Tag CloudCensus ABS OGP submission media Data Inquiry re-identification open data consultation PM&C CensusFail correspondence OAIC meta-data event legislation A-G data-retention women animal welfare welfare Indigenous book FOI gender survey parenting governance Hansard Australia Card health NSS disability Census Inquiry ICAC race youth military ComBank inequality refugees religion technology Parakeelia
Get the Low Down on the 2016 Aussie Census Fail – by Roger ClarkeThis post has been viewed
Revision of 24 April 2016
By Roger Clarke
Copyright licence available under an AEShareNet
or a Creative Commons licence.
This document has been made available in order to inform the Australia public,
and to counter the misinformation published by the Australian Bureau of Statistics.
Many People are Very Concerned about the Census of 9 August 2016
Most people consider it to be a good idea to count people within geographical areas, and very few consider such counting to be an invasion of privacy.
Some people are concerned about the considerable intensity of personal data collected by modern Census forms, and by the legal obligation to answer every single question (except religion), irrespective of sensitivities.
Many more people are much more concerned about major changes that the Australian Bureau of Statistics (ABS) has declared it is going to make, starting with the 2016 Census. These changes are:
1. Every person’s identity will remain linked to the data collected,
forever [or for 4 years, maybe].
This was imposed on 5% of the population (1 million people) in 2006 and 2011.
Applying it to everybody is a massive extension first attempted in 2006, and
revived in 2016.
2. The data about each person, from all available Census and ABS Surveys,
will be linked together.
This was imposed on 5% of the population (1m people) in 2006 and 2011.
Applying it to everybody is a massive extension first attempted in 2006, and
revived in 2016
3. Additional data will be expropriated from other sources and added
to each person’s record.
This is new in 2016
4. Individual data about people and households will be made available
Nominally it will be de-identified, but in practice it will be so rich that
it will be readily re-identifiable.
This is substantially new in 2016.
(It appears that the ABS is already doing this, without public knowledge)
5. In some cases, the individual data that is released to researchers
will even include address, and “anonymised versions of names” (whatever
This is substantially new or entirely new in 2016.
(Possibly the ABS is already doing this, without public knowledge)
Each of these features, individually, is a gross,
unjustified and unacceptable intrusion into people’s privacy, and the
combination of them is a serious breach of trust.
Many Australian will be so angry at these breaches
of trust that the ABS will lose its reputation, and as a result the Census
will cease to deliver data of sufficient accuracy to be usable for public
policy and business purposes.
For many decades, the Australian Bureau of Statistics (ABS) was highly trustworthy.
For all Censuses conducted up to 2001, the data that it collected was quickly de-identified and disclosed only in the form of aggregated statistics. The Census did not involve significant risks to people’s privacy. Unlike most other
government agencies, the ABS gained and sustained a strong reputation of not leaking personal data.
Unfortunately, significant changes occurred in 2006 and 2011 that undermined that reputation.
The further changes proposed for the 2016 Census would completely
destroy the trust that the public once had in the ABS.
It is reasonable to expect a surge in the proportion of Australians who refuse to participate, who avoid submitting data, and who falsify data. The prospect exists that the number of people avoiding the Census in 2016 may swell from hundreds of thousands of people in the past to 1-3 million people.
The steps needed are as follows:
1. The ABS must conduct a proper Privacy Impact Assessment including meaningful
involvement of privacy advocacy organisations
2. Clear information must be made available to the public about the ABS’s
3. A properly-conducted PIA process would make clear that the current design
is untenable, because it would result in unacceptable harm to privacy and
to the quality of information collected
4. The ABS would then appreciate that it is necessary to revert to the
privacy-positive approach that it adopted until 2001
If any aspect of the ABS’s behaviour concerns you, here are some channels for complaints.
1. To the ABS
See the ABS’s Census Service Charter for the 2016 Census, or maybe here.
It points to the National Information and Referral Service on 1300 135 070, with a web-form but no email, open 9am–5pm, Monday to Friday. (In 2011, the Census Inquiry Service was on 1 300 338 776, 08:30-20:00,7 days).
There are some additional possibilities on the the ABS’s normal Contact page.
2. For previous Census events, the next place to raise issues has been an
ABS Liaison Officer
Population Census Liaison Officer
Population Census Field
Australian Bureau of Statistics
Locked Bag 10
Belconnen ACT 2616
[But they offer no email or phone.]
3. For previous Census events, complaints could then be raised with an ABS
Complaints Review Officer
Strategic Liaison and Risk Management Section
Australian Bureau of Statistics
Locked Bag 10
Belconnen ACT 2616
[But they offer no email or phone.]
These are worth a try, if only as a delaying tactic.
4. The complaint can the be escalated to The Ombdusman or the Privacy Commissioner
See the Ombudsman’s Complaints page.
No email, but an online form option. Phone Enquiries 9am – 5pm (AEST) Monday to Friday – 1300 362 072.
During the last 10 years, the Privacy Commissioner has been of very limited
use to the public; but you can try at the Privacy Commissioner’s Complaints page.
And the Office’s slowness in responding could be used as a weapon against the ABS, by pointing out to them that you’re awaiting the Privacy Commissioner’s determination of your complaint.
5. And/or to Your Local MP
This is a channel that’s always open to you. You can find your local MP here.
