Inquiry into the 2016 Census — submission to the Senate Economics References Committee
Our reference: D2016/006779
Senator Chris Ketter
Chair, Senate Economics References Committee
PO Box 6100
Canberra ACT 2600
Submission to Inquiry into the 2016 Census
As the Australian Privacy Commissioner and Acting Australian Information Commissioner, I welcome the opportunity to comment on the Inquiry into the 2016 Census by the Senate Economics References Committee (the Committee).
As the Committee would be aware, on 10 August 2016 I opened an investigation into the Census 2016 cyber-attack (the census incident). On 11 August 2016, following its assessment of the incident, the Australian Signals Directorate (ASD) advised me that the distributed denial of service (DDoS) attacks against the online census system did not involve any compromise of personal information. The briefing I received from the ASD and the Australian Bureau of Statistics (ABS) provided me with the necessary assurances I required to be satisfied that the personal information being collected as part of the 2016 Census was secure. I subsequently made a public statement to that effect. However, my investigation into this matter remains open and will be informed by the Review led by the Special Adviser to the Prime Minister on Cyber Security, Mr Alastair MacGibbon. Staff from my Office have been assisting in conducting that Review.
As the Committee would appreciate, given the ongoing nature of both the Review and my investigation I will not comment in this submission on either process.
By way of a general comment, it is important for me to note that in my dual roles of Australian Privacy Commissioner and Acting Australian Information Commissioner I am supportive of new data-related activities which seek to maximise and enhance the use of valuable public data. I recognise that these activities can yield significant public benefits. However, I also note that where this data is derived from personal information entrusted to the government, it must be respected, protected and handled in a way that is commensurate with broader community expectations.
This is important particularly in circumstances whereby government agencies have the legal authority to collect, use and disclose personal information in particular ways. Even where an agency may have this legal authority, consideration must be given to whether their use of personal information strikes an appropriate balance between achieving policy goals, and any impact on privacy. As part of this, agencies need to assess whether their handling of personal information is consistent with the community’s expectations.
Role of the OAIC
The Office of the Australian Information Commissioner (OAIC) is an independent Commonwealth statutory agency. The OAIC was established by the Australian Parliament to bring together three functions:
- privacy functions (protecting the privacy of individuals under the Privacy Act 1988 (Privacy Act), and other Acts)
- freedom of information functions (access to information held by the Commonwealth Government in accordance with the Freedom of Information Act 1982 (FOI Act)), and
- information management functions (as set out in the Information Commissioner Act 2010).
The integration of these three interrelated functions into one agency has made the OAIC well placed to strike an appropriate balance between promoting the right to privacy and broader information policy goals. This includes ensuring that public sector data is made available to the community, for example through mechanisms such as the FOI Act, as openly as possible (provided there are appropriate safeguards in place).
On 11 November 2015, the ABS published a ‘statement of intent’ to conduct a privacy impact assessment (PIA) on a proposal to retain name and address information, collected as part of the 2016 Census, and requested comments from interested members of the public. The OAIC was advised shortly before the ABS’s public announcement of its intentions in this area. A subsequent three-week public consultation period ended on 2 December 2015.
On 18 December 2015, the ABS announced that it had decided to retain name and address information gathered in the 2016 Census. The stated purpose was to ’enable a richer and dynamic statistical picture of Australia through the combination of Census data with other survey and administrative data’. The ABS also published a copy of the PIA. In this PIA, the ABS said it proposed to retain names and addresses from responses to the 2016 Census as long as there is a purpose for doing so. A further announcement on that aspect was made in April 2016, stating that the ABS would destroy names and addresses collected when there was no longer any community benefit in retaining them or four years after collection (i.e. August 2020), whichever is earlier. The PIA did not consider any implications of the shift to a digital first Census.
The ABS’s obligations under the Privacy Act and other legislation
The ABS, like most Australian Government agencies, is subject to the Privacy Act. The Privacy Act contains the Australian Privacy Principles (APPs), which are the cornerstone of the privacy protection framework in the Privacy Act. The APPs set out the standards, rights and obligations which apply in relation to the collection, use and disclosure of personal information. A breach of an APP is an ‘interference with the privacy of an individual’. I can receive individual complaints and/or investigate on my own initiative whether APP entities are complying with their obligations under the APPs.
However, if specific information-handling practices are required or authorised by an Australian law, as is the case with the Australian Bureau of Statistics Act 1975 and the Census andStatistics Act 1905, the APPs may not apply (or may apply with modifications). Importantly, the ABS is still required to comply with the privacy principles which relate to transparency and security of personal information.
