Is your Census information safe? Privacy in the spotlight
With the 2016 Census almost upon us, the issue of data privacy and security has been in the media spotlight again. The Age recently published this critique of the ABS policy by Peter Martin. When this issue was first brought up early in this year, I wrote this blog explaining what was going on, and looking at the pros and cons.
What are the key changes?
In a nutshell, the ABS is proposing to keep name identified information from the Census for longer than it has previously. Normally name identified information is destroyed after processing has finished, but this time the ABS plans to keep names and addresses for up to 4 years in order to link the Census data sets to other collections.
How secure is your information?
The ABS have said that names and addresses will be kept securely separate from the other Census data, and that no name identified information is ever released from the Census.
Census results have always been about statistics in aggregate – looking at the characteristics of the population in particular areas, rather than the characteristics of individuals.
So why do the ABS want your name and address?
The ABS have always asked for names and addresses. This has been part of every Census since the first national Census in 1911. All recent Censuses have asked for name, address of the place of enumeration, and address of usual residence, to enable coding of individuals back to their residential area if they are away from home on Census night. That said, if those fields were left blank, information was still processed and used in the Census output.
The main reason for asking for name and address in any survey, is to increase the accuracy of the data. Why? Cognitive studies show that people are more likely to give accurate information if they have put their real name to it, than if it’s anonymous. So asking for names gives a better outcome, even if those names are destroyed after processing. The Census has never been anonymous at the point of collection – only the data output is anonymous, as it’s published in aggregate.
The reason for retaining names and addresses a bit longer this time around is to enable easier linking of statistical information to other collections, enhancing the value of the datasets obtained from the Census.
What it all means
Extending the retention of names and addresses from approximately 18 months to 4 years is not really a huge change in itself, however it seems language being used may have changed. While names and addresses have been asked for in previous Censuses, the ABS didn’t make a big deal about accepting forms if these fields were left blank. With these questions now seen as compulsory and necessary, some people are worried.
This does run the risk of undermining the original purpose of asking for names and addresses, in that people may be less likely to provide accurate information.
With the move towards online forms (around 65% of households are expected to fill out the Census online in 2016), it is now more difficult to evade questions as the online form won’t let you proceed without filling in the required fields.
Should you provide your information?
Hopefully most Australians will understand the value of the Census data and still answer truthfully. Individual information is not shared with other organisations (there are significant penalties in legislation for any breach of this and the ABS have always taken privacy and confidentiality extremely seriously). .id users of the data are most likely well aware of ABS “randomisation” of small numbers, to ensure that individuals can’t be identified even by a specific characteristic in data output.
While the privacy safeguards are welcomed and I have absolute confidence that the ABS will maintain that confidentiality, I will also go on record again as saying that I don’t think any of the information that’s collected in the Census is particularly sensitive. It is not at the level of detail that would enable anyone to steal someone’s identity, and most people seem to share far more sensitive things on Facebook these days. If you look at the level of detail you need to (eg.) get a home loan from a bank, for instance, you’ll find this is far more intrusive than the Census questions. In fact I’d go as far as to say I’d happily have all my answers to the Census questions online for all to see.
Common concerns answered
Some of the more common concerns around providing your name and address include:
-
What if hackers get into to ABS and release the information publicly or use it for nefarious purposes?
– With respondents’ names and addresses stored separately to their personal and household data, this strikes me as very difficult. But if a hacker cares enough try to hack into the systems to find out that I used bike and train to get to work on Census day, good luck to them!
-
What if the ABS shares my income information with Centrelink or the ATO and discovers I lied on my tax return?
Apart from the fact that the ABS would never do this and there are large penalties for any such information sharing, it’s virtually impossible to compare ABS income information with other sources, particularly the ATO. For example, the Census asks, “What is the usual amount you receive each week in income?” This is very different to a taxable income calculated over an entire year, including deductions, offsets etc. Census also collects income in broad ranges, and includes some non-taxable payments such as pensions and allowances.
