ThoughtWorks slams ABS for census data retention “risk”

22

news Global technology consultancy ThoughtWorks has strongly criticised the Australian Bureau of Statistics (ABS) for “risk” it took in the running of the Australian Census 2016, which saw the body retain the details of millions of people.

In choosing to keep the names and addresses of around 24 million people in 10 million households alongside their “sensitive demographic data”, the ABS is “taking risk with the privacy rights of all Australian residents”, the consultancy said in an open letter to David Kalisch, head of the ABS.

While acknowledging the value of the census when used for “evidence-driven policy”, ThoughtWorks said “we are unable to remain silent while the 2016 census threatens this excellent policy tool”.

Claims that the risk of the data being leaked is low “may not be correct”, it said, citing as evidence the ABS’s reporting of 14 data breaches in the last three years.

“In light of the security threats observed in recent years, we are afraid that no matter how strong the security capability of the ABS, the risk is real and should this data leak the impact would be immense,” said ThoughtWorks. “As one example, consider the impact on an individual should their information end up with a fraudster or violent ex-partner.”

Saying the holding of any data brings the responsibility of securing it and bearing the risk of it being compromised, ThoughtWorks urged the ABS to commit to the following actions:

  • Accepting census submissions without names or addresses as legitimate
  • Not to seek to fine people who choose not to submit their identifying information
  • The destruction of all personally-identifiable information, such as names and addresses, within six months of taking the 2016 census
  • Independent scrutiny and verification that this information has been destroyed

It further requested that the ABS make the commitment before 8 August.

In its commercial work, the consultancy said, it practices “datensparsamkeit” – the principle of holding as little personal data as needed. Not only is securing data difficult, it added, but once leaked it is “impossible to retrieve”.

“The ABS’ collection of personally-identifying and sensitive data needlessly puts the private lives of Australian residents at risk”, ThoughtWorks said.

It acknowledged that “many people recognise this” and may refuse to engage with the census or provide accurate information as an act of civil disobedience.

“The ABS may be able to force compliance with some of those who choose not to complete the census form, but they will have no way to verify the answers provided by those who do complete the form as accurate,” said ThoughtWorks.

“We believe that, given these concerns and strong community opposition to the retention of personally-identifiable information, the 2016 census results will be insufficiently accurate to justify the collection of such personal information,” it concluded.

22 COMMENTS

    • I do.

      Anyone with an interest in privacy, or data security cares too.

      One of the absolute, fundamental first principles that is taught when it comes to data security is that you only collect what you need to collect. You don’t have to secure data that you don’t collect. It is easy, it is bulletproof, it is essential.

      The ABS has failed at the first step, in a monumentally incompetent way.

      • Follow-on from my comment below.

        I agree. You don’t have to protect what you don’t collect. Everybody actually knows this, we all see that it’s the wealthy who get robbed the most 8( Funny how we all want to collect lots, innit?

        On the other hand, we would all like some good news. So read this news report. In short, because the ABS linked names from 2006 to death certificates, they found good news about Indigenous lifespans.

        Actually, not collecting isn’t “bullet-proof security”, it’s often laziness. Good security involves rigidly observed permissions and regulated authority. Unfortunately, the average Oz dislikes both of these, as they are highly intrusive.

        • Not collecting data is bulletproof security for that specific data. It is impossible for it to be stolen.
          The over-collecting of data is also a sign of laziness, and arguing from convenience. In fact, I would say that this is where most occurrences of over-collection come from – simple laziness.

          • “… most occurrences of over-collection come from – simple laziness.”

            In most cases I would agree with you. OTOH, over-collecting always involves a degree of extra work, and in many cases requires a senior sign-off simply due to the extra work-load. Under-collecting is a far more serious sin.

            However, data retention is a different kettle of fish. Once collected for compliance reasons, it must then be subject to a decision process, with a simple argument: “Do we have further use for it?” Not “legitimate use”, nor “illegitimate use”, just “use”. So in this case, laziness is not a factor, as non-retention is the least-work option.

        • So does this mean in the absence of data we got a better outcome? This sounds like the case for not having data.

          Is it not in the experience of most of us that resources tend to be allocated to the needs of marginal seats; “an election has been announced, I feel a dam coming on.” Does the statistic gathering exercise just give the whole process the veneer of being done transparently?

  1. You can tell who cares real fast. Those who care about preserving their Census Anonimity have locked down their Social Media accounts, use Tor and/or other privacy systems all the time, almost certainly use PGP or similar on their emails, use older BlackBerry mobile phones, and continuously monitor every institution which has or may have collected their personal data.

    I’m thinking that on the bell-shaped curve, you’d find these people on the far right end.

    • I guess we’ll find out who cares based on how bad the data the census collects is.

      civil disobedience is gonna be a real pain if enough folk do care.

