agreed to this proposal while 46% declined to participate. This could be interpreted as an indicator of community caution about any changes to the Census process, including the retention of identifying data.

In the Office’s Community Attitudes Towards Privacy 2004[1] research study, almost two thirds of respondents (64%) felt that permission should be sought before de-identified information was used for research purposes. The majority of respondents agreed that governments should be allowed to cross reference or share information, but only in some circumstances (62%). Almost one in ten respondents (9%) thought this should happen for any purpose, whereas nearly one in four respondents (24%) thought this should not happen under any circumstance.

Respondents were also asked whether they felt that an individual’s permission should be sought before “de-identified” health information (that is, health information not linked to information that identifies an individual) derived from personal information about them was used for research purposes. Almost two thirds of respondents (64%) felt permission should be sought, with one third reporting that permission was not necessary (33%). Proposals to combine data from disease registers with Census data may raise a similar level of concern.

If members of the community still have doubts or fears about how their personal information, and in particular, how their health information is being used, even in de-identified form, then they may be reluctant to fully or accurately complete the Census and the quality of data could be compromised. This may suggest that data quality could be at risk if there is public disquiet about these proposals. Some groups in the community that are already cautious in their dealings with large institutions and governments, may also be more reluctant to provide personal information if these proposals are implemented.

7. Possible effects of the proposal

Personal information and identifying individuals

Personal information is defined in the Act as “information or an opinion (including information or an opinion forming part of a database), whether true or not, and whether recorded in a material form or not, about an individual whose identity is apparent, or can be reasonably ascertained, from the information or opinion.” [2]

Aggregated statistics derived from personal information are not included in the definition of personal information, and are therefore not specifically covered by the Act. However, information from which only name and address has been removed, may still fall under the definition of “personal information,” as an individual’s identity may still be reasonably ascertainable from the information.

Re-identification of personal information is usually context-sensitive. An organisation’s capacity to re-identify data may depend critically on its particular resources, or changing priorities. Factors which may impact on the capacity for data to be re-identified include available data, new technologies, resources, and social or political imperatives for access to new or different types of data. Combining unrelated datasets, now or in the future, may create the environment for more intrusive profiling, data-linking or data-matching of individuals’ personal information.

It appears the proposed SLCD, while based on probabilistic matching of individuals, rather than matching on name and address, may still be relatively accurate, and it may be fairly straightforward for the ABS to re-identify individuals, in some circumstances. As a result, privacy concerns with keeping a longitudinal dataset with names and addresses apply, to some extent, to the SLCD proposal. The Office notes that the ABS is not currently intending to re-identify SLCD data.

The creation of the SLCD may have the effect in relation to many individuals, of collecting and linking information about many important and sensitive aspects of their lives over an extended period, and in a way that may allow that information to be identified in the future.

The ABS is an agency for the purposes of the Privacy Act 1988. The privacy protections of the Act, combined with the functions and purposes defined in the Australian Bureau of Statistics Act 1975; and the secrecy and confidentiality provisions in the Census and Statistics Act 1905 (ABSA) provide a framework which clearly limits the disclosure of personal information.

While further privacy protection flows from the use of statistical rather than exact name based linkage, nonetheless this proposal marks a significantly new and detailed form of linking personal information about the Australian population.

It is in recognition of this that the proposal should be the subject of a thorough legislative process to test Parliament’s and the community’s acceptance to codify the permitted uses of the SLCD and to introduce greater or renewed privacy protections. This may reassure the community that the benefits to be gained from the SLCD will not come at an unacceptable risk to individual privacy.

2001 Census data (Creating the SLCD)

The proposal to use 2001 Census data to begin to populate the longitudinal dataset seems to be a retrospective policy change, about which the community was not consulted at the time the information was collected in 2001. It is generally not appropriate to use data obtained under one set of circumstances for entirely new and different purposes, especially if there will be no opportunity for individuals to exercise choice. The retrospective use of 2001 data may also raise questions in the community about ABS assurances in relation to possible future policy changes to the use of Census data. The Office does not support the use of the 2001 Census data to create the SLCD.

Using the SLCD with other datasets

The ABS will need to be confident that it has a sound legal basis for collection of datasets from other sources such as State and Territory government agencies, which may be subject to local privacy regimes. It is re-assuring that privacy protections such as Memoranda of Understanding, which would include privacy protections, are being considered to effect these arrangements.