-
What if the government decided to target people based on their religion?
This seems to be part of the current angst about Islam in the community (a religious group which makes up 2.2% of the population), and those conflating a religion with terrorist acts commited by a tiny minority of individuals within it. Nevertheless, the main concern seems to be that a future government may access individual records to target particular people based on their religion. Given that the name identified information is still being destroyed after 4 years, this wouldn’t even be technically possible after 2020. And if you’re concerned about this specifically with the religion question, don’t forget that religion is an OPTIONAL question. You are free to leave it blank.
-
Don’t I have to mark a box to say I consent to having my name identified information kept?
This is a separate project, call the Census Time Capsule. For each person who marks “yes” to question 60 on the Census form, their name identified information with full Census details will be scanned and kept securely for 99 years, to be released in the year 2115. The records are kept within a secure storage area within the National Archives in Canberra. This has been an option on the past three Censuses, with around 50-60% of people consenting to it. If “Yes” is not marked (so the person has marked “No” or left the answer blank), the personal information will not be scanned for this project and all names and addresses will be destroyed by August 2020.
This time capsule project will be a fantastic resource for future genealogical and social research, and I’d encourage everyone to mark “Yes” for that too, but it is totally optional. Unfortunately the current publicity around the name and address retention for data linking, which is completely separate, runs the risk of getting mixed up with the time capsule, which is unrelated. People may be less likely to mark the “Yes” box, which would be to the detriment of future generations.
So in short, I really don’t see what the fuss is about with the name and address retention.
At .id we encourage people to answer their Census truthfully. We only get a chance to collect this vital information once every 5 years, and it’s used in planning for all levels of government, business and individuals. It’s also a lot of fun to find out about ourselves, and how we are changing as a nation, and right down to suburbs, towns, even streets and city blocks (but not individuals or households, for which the information is private and confidential)!
.id’s toolkit showcases the value of Census every day. So get online on August 9 and make a difference!
.id specialises in analysing, enhancing and presenting Census data. Access our community profiles and see how some of the results from previous Censuses relate to your local area: Community profiles for Australia and New Zealand.
I’m not on board with your dismissal of people’s concerns, Glenn.
In your March 20 blog post on the subject, you said that you didn’t notice the announcement about the longer retention period, despite following the ABS closely. Doesn’t this fact alone bother you?
I apologise to the genealogists who you mention in that earlier blog for wishing they had no more information to work with, but a nation shouldn’t have to share personal information just because some families regret not having kept adequate records.
Your FAQ above acknowledges that people may now wish to leave the religion question blank out of security concerns. I’m sure others will find more than just the religion question too intrusive. There will be new holes in the dataset and some deliberately inaccurate answers, thanks to the ABS’s new system. The ABS is shooting itself in the foot at best.
Our government already imprisons children, indefinitely and offshore, with minimal oversight; and our Attorney General could not describe the telecommunications metadata that is supposedly collected for national security reasons, but which state racing ministers now wish to access. My lack of faith in either our government’s intentions or competence is not unfounded. I hope I never become desensitised to each new step towards bumbling authoritarianism.
“I’d happily have all my answers to the Census questions online for all to see.”
Go on then, and don’t forget your home address and income…
You’re missing the entire point. You can downplay the level of sensitivity of the data all you want, but that’s not the concern here. Its the fact that as citizens we are having our basic human right of privacy ignored, and by law, enforcing us to divulge personal information and having it back traceable to the individual by name. I don’t care if you can find out more sensitive data about me by cross referencing my online profile, but I do find it highly offence when I have no other choice but to unwillingly give information about myself to an organisation I have no reason to trust or idea of what the information will be used for, without repercussions of breaking the law.
Thanks for the comments here. There is clearly a lot of angst about this change in the community. I think the ABS could have communicated the change better in the first place. I find it interesting, given ABS’s exemplary track record in protecting confidentiality of Census and survey respondents before, and the fact that they have always collected name and address and are now just keeping them a bit longer. Is it the fact that there is data linking going to happen that has people so concerned?