Privacy concerns about the 2016 Census
In my public statement of 11 August 2016, I noted that in my view the ABS’s decision to shut down its website on 9 August was a privacy protective measure. Nonetheless, it appears that the DDoS attack heightened the already existing community concerns about security and privacy in Census 2016 as a result of the ABS’s decision to retain the name and address information for longer than it had done previously.
The ABS’s decision to retain name and address information in late 2015 did not initially appear to attract a great deal of community attention or media coverage. However, media and community scrutiny of this decision increased consistently from March this year, culminating in significant negative commentary both before and after the DDoS attack on 9 August. The timing of the announcement on 18 December 2015, only a week before the usual end-of-year shutdown period, may have contributed to this initial lack of media coverage and community focus.
The response to this issue has demonstrated that the Australian community is increasingly aware of privacy issues, especially in light of new technological advances. The Australian community now expects transparency in relation to the handling of personal information, and these expectations are heightened when information is collected compulsorily. Where collection is compulsory, people don’t have the option of refusing to provide information even if they don’t see the benefit in giving their personal information.
It is therefore particularly important that agencies which have the power to legally compel individuals to provide their data, are as transparent as possible about their data practices. They need to clearly articulate the purposes for which personal information is collected and used in a manner which is understood by the community, and agencies should be able to point to the clear public benefits of their activities.
Most people accept that Australian government agencies will need to use their personal information to provide them with the services they want, or to improve on those services. However, people still want to understand how their information will be used, and any impacts this will have on them. When people understand these factors, they are much more likely to support those uses of information. Good privacy practice, together with effective communication and community engagement strategies, can therefore help to ensure that the handling of personal information is consistent with the community’s expectations. In turn, having a social licence for any new uses of data will help to ensure the success of projects which rely on the use of personal information.
The census incident has demonstrated how privacy concerns can escalate quickly and have the potential to impact on community trust. This is of particular relevance given the Australian Government’s broader data innovation agenda. This agenda has placed an important emphasis on the value of enhancing access to (and use of) data, in order to achieve innovation in the digital age.
In order to support that agenda, opportunities need to be identified to optimise capability to address contemporary privacy issues. The OAIC already has a range of resources which are intended to help agencies understand their current capability levels, and identify what they need to do to achieve better practice. The OAIC is also currently in the process of building on these resources with a focus on developing guidance on the application of the Australian Privacy Principles in the context of big data activities, and is also revising its guidance on de-identification.
I believe that all APS agencies should take the opportunity to assess and where appropriate enhance their own privacy capabilities. One mechanism by which privacy management could be enhanced, is through the development of an APS-wide Privacy Code. In my capacity as Privacy Commissioner, I have the power under Part IIIB of the Privacy Act to approve or develop (in certain circumstances) a Privacy Code. A Privacy Code sets out how one or more of the APPs are to be applied, and/or can impose requirements additional to those contained in the APPs, in relation to specific activities, industries or professions.
A Code could be used to make explicit my expectations of agencies in relation to their existing obligations under the Privacy Act, creating additional clarity and accountability. In addition, it would enable agencies to move beyond a compliance approach and aim for best practice. For example, a Code could require all Australian Government agencies to:
- have a privacy management plan
- appoint dedicated privacy contact officers to assist with day-to-day privacy matters
- appoint senior government officials as ‘Privacy Champions’ to provide cultural leadership and promote the value of personal information
- undertake written PIAs where relevant, keeping a register of all PIAs conducted (and making this available to the Australian Privacy Commissioner on request), and
- take steps to enhance internal privacy capability, including by undertaking any necessary training, and conducting regular internal audits of personal information-handling practices.
While one potential mechanism, the development of such a Code is an option that I consider warrants further consideration.
If you wish to discuss any of these matters further, please feel free to contact Ms Melanie Drayton, Director, Regulation & Strategy Branch, on [contact details removed].
Timothy Pilgrim PSM
Australian Privacy Commissioner
Acting Australian Information Commissioner
22 September 2016
 See the ABS’s website: Retention of names and addresses collected in the 2016 Census of Population and Housing.
 See APPs 2, 3, 5, 6, 9, 11 and 12.
 See above, n 1.
 This includes the Privacy Management plan template and Privacy Management Framework: enabling compliance and encouraging good practice, the Guide to securing personal information, the Guide to undertaking privacy impact assessments and the Data breach notification – A guide to handling personal information security breaches. These are available on the OAIC’s website, at: https://www.oaic.gov.au/agencies-and-organisations/guides/.
 See the OAIC’s website: Consultations: Guide to big data and the Australian Privacy Principles.
 The OAIC intends to release an updated version of this resource in the near future. See the existing version on the OAIC’s website: Privacy business resource 4: De-identification of data and information.