Thoughtworks is a global software consultancy, with strong capabilities in data management, security, and privacy. We would like to make comment on the running of the Australian Census in 2016.
We are huge fans of the census and are proponents of its use for evidence-driven policy. Because of this, we are unable to remain silent while the 2016 census threatens this excellent policy tool.
By choosing to retain the names and addresses of about 24 million people in 10 million households alongside their sensitive demographic data, the ABS is taking risk with the privacy rights of all Australian residents. It is our belief that claims that the risk of data leaks are low may not be correct, as the ABS has reported 14 data breaches in the last 3 years. In light of the security threats observed in recent years, we are afraid that no matter how strong the security capability of the ABS, the risk is real and should this data leak the impact would be immense. As one example, consider the impact on an individual should their information end up with a fraudster or violent ex-partner.
Holding any data brings with it the responsibility of securing it and bearing the risk that it is compromised. In our commercial work, we practice datensparsamkeit – the principle of holding as little personal data as needed. Not only is securing data difficult, when it is leaked it is impossible to retrieve. Consider that the NSA, one of the world’s most well-funded and capable security organizations, was unable to prevent the leaking of thousands of documents about its operations. It is only by reducing the amount of data that we hold that we can reduce the impact when it leaks.
The ABS’ collection of personally-identifying and sensitive data needlessly puts the private lives of Australian residents at risk. Many people recognize this and may refuse to engage with the census or provide accurate information as an act of civil disobedience. The collection of excessive personal information may have some unintended repercussions for the quality and integrity of census data not only in 2016 but beyond. The ABS may be able to force compliance with some of those who choose not to complete the census form, but they will have no way to verify the answers provided by those who do complete the form as accurate.
We believe that, given these concerns and strong community opposition to the retention of personally-identifiable information, the 2016 census results will be insufficiently accurate to justify the collection of such personal information.
We urge the ABS to commit to the following:
Accepting census submissions without names or addresses as legitimate;
Not to seek to fine people who choose not to submit their identifying information;
The destruction of all personally-identifiable information, such as names and addresses, within 6 months of taking the 2016 census;
Independent scrutiny and verification that this information has been destroyed.
To address the concerns of the Australian community and to encourage participation and provision of quality information for the 2016 census, we urge the ABS to make this commitment before 8th August.
Disclaimer: The statements and opinions expressed in this article are those of the author(s) and do not necessarily reflect the positions of Thoughtworks.