ABS re-examines how long it keeps Census names, addresses

The Australian Bureau of Statistics could reconsider its controversial decision to retain names and addresses collected as part of the Census for four years in time for the next national survey.

The agency in charge of Australia’s largest peace time operation on Friday said privacy consultancy Galaxia had been brought in to assess how long names and addresses should be kept after the next Census slated for 2021.

The work will form part of an independent privacy impact assessment (PIA) of the upcoming survey, which will look at potential privacy issues or risks and recommend way to minimise or manage these.

It follows the appointment of big four consulting firm PwC earlier this year to build and operate the online platform for the 2021 Census, which will be locally hosted on Amazon Web Services.

“We are taking a ‘privacy by design’ approach to planning and conducting the Census. This ensures the privacy of individuals is considered at every step, right across the program,” Census division general manager Chris Libreri said.

“An important part of the assessment process, for Galexia, will be wide-ranging external stakeholder consultation.This will help identify privacy risks and concerns, and ensure appropriate mitigation strategies are in place.”

The decision to expand the retention of names and addresses of individuals to four years was made ahead of the now infamous 2016 Census, which was knocked out by a series of DDoS attacks.

Prior to this, the names and addresses of individuals entered on the census form were destroyed once the ABS had processed the survey, normally within 18 months.

However, the decision was widely criticised in a Senate committee probe into the events surrounding the 2016 survey.

The committee suggested bias towards expanding data matching could have driven the ABS’ seeming complacency about its decision to retain collected names and addresses for four years

This, in part, stemmed from the ABS’ decision to conduct the 2016 Census PIA internally, which the committee described as “manifestly inadequate”.

 “Based on the information received by the committee, there is no evidence that the ABS consulted with community groups, non-government organisations or privacy advocacy groups,” the committee said at the time.

The committee also called on the ABS to conduct all future PIA’s relating to the census externally and publish results a year before the census takes place, which the ABS has upheld in its appointment of Galaxia.

Galaxia has conducted a number of PIA’s for government agencies over the years, including one recommending that the Digital Transformation Agency enshrine the privacy protections behind its digital identity platform in law.