6. And/or the Media
Unfortunately, most of the media are hard-pressed, and ‘good news’ stories about the Census that are fed to journalists by the ABS’s Public Relations machine are simply regurgitated. But if your argument is clear and sound, some media outlets may be interested.
A section below provides such limited published information as appears to be available. Roughly speaking, in recent Censuses, thousands have refused, and hundreds of thousands have avoided completing the Census, one way or another.
If the ABS carries through with its state intentions, the numbers are likely to be far, far higher in 2016.
And that shouldn’t be a surprise to the ABS. In the late 1990s, the ABS commissioned
a survey, which established that:
- 89% of respondents agreed that “Census forms should be destroyed to protect people’s privacy and confidentiality”
Hence, in a population of 23 million, 20.5 million people are potentially highly disappointed with the ABS
- 34-45% said that they were “less likely to complete a census form if forms were kept”
Hence, in a population of 23 million, there are between 7.8 and 10.3 million potential ‘refuseniks’
Another indicator is that only about 50% of people have taken up the voluntary ‘Time Capsule’ scheme that commenced in 2001. Under this scheme, people can request that their identities be kept together with the data, but for release only in 99 years’ time – to help future family historians. This suggests that there may be scepticism about the ABS keeping its promises.
Following the breaches of trust in 2006 and 2011, there has already been an increase of betwwen 2 and 4 times in the number of people not reflected in the Census. (For details, see below). If the far greater breaches being perpetrated in 2016 were to result in another increase of 2-4 times, the number of missing people would be of the order of 3 million.
So, in 2016, the people who fail to complete the form may rise from hundreds of thousands to well over a million.
If you fail to complete the 2016 census, you will be far from alone.
The following is known:
- in previous Census years, a considerable number of people have adopted
various avoidance approaches
- some of those people have received successive follow-ups and letters
- some of those people have later been threatened with prosecution
- a much smaller number of those people have actually been prosecuted
Here are samples of the kinds of letters that are sent to people who refuse, called in order a ‘passive refusal letter’, an ‘active refusal letter’, a ‘pre-NOD (Notice of Direction) letter’ and a ‘NOD (Notice of Direction)’ letter, mirrored here.
If the Bureau does want to take the matter further, the offence provisions are under the Census and Statistics Act:
– “fail to comply with a direction”. The direction may be “to fill up and supply a form” (s.10(4)),
or “to answer … a specified question” (s.11(2)).
[Maximum] Penalty: One penalty unit = $180 per day max. fine. I’ve seen no evidence of multiple-day fines under this section. My impression from the few case reports is that the direction given is usually under s.10 rather than s.11.
– “[provide] false or misleading [information] in a material particular”
[Maximum] Penalty: Ten penalty units = $1800 max. fine. I’ve seen no evidence of any prosecutions under this section.
The following sources of information have been found about cases arising from failure to provide information to the Census:
- 1991: In response to a 1996-97 Parliamentary Question With Notice, the then Treasurer replied that 5,234 persons refused to complete the 1991 Census form and 91 were successfully prosecuted for their refusal (1.7%)
- 2001: Jozsef Pelican, of Regent St, Waverley, had refused to fill out a 2001 census form. Launceston Magistrates Court was told Mr Pelican further refused despite being warned and subsequent visits by Australian Bureau of Statistics personnel. Magistrate Peter Wilson said the refusal amounted to “wilful defiance”. Pelican was fined $100 and given 28 days to pay. (Launceston Examiner, 11 Dec 2002)
- 2001: Following the UK Census in 2001, there were 78 prosecutions, but those were predominately people who were abusive or troublesome to field staff
- 2006: The ABS told Queensland Pride that 4,955 formal notices were sent to people directing them to fill out their census. Of these, approximately 4,000 completed forms were returned. Of those that weren’t, 278 people were later prosecuted. [29% prosecuted, but no information was provided about the outcomes.] Penalties for failing to fill out the census form range from Good Behaviour Bonds to fines of up $500 plus court costs (Qld Pride, 2 Nov 2007)
People can draw their own conclusions about the relationship between the number of instances of non-provision of data, notices, prosecutions and successful prosecutions.
But with hundreds of thousands of potential targets, it would seem likely that ABS would pursue only the priority cases, e.g. those who:
- were violent or otherwise seriously nasty (you’d hope so – Census collectors are people too!)
- formally and successively refused (‘refuseniks’)
- were so annoying that they drew the ABS’s attention to themselves
- were semi-randomly unlucky by virtue of having a zealot for a collector and/or collector’s supervisor
People have adopted a number of approaches in previous Census years in order to avoid their personal data being captured during the Census and subsequently abused.
These approaches are neither encouraged nor discouraged.
(It could be unwise for anyone to actively encourage their use, because that might be interpreted as an incitement to break the law). The following information is published, and recommended for re-publication, so that people are informed about the situation.
