2018 Census Independent Privacy Impact Assessment
7 July 2017
By Daimhin Warner, Director (Auckland), Simply Privacy Ltd

An independent assessment

Control. Privacy. Trust.
Putting the individual at the centre of the 2018 Census
2018 Census: Independent Privacy Impact Assessment
Table of contents

Key messages ... 3
Executive summary ... 4
Introduction ... 6
  What is a PIA? ... 6
  How was this PIA completed? ... 7
  What is Simply Privacy? ... 7
2018 Census: Digital-first ... 8
The wider environment and context ... 10
  Statistics Act: Providing a strong legal framework for census ... 10
  Privacy Act: A roadmap for good privacy practice ... 10
  Social licence: A privacy-supportive model ... 12
  Current public perception: Is there social licence? ... 13
Culture, governance and technical security oversight ... 14
  A strong privacy culture ... 14
  Privacy governance structure and resourcing for census ... 14
  Technical security as a wider issue ... 15
Collection: Ensuring value and managing risk ... 17
  What information? A process to ensure value ... 17
  Preliminary PIAs into census processes and systems ... 18
  Practical privacy protections during the census ... 19
  Data breach response plan ... 20
Use and processing: Limitations to increase control ... 22
  Integration with the IDI ... 22
  Stats NZ's access, de-identification and confidentiality processes ... 24
Openness and transparency: Communicating to build trust ... 26
  Existing communications ... 26
  2018 Census key messages ... 27
  Where and how to deliver them ... 28
Conclusion ... 30
Appendix 1: Information gathering ... 31
Key messages

• Census can link to strong agency-wide privacy governance and oversight mechanisms, ensuring that census data is protected during its entire lifecycle.
• Stats NZ recognises the value of data as an asset worth protecting.
• Stats NZ is committed to ensuring that personal information is used only for statistical and research purposes.
• A 'digital-first' census can deliver both privacy protection and a more efficient process.
• Census processes ensure only personal information that adds social and community value is collected.
• Census can build public trust and 'social licence' by telling its positive privacy story.
• Stats NZ has a culture of confidentiality which creates a foundation for safe and secure privacy practices.
Executive summary

The census isn't just about data, or statistics, or intelligence. It's about people. It involves asking people to tell a government agency about themselves. It requires people to relinquish some control by entrusting often sensitive personal information to Stats NZ.

Stats NZ has expertise in data science. It can analyse, aggregate and extract insights from data with great skill, but this assessment focuses on the extent to which Stats NZ recognises that this data is about people with privacy rights and expectations. The assessment concludes that Stats NZ has a very clear picture of the person at the centre of the census. There is a strong culture of confidentiality within the organisation as a result of a well-established legislative framework that both facilitates personal information collection and use, and mandates a business model that treats personal information with care and respect. Stats NZ recognises the value of data as an asset and this informs its practices.

This assessment reviews the key processes, procedures and safeguards the census team has put in place, or is contemplating, to ensure that privacy remains a central theme in its planning and operations. The recommendations made in this assessment are aimed at ensuring that there is consistency between the census team and Stats NZ more generally, that privacy governance and oversight within the census team is sufficient and – most importantly – that the public knows about the good work being done to ensure that the 2018 Census is a privacy success.

The following recommendations are made:
1. Provide all census staff with guidance on the high level privacy goals and values for 2018 Census and build an understanding of the way each team's processes, procedures and safeguards contribute to this.
2. Create and document clear privacy roles and accountabilities within the census team, including a central role with overall privacy responsibility.
3. Encourage close collaboration between this documented privacy role and Stats NZ's Privacy Officer and ensure the Privacy Officer has the opportunity to contribute effectively as 2018 Census processes are finalised.
4. Ensure that the census team reports regularly to the IPSaC Governance Group and that census privacy is a standing item on the Governance Group agenda.
5. Continuously revisit security safeguards as the census programme evolves, to ensure that they are facilitating good privacy practice.
6. Explain technical security safeguards to the public clearly and simply, to establish that the digital-first approach is good for privacy.
7. Revisit the decision not to undertake a full PIA on the EPIC processing system and consider rating the public impact of this system as high.
8. Ensure controls are in place to manage any perception that operational information incorporated into EPIC may be used for statistical or research purposes.
9. Link the census crisis communication approach to Stats NZ's wider incident management process and involve key privacy and security staff in the risk assessment, mitigation and notification stages of the process.
10. Notify the public that administrative data held in the Integrated Data Infrastructure ('IDI') will be used to improve the quality of census data and explain the overall value of this data use.
11. Notify the public that names and addresses are retained and used within the IDI's secure processing and linking environments to match information and explain the value of this data use.
12. Develop a clear and simple census privacy story that is structured to provide key privacy messages to the public and contribute to the building of social licence.[1]
13. Make the census privacy story easily accessible and stand-alone and ensure that all channels connect to these key messages.
14. Tell the census privacy story well in advance of census, to build confidence in the digital-first approach and provide the time needed to revise communications to meet public needs or changing expectations.

[1] Social licence describes a level of public comfort with a particular use of personal information. This comfort comes from trust that personal information will be used only as promised and acceptance that enough value will be created by that use. It is discussed further below.
Introduction

This is an independent privacy impact assessment ('PIA') into the 2018 Census.

The census is a major public touchpoint for Stats NZ. It is a moment at which the agency engages extensively with the public and gathers personal information for statistical and research use. The census isn't just about data, or statistics, or intelligence. It's about people. It involves asking people to tell a government agency about themselves. It requires people to relinquish some control by entrusting often sensitive personal information to Stats NZ.

The 2018 Census is 'digital-first'. Unlike previous censuses, it will focus on digital engagement, encouraging respondents to complete the census online. This is positive for the NZ public. The digital-first approach (which also extends to the processing system and the management of workloads for field staff) is expected to reduce cost, increase engagement and deliver better information for research. However, these benefits cannot be achieved at the expense of individual privacy. Privacy must be built into the 2018 Census from the outset. This PIA is a part of that process.

Stats NZ has expertise in data science. It can analyse, aggregate and extract insights from data with great skill, but this assessment focuses on the extent to which Stats NZ recognises that this data is about people with privacy rights and expectations. The assessment concludes that Stats NZ has a very clear picture of the person at the centre of the census and makes recommendations intended to ensure that this is demonstrated effectively to the public.

What is a PIA?

A PIA examines a change, project or proposal to evaluate how, and to what extent, it might impact on individual privacy. The PIA process is about designing privacy into changes, to ensure that risks are identified early and processes, products and safeguards are designed with privacy in mind from the outset. It's about setting the right course.

This assessment focuses on a number of key issues that are unique to the census. It does not confine itself to the Privacy Act or the information privacy principles but considers the 2018 Census within a wider context, taking into account the legislative framework, the current environment, public perception, and social licence themes.

It is Stats NZ's intention to make this PIA available to the public. This is a commendable approach to take and shows a real commitment to accountability.

This is not a review of Stats NZ's technical information security. While information security is an important part of the overall privacy framework, it is a specialised part that requires separate and detailed consideration by information security experts. Stats NZ has engaged the services of Deloitte to assess these risks for the 2018 Census.
How was this PIA completed?

An independent PIA provides a fresh and impartial view over a process or set of processes that may have become business as usual to the agency itself. It is not affected by preconceptions or assumptions and should assist the agency to "see the wood for the trees".

In undertaking this PIA, key census staff and teams were interviewed, with a view to understanding the governance structure, census processes, safeguards and controls either in place or contemplated. A significant document review has also been conducted, including internal process and policy documents, system outlines and diagrams, internal privacy impact assessments, external communications and other key materials. A full list of interviews conducted and materials reviewed is attached at Appendix 1.

What is Simply Privacy?

Simply Privacy Ltd is a consultancy which provides privacy strategy, programme and consultancy services to public and private sector agencies. Simply Privacy's directors have a combined 20 years of privacy experience, including in senior roles with the Office of the Privacy Commissioner, and have provided PIA and other assessment services to numerous agencies and on varied projects and processes.

In preparing this PIA, Simply Privacy has relied upon information, statements and representations provided to it by Stats NZ. Simply Privacy provides no warranty of completeness, accuracy or reliability in relation to this information, these statements or these representations.
2018 Census: Digital-first

At a high level, 2018 Census is no different from any other census and it is important for the public and stakeholders to appreciate this. Stats NZ has run censuses of the NZ public for decades. There is a general understanding by government and the public that censuses add value and are an important part of the process of government policy making.

Traditionally, censuses have been highly manual. Census staff have visited every home throughout the country to distribute and then collect paper census forms and return them to Stats NZ. The 2018 Census, however, will be primarily digital. Stats NZ will mail internet access codes to households and encourage the public to 'self-respond' online. The aim is for at least 70% of responses to be online. This digital-first approach is anticipated to improve data quality while reducing the cost of data collection.

As with previous censuses, census data will be integrated with other personal information held by Stats NZ in order to provide the statistics relied upon by the public and private sector to make sound policy decisions and drive better social and community outcomes.

The digital-first approach provides Stats NZ with opportunities to significantly improve privacy compliance, and the privacy experience of the public. A reliance on manual paper-based census processes created information security risks that can be very effectively mitigated in the online environment. Well-managed, the digital-first approach provides Stats NZ with a unique opportunity to better engage the public to show the value of census and build trust.

However, there are a number of changes to the collection and use of census data in 2018 that warrant specific mention and consideration here, not because these changes are inherently negative but because they are different and must be made clear to the public.

1. 2018 Census data is being collected in a different way. The flows of information that traditionally occurred will now be easier, faster and more efficient. Stats NZ is engaging a variety of third parties to facilitate these new data flows. Some of the questions asked in the census may also change, to reflect evolving priorities and attitudes.

2. 2018 Census data will be incorporated into Stats NZ's Integrated Data Infrastructure ('IDI'). The IDI is a database of de-identified personal information gathered from a wide range of information sources, including government agencies and NGOs. The IDI also contains the data from the 2013 Census.[2] For the 2018 Census, information will flow two ways:

• IDI data will be used to improve the quality of 2018 Census responses, by filling gaps in responses and imputing data based upon clear links to other data already held.

• 2018 Census data will be integrated into the IDI, and combined with other data collected, to provide a fuller data set intended to drive better outcomes for New Zealanders.

3. To facilitate this integration, individual names and addresses will be retained within a secure IDI linking environment and used to more accurately link the 2018 Census data with 2013 Census data and personal information gathered from other sources. The retention and use of these identifiers may come as a surprise to the public and so is examined below in more detail.

These differences have the potential to impact negatively on the public perception of Stats NZ and on overall engagement with the census. If the public feel that the digital-first approach is facilitating a more intrusive, or less robust, census, they may be reluctant to provide good information on census day. If the public has a sense that the personal information they entrust to Stats NZ will be used in ways that make them uncomfortable, they may lose faith in the process.

[2] For a full list of IDI information sources, go to http://www.stats.govt.nz/browse_for_stats/snapshots-of-nz/integrated-data-infrastructure/idi-data/idi-data-overview.aspx.
The wider environment and context

Stats NZ operates in a unique context. It has a clear legislative mandate to collect a significant amount of often sensitive personal information. This mandate simplifies privacy considerations to some extent but in other ways it creates public perception issues unlike any other public sector agency faces. Stats NZ must take particular care to display to the public that it is exercising its legislative mandate responsibly, fairly and in a way that is not overly intrusive. It requires Stats NZ not only to ensure that it has a lawful basis to gather and use personal information but also that its actions are measured and will add value and bring benefits to New Zealanders.

Statistics Act: Providing a strong legal framework for census

The Statistics Act gives Stats NZ legal authority to collect personal information of a certain type from individuals and it requires individuals to comply with such requests. This limits the application of the Privacy Act insofar as any actions are permitted by this legislative framework. However, the Statistics Act also places a number of important obligations on Stats NZ and its staff that go above and beyond the more flexible obligations contained in the Privacy Act. It requires all staff to take a statutory declaration of secrecy in respect of the information they handle. It also places very robust information security obligations on Stats NZ, that are more onerous and comprehensive than the general requirements of the Privacy Act, and includes an express limitation on the use of information (for statistical and research purposes only).

This legislative framework has influenced the culture within Stats NZ in ways that can have an impact on privacy practice. There is an overriding culture of confidentiality that informs the agency's processes and procedures. Provided that this culture does not result in complacency – and there is no evidence to suggest that it has – this creates a highly safe and secure foundation for the development of sound personal information handling practices.

There is also a recognition – borne out in recent work by the Data Futures Partnership (and discussed in more detail below) – that the compulsory collection of personal information facilitated by the Statistics Act brings with it heightened obligations to be open and transparent.

Privacy Act: A roadmap for good privacy practice

While Stats NZ operates under a clear legislative mandate, it is still subject to the Privacy Act and the information privacy principles. The Privacy Act provides the safety net that ensures Stats NZ exercises its legislative mandate fairly, responsibly and in an open and transparent way. It has the flexibility to permit Stats NZ to operate in ways that are efficient and effective while supporting many of the safeguards the Statistics Act requires.
The Privacy Act requires Stats NZ to always ensure that it:

1. collects only the personal information it needs (for census, the information it is permitted to collect under section 24 of the Statistics Act);
2. collects personal information from the person concerned (for census, the respondent);
3. tells the public why it needs the information it has requested, what it will do with it, and who it may be shared with (for census, a major part of openness and transparency);
4. collects personal information in ways that are fair and lawful;
5. takes reasonable steps to keep personal information safe and secure (this is supported by section 37 of the Statistics Act);
6. enables individuals to access information about them;
7. enables individuals to correct their information if it is wrong;
8. takes reasonable steps to ensure that personal information is accurate before using it (for census, this includes steps to cleanse census data and ensure it is meaningful);
9. keeps personal information only for as long as it is needed;
10. uses personal information only for the purposes for which it was collected (for census, this is statistical and research purposes);
11. does not disclose personal information; and
12. takes care with unique identifiers.

While some of these principles apply less clearly in the Stats NZ context than others (for example, the access and correction principles are more difficult to comply with when significant steps are taken to de-identify personal information internally), they provide a set of foundational concepts that should inform general practice, particularly in respect of areas on which the Statistics Act is silent.

The Privacy Act and information privacy principles are also supported by the seven principles of Privacy by Design, which are intended to facilitate privacy practices that do not hinder the ultimate goals of the programme. For the census team, these principles are a relevant and useful set of reminders as the census draws near:

1. Privacy measures should be proactive not reactive;
2. Privacy should be the default setting;
3. Privacy should be embedded into design;
4. Aim for full functionality – positive sum;
5. Ensure end-to-end information security;
6. Promote visibility and transparency of risks and solutions; and
7. Make sure systems are user-centric.
Social licence: A privacy-supportive model

Where the collection of personal information is compulsory, issues of trust and control become more critical. While Stats NZ has a legislative mandate to collect and use this information, it needs to build an equivalent public mandate; a social licence to use information for the benefit of the community.

Social licence describes a level of public comfort with a particular use of personal information. This comfort comes from trust that personal information will be used only as promised and acceptance that enough value will be created by that use.

The Data Futures Partnership[3] has identified a set of themes upon which it suggests that social licence can be built. These themes are components of transparency and they strongly mirror the information privacy principles.

Theme: Purpose (What will my information be used for?)
How privacy supports this:
• Collect only the information you need
• Tell people why you need it

Theme: Value (What are the benefits and to whom?)
How privacy supports this:
• Collect only the information you need
• Tell people why you need it

Theme: Use (Who will be using my information?)
How privacy supports this:
• Tell people why you need it
• Use it only for those purposes
• Limit access to those who need it

Theme: Control (Will my information be anonymous and could it be sold?)
How privacy supports this:
• Tell people who will have access to their information
• Ensure that it is protected
• Don't disclose it in an identifiable form
• Ensure that people can access their own information

Theme: Security (Is my information secure?)
How privacy supports this:
• Ensure that it is protected
• Ensure that it is accessed only for legitimate purposes
• Tell people about these steps

Using the information privacy principles and Privacy by Design principles as a benchmark for good personal information management, an agency can start to build social licence. Put another way, if an agency focuses on addressing the themes identified by the Data Futures Partnership, it will be less likely to fall foul of the Privacy Act.

[3] For more information on social licence, and the work of the Data Futures Partnership, go to www.datafutures.co.nz.
Current public perception: Is there social licence?

Privacy is now an important public expectation. The media closely observes the personal information management practices of public and private sector agencies. Poor practices by other public sector agencies have negatively impacted upon public perceptions of the sector as a whole. This creates challenges when attempting to build a social licence based on trust and control.

Public perceptions measured in the years prior to the ACC privacy breach would likely have indicated a stronger social licence than exists today. High profile breaches – including the recent publicity around MSD's demand for client level data from service providers – have shaken a general public assumption that personal information is in safe hands.

Further, the highly publicised failures during the 2016 Australian eCensus[4] (known more colloquially as #CensusFail) may negatively impact on the NZ public's perception of a digital-first census. The Australian experience may create caution among the NZ public that will need to be carefully managed. Stats NZ will benefit from the lessons learned from this incident, including the need to ensure that public communications are focused on the right privacy issues and are responsive and flexible.

Stats NZ has commissioned a number of surveys into public perception. A 2016 Colmar Brunton Use and Trust Survey[5] focused on public understanding of the use of information and of trust in the statistics themselves. While the survey revealed a general acceptance that statistics are important, it gave no indication of any understanding of value as against individual privacy. The survey tested participants' trust in the quality of the statistics Stats NZ released, not in Stats NZ as an agency.

A 2015 OPUS Survey on Public Attitudes to Data Integration[6] came closer to measuring public trust in Stats NZ and its information uses. This survey showed some public discomfort with the idea that personal information may be held in a single database and linked to identifiers. Access, use and security were key concerns and participants indicated that they would find data integration more acceptable if they were persuaded that it was useful, fair, accurate, representative and in the public interest.

While these surveys show a moderate level of understanding and engagement from the public in the function of Stats NZ and, to some extent, the need for good statistics, they are some way off establishing the existence of any social licence.

As will be explained below, there is good reason to trust Stats NZ. However, in view of the more general perceptions of public sector privacy practice, it is suggested that Stats NZ should assume a low level of social licence and target its practices at developing openness and transparency to show value, build trust and start to earn one.

[4] For a good outline of the eCensus failures and lessons learned, see Alistair MacGibbon's Review of the Events Surrounding the 2016 eCensus, 13 October 2016.
[5] http://www.stats.govt.nz/about_us/what-we-do/our-publications/use-trust-in-oss-2016.aspx.
[6] http://www.stats.govt.nz/browse_for_stats/snapshots-of-nz/integrated-data-infrastructure/keep-data-safe/public-attitudes-data-integration-2015.aspx.
Culture, governance and technical security oversight

A strong privacy culture

As part of this assessment, a cross section of Stats NZ and census staff were interviewed. These interviews served two purposes. Firstly, they facilitated the gathering of important information about the 2018 Census processes and procedures. Secondly, they allowed for an evaluation of general privacy culture and values within both the census team and Stats NZ more widely.

Overall, it was very clear that Stats NZ has a strong culture of privacy and confidentiality, borne out of a legislative framework that focuses on security but also out of a general appreciation of the value of data. No person interviewed questioned the importance of privacy or an independent privacy impact assessment. All had an appreciation of privacy concepts and showed a strong understanding of privacy considerations that went beyond technical security safeguards.

It was also very clear that senior census staff grasped the importance of good privacy practice to the success of the census. As a result of lessons learned from Australia's eCensus, and due to the wider culture that exists within Stats NZ, senior staff have expressed a clear desire to ensure that privacy receives proper attention at the right time.

That said, the technical knowledge many staff showed in respect of the particular privacy and security processes in place within their functional unit (for example, census data collection, data processing, or the development of data products and services) appeared in some cases to cloud a more general understanding of the bigger Stats NZ picture. Some work may be required to tie these processes together and ensure that all census staff understand the end goal, which must be to provide the public with a simple value and trust picture.

Recommendation 1: Provide all census staff with guidance on the high level privacy goals and values for 2018 Census and build an understanding of the way each team's processes, procedures and safeguards contribute to this.

Privacy governance structure and resourcing for census

Stats NZ has put effort into strengthening its strategic privacy oversight and governance. As part of this, Stats NZ has established an Information Privacy, Security and Confidentiality ('IPSaC') Governance Group and Working Group. The Governance Group is executive level (members include the Chief Privacy Officer, Deputy Chief Executive – Data Services, Chief Methodologist, Chief Digital Officer and Legal Counsel) and it directs the Working Group (composed of senior staff including the Privacy Officer) to manage the development of the privacy strategy and programme. IPSaC minutes are shared with the Executive Leadership Team after each meeting.

Some organisation-wide privacy resource is available, though this is limited. Privacy is overseen by Organisation, Strategy and Performance, which has a 0.6 full time equivalent dedicated resource (the Privacy Officer) to support the organisation's privacy practices. The privacy resource is small, particularly in view of the fact that Stats NZ is an organisation focused on the collection and use of information (including personal information). For this reason, the resource is limited in its ability to identify, manage and mitigate all privacy risks across the organisation.

This is made more challenging in relation to the 2018 Census because the census team is quite distinct from the rest of the organisation, with staff either engaged solely for this programme or seconded from other teams within the agency. This increases the risk of privacy gaps or weaknesses within census processes and makes it more difficult for Stats NZ's wider privacy resource to effectively ensure that privacy issues are being managed satisfactorily.

The census is particularly high risk from a privacy perspective and so it is important for the census team to ensure that privacy is adequately resourced, its internal privacy governance and accountability processes are strong and effective, and the team connects directly to Stats NZ's wider privacy risk and assurance processes. This should include sharing any preliminary PIAs (some of which are discussed below) with both the Privacy Officer and IPSaC Governance Group.

A real connection between the census team and Stats NZ's wider management of personal information will ensure consistency of approach and better oversight of privacy risks. It should also ensure that the many strong processes, procedures and safeguards being developed by various teams within census are consistent and clearly articulated to the public.

Recommendation 2: Create and document clear privacy roles and accountabilities within the census team, including a central role with overall privacy responsibility.

Recommendation 3: Encourage close collaboration between this documented privacy role and Stats NZ's Privacy Officer and ensure the Privacy Officer has the opportunity to contribute effectively as 2018 Census processes are finalised.

Recommendation 4: Ensure that the census team reports regularly to the IPSaC Governance Group and that census privacy is a standing item on the Governance Group agenda.

Technical security as a wider issue

Many of the risks presented by a 'digital-first' approach to the census relate to technical information security. The new information flows needed to facilitate digital engagement require the use of a range of technologies, platforms and information service providers. By outsourcing some functionality for the 2018 Census, Stats NZ is at risk of losing some control over the security of the personal information gathered.

Technical information security is an important part of the privacy framework. A mature agency has strong processes in place to ensure that the personal information it collects is safe and secure at all times. This is not a technical information security assessment but it does seek to provide some assurance that Stats NZ is taking a proactive approach to information security as part of the 2018 Census development.

Stats NZ has engaged the services of Deloitte's Cyber, Privacy and Resilience team to provide independent advice and guidance on implementing a secure, vigilant and resilient approach for the 2018 Census. Deloitte has a wide mandate to assist Stats NZ and is delivering a broad range of ongoing advisory and support services in this regard, including systems review, incident response simulations, controls assessments, and advice on the procurement of third party information and technology related services.

For the purposes of this assessment, Stats NZ is taking more than reasonable steps to ensure that it builds security into the technology and systems it uses to run the 2018 Census. The recommendations below are intended simply to ensure that the security and privacy processes support one another and that the value these processes add is made clear to the public.

Recommendation 5: Continuously revisit security safeguards as the census programme evolves, to ensure that they are facilitating good privacy practice.

Recommendation 6: Explain technical security safeguards to the public clearly and simply, to establish that the digital-first approach is good for privacy.
Collection:EnsuringvalueandmanagingriskThe2018Census focuseson increasingpublic engagement, creating efficiencies, and alsoimproving thequalityof informationgatheredbyStatsNZ.Theseare importantandvalidconsiderationsthatofferoverallbenefitstothecommunity.Further,thedigital-firstapproachhasthepotentialtobettersafeguardindividualprivacythanthe previous manual approach. Online information gathering removes many of the risksinherentinpaper-basedprocesses.Today’stechnologyallowsforeffectiveencryptionofdataatallpointsof theprocessandenablesaccesscontrols tobeput inplace tomanageuselimitations.Asnotedabove,thisisnotaninformationsecurityassessment.However,thisassessmenthastoucheduponthevarioussteps,processesandsystemsthecensusteamhasputinplaceoriscontemplatingtosafeguardpersonalinformationthroughoutthecensusinformationlifecycle.Whatinformation?AprocesstoensurevalueTheinformationStatsNZispermittedtocollectfromthepublicissetoutintheStatisticsAct.Section 4 of the Act lists the classes of official statistics. Section 24 of the Act lists theparticularstobecollectedatcensus.TheGovernmentStatisticianhasawidemandatetosetthe topics for any given census, provided that the information collected meets therequirementsofsection4oftheAct.Within these legislativeboundaries, StatsNZ followsa careful process toensure that anychangestothecensusarenecessaryandaddvalue.Thecensusmustchangefromtimetotime toensure that it is relevant and responsive to theparticular conditionsof the time.Otherwise, the information collected may not provide the insights needed to deliverimportantsocialandcommunitybenefits.StatsNZhasdevelopedaContentDeterminationFrameworkforthispurpose.Thisframeworkincludespublicconsultationandisdesignedtoensurethatanyneworalteredcensuscontentiscarefullyconsidered.Fromaprivacyperspective,thisprocessisimportantbecauseit:
• focuses on purpose and value, by requiring Stats NZ to establish the relevance of questions and the benefits these questions will deliver;
• encourages Stats NZ to exercise its legislative mandate responsibly and reasonably; and
• focuses Stats NZ on individual experience, by requiring a consideration of the impact a question might have on the respondent’s impression of intrusiveness.
In the case of the 2018 Census, Stats NZ is coming to the end of the content determination process. It has applied the Content Determination Framework and is taking care to ensure that new content meets requirements.[7]

Preliminary PIAs into census processes and systems

As part of the census test conducted earlier in 2017, Stats NZ completed a number of internal preliminary PIAs with respect to individual processes, platforms or systems. These preliminary PIAs were intended to identify potential privacy risks early on. In each case, these assessments recommended whether a full PIA would be required. The processes, platforms and systems assessed to date include:
1. Workload Creation and Allocation Tool (using a tool to create and allocate work during address canvassing)
2. Respondent Facing Contact Centre (using a third party service provider to manage an expected increase in contacts from census respondents)
3. Contact Centre Homeworkers (using a mixed on and offsite worker model for contact centre operations)
4. EPIC system for census processing (using software, tools and systems provided by EPIC for processing census data)
5. Internet Collection System (using a third party service provider to manage the collection and storage of online census responses)
6. Census Onboarding (managing the recruitment and day-to-day operations of census field staff)
7. Post-Enumeration Survey (collecting personal information after census to measure the accuracy of people and dwelling counts)
8. Census Test Information Website (creating a separate census.govt.nz website)

For the most part, these preliminary assessments are comprehensive and well-considered. They follow a good structure, which ensures that key information flows are mapped and risks assessed. Stats NZ has explained that these are living documents. They will inform the development of final 2018 Census processes, platforms and systems, and will be amended as required to ensure that they remain up to date and relevant.

This is a positive step to take, and is evidence of the census team’s overall concern about privacy and security (as noted above). The census team must ensure, however, that these preliminary assessments are consistently shared with the Privacy Officer and IPSaC Governance Group, and are not treated solely as a compliance exercise.
[7] For more information on the status of the 2018 Census content review, go to http://www.stats.govt.nz/Census/2018-census/prelim-content.aspx.
Specific comments on preliminary PIAs

The EPIC processing system will collate and process census data (that is, the personal information people provide in their census responses) and so is a major part of 2018 Census delivery. The following comments are made about the preliminary PIA:
• The PIA notes that operational information about dwelling occupancy and respondent behaviour will be incorporated into EPIC to assist with determining census completion. However, as noted below, the census team stated during interview that this operational information would be stored only in the CRM system and not integrated with any other information systems. This apparent inconsistency should be investigated to ensure it raises no risks – or public perception – of inappropriate use.
• The PIA rated public impact as medium. However, due to inherent sensitivities around the move to a digital-first census, and the importance of the information processing system to the security, accuracy and ultimate use of census information, it is recommended that public impact be rated as high.
• Overall, the PIA rated risks as either medium or high but recommended that a full PIA was not required. It is recommended that such a risk rating would warrant the completion of a full PIA in respect of the system, particularly in view of the potential public impact of poorly managed risks.
Recommendation 7: Revisit the decision not to undertake a full PIA on the EPIC processing system and consider rating the public impact of this system as high.

Recommendation 8: Ensure controls are in place to manage any perception that operational information incorporated into EPIC may be used for statistical or research purposes.

The Post-Enumeration Survey (‘PES’) PIA rightly highlighted the risk that information about census completion might be used for purposes other than measuring census coverage. This preliminary PIA has suggested that any uses of PES information that go beyond measuring census coverage must be subject to a further PIA. This suggestion is supported.
The Internet Collection System (‘ICS’) is a major part of 2018 Census delivery. As with the processing system, a failure in the ICS during the census could have a major impact on public confidence (noting, for example, the Australian eCensus experience). The preliminary PIA into the ICS rightly identified public impact as high but recommended that a full PIA was not required. On balance, this outcome is supported on the basis that the major risks presented by the ICS relate to the security and integrity of the system, rather than the way personal information is used. The ICS service provider has outlined to Stats NZ the measures it will take to ensure that ICS security requirements will be met.

Practical privacy protections during the census

As with previous censuses, temporary field staff are engaged to manage the practical information gathering process before, during and after the census. The digital-first approach means fewer staff will be required in 2018. However, the 2018 Census will still require the
collection, retention and use of personal information about dwelling occupants in order to manage the process. This information is distinct from the census responses and so raises different privacy issues. Information could include reports about occupant behaviour or safety concerns that may impact on other field officers or affect decisions about soliciting responses from a particular dwelling. The census team has taken the following steps with respect to this part of the process:
• Field officers use tablets to record information about dwellings and occupants. These tablets are password protected.
• Operational information is retained in a CRM system and is not integrated with statistical information nor used by Stats NZ for statistical or research purposes (although, note recommendation 8 above).
• Where possible, field officers are not provided with individual names. Rather, the process is operated at the dwelling level. Incidents or concerns with a particular dwelling tend not to be linked to a particular individual.
• Field officers are provided with face-to-face and online privacy training to ensure that they understand Stats NZ’s wider privacy expectations.
• Field officers are required to sign a declaration of secrecy.

These are positive steps, which taken together should effectively mitigate many of the privacy risks created by a large scale information gathering exercise such as census. Having a presence in the field also provides Stats NZ with a unique opportunity to engage with respondents and reiterate privacy and trust messages. As will be discussed in more detail below, it is critical that field officers are equipped to do this in a consistent and meaningful way.

Data breach response plan

The 2016 Australian eCensus is a good reminder that things can go wrong. It is impossible to entirely negate the risk of data breach and it would be unreasonable to expect an agency to do so. For this reason, it is critical for Stats NZ to have a strong data breach management plan in place before, during and after the census, that includes clear escalation paths, reporting and communications processes.

Stats NZ has developed an agency-wide incident management plan that directs how staff should report and manage a security, privacy or confidentiality incident, or a near miss. The plan sets out an escalation path and guides staff through a process of reporting, containment and notification. The plan also ensures that a number of governance layers are involved in the management of the incident.
• Staff – Attempt immediate containment of the incident and report to security and privacy staff and their manager.
• Manager – Immediately review the incident and determine if further containment is required. Ensure the incident has been recorded in the incident log.
• Security and Privacy – Act as first point of contact and advise the business. Evaluate level of risk. Start prevention process.
• Triage team – Assist with determining notification and communications, including to affected individuals, the National Cyber Security Centre and the Privacy Commissioner.
The census team recognises that strong communication is a critical part of managing a data breach. The team has developed a Crisis Communications Approach designed to ensure that any crisis – relating to people, systems or data – is managed quickly and openly. The team has taken a centralised approach, to ensure that any response is targeted and coordinated. It identifies three key phases:
• Alert – Senior Manager, Communications and Marketing. The crisis communications team will then schedule a meeting to begin managing the crisis.
• Gather – Relevant information to confirm the situation and timeframes for response.
• Respond – Coordinated communications will be developed, reviewed and adjusted as required, until the crisis is resolved.

It is very sensible to ensure that the 2018 Census takes a consistent and coordinated approach to managing a data breach. As we have learned from the Australian eCensus failures, communication is a critical part of an effective data breach response plan. However, the Crisis Communications Approach focuses only on this part of the process. It will be important to ensure that the 2018 Census data breach response plan links clearly and effectively to Stats NZ’s wider incident management process. Once a crisis, or incident, has been identified as involving personal information, it is important that privacy and security staff are involved and have input into the decision to notify (or not) and the nature of the communications that follow this decision.

A central theme of this assessment is the need to put the individual at the heart of census processes. The data breach response plan must reflect this too. Stats NZ’s wider incident management process ensures that the right stakeholders are notified. These stakeholders can assist the census team to focus on the individuals and effectively assess the likelihood of harm. They can also assist the census team to take effective steps to mitigate harm and manage any negative public perceptions caused by a breach.

Recommendation 9: Link the census crisis communication approach to Stats NZ’s wider incident management process and involve key privacy and security staff in the risk assessment, mitigation and notification stages of the process.
Use and processing: Limitations to increase control

2018 Census data forms a small part of the personal information Stats NZ routinely collects for statistical and research purposes. Census data is used by the agency in various ways to develop better statistical products that can deliver meaningful insights to drive better social and community outcomes.[8]

A key part of Stats NZ’s overall privacy and security framework is its ability to effectively ensure that the personal information it collects – including census data – is accessed and used only for legitimate statistical and research purposes. Getting this right is critical to building trust and ensuring that the public has some sense of control over the way their personal information will be used and protected.

Stats NZ excels in this area. It has developed agency-wide processes to ensure that personal information is de-identified before it is accessed and used. Recognising that even de-identified personal information can identify individuals in some circumstances, Stats NZ takes further steps to “confidentialise” personal information before it is incorporated into statistical products or aggregated to provide statistical insights.

In addition, Stats NZ’s systems and platforms include complex access controls that ensure only staff who need to see personal information before it is de-identified can do so. These processing and linking environments provide a safe platform for effectively linking the various datasets used to create statistical products and insights.

These processes go to the heart of Stats NZ’s operations. They are elaborate and intelligent processes run by data scientists with expertise in understanding how best to ensure that risks of re-identification and unauthorised access are minimised.

Integration with the IDI

The IDI was introduced briefly above. Put simply, it is a database designed to facilitate effective data integration.
The IDI pulls together a series of de-identified datasets from government agencies and NGOs[9] (this data is referred to as “administrative information”) and integrates these datasets with census data from 2013 and, shortly, the data collected in 2018. Researchers can then apply to access the de-identified data in the IDI, under strict conditions outlined below, for statistical and research purposes.

While integration with the IDI is not the only use to which 2018 Census data will be put,[10] it is a significant one. Data integration is viewed with some caution by the public, as noted above. Without strong controls around information linking, access and use, data integration
[8] For examples of the products and services Stats NZ developed with 2013 Census data, go to http://www.stats.govt.nz/Census/2013-census.aspx.
[9] For a full list of IDI information sources, go to http://www.stats.govt.nz/browse_for_stats/snapshots-of-nz/integrated-data-infrastructure/idi-data/idi-data-overview.aspx.
[10] See note 8, above.
could present significant privacy risks, particularly if identifiable information about individuals was accessible to the public or to other government departments.

Stats NZ’s IDI team has approached data integration with care and consideration. Data Integration Guidelines,[11] which include a set of data integration principles (public benefit, use limitation, openness, and no integration where a promise has been made not to), have informed all IDI risk assessments. A number of complex PIAs have been completed into the IDI generally and as each new dataset has been considered for inclusion in the IDI. These PIAs are all publicly available.[12]

Integration for processing census data

Stats NZ is building a new infrastructure for the processing of 2018 Census data (referred to above as the EPIC processing system). In many respects, the processing of census data will be similar to previous censuses. The information security considerations with respect to this system are beyond the scope of this assessment and are, in any event, being addressed elsewhere.

However, the new infrastructure does facilitate a new use of personal information already held by Stats NZ, for the purpose of improving the quality of 2018 Census data. The processing system will link to the IDI and use administrative information to improve the overall input from the census. The system fills gaps in census responses and cleanses information collected during the census.

Section 37(1) of the Statistics Act states that information provided to Stats NZ can only be used for statistical purposes. Principle 10 of the Privacy Act takes a similar approach. It states that personal information should only be used for the purposes for which it was collected.

Here, Stats NZ is proposing to use administrative information collected from government departments to improve 2018 Census data. This is being done for the purpose of improving the quality and linking of census data, and for the ultimate purpose of providing better statistical insights and research outcomes.

The proposed improvements are, therefore, consistent with Stats NZ’s overall purposes and with the limitation contained in its own Act. However, this change may nonetheless come as a surprise to the public. For this reason,
it is recommended that this change be explained clearly to the public in any privacy messaging created for the census. This recommendation will be revisited below.

Recommendation 10: Notify the public that administrative data held in the Integrated Data Infrastructure (‘IDI’) will be used to improve the quality of census data and explain the overall value of this data use.
[11] http://www.stats.govt.nz/about_us/legisln-policies-protocols/data-integration-gdlns.aspx.
[12] For a full list of the IDI PIAs, go to http://www.stats.govt.nz/browse_for_stats/snapshots-of-nz/integrated-data-infrastructure/keep-data-safe/privacy-impact-assessments.aspx.
Integration for developing better statistics

2018 Census data will also be integrated into the IDI and linked with 2013 Census data and administrative information datasets. It is clear that such integration also fits within Stats NZ’s overall use limitations. The purpose of this integration is to improve Stats NZ’s ability to develop meaningful and relevant statistical products and insights. The value is easy to understand.

However, to effectively link the 2018 Census data with information already held in the IDI, Stats NZ must retain and use a number of identifiers. In particular, Stats NZ proposes to retain individual names and addresses to match information within the IDI. This is not new. Names and addresses have been used within the IDI for some time to ensure that the information is accurate.

The Privacy Act permits an agency to retain personal information for as long as it is needed for a lawful purpose. Both the Privacy Act and the Statistics Act permit the retention and use of names and addresses to facilitate Stats NZ’s wider purposes.

However, this may impact on public perceptions of census anonymity and control. It is important therefore to clarify that names and addresses are only used within the processing and linking environments. Stats NZ processes (which are outlined below) ensure that it is not possible for statistical products to reveal personal information that might identify a particular individual.

It is recommended that the retention and use of names and addresses within the secure processing and linking environments be made clear to the public at the outset. This recommendation will be revisited below.

Recommendation 11: Notify the public that names and addresses are retained and used within the IDI’s secure processing and linking environments to match information and explain the value of this data use.
Stats NZ’s access, de-identification and confidentiality processes

Stats NZ’s core operational model is focused on responsible and legitimate access to and use of personal information. The processes it uses ensure that the risk of identification of individuals is minimised while permitting the effective analysis, aggregation and use of personal information for statistical and research purposes.

Stats NZ achieves this by applying the 5 safes framework. This framework is supported by technical security safeguards and audit and assurance processes to ensure that it is adhered to.
1. Safe data – Personal information is de-identified by removal of all unencrypted unique identifiers and identifiable information such as names and date of birth.[13]
2. Safe settings – Only staff who need to see identifiable personal information for processing or linking purposes have access to secure linking environments. Once de-identified, personal information can only be accessed by researchers through a secure Data Lab. Researchers can only access information relevant to their research.
3. Safe people – Those accessing personal information must sign a declaration of secrecy and pass reference checks. Researchers must also sign a research undertaking and understand and follow Stats NZ’s rules and protocols.
4. Safe projects – To access the IDI, researchers must establish that their projects have a statistical purpose and are in the public interest.
5. Safe outputs – Personal information is further “confidentialised”. Before being disclosed to the public (that is, outside the IDI and Data Lab environment) as part of Stats NZ’s wider products, the statistical outputs must be run through a further process to ensure that individuals cannot be identified from the information.
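As an added illustration (not Stats NZ’s code, and not its published de-identification or confidentiality rules), the Python below shows the “safe data” and “safe outputs” steps in miniature: direct identifiers are replaced by a keyed pseudonym that only the linking environment can reproduce, the rows are aggregated into a frequency table, and a small-cell suppression rule is applied before release, because a cell with a count of one is still a single identifiable person even after names are removed. The sample records, the linking key and the suppression threshold are constructed assumptions.

```python
"""Illustrative 'safe data' and 'safe outputs' steps: de-identify unit
records, aggregate them, and suppress small cells before release.
Added example; the records, key and threshold are constructed, and the
suppression rule is an assumption rather than Stats NZ's actual rules."""
import hashlib
import hmac
from collections import Counter

# Constructed sample records (fictional people, not census data).
RECORDS = [
    {"name": "Ann Lee",  "dob": "1980-02-01", "address": "1 Aroha St",  "region": "Northland", "age_band": "30-49", "tenure": "owner"},
    {"name": "Bob Ng",   "dob": "1975-06-12", "address": "2 Aroha St",  "region": "Northland", "age_band": "30-49", "tenure": "owner"},
    {"name": "Cai Wu",   "dob": "1990-09-30", "address": "9 Kowhai Rd", "region": "Northland", "age_band": "30-49", "tenure": "renter"},
    {"name": "Dee Roy",  "dob": "1962-11-05", "address": "4 Tui Ave",   "region": "Otago",     "age_band": "50-69", "tenure": "owner"},
    {"name": "Eve Kerr", "dob": "1965-01-19", "address": "5 Tui Ave",   "region": "Otago",     "age_band": "50-69", "tenure": "owner"},
    {"name": "Fay Ott",  "dob": "1968-03-22", "address": "6 Tui Ave",   "region": "Otago",     "age_band": "50-69", "tenure": "owner"},
    {"name": "Gus Pym",  "dob": "1995-07-07", "address": "7 Rata Pl",   "region": "Otago",     "age_band": "18-29", "tenure": "renter"},
]

# Fields that directly identify a person and must not leave the linking environment.
DIRECT_IDENTIFIERS = ("name", "dob", "address")
# Assumed: the HMAC key is held only inside the secure linking environment,
# so nobody outside it can recompute or reverse the pseudonym.
LINKING_KEY = b"constructed-demo-key-not-real"


def linking_id(record: dict, key: bytes = LINKING_KEY) -> str:
    """Keyed pseudonym derived from the direct identifiers, so de-identified
    rows can still be linked across datasets without exposing the identifiers."""
    material = "|".join(record[f] for f in DIRECT_IDENTIFIERS).encode()
    return hmac.new(key, material, hashlib.sha256).hexdigest()[:16]


def de_identify(records: list[dict]) -> list[dict]:
    """Safe data: strip direct identifiers, keep only a keyed pseudonym."""
    out = []
    for r in records:
        row = {k: v for k, v in r.items() if k not in DIRECT_IDENTIFIERS}
        row["uid"] = linking_id(r)
        out.append(row)
    return out


def cross_tab(rows: list[dict], dims: tuple[str, ...]) -> dict[tuple, int]:
    """Aggregate de-identified rows into a frequency table over the given dimensions."""
    return dict(Counter(tuple(row[d] for d in dims) for row in rows))


def unsafe_cells(table: dict[tuple, int], threshold: int) -> list[tuple]:
    """Cells whose count is below the threshold. Each one is a re-identification
    risk: the only renter in a region/age band is one person, name or no name."""
    return sorted(k for k, n in table.items() if 0 < n < threshold)


def confidentialise(table: dict[tuple, int], threshold: int = 3) -> dict[tuple, object]:
    """Safe outputs (illustrative rule): suppress small cells before public release."""
    return {k: ("suppressed" if 0 < n < threshold else n) for k, n in table.items()}


def release(records: list[dict], dims: tuple[str, ...], threshold: int = 3) -> dict[tuple, object]:
    """Full pipeline: de-identify, aggregate, then confidentialise. Refuses to
    proceed if any direct identifier survived de-identification."""
    rows = de_identify(records)
    if any(f in row for row in rows for f in DIRECT_IDENTIFIERS):
        raise ValueError("direct identifier present in de-identified rows")
    return confidentialise(cross_tab(rows, dims), threshold)


if __name__ == "__main__":
    dims = ("region", "age_band", "tenure")
    raw = cross_tab(de_identify(RECORDS), dims)
    print("cells below threshold:", unsafe_cells(raw, 3))
    for cell, value in sorted(release(RECORDS, dims).items()):
        print(cell, value)
```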
Stats NZ’s processes allow for the controlled release of de-identified information within a secure and carefully protected research environment, and the public release of confidentialised information. As the settings, people and project controls are reduced, the safeguards around the data itself are increased, thereby permitting a wider audience to benefit from statistical insights.

These processes effectively ensure that personal information gathered by Stats NZ – whether from a census or from another source – is protected. They allow Stats NZ to provide meaningful reassurances to the public that personal information is accessed and used only for legitimate statistical and research purposes. It is to this topic, to openness and transparency, that the assessment now turns.
[13] For more information about Stats NZ’s de-identification process, go to http://www.stats.govt.nz/browse_for_stats/snapshots-of-nz/integrated-data-infrastructure/idi-data/de-identified-data.aspx.
Openness and transparency: Communicating to build trust

Openness and transparency have been a prevailing theme in this assessment. Stats NZ has developed very strong and sound processes and controls to protect personal information but these are not going to build trust if they are not known to the people they are intended to protect.

The census privacy story is about more than compliance with the Privacy Act. This is Stats NZ’s opportunity to manage public perception and quell any misunderstandings about the way personal information collected during the census is used. It is an opportunity to tell the public that there are legitimate and valuable reasons for using personal information to better link and improve statistics. It is the opportunity to show value.

Stats NZ embraces transparency about its practices. Its willingness to make policies, processes, risk assessments and other key privacy materials public sets it apart from other public and private sector organisations and sets a benchmark for others to follow. Stats NZ’s website contains a wealth of information about the way Stats NZ manages personal information, from its governance structure and high level privacy policy and expectations to its complex physical, technical and procedural safeguards for ensuring that personal information is protected. There is a significant amount of detailed information available to the public, should they wish to access it.

Existing communications

The Stats NZ website provides the public with access to information about its general privacy policies and procedures,[14] and the privacy and security steps in place with respect to the IDI.[15]

Privacy general – Stats NZ provides individuals with an overview of its approach to privacy compliance, along with detailed policy documents that outline in depth the privacy, security and confidentiality processes.
The overview is plain English and clear. However, as noted above, this information is general and has wide application.

IDI – Similarly, Stats NZ provides specific privacy messaging in respect of the IDI, recognising that data integration raises particular concerns for the public. As with the general privacy content, an overview of IDI privacy and security is given, along with more detailed links to processes and procedures, including the de-identification and confidentiality processes. The wider IDI content also includes an explanation of the datasets involved and the value they add. It should be noted that the messaging frames privacy primarily in terms of information security (“How we keep IDI data safe”). It is suggested that the datasets collected and the value these add should also be framed as key privacy messages.
[14] http://www.stats.govt.nz/about_us/legisln-policies-protocols/confidentiality-of-info-supplied-to-snz.aspx.
[15] http://www.stats.govt.nz/browse_for_stats/snapshots-of-nz/integrated-data-infrastructure/keep-data-safe.aspx.
2018 Census – At this point, no information has been provided to the public in respect of the 2018 Census privacy processes and procedures, in large part because many of these are still in development. The census team did develop a set of privacy messages as part of the 2017 census test. These provide a good starting point to develop a census privacy story but should be complemented by something more holistic which focuses on the full information lifecycle. It should be noted that these messages are focused largely on technical security issues and do not provide an overall value and trust message.

2018 Census key messages

During the census, Stats NZ targets every New Zealander. All people are asked to engage with Stats NZ at this point, regardless of knowledge, literacy or sophistication of privacy awareness. Being requested to provide detailed personal information to a government agency can make people feel uncomfortable and it is unlikely most individuals will take the time to study Stats NZ’s website to find the information they need to get a full understanding of the census information lifecycle and the reasons they should trust Stats NZ at census time.

For this reason, it is critical that the census team develops a census privacy story that is clear and simple and aimed at the wider population, not just those with the capacity, knowledge and understanding to engage with detailed technical documents. This story should:
1. be clearly census-focused but branded in a way that connects directly with Stats NZ;
2. very simply outline the census information lifecycle, from collection online or in hard copy through to sharing either within IDI or as part of other products or insights;
3. provide a compelling value proposition to ensure that people quickly understand why they should provide their information and how this will benefit the community;
4. provide clear notice to the public about key issues that may impact on public perception, including the retention and use of names and addresses and integration with the IDI, and explain that this is legitimate and adds value;
5. promote the privacy and security benefits of a digital census and provide quick and simple reassurances in respect of technical security standards in place;
6. show transparency about the use of third party information service providers, including cloud service providers, and link to any risk assessments undertaken into these providers; and
7. very simply outline the internal processes in place to ensure that access and use limitations can be trusted.
These messages support the themes that have been identified as critical to building social licence. It is in this openness and transparency space that Stats NZ can effectively start to create and build a public mandate for census, data integration and the work of Stats NZ more generally.
It is suggested therefore that the census privacy messaging be structured in a way that meets both privacy compliance and social licence goals:
Social licence themes, with the privacy messaging that answers each:

Purpose and value – Why is my information being collected, and who does this collection benefit?
• What personal information is being collected?
• Why is this information important to Stats NZ, and to New Zealand more generally?
• What value will be added by data integration?
• What value will be added by retaining names and addresses?

Use and control – Who will be accessing and using my information and in what ways?
• Who will have access to the information, and in what forms?
• How will the information be used, and how will Stats NZ ensure that this is always the case?
• What will not happen with the information?

Security – Is my information secure?
• How is information protected during the census?
• How is information protected within Stats NZ?
• How are physical and process safeguards bolstered by technical safeguards?
• What will happen if there is a data breach?
Recommendation 12: Develop a clear and simple census privacy story that is structured to provide key privacy messages to the public and contribute to the building of social licence.

Where and how to deliver them

Simplicity and consistency are key to delivering one clear message to the public about the 2018 Census. People should be directed to one place to be provided with the key messages they need to feel comfortable. The publication of detailed process documents, PIAs or other technical information, while commendable, will not achieve this purpose and risks confusing the public and obscuring the key messages they need to understand.

It is recommended that the census team should aim to tell one story, in one place, that leads respondents through the key messages of purpose and value, use and control, and security. This story can link to more detailed technical documents, whether processes, procedures or PIAs, but should stand alone and give respondents enough information to understand and trust the process.
All census channels – whether field staff, contact centre staff or online content – should talk from the same simple script.

It is also recommended that this privacy story be told well in advance of the census. This will give the team the time needed to build confidence and revise its communications plans to ensure that the public’s needs are met. By the time of the census, the benefits of a digital-first approach should be accepted.

Recommendation 13: Make the census privacy story easily accessible and standalone and ensure that all channels connect to these key messages.

Recommendation 14: Tell the census privacy story well in advance of census, to build confidence in the digital-first approach and provide the time needed to revise communications to meet public needs or changing expectations.
Conclusion

The 2018 Census is in good hands. The essential ingredients are in place to ensure that the 2018 Census can maximise the benefits of digital engagement and extract real value from data while recognising the person at the centre of it all. By taking a few steps to make sure that the many census processes and procedures link effectively with Stats NZ’s wider privacy framework, the census team can meaningfully and honestly tell the public their personal information is in safe hands.

This census privacy story is key to building trust and confidence in the 2018 Census and in Stats NZ more widely. People need to understand and accept that concerns about value, use, control and security are recognised and taken care of. This story must demonstrate to the public that Stats NZ has considered whether it can collect personal information, considered whether it should collect personal information, ensured information collection and use can be done safely, and been as open and transparent as it can with the public.
With an understanding of the value of personal information and a clear picture of the ways Stats NZ ensures this information is used only for the benefit of the community, the public can and will wholeheartedly engage in the census process.
Appendix 1: Information gathering

The following individuals were interviewed as part of this PIA:
• Teresa Dickinson, Deputy Government Statistician, Insights and Statistics
• Denise McGregor, General Manager 2018 Census
• Richard Stokes, Senior Manager, Communications and Marketing (2018 Census)
• Nancy Linton, Senior Adviser Communications (2018 Census)
• Sarah Johnson, Manager, Census Programme Design and Integration
• Lyndsey Whelan, Manager, 2018 Census Processing and Evaluations
• Giles Reid, Senior Analyst, Processing and Evaluations
• Rory Sarten, Statistical Analyst, Processing and Evaluations
• Alan Bailey, Senior Manager, 2018 Census Field Operations
• Alex Bayley, Senior Manager, 2018 Census Respondent Focus
• Glenn Letts, Project Manager, Channels, Statistics, and Enabling Infrastructure
• Victoria Treliving, Manager, 2018 Census Products and Services
• Kelley Reeve, Senior Manager, Data Futures Partnership
• Heather Jones, Senior Advisor, Strategy, Performance and Privacy (Privacy Officer)
• Tim Henwood, Senior Advisor, Strategy and Development, Data Services
• Anna McDowell, Manager, Integrated Data Infrastructure (IDI)
• Yolandi de Beer, Statistical Analyst, Integrated Data
• Gareth Meech, Senior Manager, Customer Focus (2018 Census)
• Anu Nayar, Partner, National Leader – Cyber, Privacy and Resilience, Deloitte
The following key documents were examined as part of this PIA:
• 2018 Census Design Principles (April 2017)
• OPUS Survey into Public Attitudes to Data Integration (2015)
• Colmar Brunton Use and Trust Survey (June 2016)
• Integrated Data Infrastructure PIA Overarching Document v10 (2017)
• PIA for the Integrated Data Infrastructure (2012)
• Integrated Data Infrastructure extension PIA Fourth Edition (2016)
• Full set of PIAs and other assessment documentation in respect of Census Test
• Full set of existing and contemplated external communications
• Stats NZ privacy guidelines, processes and policies
• Stats NZ De-identification and Confidentiality rules
• 2018 Census Content Determination Framework
• 2018 Census Crisis Communications Approach
• Stats NZ Annual Agency Self-Assessment Report to GCPO (2017)