ChiefIT.me Magazine - May/June 2016

Page 22

National

By Tony Campbell

Australian Bureau of Statistics change in census 2016

I read with interest that the Australian Bureau of Statistics (ABS) is planning to retain all of the names and addresses collected from the forthcoming 2016 census. Given how deeply the Australian census delves into our personal lives, coupled with the uncommon frequency of this audit compared with other countries around the world, it raises the question of how the government plans to protect such a useful hoard of information, given its potential value on the black market.

The press release on the ABS website that explains this change of policy says the bureau has addressed all of the issues the general public raised through public submissions and public testing. How was this conducted? Was this advertised well enough to get a real public opinion, or was it purposely kept low-key to engender the right responses from the tested minority?

Interestingly, the justification for change reads, “The Australian Bureau of Statistics has decided to retain names and addresses collected in the 2016 Census of Population and Housing in order to enable a richer and dynamic statistical picture of Australia through the combination of Census data with other survey and administrative data.”

ABS provides two examples of how retention of our names and addresses will assist them in meeting their research objectives:

• They will gain better insight into how educational pathways lead to employment
• Cross-referenced census data and health records improve the government’s ability to plan support for patients with mental health issues

I’m bemused. How does having our individual names and addresses linked to census responses allow the government to analyse national-scale outcomes, such as career pathways mapping to education? How can they change how they deal with mental health issues any better if the information can be tied back to an individual?
Surely these are all national issues that can be addressed without having to link records back to individuals? The biggest question that needs to be asked is what else could this corpus of information be used for by the government? Might it be used in national security matters? Is there anything stopping this database being made available to any department in government that needs it?

Privacy Impact Assessments

ABS seems to have followed due process in their decision to capture our Personally Identifiable Information (PII). They state that they conducted a privacy impact assessment (PIA), which looked at the risks of collecting, processing and using these records, along with the risk of data breaches and what the impact might mean to the individuals affected, which in this case has the potential to be more than 15 million Australian citizens.

When you undertake a PIA, you need to consider why this information might be targeted and who the threat actors might be that would be looking to steal it. This is essential so that you understand how much protection the database needs to be afforded, and if you can’t afford the level of protection in terms of security controls, then the risk needs to be accepted by someone in the agency who is accountable should the data be breached. The impact of the data being leaked is akin to what happened after last year’s attack on the US Office of Personnel Management (OPM), where a nation-state attack from China saw millions of personnel records stolen, allegedly by the Chinese government according to the FBI.

ABS says the following: “The Privacy Impact Assessment assessed the level of risk to personal privacy, considering the protections in place, as very low. The risks identified are mitigated by storing names and addresses separately from other Census data as well as separately from each other. The risks are further mitigated by governance and security arrangements the ABS already has in place.”

I suggest that 15 million census records, all of which are personally identifiable and linkable to healthcare records, irrespective of whether they are encrypted or not and behind the biggest, most modern firewall ABS can buy, are such a massive treasure trove of information for hackers, identity thieves, etc. that they will struggle to give it the protection it needs.

In security we use a term called aggregation of information to explain how datasets become more valuable (and hence riskier to lose) as they become bigger. In government security circles, this usually means the protective marking of the overall data set goes up as certain thresholds are reached, usually based on a risk assessment. If you look at the Australian Government’s Security Classification System, the SECRET security classification should be used when the following criteria are met: “When compromise of the confidentiality of information could be expected to cause serious damage to the National Interest, organisations or individuals.”

My closing question would be this: have the underlying security architecture, security technology, system configurations, staff vetting, security processes and audit controls within the ABS been implemented and assessed as being ready to handle a classified dataset? Have the security controls listed in the Australian Signals Directorate’s Information Security Manual been met prior to ABS collecting a classified dataset of 15 million PII records? What will ABS do to ensure that other government departments that request access to our data will also protect the data to the same level as ABS? Security is only as strong as the weakest link in the processes, so some additional assurance to the Australian public would certainly be welcomed.