1. Avoid being resident in any household on the Census date, Tuesday 9 August 2016
The Census is based on the premises, not the person, and hence if you aren’t resident you shouldn’t be recorded. (It appears that ‘grey nomads’ have had success with this “gone fishin'” approach)
2. If others in the household are submitting a return, instruct them to leave you off it
(This may cause ructions within a family, but may be entirely appropriate in a shared house or flat. The wording of the Act leaves open whether the ABS may still have the power to prosecute the objector)
3. Get an envelope and a form, and send a blank form in
(This will very likely result in successive re-visits from the collector, followed by threatening letters from the ABS. But if enough people were to do it, the volume would be such that the ABS would not have enough resources to follow everyone up)
4. Avoid being at home when the Collector calls
(This will require great persistence, because Collectors and their supervisors are paid to chase, chase, and chase again)
5. Be absent or too busy
Whenever the ABS’s contractor calls or arrives, some people make themselves absent or say that they’re too busy, and avoid appointments. (This requires great persistence, because collectors and their supervisors are paid to chase, chase, and chase again. Eventually they may run out of time, although they have the option to argue to the magistrate that your continual busyness constitutes refusal to answer)
6. Ask lots of questions
These may be about, for example, the process, the questions, the privacy protections, or the security of the data. This may be accompanied by saying or implying that you may be prepared to provide the data once you have satisfactory answers.
(Based on experience, the ABS is likely to reply slowly, and with pre-written, carefully-composed and vague text that does not answer your questions. It’s commonly necessary to ask the questions again, and address letters further up the organisation. It’s necessary to sustain your patience over many months until one side or the other gives up)
7. Provide made-up answers to the particular questions that are of greatest concern to you
(This is not appropriate for people who do not like to be forced to lie in order to protect their privacy. Moreover, if the intention is to avoid prosecution, the lies need to be subtle enough that the ABS believes them, or considers
them too difficult to prove to be lies. On the other hand, because ABS is handling 5-10 million forms, it may be impractical for them to check even for silly answers, let alone for plausible but incorrect answers)
8. Refuse to provide answers to the particular questions that are of greatest concern to you
(It is likely that this will not be possible with the online form, so it would be necessary to demand a paper one. This approach appears less likely to lead to prosecution, and it seems likely that the magistrate would be both less likely to convict, and less likely to levy a significant fine)
9. Refuse to fill in the form
(The ABS has the power to prosecute under Census and Statistics Act ss. 14-15, and to seek fines that the magistrate could choose to apply once, or for every day that the data is not provided. Some prosecutions do take place. In practice, only a very small proportion of the people who have failed to provide the data have ever been charged, and no report has been seen of any large fine being imposed)
10. Fill in the form using a light blue pen [Added 17 April 2016]
A recent proposal is based on a statement on the 2011 census form that you must fill it in using “black or blue” pen.
Forms are then scanned in order to extract the data. The graphic arts industry uses a pen that writes in a form of very light blue that is not normally picked up by scanners, called ‘non-photo blue’ or ‘non-repro blue’ – RGB 164, 221, 237.
(There are practical limitations. A pen of that kind is needed, or a digital equivalent. The ABS’s scanners may be able to be set so as to cope with the colour. If only a few people use it, the ABS would detect it, and could manually capture the data from a modest number of forms. There’s an outside chance that ABS could attempt to convince a magistrate that use of a light blue pen was tantamount to a refusal to provide data. If many people
use it, on the other hand, it could have an impact. Note, however, that ABS would be very likely to maintain
secrecy about countermeasures used, and refuse to divulge information about how many people adopt the approach).
For the 2006 Census, the ABS planned to make very substantial changes to its Census process. It intended to keep the data that it collected in a way that associated it with the individuals concerned.
During 2005-06, the Australian Privacy Foundation (APF) conducted a campaign against these measures. The campaign succeeded in forcing the ABS to conduct a Privacy Impact Assessment (PIA). Here are the PIA Report of 2005, the ABS’s Response, andpublic submissions.
The Privacy Commissioner has made abundantly clear that the importance of doing a PIA is indicated by “the significance or scope of a project, and the extent to which a project involves the collection, use or disclosure of personal information”, and has expressly recommended “the introduction of a statutory requirement on public sector agencies to undertake a Privacy Impact Assessment (PIA) for [major] projects”.
Following the conduct of the PIA, ABS made significant adjustments to its plans. For 95% of the population, the ABS continued the practice of destroying the connection between the rest of the data and the individuals it relates
to. However, ABS kept the name and address with the Census data for 5% of the population. This was a serious breach of privacy in respect of the c. 1 million people affected by it.
The ABS then called this the SLCD program, but now calls it ACLD. Some information about it is below.
A separate, voluntary retention program, which ABS calls the ‘Census Time Capsule’, is also described below.
It appears that no PIA was conducted in 2010-11, and that no consultations were held with any privacy advocacy organisations.
It appears that:
- ABS again breached the privacy of 1 million Australians in 2011, as they had done in 2006
- ABS extended its breach of trust by linking the 2006 and 2011 data
The ABS PIA process and PIA Report were not compliant with the Privacy Commissioner’s Guidance document:
- The Statement made clear that the PIA would not consider whether
the retention of name and address should proceed, but was only to “ensure
the right privacy design can be put in place and inform the processes, risks
and risk mitigation strategies”
- No privacy advocacy groups at all were contacted – despite the ABS’s familiarity with a number
of groups from the 2005-06 process. The PIA report states that “the ABS directly notified key … external stakeholders”. So it is clear that the ABS did not consider privacy advocacy organisations to be ‘key stakeholders’
- The announcement included a statement that was constructively misleading:
“Historically, the ABS has destroyed all name and address information
after statistical processing of the Census has been completed”.