The purpose of collection and how it relates to the functions of the ABS is critical from a privacy and data protection standpoint. The ABS will also need to be confident that the general functions of the ABS and the particular functions associated with conducting the Census provide a clear legal basis for the proposed collections of personal information. This would be particularly useful when additional collection topics are being proposed in the future as it may lead to data-matching with a wider range of external datasets. These richer datasets will be of interest to many users including to commercial users. To minimise the possibility of “function creep’ it would be desirable for the ABS to apply strict controls to any additional uses of the datasets.

The submission questionnaire asked specifically if there were any particular datasets or sources that data-users might require, suggesting that the ABS would consider those requests. Making the SLCD available to be matched with other datasets, which may contain identified information or be geographically precise, may expose individuals to unwanted or unexpected attention.

The proposal to match census data with data from other ABS surveys, such as those listed in Appendix 1 of the PIA, may also lead to some reluctance by individuals to participate fully or accurately in other surveys. For example, additional topics proposed for the 2006 Census include questions about fertility and (optional) questions in the crime and safety surveys are about (sexual) assault and relationships. Many of the questions relate to very sensitive matters, and additional precautions should be applied so that this material cannot be re-identified.

Any future proposals for matching the SLCD with external datasets should involve a transparent consultation process and fall under the legislative framework for the SLCD that the Office recommends.

Using name and address information at the time of census processing

The proposal to use name and address data for matching with external databases, during the 15 month window of processing census data, appears to be largely independent of the longitudinal data set proposal. There is a significant risk that the use of identified data during the processing time could give rise to pressures for more matching during the 15 months, and possibly for the extension of the 15 month period.

In addition, the proposal, if implemented, may mean that a richer set of data will be retained by the ABS for long periods. This would be a departure from existing policy and may give rise to community concern about the keeping of increased amounts of information about individuals. As with the SLCD proposal, this proposal should be considered in a legislative framework which sets clear limits.

8. Managing Privacy

The privacy protections outlined in the Discussion Paper (see Section 6 Confidentiality and Privacy) have been assessed in the PIA as adequate in relation to the IPPs. These protections include strong legislative protections that ensure that the ABS does not release identifiable information, along with a longstanding culture of privacy within the ABS that has earned widespread community respect and trust. However the internal ABS policies and practices outlined in the Discussion Paper could be subject to change.

The Office is aware of suggestions made in other submissions for additional procedures to assess and approve particular census data-linking projects and supports these. Guidelines and criteria developed in conjunction with this Office for the approval of new projects and defining access to and use of the data were suggested as were auditing and evaluating the SLCD, at an appropriate interval, by independent experts. The Office would support this approach.

In the initial ABS Issues Paper there was a proposal to establish a Privacy Reference Committee. This could comprise privacy advocates, indigenous and community representatives, and those with expertise in the ethical assessment of research projects. The Privacy Reference Committee could publish an annual report of the proposals it has considered and the outcome in each case. The Office supports the establishment of such a committee.

If these proposals go ahead the Office would also recommend that a wide ranging and targeted community awareness program be undertaken to advise individuals of new uses of census data and of the privacy protections both planned and in place. The Office would expect to be consulted on the content of notices and information products associated with the SLCD.

The PIA generally finds that the planned privacy protections will be adequate to address most of the proposed uses of census data but recommends, as do the Victorian Privacy Commissioner and the Northern Territory Information Commissioner, that specific legislative provisions should be considered by the Parliament. The Office supports this approach.

9. Conclusion

Statistical research, particularly that undertaken by ABS data users, provides an evidence-based approach to public policy development and planning. Equally as part of good public policy there needs to be a balance between the public interest in using data derived from the Census with how this might intrude on individual privacy rights, particularly when the collection of personal and sometimes sensitive information (for the Census) is compulsory.

Given the importance to the Australian community of the Census, and the privacy implications raised by the proposal, the Office recommends:

• The suggestion that any pre-2006 data be used in creating a SLCD be omitted from the proposals
• The proposals be implemented by way of legislation. Legislation should detail any new ways of dealing with Census data, clearly limit the allowable uses of Census data generally and SLCD data in particular and reinforce the existing strong privacy protections that govern the handling of personal information and related data by the ABS
• Any future proposals for matching the SLCD with external datasets should involve a transparent consultation process and fall under the legislative framework for the SLCD that the Office recommends
• The establishment of a Privacy Reference Committee tasked with the development and application of guidelines to assess new proposals and evaluation criteria and
• A comprehensive information and education program to inform the community of any changes to the use of future census data.