      I’m just waiting for the servers their running this thing off of to fall over when everyone tries to login and fill it out at 7pm :).

    • Rubbish. What guff.

      The correlation between Social media and Census is incorrect. It is a choice to use Social media.
      The census on the other hand is government mandated. There is also no need to connect the data in the first place.

      • And you don’t see it as a choice to take part in the Census? Who’s holding your hand?

        • No hand holding (unless its the one holding the big ass bloody stick menacing over everyone’s head if you don’t fill it out 100%).

          Maybe people would mind a whole lot less if they could actually come up with a reason as to why they are keeping said data rather than be all secretive about it. I mean its not like its not been planned for the last 5 years or so.

        • Exactly Simon. I won’t be fined for NOT using Facebook. Or Twitter or Instagram or whatever the next fad is.

          However failing to fill in census data. Fine. Fine Fine…. etc.

  2. Apparently, 1.4 million people did not cast a vote in the recent House of Representatives election http://bit.ly/2balXLX. It’s being to look as if we aren’t the compliant little automatons we had become under benign governments and more like the irreverent, individualistic individuals of our folklore.

    • “… 1.4 million people did not cast a vote …”

      Wow. Roughly 5% of the electorate had something better to do. That reduces the 2-Party Preferred to the 95% Confidence Level, below which the whole excercise is unreliable. Does anybody here know WHY and HOW we now enjoy Compulsory Voting? The story is interesting…

      “irreverent, individualistic individuals of our folklore”

      Who have you been reading? Henry Lawson? Try Banjo Patterson for a different view. But I’m glad you used the word “folklore”.

      Now if you were to pick up the subject of Class Warfare in Australia we could have a decent debate. Lawson writing about lower-class strugggles and Lawson chronicling those struggles are two different things. One of them did not happen.

        • In that case, the whole election should be rerun as the 90% confidence level is insufficient to return a valid result either statistically (its prime purpose) or as the will of the people.

          IMHO this is another indicator we should abandon compulsory voting and return to the bad old days of Voluntary Voting, true democracy.

    • read the article …. those figures include all the bung votes or mistakes that couldn’t be correctly counted (so they turned up but either donkey’d or just plain got it wrong). Considering there was a shift in how to vote this time its probably not surprising more folk ended up making what is considered and informal vote.

      Postal votes apparently an issue too with people not knowing what lower house area they ought to be in (they senate vote still counts).

      • I just did. “Voter turnout is calculated by dividing the sum of formal and informal votes by the final enrolment figure.” Add some who didn’t know their lower house electorate, but I doubt there are that many so ignorant, but maybe deliberate error? Even so, the wrong electorate people would probably not be very significant.

        I would have thought the Postal Vote system would be sorted by now? I mean, surely the Electoral Commission would get the correct ballots to the correct people? Although I do see people who need to vote in one elctorate but have their postal address in another… Of course, my brain is telling me that if they don’t know their electorate then maybe they should not be forced to vote :)

        And I have never been in favour of Compulsory Voting. “Not Voting” should be regarded as ticking the “None of the Above” box, which in my book should be a required option on all ballots.

        BTW. What’s the difference between Derryn on the left and Nick X plus the Greens on the right?

  3. Just thought I’d do a media release… :) Just in case anybody thought they didn’t tell anyone :)

    ABS to conduct a Privacy Impact Assessment
    11 November 2015 | CO/81

    The Australian Bureau of Statistics (ABS) today announced it will conduct a Privacy Impact Assessment on the retention of names and addresses from responses to the 2016 Census of Population and Housing.

    The ABS is considering the retention of names and addresses as a key enabler for improved household surveys and high quality statistics.

    The retention of names and addresses would support the integration of Census data with other high value survey and administrative data to provide a richer and dynamic statistical picture of Australia.

    Historically, the ABS has destroyed all name and address information after statistical processing of the Census has been completed.

    In considering this change, the ABS remains committed to maintaining high levels of community trust. No information will be released in a way that would enable users of Census data to identify any particular individual or household. Names and addresses will be separated from other household and personal data collected in the Census. Addresses and anonymous versions of names will only be used for approved projects.

    To inform both our decision and approach, the ABS will undertake a Privacy Impact Assessment (PIA) and is seeking feedback on this proposal.

    Further information is contained in the ABS Statement of Intent. To provide feedback on the proposal, please write to privacy@abs.gov.au by 2 December 2015.

    The ABS Privacy Policy outlines how the ABS will handle any personal information that you provide to us.

    Have a nice day. :)

    • You will note that this notice is talking only about doing the “Privacy Impact Assessment”, to inform their decision. This is not the decision itself.

      The problem is the decision previously has gone to public consultation and has been shouted down each time. Their was an expectation that the about PIA would be followed by a Decision the public could comment on.

      Either way there was not enough time prior to the Census for a proper decision to be made on this.

Comments are closed.