This is false. For 1 million records in 2006, and again in 2011, name and address were retained by ABS; and in each Census since 2001, c. 50% of individuals have requested that the data be retained in an identified form, for release 99 years later, under the Census Time Capsule program
- The announcement of 11 November 2015 gained almost no publicity at all
- The substantive information provided amounted to 208 words, with no references
to any other sources
- Feedback was required on 2 December 2015, i.e. only 15 business days later
- The response and decision were announced on 18 December 2015, only 12 business
days after that.
No public service organisation is capable of moving that quickly. So the
PIA Report and the final decision were clearly in advanced draft before the
invitation was even put on the ABS’s web-site on 11 November 2015
- The PIA Report includes no evidence of the ABS using privacy expertise
from outside the organisation, which is normal public service practice, and
which was done by the ABS in 2006
- The PIA Report states that “No substantive privacy-related concerns
were raised by any of “the Office of the Australian Privacy Commissioner,
… the State and Territory Privacy Commissioners [and] relevant representatives
for each State and Territory” (p.19). This is extraordinary, to the
point of not being credible
- “Public feedback consisted of three responses from private citizens
who all raised concerns with the
proposal” (p.20). The 100% rejection by the tiny sample, and the complete
absence of submissions from organisations with expertise in privacy matters,
appears not to have caused the ABS the slightest ripple of concern
- The risk of “Reduction in participation levels in ABS
collections due to loss of public trust” was assessed as “Likelihood: Very
This is quite extraordinarily naive, or disingenuous, or worse.
It has been since publicly contradicted by a former Australian Statistician
- The same applies to the risk assessment that “‘Function creep’ – unintentional
expanded future use of retained name and address information – Likelihood:
The data will be very attractive to many agencies, and many agencies have
the power to demand its release, including dozens of law enforcement and
national security agencies
The PIA was not only in breach of the Privacy Commissioner’s Guidance
document, but also perfunctory to the point of serious sub-professionalism.
It has not a skerrick of credibility.
ABS then simply decided that it would do what it had originally intended doing a decade earlier in 2006.
Moreover, ABS intends to catch up lost time by immediately moving further with its long-term plan, as follows:
- ABS intends to add some of the data to its Address Register, to improve efficiency (of the ABS) in relation to existing (and perhaps even more) compulsory Surveys
- ABS intend to combine the data with other Census and Survey data that it already holds, or that it gathers in the future
- ABS intends to expropriate data about people from other sources, and combine the various sources into a single record linked to the specific person. The personal data that the ABS has expressly mentioned is:
- education data (which is mostly about children)
- health data (which is the most sensitive of all forms of personal data)
ABS intends extending its existing breaches in relation to 1 million Australians, by breaching the privacy of all Australians, and doing so in ways that are more intensive, and far more objectionable, than ever before.
The measures in the 2016 Census design are not the end-game.
All Australian Statisticians until 2000 (Bill McLellan) had been very careful about privacy issues, and strongly protective of public trust in the institution. The last three, however, (Trewin, Pink and the incumbent, David Kalisch) have been seeking to greatly expand the sources of data, to destroy anonymity by keeping data identified, and to consolidate data from many other sources into a databank, data warehouse, big data collection, or (currently) ‘the Australian Integrated Data Resource’. (Leave space here for future fashionable euphemisms for an inhabitant registration system, dataveillance system, panopticon or Australia Card Register which encompasses all of the country’s inhabitants).
A little-known pseudo-organisation was formed several years ago, called the National Statistical Service. Its function was to cross-legitimise several mechanisms whereby sensitive personal data is expropriated from government agencies, and data-laundered into agencies with respectable titles, such that the data can then be further disclosed to other agencies and researchers. In addition to the ABS, the club includes the powerful Australian Institute of Health and Welfare (AIHW) and the Australian Institute of Family Studies (AIFS).
AIHW accumulates masses of highly sensitive patient health care data, and distributes it, not in statistical form, but as individual consolidated personal data records – although the concept has been ‘laundered’, by applying the term ‘microdata’ to it. The data is nominally de-identified but is in practice so rich that it is readily re-identifiable. It is also highly attractive to many organisations for administrative purposes (e.g. fraud investigations), for commercial reasons (e.g. insurance), and for criminal reasons (e.g. extortion).
The Commonwealth Dept of Health has invested vast sums of taxpayers’ funds into a so-called ‘Personally Controlled’ Electronic Health Record (PCEHR). This project has been so disastrous that it has had to be re-birthed recently, as MyHR.
However, the scheme’s purpose is not to assist in patient care. Its function is to assist the Commonwealth to expropriate personal health care data from health care professionals’ records, in order to consolidate it into a single repository for administrative, research and probably insurance purposes. AIHW is a natural repository for that data.
The current Australian Statistician, David Kalisch, was previously head of AIHW. When he was appointed, his first manoeuvres were to seek a merger of the ABS and AIHW, and to declare his desire to breach current privacy laws by pillaging the holdings of personal data in a range of government agencies including Centrelink, Medicare, the ATO and Immigration(e.g. Canberra Times, 6 April 2015).
“An Australian Integrated Data Resource?
“This government administrative data becomes a more valuable resource if it is combined with other information to provide more insights.
“For example, administrative data can be combined, such as information on social security recipients with child care and employment services, or Commonwealth MBS/PBS information with state government hospital services to design better policy or service delivery responses.
“Administrative data can also be combined with the five yearly ABS census information to provide a more comprehensive picture of changes in Australian households. Other ABS surveys of households and businesses provide further opportunities for constructing linked data sets that deliver additional insights”.
