The Australian Bureau of Statistics’ plan for mandatory retention of names and addresses with this year’s national Census is concerning and potentially a bad precedent, argues Victoria’s commissioner for privacy and data protection David Watts.
“To keep the information … when it’s identified is concerning,” he tells The Mandarin.
For the 2016 Census, the ABS will destroy names and addresses when there is no longer any community benefit to their retention or four years after collection, whichever is earliest. Previously this information was destroyed after data processing.
Although Watts concedes the ABS has been “very alive” to the concerns expressed, the problem remains.
“I’m not sure that the case has been made out fully for that. I have reservations about it — how the information is stored and what security is attached to it are issues that are troubling and need to be thought through.”
Watts worries compulsory retention of information for purposes other than law enforcement “could set a really bad precedent”.
The Census collects a huge array of personal data in one place — a potential honeypot for those involved in identity crime. “One of the privacy principles is data minimisation and that’s contrary to what the Census is about, so I have reservations about it,” he says.
Do you know where your data is going?
Often it seems the public has a higher tolerance for mass data retention by the private sector than government.
We give mountains of data away to Google and Facebook. As Estonian government CIO Taavi Kotka told The Mandarin, “they even know what kind of porn I’m watching. The government doesn’t.”
But, even leaving the prospect of tyranny to one side, there is good reason for the close scrutiny of government.
“If you’re a client of government, it’s more likely because you have to be. You’re in gaol, you’re on parole, you’re receiving benefits,” Watts explained.
“Often there’s not a real choice associated with it. So government has super-added responsibilities and because you’re dealing with the communities most vulnerable. That creates a greater need for trust and confidence in the way government deals with information.”
When Watts met up with The Mandarin, he was preparing for Victoria’s Privacy and Data Protection Week, during May 9-13 (not to be confused with the Commonwealth’s Privacy Awareness Week the week after).
De-identification and smart cities have been big topics of conversation at this year’s Privacy and Data Protection Week.
Whether information can truly be de-identified is a live question, the commissioner says. “That is probably the most emotional topic internationally. The question is what degree of perfection you need in order to do that.”
While smart cities are a huge area for the expansion and improvement of governance — sensors can help regulate traffic flow, manage emergencies or monitor climate — they will also present new privacy questions.
Electronic public transport ticketing, like Melbourne’s myki system, is one example. It collects piles of data about where people travel and when. That information, which commuters have little choice about handing over, can reveal a lot.
“A lot of privacy is about self determination,” Watts argues.
“If people want to give up information in exchange for something, then I’m not there to stop them. But are they making a real choice? Do people really know? There’s questions about transparency and so on.”
Privacy law ‘about cultural change’
Uniquely among privacy regulators, the Office of the Commissioner for Privacy and Data Protection has just released an app featuring publications and guidance on privacy, data security and enforcement.
The commission is also releasing a new tool, in the form of a pdf, to walk public servants through the decision making process around sharing information.
Catalysed by Victoria’s Royal Commission into Family Violence, improving information sharing to prevent vulnerable citizens falling through the cracks has become a big issue for government.
The pdf was borne out of a dilemma encountered by Watts — that bureaucrats are often unsure how exactly to apply privacy rules to get the best public interest outcome.
“People come to me and say ‘we understand the basic principles, but what’s the answer to the question?’ and I say, ‘I’m the regulator, I can’t tell you what the answer to the question is. Think it through, and here are the questions you should ask.’ But I can’t end up auditing my own advice,” he explains.
He prefers to use the carrot over the stick.
“Really the Privacy and Data Protection Act is a piece of legislation about cultural change,” Watts argues.
“Cultural change can be done in a number of different ways. Cultural change through kicking people and punishing them doesn’t always work, so we have to use techniques and methods with some care.”
Sectors most trusted on privacy
The public sector ranks behind the banking industry in a recent privacy trust survey conducted by Deloitte. In its latest report, Trust Without Borders, respondents gauged organisations from 13 sectors based on security measures, transparency and how personal details and collected and used. Deloitte concluded the majority of information went overseas, mainly to the United States.
- Banking & finance
- Government
- Energy
- Insurance
- Telecommunications
- Higher education
- Technology
- Travel & Transport
- Health & Fitness
- Retail
- Social Media
- Media
- Real Estate
The original version of this story quoted David Watts as saying “To keep the information forever when it’s identified is concerning”. The ABS will actually retain the information until there is no longer any community benefit to their retention or four years after collection (ie August 2020), whichever is earliest.