I also really don’t see how attractive the dataset would be to hackers given its general demographic nature.
Some have said having your name, address and date of birth on the one file could be used to steal an identity etc. If you’re worried about this – note that the question on date of birth also allows you to enter just “Age last birthday”, so you don’t actually have to give your date of birth at all.
And it’s worth noting that over 60% of Australia’s population marked “Yes” in 2011 to Question 60, the time capsule question, which entails having your Census record with name and address included (and attached to your answers, which the retention for linking purposes will keep separate) kept by the National Archives for release in 99 years. I will certainly be answering “Yes” to this again, as it’s a fantastic resource for future generations. So the majority of the Australian population don’t seem to have a problem with this.
“Over 60%”? So, over a third don’t want to participate in the time capsule initiative. The ABS should let people opt in to the longer retention period and data linking.
Do you really think Malcolm Turnbull is suddenly going to divulge his income when he admits he hides it off shore to avoid paying tax? Only a few months ago the ABS announced it was scrapping the census completely. Now it’s a data mining exercise to track and map every citizen. What changed? Worthless one minute, now so important they will fine you if you use a false name or give a false answer. They must be matching our data if they already have the answers.
Well the thing about income is that it’s collected in broad ranges, with the top range being $3,000 or more per week. So whether your income is $160k p.a. or in the millions (and even if you hide most of it) you fall into the same range anyway. So it’s a bit of a non-issue.
You’re right that the ABS was thinking of cancelling the Census last year. We are glad they got the funding they required to complete it. It was never worthless and many people were horrified at the thought of scrapping it.
The Census is not and never has been a data mining exercise, and it doesn’t track everyone. Name and address information is being kept for a few years statistical matching to other collections only, to improve data richness – and the ABS is committed to keeping everyone’s information 100% confidential. There is no tracking of individuals or sharing with other organisations.
Every study I can find has the EXACT OPPOSITE finding to this bizarre statement: “Cognitive studies show that people are more likely to give accurate information if they have put their real name to it, than if it’s anonymous.”
It’s common sense, taught in all reputable universities, and many-times-proven that anonymity encourages more reliable and honest answers.
What fake “Cognitive study” are you talking about? Reveal your sources, or remove that lie!
Here here
Well Glenn,
Looks like you were wrong and our privacy it is at risk.
Someone needs the sack at ABS
How so? I’m not aware of any privacy breach. There was a Denial of Service attack – which involves a malicious attempt to take a website offline – not to access the details within.
G’day Glenn,
You do realise that the Census act is an Act of Parliament and as such can be changed by Parliament, don’t you?
Here is a scenario for you. Three years down the track the government has control of both upper and lower house and decides it wants to use census data to locate possible tax avoiders. It legislates to force the ABS to hand over all data held in order to to do this. And it makes it retrospective. In fact it is almost written into part 13 of the Act already.
This scenario is incredibly unlikely because it would undermine any future Census or survey collection. No-one would ever give any info again knowing this could happen.
But even if it did, individual Census information would be useless for catching tax avoiders because it doesn’t ask for taxable income, and is collected in broad ranges.
“How so? I’m not aware of any privacy breach. There was a Denial of Service attack – which involves a malicious attempt to take a website offline – not to access the details within.”
The point is Glenn with over 20 years experience working in the field I find it amazing that we ae supposed to trust these people when they have made an enourmous cockup collecting the data. As for the Ddos attack I’m yet to see the evidence. One other thing if they are truly concerned about hacking/ privacy why still use the SHA-1 hash? Their argument is, so people with older browsers can still access the site. Tell me Glenn do people with older browsers deserve less security then ones with new ones? SHA-1 has been a known security risk for years.
We are supposed to trust these clowns. As for your playing down the value of the data to hackers ever heard of identity theft?
By the way, assuming there was a ddos attack (the story changes continually) this can be used as a diversion while someone grabs the data. Uncommon, but possible.
I’m sharing with facebook
I’m sharing in my partner networks