Kalisch has been quite explicit about his intentions to finally, 30 years late, assemble the Australia Card Register. The Australian Statistician would thereby become the Australian personal data supremo.
There have been two programs under which identified Census data has been kept.
If the ABS received a form in 2001, 2006 or 2011 with all of the relevant boxes at the end of the form ticked – whether or not everyone in the household had actually agreed – the whole form has been be kept by Australian Archives, to be released after 99 years. ABS refers to the scheme as the ‘Census Time Capsule’ project. ABS says that about half of all forms are ticked in this way.
The UK has kept all forms, securely, for 100 years, since 1841. On the other hand, the data collected up to 1911 was very limited, and nothing like as detailed and intrusive as forms in recent decades.
The UK recently compromised the 100-year rule a little, by releasing the 1911 census a few years early. It’s unclear whether that may turn into the thin end of the wedge, with shortened disclosure times.
A program of this kind is very appropriate, subject to some important provisos. (Declaration: the author has used such records to better understand his family history). The vital conditions are that the prohibition against access is absolute, the archives are carefully-controlled, and retention is only with consent by each adult individual that is actually free and informed (which in the present situation, is doubtful).
A project commenced in 2006, then called the Statistical Longitudinal Census Dataset (SLCD).
This applies to “a random sample of 5% of persons in the 2006 Census of Population and Housing”.
You have no choice, and you don’t know whether you’re in the 5% sample or not.
The data is identified. Expressed in ABS bureaucratese: “in the absence of name and address, inclusion of a non-identifying grouped numeric code when linking records can improve accuracy and efficiency”.
The 2011 Census Form glossed over this with a constructively misleading statement.
It said “A person’s name-identified information will not be kept …”.
That statement obscures (and appears to have been devised in order to obscure)
- the data carries a ‘pseudo-identifier’, and an index links the pseudo-identifier with the name
- in any case, the data is rich enough to enable correlation with the person’s name
- the ABS is doing precisely that, in order to link all of each person’s data through time
- the fact that the data is not “name-identified” is irrelevant
Expect some similar form of ‘economy with the truth’ in the 2016 Census.
The SLCD method has indeed been pursued. It has been re-named the ACLD (“The first issue of the Australian Census Longitudinal Dataset (ACLD) brings together data from the 2006 and 2011 Censuses”), and formalised as Catalogue No. 2062.0.
Moreover, it appears to be already available as large tables of individuals’ census records covering both 2006 and 2011 personal data, as Catalogue No. 2080.0 – Microdata: Australian Census Longitudinal Dataset, 2006-2011.
This section gathers together what can be found from official sources.
1986: “Refusal by householders to complete the  census form [was] not a significant cause of underenumeration and account[ed] for less than 0.012 per cent of households [c. 6.75m?, so c. 800 in 1986, long before the abuses began in 2006]. In about 70 per cent of these cases the number of occupants was able to be estimated by the collector from information obtained orally from a member of the household or other persons, and this estimate was included in the census count” (ASSDA ?1986). [The ASSDA organisation has since disappeared from the ANU web-site.] (Presumably what was made up was a count, not data about the missing people. Very few people would be likely to object to merely being counted. The privacy concerns are (a) the collection and retention of identified personal data, (b) its consolidation with data from other sources, (c) its disclosure, at this stage in re-identifiable form, and (d) in due course, doubtless its disclosure in directly identifiable form]
1996: ” … System Created [i.e. dummy] Records are created where the collector has not been able to make contact with the household, yet believes that the dwelling was occupied on Census Night.
Smaller numbers of System Created Records are due to situations where people indicate a desire to mail back a census form but do not do so, and where people refuse to complete a census form. The term ‘non-contact’ dwellingis used in this paper to refer to all these situations … In 1996, non-contact-dwellings were 62,234 (0.9%) [missing say an average of 2 people each = 125,000 people]
2001: The count of non-contact-dwellings was 156,460 (2.0%) [missing say an average of 2 people each = 300,000 people]
2006: Searches of the ABS site unearthed no figures, so everyone was free to draw their own conclusions, and extend their own extrapolations; but see further below (ABS 2970.0.55.019 – 2001)
2011: “Refusal by householders to complete the Census form is not a significant cause of undercounting” (2901.0- Census Dictionary, 2011) [But ‘significant’ has a meaning in statistics. If the undercounting is evenly spread, it can be quite large but not significant].
In a more recent document, ABS carefully blends together the ‘no form received’, ‘incomplete form received’ and ‘nonsense data’ categories. No attempt was made to estimate the proportion of people who refused rather than forgot. ABS estimates that between 800,000 and 900,000 people were not represented by a satisfactorily-completed census form in 2006 and 2011. That’s overall 4% – in the range 2.6-3.7% in most States and ACT, 5% in WA, 8% in NT. No response was received at all for about 300,000 dwellings, c.4%. ( Non-Response Rates, 6 Jun 2013). There has also been mention in the media that “About 10,000 homes around the [Sydney] CBD – or more than one in 10 – were found to be vacant on census week in 2011” (SMH, 17 Aug 2015). What proportion of those were tacit refusals is of course difficult to tell.
The trend-line of non-completions has risen steeply, as follows:
- 0.5% in 1986 (est.)
- 2.0% in 2001
- 4.0% in 2011
And this was all before the ABS’s current and most serious breaches of trust.
