#CensusFail: the ABS hasn't convinced the public their privacy is protected

The Australian Census, which takes a snapshot of the demographics of the Australian population, is embroiled in a last minute furore around the mandatory collection of names and addresses.

South Australian Senator Nick Xenophon has declared he will not be providing his name and address. In doing so, he risks a A$180 fine for each day of “non-compliance”.

Xenophon argues that the Australian Bureau of Statistics (ABS) has not made “a compelling case why names must be provided”. However, the rationale is actually quite simple.

With names and addresses, the Census data can be linked to other data sets where we have already allowed our name and address to be used. This includes health, education and other data. Together, they should help give a more complete and accurate picture of how the distribution of people in Australia matches present and future services.

From a population health perspective, linked health data may also reveal underlying health trends or relationships between age and income, or general health outcomes, that were not possible to see without this linkage.

How the linkage works

When the Census form is submitted, either online or on paper, the name and address is split from the other information and replaced with a unique number.

This number is called a “statistical linkage key” (SLK), as claimed by the former NSW deputy privacy commissioner.

She has called this out as a major issue because the linkage key is created using a standard formula of letters of the name, the person’s date of birth and their gender. This means that someone could accurately guess the individual represented by a SLK if they only know the person’s name, sex and birth date.

However, the census doesn’t force people to specify their date of birth and people can simply give their age. This means the linkage key would need to be created by matching names and addresses against another data source.

An additional problem the ABS has created for itself is that the online forms do not allow characters with accents or special characters.

There is little validation being done to the text being entered into various fields, so the overall data quality of names and addresses may actually turn out to be quite low.

Can we trust the ABS?

Whatever the form of linkage, names and addresses are held separately from the rest of the data in what the ABS calls a “secure environment”. Although the ABS claims this conforms to the latest industry standards of security, it recently had to remove a claim it made that it was storing the data in a certified “Cyber Secure Zone”, as it had failed to achieve this rating from the Australian National Audit Office.

The ABS has also said it will never release identifiable data to anyone. However, this promise may not carry weight with those who distrust the government, especially those who remember cases where the government has failed to protect or interfered with private information.

It is possible that Xenophon and others are also concerned about the risk of it being leaked via a malicious hack, especially in light of recent high profile hacking cases such as that of Ashley Madison.

The main difference between Census data and Ashley Madison, though, is that with Ashley Madison, the very presence of a name on the list was itself sensitive. With the Census, it’s the other data attached to the name that is sensitive, and that data is split from the name record.

Some people may also mistrust the government’s intentions with their private data in the wake of the metadata retention laws that came into effect last year. These permit the government to track two years worth of call records and internet addresses, among other things.

This information can be far more revealing than simply giving names and addresses, although the census will find out about all people in the household, not just those with an internet account.

Selling the Census short

Even though privacy concerns surrounding the Census have come to a head this week, the ABS actually announced its intention to collect names and addresses as far back as November 2015.

That the concerns are peaking today, on Census day, suggests the ABS has not done a particularly good job of communicating and justifying these changes to the public, either at the consultation stage or now, as the collection proceeds.

The fight against the collection of names and addresses by the ABS has become a focal point for certain members of the public’s general concern about privacy. In the context of how much information is shared by the public with companies and government organisations, it is innocuous by itself.

However, it represents a background concern of loss of control over what is essentially something that is especially precious to the individual: their personal identity.

The ABS is unfortunate in that it has allowed attention to coalesce around this particular day of the collection, which amplifies the concerns of what is a relatively small number of vocal dissenters.

The good news for the ABS, though, is that past the Census date, attention of the issue is likely to quickly dissolve and it can see how successful or otherwise their attempt to capture this new data has been.