Every five years Australians partake in a national survey known as the Census. The Census collects statistics from every household in the country and captures a snapshot of the nation. This year the Census has created controversy as the ABS decided to embrace the digital age and attempted to conduct the Census through an online survey.
The ABS has also opted to remove the anonymity factor in this year’s Census. They will be collecting names and addresses of survey participants, justifying the change as a way of providing better insights into key areas such as employment, transport, health and education. Trialling an online survey and shifting away from anonymity has concerned many Senators and Civil Liberty Advocates, who have asked, “what will the government do with this information? Is this a breach of Privacy law? And will my online survey data be safe?”
Is the Mandatory Collection and Retention of Data Secure?
The legislation that permits the ABS to collect statistical information and outlines its responsibilities in doing so is the Census and Statistics Act 1905 (Census Act). The Census Act must comply with APP 3 of the Privacy Act, under which a Commonwealth agency may only collect personal information that is reasonably necessary for, or directly related to, one or more of its functions or activities. The ABS must follow the provisions of the Census Act (s19) and treat all information collected in a strictly confidential manner.
Breaches of privacy are unpredictable, yet extremely common. The APPs set out four key steps to managing a breach. The ABS will also look to these steps should a breach of Census data occur:
- Contain the breach: Once notified of a breach, containment may involve closing or shutting down the compromised system to prevent further records from being misused.
- Determine the risk of the breach: It is important to assess the risk. What information has been compromised? Who is affected by this breach?
- Notify: Determine whether notification of the breach is required, whether to individuals or the relevant authority.
- Prevent future breaches: As a result of a direct breach, there should be a review of policies and procedures for staff and a security audit of data. It is important to learn from breaches and prevent them from recurring.
In the Event of a Breach, Must the ABS Notify Individuals?
It will depend on the nature of the privacy breach and seriousness of the harm caused to that individual. Providing notice to an individual can help reduce the harm caused by a privacy breach. Notice should also be given to the relevant authorities, whether this is the Office of the Australian Information Commissioner (OAIC), local police or other relevant regulatory bodies.
How Long Can Personal Information Be Kept Under the APPs?
Under APPs 4.3 and 11.2, APP entities are required to take reasonable steps to remove, destroy and de-identify information that is no longer used or relevant.
This Year’s Hack
In the lead-up to the Census, the ABS and Federal Government were optimistic in the face of a sceptical general public. Despite reassurances that the data collected would be safe and protected, fears that the Census would be a target for hackers were realised on August 9th. As a precaution, the ABS shut down the Census site in response to these international “cyber attacks”.
Aren’t We a Generation of Data Over-Sharers Anyway?
The Small Business Minister, Michael McCormack, has mentioned that the loss of anonymity in this year’s Census is “no worse than Facebook”. Facebook and other social media platforms are used daily by a majority of the population and store private information and personal data on all of their users. Similarly, the ABS have said that your average Woolworths or Qantas loyalty card requires more information than the Census does. So if the Census is just like signing up to Facebook or for a supermarket loyalty card, why do we all care so much? It might be that we volunteer our personal information to social media or loyalty programs, whereas the Census is compulsory.
You shouldn’t limit your privacy concerns to the Census, because you are also putting yourself at risk when volunteering your personal information online. The general rule of thumb for data sharing is: if it’s free, your personal information may be the payment. For instance, the information you provide to Facebook will be used to sell to advertisers, who can in turn target you with relevant advertising material.
At work, your data may also be at risk. Larger companies can afford top IT security, but it is important to keep in mind that the information you share with startup apps may not be as secure.
What if I Don’t Complete My Census?
According to the Census Act, the penalty for failing to complete and return a Census form can be up to $180 a day. However, due to the cyber attack and shutdown of the Census website, Australians have until Sept 18, 2016 to return their hard copy forms and until Sept 23, 2016 to fill in their online survey.
Who Must Fill in the Census?
You are expected to participate in the Census for the household you reside in on the night of the Census, which in 2016 was August 9th. The only exemptions are foreign diplomats and their families.
The failure of this year’s Census due to cyber attacks from overseas hackers has not only borne out people’s privacy concerns but also revived the discussion of privacy and data breaches in the digital age. Many countries hold surveys similar to our Census to understand their population better, and will also be facing the same dilemma the ABS has struggled with – whether the efficiency and resourcefulness of digital collection of information outweigh the risk of privacy breaches. Paper beats rock, but does it also beat a computer?
While it’s not exactly surprising that the Australian National Census was attractive to hackers because of the sheer size of the operation, it can be easy to forget that cyber attacks are a legitimate risk if you are doing business online.
If you need assistance regarding a breach of your personal privacy or company’s confidential information or have questions about Australian Privacy Law, get in touch with our IT lawyers on 1300 544 755.