Moreover, the ABS’s own surveys have established that the proportion of the Australian population that does not trust the ABS had already risen to 19% ( High community trust in the ABS, 20 October 2015), even before anyone knew that the ABS was shortly to announce its breaches of trust in relation to the 2016 Census.
I didn’t even mention data security as an issue in my opening statement that Many People are Very Concerned about the Census of 9 August 2016.
However, since late March 2016, ABS have attempted to treat security as though it were an issue.
Presumably they think this will deflect attention away from the many, very serious concerns about Census 2016.
In running the security ‘red herring’, the ABS, and some of the people who rely on the data it publishes, have made misleading statements about various aspects of the security of the data gathered by ABS. The ABS’s misrepresentations are significant, but not quite grim enough for them to be added to the list of concerns at the top of this page.
This section presents some relevant facts.
Contrary to impressions given by the ABS, it is not precluded from releasing the data gathered from individual census forms. Moreover, they’ve been doing so for many years, and the intensity of the data that they’re releasing is
becoming far greater than it was in the past.
The ABS is subject to legal constraints, most usefully presented in the 2005 PIA, p.16-26. But the provisions include discretions and other loopholes, some quite possibly inadvertent, some arising because of changes in technology or practice, and some designed-in by government lawyers. These loopholes didn’t matter much from 1911 until 2001,
when census data did not contain identifiers, and individual entries were not released. But if the ABS continues with its breaches of trust, they will matter a great deal in the future.
(a) The Offence Provisions
The relevant provisions are the Census and Statistics Act ss. 19, 3, 13, 12 and 19A, the Statistics Regulations cl. 7, and the Statistics Determination cl. 7. Links to those provisions are at the end of this section.
The ABS is also subject to the Privacy Act, but the provisions of that legislation are so weak and qualified that they have little impact on the analysis.
Under C&S s.19, it is an offence to “divulge or communicate” “information given under the Act”, whether “directly or indirectly”, unless the action is “for the purposes of the Act” or “in accordance with a determination under s.13 of the Act”. The categories of people subject to the s.19 offence provision are understood to be ABS employees, ABS contractors and relevant staff of other agencies ‘seconded’ to ABS. Under s.7, all such persons must have been sworn in by means of an undertaking specified in the Schedule to the C&S Regulations.(I’ve expressed this somewhat cautiously, because of the indirectness of some of the expressions in ss. 19 and 3 including the cross-references to the ABS Act, and the circular definition of the term ‘officer’).
But it’s not clear that there has ever been any prosecution mounted under s.19, nor what the courts would make of it if a defendant mounted a well-resourced defence (i.e. employed a barrister). Personally, I’m only aware of one prosecution of an ABS officer for divulging data (and that was CPI data, not census data).
But that person wasn’t charged under s.19. The prosecutor instead used the Criminal Code Act and the Corporations Act, for “insider trading, identity theft and abuse of public office charges” – ABS, SMH.
(One possible reason is that s.19 only incurs “120 penalty units [@ $180 = $21,600] or imprisonment for 2 years, or
both”, whereas the miscreant in question went down for over 3 years, even after he pleaded guilty and ‘turned Queen’s’ on the person who incited him to do it).
The term “information given under the Act” refers to data that ABS acquires as a result of requiring or requesting people to fill in forms and answer questions (under ss.10(2), 10(3) or 11(1)), or directing them to do so (under ss.10(4) and 11(2)). This relates both to each Census and to the various surveys that it conducts. (Surveys can involve both much
more intrusive questions than the census, and multiple iterations over an extended period).
(In addition, under s.19A, there’s a nominal preclusion of the disclosure of data “that is contained in a form”. However, this says nothing about the same data once it’s been captured, it is expressed in the passive voice, and hence does
not appear to actually apply to any legal or natural person, and it does not prescribe any offences. s.19A is primarily the authority for the ABS to pass on to Archives the data approved by individuals for disclosure after 99 years.
It is unclear whether the section provides, or is even intended to provide, any relevant protections).
There appears to be no mechanism whereby the ABS as an organisation (or the Crown of which it is a part) commits an offence if the provisions are breached, and there is no means for an individual to sue the agency if it misbehaves. This is a problem with many breaches by government agencies; but it’s a potentially serious problem in this case, because whereas the 20th century ABS could be trusted to protect data, the 21st century ABS cannot.
(b) Authorised Disclosures of Individual Records
An ABS employee or contractor is not committing an offence if the disclosure is authorised by a determination under s.13. These are expressed in the Statistics Determination document, in particular at cl.7. This adopts a key expression from s.12(2) (a section that is concerned with processed, ‘statistical’ data, rather than individual records). The safeguard is meant to be that data is not to be released in such a manner as to be “likely to enable the identification of the particular person”.
Individual records have been released by ABS since at least the mid-1990s. They are variously
referred to as ‘microdata files’ and ‘confidentialised unit record files’ (CURFs). It appears that hundreds of instances of such releases occur each year, to hundreds of individuals and organisations.
The 2005 PIA referred to some safeguards being in use at that stage, although under what circumstances and with what degree of effectiveness is unclear. It appears that obvious identifiers were removed, and (presumably only when
seen to be necessary) changes were also made to a small number of values (‘data perturbation’) in order to reduce the likelihood of re-identification.
