Last week saw privacy experts and consumer groups express concern at the proposal by the Australian Bureau of Statistics (ABS) to retain certain information from the Census to be held on 9 August this year.  In previous censuses information was used but not retained. 

The proposal now is that both address data and name data be retained and used.  The ABS said that it wants to be able to combine the Census data with other data sets, such as health and education statistics, to get a richer and more dynamic statistical picture of Australia.

The concern of privacy experts and consumer groups is not aimed primarily at the ABS and its proposed uses but at the possibility of "function creep" and that other government departments, such as the Tax Office and ASIO, may be able to access the data and use it for other purposes.  The risk, expressed by a number of parties is that "the ABS becomes the unwitting tool of a government intent on mass population surveillance".

The information about its intentions was released by the ABS on 7 April 2016 following a lengthy process of research into the benefits and potential risks of retaining name and address information. 

In November 2015 the ABS announced its intention to undertake a public review into potential privacy risks and also to undertake a Privacy Impact Assessment (PIA) in relation to those risks and steps to mitigate them.  The ABS PIA was completed in December 2015 and has been published on the ABS website. 

The ABS PIA considers the risks of the retention of data and references, very importantly, a number of safeguards that are built into the framework of the ABS.  Those include the protections under the Census and Statistics Act 1905 (Cth), the Privacy Act 1988 (Cth) and the fact that the ABS has been accredited as an integrated authority under the Commonwealth statistical data integration interim arrangements. 

The ABS PIA outlines in detail the risks perceived to the retention of data and the various functional separation, organisational separation and data security measures in place by the ABS.  It is difficult to disagree that the ABS has in place a range of safeguards that appear to mitigate the identified risks. 

However, the biggest concern and the biggest risk, at item 4.5 of the ABS PIA, is the risk of function creep and unintentional expanded future use of retained name and address information.  While the ABS PIA indicates that there are various procedures for the management of risk, including their own internal approval processes and governance structures, the concept of the data falling outside the control of the ABS is not contemplated.

A reasonable risk raised by privacy experts and consumer groups is that other government departments will force access in a way that may be intrusive, condoned by government and not able to be prevented by the ABS, giving rise to privacy risks to individuals.  This is something we will wait to see play out, but is significant in the context of government department information sharing and information obtained for one purpose being used for another purpose.

This publication does not deal with every important topic or change in law and is not intended to be relied upon as a substitute for legal or other advice that may be relevant to the reader's specific circumstances. If you have found this publication of interest and would like to know more or wish to obtain legal advice relevant to your circumstances please contact one of the named individuals listed.