The “not likely to enable the identification of the particular person” provision may well have been adequate, say, 40 years ago. Since then, large-scale collection, processing and disclosure have exploded, and organisations
receiving ‘individual statistical records’ from ABS have access to a vast array of additional data-sources, and techniques for combining them. Added to that, during the last decade, re-identification techniques have become sophisticated.
The safeguards are therefore no longer adequate. At the very least, the s.12(2) and cl.7 obligations would have to be greatly strengthened, e.g. to “shall not be published or disseminated in a manner that may enable the identification of a particular person or organization, whether from the data itself, or in combination with other data possessed by or readily available to organisations that may gain access to it”, together with clear sanctions against both ABS and individual executives in the event that a breach occurs.
(c) Controls over Recipients
Under s.13(2), the ABS has a discretion to require recipients to undertake not to disclose information, in particular from ‘microdata files’ and ‘confidentialised unit record files’ (CURFs). Statistics Determination cl.7 enables ABS to require recipients to provide “a relevant undertaking”, and cl.7(3) lists several possible conditions. Under s.19(2), a failure to comply is an offence with a penalty of “120 penalty units [$21,600] or imprisonment for 2 years, or both”. However, whether undertakings are actually demanded is at the discretion of the ABS, and hence recipients of detailed data may or may not be subject to conditions. In any case, it is unclear how breaches would become evident, and no evidence has been found any prosecutions of a s.19(2) offence. It is far from clear that the (extremely small) risk of prosecution, even when combined with the risk of being denied further disclosures, is a sufficient deterrent.
Such loose measures may have been adequate during the period 1911-2000. But that was when the ABS was extremely careful about identifiable data, and agencies and corporations had far less sophisticated technology and were far less rapacious in their attitudes to personal data.
(d) Further Considerations
• It is entirely unclear whether courts can override the secrecy provisions. Courts commonly do so quite mindlessly, simply because a party to a case asks for a sub poena to be issued.
• All of these provisions are automatically overridden by any subsequent legislation that empowers an agency or a private sector organisation to acquire data from ABS. Many provisions have been included in the mass of ‘counter-terrorism’ legislation since 2001. More generally, there is a vast array of legislation, and legislative drafters frequently hide provisions in unexpected places, and routinely write tortuous text that is later interpreted much more broadly than the original public understanding of the legislation’s intent.
• The longstanding commitment of the ABS to defend its secrecy provisions is in serious doubt. The previous two Statisticians consistently endeavoured to broaden ABS’s role, and the incumbent, David Kalisch, has declared his ambition to make ABS the hub of an ‘Australian Integrated Data Resource’ (aka the Australia Card Register dreamt of by mandarins since at least the early 1980s).
• Individuals have no right of access to personal information about themselves held by the ABS. This is because data gathered by the ABS from the Census is exempt from the FOI Act (although the ABS does have a discretion to provide a copy of data back to the person who provided it). A right of access and correction might have seemed superfluous when the only data that was held was that from each single census form, and only for a matter of 12-18 months, until processing was completed.
The situation has changed quite dramatically since 2006. The ABS is already maintaining a longitudinal record for 5% of the population, at this stage containing at least data from the 2006 and 2011 Censuses. For some people, it may also already contain data from a series of Quarterly Surveys. And it may, or may soon, contain data expropriated from other sources (e.g. the Electoral Roll, and health and education sources). This exemption is therefore of vastly greater significance now than it was in the past.
- Census and Statistics Act:
- Statistics Regulations 1983
- Statistics Determination 1983 (PDF)
- The 2005 PIA
2. The Feasibility of Identifying Individuals from their Census Data
Claims that it is not possible to identify an individual from census data
are false, twice over:
- The ABS already does this for 5% of the population (>1 million people)
as part of its SLCD, now ACLD program
- The ALCD ‘microdata’ (which it appears is already being released in respect
of the 5% of the population forcibly enrolled in 2006 and/or 2011) is sufficiently
rich that re-identification is more than tenable.
Some kinds of data-records are capable of being effectively anonymised. However, the more data-items that a record contains, the more difficult it becomes to achieve de-identification.
Some data-items, for example, may contain data-values that only apply to a small percentage of the population, and combining that data with one or two other items reduces the possible identities to very small numbers. An extreme example is Role: Batsman, Test-Average: 99.94. More realistically, combinations of location, country of birth, need for assistance, occupation and workplace address give rise to entries that are unique or close to unique.
Note that, even without address, a fine-grained indicator of location exists. The ABS used to use Collection Districts (CDs), which contained an average of 225 households in them – about 500 people. (I’ve not found any indication of the smallest count of people in a CD). But ABS has changed to Statistical Areas Level 1 (SA1s), which contain as few as 180 people, or in the case of [remote] discrete Indigenous communities, as few as 90 people. (There is one more detailed accumulation-level than SA1s, called Mesh Blocks, of c. 30-60 dwellings, but the ABS states that it “confidentialises” data at that level).
There are well-established ‘re-identification’ techniques, which take advantage of the difficulties involved in achieving effective anonymisation. The challenges are so great that even the Privacy Commissioner (who spends more time protecting government and business than protecting privacy) has described anonymisation as ‘rocket science’.
The only way to effectively anonymise rich data records is to falsify them. The polite word used for data falsification is ‘data perturbation’: “The alteration of values within a data set to guard against data-linkage”. (There is an active area of research into how data can be ‘perturbed’ in such a way that each data-record is useless, but the data-set as a whole retains adequate statistical quality for whatever purposes it is to be used for).
The most useful general guide to de-identification is UKICO (2012) ‘Anonymisation: managing data protection risk: code of practice’ Information Commissioners Office, November 2012, esp. pp. 21-27, App. 2 pp. 51-53, and Annex 3 pp. 80-102 – the last section by Yang M., Sassone V. & O’Hara K., Uni. of Southampton
4. Retention Forever, or for Four Years?
Apparently on 7 April 2016, ABS added a statement about data retention to its page ‘About the Census: Privacy, confidentiality & security’. The page now says:
“For the 2016 Census [only], the ABS will destroy names and addresses [whatever that now means] when there is no longer any community benefit to their retention or four years after collection (i.e. August 2020), whichever is earliest”.
The statement is evidence of confusion and nervousness on ABS’s part, but not of understanding of the public’s needs or the public reaction. It does not materially reduce the ABS’s breach of trust.
5. ‘One-Way Encryption Processes’ and ‘Vaults’
In what a sports commentator would call ‘scrambling defence’, ABS has made claims that Census data will be ‘anonymised’ “in a one-way encryption process so that it can’t be traced back”, and “will be stored in three separate ‘vaults'” (although their PIA appears to refer to four rather than three).
The statements make little technical sense.
What are correctly called ‘one-way hash’ techniques are useful in some contexts, but they can’t be used to achieve
the ABS’s claim of anonymisation.
The term ‘data vault’, while it has been used on occasions by salespeople, is not a technical term in the IT world.
There are legitimate concerns about whether the ABS will be able to protect the data they hold. After all, data breaches are reported week in, week out, because data security is challenging, and organisations are slack. ABS has a far better track-record on security than most other organisations. However, the new data collections will be more attractive, to more organisations, that anything that ABS has ever stored before. So there will be more, more professional attacks on ABS’s ‘vaults’, both through technical means (‘hacking’) and through legal processes.
Unauthorised access, by attackers that even the ABS never intended to get hold of identified data, is indeed a possibility. But that’s an additional concern, i.e. a possible 6th entry in the list above. For the moment, I don’t consider it to be anywhere near as big an issue as the existing 5. So, for the time being at least, I’ve not added it in.
ABS announced that they were dramatically changing the Census, very quietly, on Friday 18 December 2015 – a date clearly chosen to avoid media coverage:
ABS (2015) ‘Retention of names and addresses collected in the 2016 Census of Population and Housing’, Media Release, Australian Bureau of Statistics, 18 Dec 2015
ABS (2016) ‘Privacy Impact Assessment: Proposal to Retain Name and Address Information from Responses
to the 2016 Census of Population and Housing’ Australian Bureau of Statistics, December 2015
The careful timing was successful, because no media reports arising from that release have been found.
People who should have known about it found out only in late January 2016.
Palmer D. (2016) ‘ABS to permanently store personal data from Australian census’ Delimiter, 01 Feb 2016
APF (2016) ‘Australian Census 2016 and Privacy Impact Assessment (PIA)’ Letter to the ABS, 12 February 2016
Greber J. (2016) ‘ABS slammed for breach of trust over ‘intrusive’ 2016 Census data matching plan’ Australian Financial Review,10 March 2016
Lauder S. (2016) ‘Census data being turned into ‘honeypot’ for hackers and governments, says privacy advocate’ ABC The World Today, 10 March 2016
Berg C. (2016) ‘If you’re worried about privacy, you should worry about the 2016 census’ The Drum, 15 Mar 2016
Johnston A. (2016) ‘Why you might want to become a Jedi Knight for this year’s Census’ Salinger Privacy, 17 March 2016
PP (2016) ‘Pirate Party Calls for Census Boycott Due to Privacy Concerns’ Pirate Party, 21 March 2016
EFA (2016) ‘Census 2016’ Electronic Frontiers Australia, 22 March 2016
Simpson C. (2016) ‘Australian Lawyers And Scholars Are Encouraging Civil Disobedience In This Year’s Census’ Gizmodo, 23 March 2016
FDOM (2016) ‘Brenda the Civil Disobedience Penguin vs. The Australian Bureau of Statistics‘ First Dog on the Moon, in The Guardian, 30 March 2016
Keane B. (2016) ‘Why you should boycott the census’ Crikey, 31 Mar 2016
Sansom M. (2016) ‘Centrelink, the Tax Office and ASIO could use Census 2016 data: privacy groups’ Government News, 4 April 2016
Stiles J. (2016) ‘Census no longer anonymous’ The New Daily, 10 April 2016
Sansom M. (2016) ‘We won’t share personal data: Census 2016 chief’ Government News, 11 April 2016
Palmer D. (2016) ‘Australian Privacy Foundation slams “Orwellian” census data retention’ Delimiter,
14 April 2016
Coyne A. (2016) ‘Is the ABS turning Census data into a hacker’s honeypot?’ it News, 19 April 2016
Cowan P. (2016) ‘Pilgrim warns data de-identification is ‘rocket science’ itNews, 20 April 2016
Here’s a petition:
Here are two advocacy organisations that have published pages on Census 2016:
July 21, 2016 / Rosie / 0
- 89% of respondents agreed that “Census forms should be destroyed to protect people’s privacy and confidentiality”