2018 Census: Independent Privacy Impact Assessment

7 July 2017

By Daimhin Warner, Director (Auckland), Simply Privacy Ltd

An independent assessment: putting the individual at the centre of the 2018 Census (Control, Privacy, Trust)




Table of contents

Key messages
Executive summary
Introduction
  What is a PIA?
  How was this PIA completed?
  What is Simply Privacy?
2018 Census: Digital-first
The wider environment and context
  Statistics Act: Providing a strong legal framework for census
  Privacy Act: A roadmap for good privacy practice
  Social licence: A privacy-supportive model
  Current public perception: Is there social licence?
Culture, governance and technical security oversight
  A strong privacy culture
  Privacy governance structure and resourcing for census
  Technical security as a wider issue
Collection: Ensuring value and managing risk
  What information? A process to ensure value
  Preliminary PIAs into census processes and systems
  Practical privacy protections during the census
  Data breach response plan
Use and processing: Limitations to increase control
  Integration with the IDI
  Stats NZ's access, de-identification and confidentiality processes
Openness and transparency: Communicating to build trust
  Existing communications
  2018 Census key messages
  Where and how to deliver them
Conclusion
Appendix 1: Information gathering


Key messages

• Census can link to strong agency-wide privacy governance and oversight mechanisms, ensuring that census data is protected during its entire lifecycle.

• Stats NZ recognises the value of data as an asset worth protecting.

• Stats NZ is committed to ensuring that personal information is used only for statistical and research purposes.

• A 'digital-first' census can deliver both privacy protection and a more efficient process.

• Census processes ensure only personal information that adds social and community value is collected.

• Census can build public trust and 'social licence' by telling its positive privacy story.

• Stats NZ has a culture of confidentiality which creates a foundation for safe and secure privacy practices.


Executive summary

The census isn't just about data, or statistics, or intelligence. It's about people. It involves asking people to tell a government agency about themselves. It requires people to relinquish some control by entrusting often sensitive personal information to Stats NZ.

Stats NZ has expertise in data science. It can analyse, aggregate and extract insights from data with great skill, but this assessment focuses on the extent to which Stats NZ recognises that this data is about people with privacy rights and expectations.

The assessment concludes that Stats NZ has a very clear picture of the person at the centre of the census. There is a strong culture of confidentiality within the organisation as a result of a well-established legislative framework that both facilitates personal information collection and use, and mandates a business model that treats personal information with care and respect. Stats NZ recognises the value of data as an asset and this informs its practices.

This assessment reviews the key processes, procedures and safeguards the census team has put in place, or is contemplating, to ensure that privacy remains a central theme in its planning and operations. The recommendations made in this assessment are aimed at ensuring that there is consistency between the census team and Stats NZ more generally, that privacy governance and oversight within the census team is sufficient and, most importantly, that the public knows about the good work being done to ensure that the 2018 Census is a privacy success.

The following recommendations are made:

1. Provide all census staff with guidance on the high level privacy goals and values for 2018 Census and build an understanding of the way each team's processes, procedures and safeguards contribute to this.

2. Create and document clear privacy roles and accountabilities within the census team, including a central role with overall privacy responsibility.

3. Encourage close collaboration between this documented privacy role and Stats NZ's Privacy Officer and ensure the Privacy Officer has the opportunity to contribute effectively as 2018 Census processes are finalised.

4. Ensure that the census team reports regularly to the IPSaC Governance Group and that census privacy is a standing item on the Governance Group agenda.

5. Continuously revisit security safeguards as the census programme evolves, to ensure that they are facilitating good privacy practice.

6. Explain technical security safeguards to the public clearly and simply, to establish that the digital-first approach is good for privacy.

7. Revisit the decision not to undertake a full PIA on the EPIC processing system and consider rating the public impact of this system as high.


8. Ensure controls are in place to manage any perception that operational information incorporated into EPIC may be used for statistical or research purposes.

9. Link the census crisis communication approach to Stats NZ's wider incident management process and involve key privacy and security staff in the risk assessment, mitigation and notification stages of the process.

10. Notify the public that administrative data held in the Integrated Data Infrastructure ('IDI') will be used to improve the quality of census data and explain the overall value of this data use.

11. Notify the public that names and addresses are retained and used within the IDI's secure processing and linking environments to match information and explain the value of this data use.

12. Develop a clear and simple census privacy story that is structured to provide key privacy messages to the public and contribute to the building of social licence.[1]

13. Make the census privacy story easily accessible and standalone and ensure that all channels connect to these key messages.

14. Tell the census privacy story well in advance of census, to build confidence in the digital-first approach and provide the time needed to revise communications to meet public needs or changing expectations.

[1] Social licence describes a level of public comfort with a particular use of personal information. This comfort comes from trust that personal information will be used only as promised and acceptance that enough value will be created by that use. It is discussed further below.


Introduction

This is an independent privacy impact assessment ('PIA') into the 2018 Census.

The census is a major public touchpoint for Stats NZ. It is a moment at which the agency engages extensively with the public and gathers personal information for statistical and research use. The census isn't just about data, or statistics, or intelligence. It's about people. It involves asking people to tell a government agency about themselves. It requires people to relinquish some control by entrusting often sensitive personal information to Stats NZ.

The 2018 Census is 'digital-first'. Unlike previous censuses, it will focus on digital engagement, encouraging respondents to complete the census online. This is positive for the NZ public. The digital-first approach (which also extends to the processing system and the management of workloads for field staff) is expected to reduce cost, increase engagement and deliver better information for research. However, these benefits cannot be achieved at the expense of individual privacy. Privacy must be built into the 2018 Census from the outset. This PIA is a part of that process.

Stats NZ has expertise in data science. It can analyse, aggregate and extract insights from data with great skill, but this assessment focuses on the extent to which Stats NZ recognises that this data is about people with privacy rights and expectations. The assessment concludes that Stats NZ has a very clear picture of the person at the centre of the census and makes recommendations intended to ensure that this is demonstrated effectively to the public.

What is a PIA?

A PIA examines a change, project or proposal to evaluate how, and to what extent, it might impact on individual privacy. The PIA process is about designing privacy into changes, to ensure that risks are identified early and processes, products and safeguards are designed with privacy in mind from the outset. It's about setting the right course.

This assessment focuses on a number of key issues that are unique to the census. It does not confine itself to the Privacy Act or the information privacy principles but considers the 2018 Census within a wider context, taking into account the legislative framework, the current environment, public perception, and social licence themes.

It is Stats NZ's intention to make this PIA available to the public. This is a commendable approach to take and shows a real commitment to accountability.

This is not a review of Stats NZ's technical information security. While information security is an important part of the overall privacy framework, it is a specialised part that requires separate and detailed consideration by information security experts. Stats NZ has engaged the services of Deloitte to assess these risks for the 2018 Census.


How was this PIA completed?

An independent PIA provides a fresh and impartial view over a process or set of processes that may have become business as usual to the agency itself. It is not affected by preconceptions or assumptions and should assist the agency to "see the wood for the trees".

In undertaking this PIA, key census staff and teams were interviewed, with a view to understanding the governance structure, census processes, safeguards and controls either in place or contemplated. A significant document review has also been conducted, including internal process and policy documents, system outlines and diagrams, internal privacy impact assessments and external communications and other key materials. A full list of interviews conducted and materials reviewed is attached at Appendix 1.

What is Simply Privacy?

Simply Privacy Ltd is a consultancy which provides privacy strategy, programme and consultancy services to public and private sector agencies. Simply Privacy's directors have a combined 20 years of privacy experience, including in senior roles with the Office of the Privacy Commissioner, and have provided PIA and other assessment services to numerous agencies and on varied projects and processes.

In preparing this PIA, Simply Privacy has relied upon information, statements and representations provided to it by Stats NZ. Simply Privacy provides no warranty of completeness, accuracy or reliability in relation to this information, these statements or these representations.


2018 Census: Digital-first

At a high level, 2018 Census is no different from any other census and it is important for the public and stakeholders to appreciate this. Stats NZ has run censuses of the NZ public for decades. There is a general understanding by government and the public that censuses add value and are an important part of the process of government policy making.

Traditionally, censuses have been highly manual. Census staff have visited every home throughout the country to distribute and then collect paper census forms and return them to Stats NZ. The 2018 Census, however, will be primarily digital. Stats NZ will mail internet access codes to households and encourage the public to 'self-respond' online. The aim is for at least 70% of responses to be online. This digital-first approach is anticipated to improve data quality while reducing the cost of data collection.

As with previous censuses, census data will be integrated with other personal information held by Stats NZ in order to provide the statistics relied upon by the public and private sector to make sound policy decisions and drive better social and community outcomes.

The digital-first approach provides Stats NZ with opportunities to significantly improve privacy compliance, and the privacy experience of the public. A reliance on manual paper-based census processes created information security risks (forms in transit, in field staff's hands and in storage) that can be very effectively mitigated in the online environment, although the online environment brings technical security risks of its own, which are discussed under technical security below. Well-managed, the digital-first approach provides Stats NZ with a unique opportunity to better engage the public to show the value of census and build trust.

However, there are a number of changes to the collection and use of census data in 2018 that warrant specific mention and consideration here, not because these changes are inherently negative but because they are different and must be made clear to the public.

1. 2018 Census data is being collected in a different way. The flows of information that traditionally occurred will now be easier, faster and more efficient. Stats NZ is engaging a variety of third parties to facilitate these new data flows. Some of the questions asked in the census may also change, to reflect evolving priorities and attitudes.

2. 2018 Census data will be incorporated into Stats NZ's Integrated Data Infrastructure ('IDI'). The IDI is a database of de-identified personal information gathered from a wide range of information sources, including government agencies and NGOs. The IDI also contains the data from the 2013 Census.[2] For the 2018 Census, information will flow two ways:

   • IDI data will be used to improve the quality of 2018 Census responses, by filling gaps in responses and imputing data based upon clear links to other data already held.

   • 2018 Census data will be integrated into the IDI, and combined with other data collected, to provide a fuller dataset intended to drive better outcomes for New Zealanders.

3. To facilitate this integration, individual names and addresses will be retained within a secure IDI linking environment and used to more accurately link the 2018 Census data with 2013 Census data and personal information gathered from other sources. The retention and use of these identifiers may come as a surprise to the public and so is examined below in more detail.

[2] For a full list of IDI information sources, go to http://www.stats.govt.nz/browse_for_stats/snapshots-of-nz/integrated-data-infrastructure/idi-data/idi-data-overview.aspx.
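The arrangement in points 2 and 3 above, a linking environment that holds the identifiers and a research side that never sees them, can be made concrete with a small model. The following is an added illustration written for this page; it is not Stats NZ's or the IDI's own code and does not describe how the IDI actually links records. It assumes a hypothetical linking environment that alone holds a secret key, derives a keyed pseudonym (HMAC-SHA256) from a normalised name and address, releases only the pseudonym plus non-identifying attributes to the research side, and fills a gap in a census record from a linked administrative record while flagging which values were imputed. All records, field names and the key are constructed for the example.

```python
import hashlib
import hmac
import re

# Hypothetical key that only the linking environment holds (constructed for the example).
LINK_KEY = b"linking-environment-key-example-only"

# Constructed sample records: a 2018 census response with a gap, and an
# administrative record already held, naming the same person with different formatting.
CENSUS_2018 = [
    {"name": "Aroha Smith", "address": "12 Queen St, Auckland", "age": 34, "occupation": None},
    {"name": "Ben Jones", "address": "7 Lambton Quay, Wellington", "age": 52, "occupation": "Teacher"},
]
ADMIN_RECORDS = [
    {"name": "aroha SMITH", "address": "12 Queen St., Auckland", "occupation": "Nurse"},
]

IDENTIFIERS = ("name", "address")


def normalise(name: str, address: str) -> str:
    """Canonicalise identifiers so case and punctuation differences still link."""
    def clean(s: str) -> str:
        return re.sub(r"[^a-z0-9]+", " ", s.lower()).strip()
    return clean(name) + "|" + clean(address)


def link_key(name: str, address: str, key: bytes = LINK_KEY) -> str:
    """Keyed pseudonym. Without `key` the value cannot be recomputed from a
    guessed name/address, unlike a plain hash of the same string."""
    msg = normalise(name, address).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]


def deidentify(record: dict, key: bytes = LINK_KEY) -> dict:
    """What leaves the linking environment: pseudonym plus non-identifying fields."""
    out = {k: v for k, v in record.items() if k not in IDENTIFIERS}
    out["uid"] = link_key(record["name"], record["address"], key)
    return out


def integrate(census: list, admin: list, key: bytes = LINK_KEY) -> list:
    """Link census and admin records by pseudonym, impute census gaps from the
    linked admin record, and return only de-identified rows for research use."""
    admin_by_uid = {}
    for r in admin:
        row = deidentify(r, key)
        admin_by_uid[row["uid"]] = row
    research_rows = []
    for rec in census:
        row = deidentify(rec, key)
        match = admin_by_uid.get(row["uid"])
        # Fill gaps (None) from the linked record and record which fields were
        # imputed, so downstream users can tell observed values from imputed ones.
        imputed = [f for f, v in row.items()
                   if v is None and match is not None and match.get(f) is not None]
        for f in imputed:
            row[f] = match[f]
        row["imputed"] = imputed
        research_rows.append(row)
    return research_rows


def contains_identifiers(rows: list) -> bool:
    """Release check on the research output: no name or address field may be present."""
    return any(any(k in IDENTIFIERS for k in r) for r in rows)


if __name__ == "__main__":
    for r in integrate(CENSUS_2018, ADMIN_RECORDS):
        print(r)
```

Two design points carry over to the real setting. A plain SHA-256 of a name and address is not a safeguard, because anyone can enumerate plausible names and addresses and recompute it; with an HMAC the key is what must be protected, which is why keeping linking in its own environment with its own access control matters. And pseudonymised rows remain personal information for as long as the key and the identifiers exist, so this models separation of identifiers from analytic data, not anonymisation.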

These differences have the potential to impact negatively on the public perception of Stats NZ and on overall engagement with the census. If the public feel that the digital-first approach is facilitating a more intrusive, or less robust, census, they may be reluctant to provide good information on census day. If the public has a sense that the personal information they entrust to Stats NZ will be used in ways that make them uncomfortable, they may lose faith in the process.


The wider environment and context

Stats NZ operates in a unique context. It has a clear legislative mandate to collect a significant amount of often sensitive personal information. This mandate simplifies privacy considerations to some extent but in other ways it creates public perception issues unlike any other public sector agency faces. Stats NZ must take particular care to display to the public that it is exercising its legislative mandate responsibly, fairly and in a way that is not overly intrusive. It requires Stats NZ not only to ensure that it has a lawful basis to gather and use personal information but also that its actions are measured and will add value and bring benefits to New Zealanders.

Statistics Act: Providing a strong legal framework for census

The Statistics Act gives Stats NZ legal authority to collect personal information of a certain type from individuals and it requires individuals to comply with such requests. This limits the application of the Privacy Act insofar as any actions are permitted by this legislative framework. However, the Statistics Act also places a number of important obligations on Stats NZ and its staff that go above and beyond the more flexible obligations contained in the Privacy Act. It requires all staff to take a statutory declaration of secrecy in respect of the information they handle. It also places very robust information security obligations on Stats NZ, that are more onerous and comprehensive than the general requirements of the Privacy Act, and includes an express limitation on the use of information (for statistical and research purposes only).

This legislative framework has influenced the culture within Stats NZ in ways that can have an impact on privacy practice. There is an overriding culture of confidentiality that informs the agency's processes and procedures. Provided that this culture does not result in complacency (and there is no evidence to suggest that it has), this creates a highly safe and secure foundation for the development of sound personal information handling practices.

There is also a recognition, borne out in recent work by the Data Futures Partnership (and discussed in more detail below), that the compulsory collection of personal information facilitated by the Statistics Act brings with it heightened obligations to be open and transparent.

Privacy Act: A roadmap for good privacy practice

While Stats NZ operates under a clear legislative mandate, it is still subject to the Privacy Act and the information privacy principles. The Privacy Act provides the safety net that ensures Stats NZ exercises its legislative mandate fairly, responsibly and in an open and transparent way. It has the flexibility to permit Stats NZ to operate in ways that are efficient and effective while supporting many of the safeguards the Statistics Act requires.


The Privacy Act requires Stats NZ to always ensure that it:

1. collects only the personal information it needs (for census, the information it is permitted to collect under section 24 of the Statistics Act);

2. collects personal information from the person concerned (for census, the respondent);

3. tells the public why it needs the information it has requested, what it will do with it, and who it may be shared with (for census, a major part of openness and transparency);

4. collects personal information in ways that are fair and lawful;

5. takes reasonable steps to keep personal information safe and secure (this is supported by section 37 of the Statistics Act);

6. enables individuals to access information about them;

7. enables individuals to correct their information if it is wrong;

8. takes reasonable steps to ensure that personal information is accurate before using it (for census, this includes steps to cleanse census data and ensure it is meaningful);

9. keeps personal information only for as long as it is needed;

10. uses personal information only for the purposes for which it was collected (for census, this is statistical and research purposes);

11. does not disclose personal information; and

12. takes care with unique identifiers.

While some of these principles apply less clearly in the Stats NZ context than others (for example, the access and correction principles are more difficult to comply with when significant steps are taken to de-identify personal information internally), they provide a set of foundational concepts that should inform general practice, particularly in respect of areas on which the Statistics Act is silent.

The Privacy Act and information privacy principles are also supported by the seven principles of Privacy by Design, which are intended to facilitate privacy practices that do not hinder the ultimate goals of the programme. For the census team, these principles are a relevant and useful set of reminders as the census draws near:

1. Privacy measures should be proactive not reactive;
2. Privacy should be the default setting;
3. Privacy should be embedded into design;
4. Aim for full functionality (positive sum);
5. Ensure end-to-end information security;
6. Promote visibility and transparency of risks and solutions; and
7. Make sure systems are user-centric.


Social licence: A privacy-supportive model

Where the collection of personal information is compulsory, issues of trust and control become more critical. While Stats NZ has a legislative mandate to collect and use this information, it needs to build an equivalent public mandate; a social licence to use information for the benefit of the community. Social licence describes a level of public comfort with a particular use of personal information. This comfort comes from trust that personal information will be used only as promised and acceptance that enough value will be created by that use.

The Data Futures Partnership[3] has identified a set of themes upon which it suggests that social licence can be built. These themes are components of transparency and they strongly mirror the information privacy principles. For each theme (stated as the question the public asks), the way privacy supports it is:

• Purpose: What will my information be used for? Collect only the information you need; tell people why you need it.

• Value: What are the benefits and to whom? Collect only the information you need; tell people why you need it.

• Use: Who will be using my information? Tell people why you need it; use it only for those purposes; limit access to those who need it.

• Control: Will my information be anonymous and could it be sold? Tell people who will have access to their information; ensure that it is protected; don't disclose it in an identifiable form; ensure that people can access their own information.

• Security: Is my information secure? Ensure that it is protected; ensure that it is accessed only for legitimate purposes; tell people about these steps.

Using the information privacy principles and Privacy by Design principles as a benchmark for good personal information management, an agency can start to build social licence. Put another way, if an agency focuses on addressing the themes identified by the Data Futures Partnership, it will be less likely to fall foul of the Privacy Act.

[3] For more information on social licence, and the work of the Data Futures Partnership, go to www.datafutures.co.nz.


Current public perception: Is there social licence?

Privacy is now an important public expectation. The media closely observes the personal information management practices of public and private sector agencies. Poor practices by other public sector agencies have negatively impacted upon public perceptions of the sector as a whole. This creates challenges when attempting to build a social licence based on trust and control.

Public perceptions measured in the years prior to the ACC privacy breach would likely have indicated a stronger social licence than exists today. High profile breaches, including the recent publicity around MSD's demand for client level data from service providers, have shaken a general public assumption that personal information is in safe hands.

Further, the highly publicised failures during the 2016 Australian eCensus[4] (known more colloquially as #CensusFail) may negatively impact on the NZ public's perception of a digital-first census. The Australian experience may create caution among the NZ public that will need to be carefully managed. Stats NZ will benefit from the lessons learned from this incident, including the need to ensure that public communications are focused on the right privacy issues and are responsive and flexible.

Stats NZ has commissioned a number of surveys into public perception. A 2016 Colmar Brunton Use and Trust Survey[5] focused on public understanding of the use of information and of trust in the statistics themselves. While the survey revealed a general acceptance that statistics are important, it gave no indication of any understanding of value as against individual privacy. The survey tested participants' trust in the quality of the statistics Stats NZ released, not in Stats NZ as an agency.

A 2015 OPUS Survey on Public Attitudes to Data Integration[6] came closer to measuring public trust in Stats NZ and its information uses. This survey showed some public discomfort with the idea that personal information may be held in a single database and linked to identifiers. Access, use and security were key concerns and participants indicated that they would find data integration more acceptable if they were persuaded that it was useful, fair, accurate, representative and in the public interest.

While these surveys show a moderate level of understanding and engagement from the public in the function of Stats NZ and, to some extent, the need for good statistics, they are some way off establishing the existence of any social licence.

As will be explained below, there is good reason to trust Stats NZ. However, in view of the more general perceptions of public sector privacy practice, it is suggested that Stats NZ should assume a low level of social licence and target its practices at developing openness and transparency to show value, build trust and start to earn one.

[4] For a good outline of the eCensus failures and lessons learned, see Alistair MacGibbon's Review of the Events Surrounding the 2016 eCensus, 13 October 2016.
[5] http://www.stats.govt.nz/about_us/what-we-do/our-publications/use-trust-in-oss-2016.aspx
[6] http://www.stats.govt.nz/browse_for_stats/snapshots-of-nz/integrated-data-infrastructure/keep-data-safe/public-attitudes-data-integration-2015.aspx


Culture, governance and technical security oversight

A strong privacy culture

As part of this assessment, a cross section of Stats NZ and census staff were interviewed. These interviews served two purposes. Firstly, they facilitated the gathering of important information about the 2018 Census processes and procedures. Secondly, they allowed for an evaluation of general privacy culture and values within both the census team and Stats NZ more widely.

Overall, it was very clear that Stats NZ has a strong culture of privacy and confidentiality, borne out of a legislative framework that focuses on security but also out of a general appreciation of the value of data. No person interviewed questioned the importance of privacy or an independent privacy impact assessment. All had an appreciation of privacy concepts and showed a strong understanding of privacy considerations that went beyond technical security safeguards.

It was also very clear that senior census staff grasped the importance of good privacy practice to the success of the census. As a result of lessons learned from Australia's eCensus, and due to the wider culture that exists within Stats NZ, senior staff have expressed a clear desire to ensure that privacy receives proper attention at the right time.

That said, the technical knowledge many staff showed in respect of the particular privacy and security processes in place within their functional unit (for example, census data collection, data processing, or the development of data products and services) appeared in some cases to cloud a more general understanding of the bigger Stats NZ picture. Some work may be required to tie these processes together and ensure that all census staff understand the end goal, which must be to provide the public with a simple value and trust picture.

Recommendation 1: Provide all census staff with guidance on the high level privacy goals and values for 2018 Census and build an understanding of the way each team's processes, procedures and safeguards contribute to this.

Privacy governance structure and resourcing for census

Stats NZ has put effort into strengthening its strategic privacy oversight and governance. As part of this, Stats NZ has established an Information Privacy, Security and Confidentiality ('IPSaC') Governance Group and Working Group. The Governance Group is executive level (members include the Chief Privacy Officer, Deputy Chief Executive (Data Services), Chief Methodologist, Chief Digital Officer and Legal Counsel) and it directs the Working Group (composed of senior staff including the Privacy Officer) to manage the development of the privacy strategy and programme. IPSaC minutes are shared with the Executive Leadership Team after each meeting.


Some organisation-wide privacy resource is available, though this is limited. Privacy is overseen by Organisation, Strategy and Performance which has a 0.6 full time equivalent dedicated resource (the Privacy Officer) to support the organisation's privacy practices. The privacy resource is small, particularly in view of the fact that Stats NZ is an organisation focused on the collection and use of information (including personal information). For this reason, the resource is limited in its ability to identify, manage and mitigate all privacy risks across the organisation. This is made more challenging in relation to the 2018 Census because the census team is quite distinct from the rest of the organisation, with staff either engaged solely for this programme or seconded from other teams within the agency. This increases the risk of privacy gaps or weaknesses within census processes and makes it more difficult for Stats NZ's wider privacy resource to effectively ensure that privacy issues are being managed satisfactorily.

The census is particularly high risk from a privacy perspective and so it is important for the census team to ensure that privacy is adequately resourced, its internal privacy governance and accountability processes are strong and effective, and the team connects directly to Stats NZ's wider privacy risk and assurance processes. This should include sharing any preliminary PIAs (some of which are discussed below) with both the Privacy Officer and IPSaC Governance Group. A real connection between the census team and Stats NZ's wider management of personal information will ensure consistency of approach and better oversight of privacy risks. It should also ensure that the many strong processes, procedures and safeguards being developed by various teams within census are consistent and clearly articulated to the public.

Recommendation 2: Create and document clear privacy roles and accountabilities within the census team, including a central role with overall privacy responsibility.

Recommendation 3: Encourage close collaboration between this documented privacy role and Stats NZ's Privacy Officer and ensure the Privacy Officer has the opportunity to contribute effectively as 2018 Census processes are finalised.

Recommendation 4: Ensure that the census team reports regularly to the IPSaC Governance Group and that census privacy is a standing item on the Governance Group agenda.

Technical security as a wider issue

Many of the risks presented by a 'digital-first' approach to the census relate to technical information security. The new information flows needed to facilitate digital engagement require the use of a range of technologies, platforms and information service providers. By outsourcing some functionality for the 2018 Census, Stats NZ is at risk of losing some control over the security of the personal information gathered.

Technical information security is an important part of the privacy framework. A mature agency has strong processes in place to ensure that the personal information it collects is safe and secure at all times. This is not a technical information security assessment but it does seek to provide some assurance that Stats NZ is taking a proactive approach to information security as part of the 2018 Census development.

Stats NZ has engaged the services of Deloitte's Cyber, Privacy and Resilience team to provide independent advice and guidance on implementing a secure, vigilant and resilient approach for the 2018 Census. Deloitte has a wide mandate to assist Stats NZ and is delivering a broad range of ongoing advisory and support services in this regard, including systems review, incident response simulations, controls assessments, and advice on the procurement of third party information and technology related services.

For the purposes of this assessment, Stats NZ is taking more than reasonable steps to ensure that it builds security into the technology and systems it uses to run the 2018 Census. The recommendations below are intended simply to ensure that the security and privacy processes support one another and that the value these processes add is made clear to the public.

Recommendation 5: Continuously revisit security safeguards as the census programme evolves, to ensure that they are facilitating good privacy practice.

Recommendation 6: Explain technical security safeguards to the public clearly and simply, to establish that the digital-first approach is good for privacy.


Collection: Ensuring value and managing risk

The 2018 Census focuses on increasing public engagement, creating efficiencies, and also improving the quality of information gathered by Stats NZ. These are important and valid considerations that offer overall benefits to the community.

Further, the digital-first approach has the potential to better safeguard individual privacy than the previous manual approach. Online information gathering removes many of the risks inherent in paper-based processes. Today's technology allows for effective encryption of data at all points of the process and enables access controls to be put in place to manage use limitations.

As noted above, this is not an information security assessment. However, this assessment has touched upon the various steps, processes and systems the census team has put in place or is contemplating to safeguard personal information throughout the census information lifecycle.

What information? A process to ensure value

The information Stats NZ is permitted to collect from the public is set out in the Statistics Act. Section 4 of the Act lists the classes of official statistics. Section 24 of the Act lists the particulars to be collected at census. The Government Statistician has a wide mandate to set the topics for any given census, provided that the information collected meets the requirements of section 4 of the Act.

Within these legislative boundaries, Stats NZ follows a careful process to ensure that any changes to the census are necessary and add value. The census must change from time to time to ensure that it is relevant and responsive to the particular conditions of the time. Otherwise, the information collected may not provide the insights needed to deliver important social and community benefits.

Stats NZ has developed a Content Determination Framework for this purpose. This framework includes public consultation and is designed to ensure that any new or altered census content is carefully considered. From a privacy perspective, this process is important because it:

• focuses on purpose and value, by requiring Stats NZ to establish the relevance of questions and the benefits these questions will deliver;

• encourages Stats NZ to exercise its legislative mandate responsibly and reasonably; and

• focuses Stats NZ on individual experience, by requiring a consideration of the impact a question might have on the respondent's impression of intrusiveness.


In the case of the 2018 Census, Stats NZ is coming to the end of the content determination process. It has applied the Content Determination Framework and is taking care to ensure that new content meets requirements.[7]

Preliminary PIAs into census processes and systems

As part of the census test conducted earlier in 2017, Stats NZ completed a number of internal preliminary PIAs with respect to individual processes, platforms or systems. These preliminary PIAs were intended to identify potential privacy risks early on. In each case, these assessments recommended whether a full PIA would be required. The processes, platforms and systems assessed to date include:

1. Workload Creation and Allocation Tool (using a tool to create and allocate work during address canvassing)

2. Respondent Facing Contact Centre (using a third party service provider to manage an expected increase in contacts from census respondents)

3. Contact Centre Homeworkers (using a mixed on and off site worker model for contact centre operations)

4. EPIC system for census processing (using software, tools and systems provided by EPIC for processing census data)

5. Internet Collection System (using a third party service provider to manage the collection and storage of online census responses)

6. Census Onboarding (managing the recruitment and day-to-day operations of census field staff)

7. Post-Enumeration Survey (collecting personal information after census to measure the accuracy of people and dwelling counts)

8. Census Test Information Website (creating a separate census.govt.nz website)

For the most part, these preliminary assessments are comprehensive and well-considered. They follow a good structure, which ensures that key information flows are mapped and risks assessed. Stats NZ has explained that these are living documents. They will inform the development of final 2018 Census processes, platforms and systems, and will be amended as required to ensure that they remain up to date and relevant.

This is a positive step to take, and is evidence of the census team's overall concern about privacy and security (as noted above). The census team must ensure, however, that these preliminary assessments are consistently shared with the Privacy Officer and IPSaC Governance Group, and are not treated solely as a compliance exercise.

[7] For more information on the status of the 2018 Census content review, go to http://www.stats.govt.nz/Census/2018-census/prelim-content.aspx.


Specific comments on preliminary PIAs

The EPIC processing system will collate and process census data (that is, the personal information people provide in their census responses) and so is a major part of 2018 Census delivery. The following comments are made about the preliminary PIA:

• The PIA notes that operational information about dwelling occupancy and respondent behaviour will be incorporated into EPIC to assist with determining census completion. However, as noted below, the census team stated during interview that this operational information would be stored only in the CRM system and not integrated with any other information systems. This apparent inconsistency should be investigated to ensure it raises no risks – or public perception – of inappropriate use.

• The PIA rated public impact as medium. However, due to inherent sensitivities around the move to a digital-first census, and the importance of the information processing system to the security, accuracy and ultimate use of census information, it is recommended that public impact be rated as high.

• Overall, the PIA rated risks as either medium or high but recommended that a full PIA was not required. It is recommended that such a risk rating would warrant the completion of a full PIA in respect of the system, particularly in view of the potential public impact of poorly managed risks.

Recommendation 7: Revisit the decision not to undertake a full PIA on the EPIC processing system and consider rating the public impact of this system as high.

Recommendation 8: Ensure controls are in place to manage any perception that operational information incorporated into EPIC may be used for statistical or research purposes.

The Post-Enumeration Survey ('PES') PIA rightly highlighted the risk that information about census completion might be used for purposes other than measuring census coverage. This preliminary PIA has suggested that any uses of PES information that go beyond measuring census coverage must be subject to a further PIA. This suggestion is supported.

The Internet Collection System ('ICS') is a major part of 2018 Census delivery. As with the processing system, a failure in the ICS during the census could have a major impact on public confidence (noting, for example, the Australian eCensus experience). The preliminary PIA into the ICS rightly identified public impact as high but recommended that a full PIA was not required. On balance, this outcome is supported on the basis that the major risks presented by the ICS relate to the security and integrity of the system, rather than the way personal information is used. The ICS service provider has outlined to Stats NZ the measures it will take to ensure that ICS security requirements will be met.

Practical privacy protections during the census

As with previous censuses, temporary field staff are engaged to manage the practical information gathering process before, during and after the census. The digital-first approach means fewer staff will be required in 2018. However, the 2018 Census will still require the collection, retention and use of personal information about dwelling occupants in order to manage the process. This information is distinct from the census responses and so raises different privacy issues. Information could include reports about occupant behaviour or safety concerns that may impact on other field officers or affect decisions about soliciting responses from a particular dwelling.

The census team has taken the following steps with respect to this part of the process:

• Field officers use tablets to record information about dwellings and occupants. These tablets are password protected.

• Operational information is retained in a CRM system and is not integrated with statistical information nor used by Stats NZ for statistical or research purposes (although, note recommendation 8 above).

• Where possible, field officers are not provided with individual names. Rather, the process is operated at the dwelling level. Incidents or concerns with a particular dwelling tend not to be linked to a particular individual.

• Field officers are provided with face-to-face and online privacy training to ensure that they understand Stats NZ's wider privacy expectations.

• Field officers are required to sign a declaration of secrecy.

These are positive steps, which taken together should effectively mitigate many of the privacy risks created by a large scale information gathering exercise such as census. Having a presence in the field also provides Stats NZ with a unique opportunity to engage with respondents and reiterate privacy and trust messages. As will be discussed in more detail below, it is critical that field officers are equipped to do this in a consistent and meaningful way.

Data breach response plan

The 2016 Australian eCensus is a good reminder that things can go wrong. It is impossible to entirely negate the risk of data breach and it would be unreasonable to expect an agency to do so. For this reason, it is critical for Stats NZ to have a strong data breach management plan in place before, during and after the census, that includes clear escalation paths, reporting and communications processes.

Stats NZ has developed an agency-wide incident management plan that directs how staff should report and manage a security, privacy or confidentiality incident, or a near miss. The plan sets out an escalation path and guides staff through a process of reporting, containment and notification. The plan also ensures that a number of governance layers are involved in the management of the incident.

• Staff – Attempt immediate containment of the incident and report to security and privacy staff and their manager.

• Manager – Immediately review the incident and determine if further containment is required. Ensure the incident has been recorded in the incident log.

• Security and Privacy – Act as first point of contact and advise the business. Evaluate the level of risk. Start the prevention process.

• Triage team – Assist with determining notification and communications, including to affected individuals, the National Cyber Security Centre and the Privacy Commissioner.

The census team recognises that strong communication is a critical part of managing a data breach. The team has developed a Crisis Communications Approach designed to ensure that any crisis – relating to people, systems or data – is managed quickly and openly. The team has taken a centralised approach, to ensure that any response is targeted and coordinated. It identifies three key phases:

• Alert – Senior Manager, Communications and Marketing. The crisis communications team will then schedule a meeting to begin managing the crisis.

• Gather – Relevant information to confirm the situation and timeframes for response.

• Respond – Coordinated communications will be developed, reviewed and adjusted as required, until the crisis is resolved.

It is very sensible to ensure that the 2018 Census takes a consistent and coordinated approach to managing a data breach. As we have learned from the Australian eCensus failures, communication is a critical part of an effective data breach response plan. However, the Crisis Communications Approach focuses only on this part of the process. It will be important to ensure that the 2018 Census data breach response plan links clearly and effectively to Stats NZ's wider incident management process. Once a crisis, or incident, has been identified as involving personal information, it is important that privacy and security staff are involved and have input into the decision to notify (or not) and the nature of the communications that follow this decision.

A central theme of this assessment is the need to put the individual at the heart of census processes. The data breach response plan must reflect this too. Stats NZ's wider incident management process ensures that the right stakeholders are notified. These stakeholders can assist the census team to focus on the individuals and effectively assess the likelihood of harm. They can also assist the census team to take effective steps to mitigate harm and manage any negative public perceptions caused by a breach.

Recommendation 9: Link the census crisis communication approach to Stats NZ's wider incident management process and involve key privacy and security staff in the risk assessment, mitigation and notification stages of the process.


Use and processing: Limitations to increase control

2018 Census data forms a small part of the personal information Stats NZ routinely collects for statistical and research purposes. Census data is used by the agency in various ways to develop better statistical products that can deliver meaningful insights to drive better social and community outcomes.[8]

A key part of Stats NZ's overall privacy and security framework is its ability to effectively ensure that the personal information it collects – including census data – is accessed and used only for legitimate statistical and research purposes. Getting this right is critical to building trust and ensuring that the public has some sense of control over the way their personal information will be used and protected.

Stats NZ excels in this area. It has developed agency-wide processes to ensure that personal information is de-identified before it is accessed and used. Recognising that even de-identified personal information can identify individuals in some circumstances, Stats NZ takes further steps to "confidentialise" personal information before it is incorporated into statistical products or aggregated to provide statistical insights.

In addition, Stats NZ's systems and platforms include complex access controls that ensure only staff who need to see personal information before it is de-identified can do so. These processing and linking environments provide a safe platform for effectively linking the various datasets used to create statistical products and insights.

These processes go to the heart of Stats NZ's operations. They are elaborate and intelligent processes run by data scientists with expertise in understanding how best to ensure that risks of re-identification and unauthorised access are minimised.

Integration with the IDI

The IDI was introduced briefly above. Put simply, it is a database designed to facilitate effective data integration. The IDI pulls together a series of de-identified datasets from government agencies and NGOs[9] (this data is referred to as "administrative information") and integrates these datasets with census data from 2013 and, shortly, the data collected in 2018. Researchers can then apply to access the de-identified data in the IDI, under strict conditions outlined below, for statistical and research purposes.

While integration with the IDI is not the only use to which 2018 Census data will be put,[10] it is a significant one. Data integration is viewed with some caution by the public, as noted above. Without strong controls around information linking, access and use, data integration could present significant privacy risks, particularly if identifiable information about individuals was accessible to the public or to other government departments.

[8] For examples of the products and services Stats NZ developed with 2013 Census data, go to http://www.stats.govt.nz/Census/2013-census.aspx.
[9] For a full list of IDI information sources, go to http://www.stats.govt.nz/browse_for_stats/snapshots-of-nz/integrated-data-infrastructure/idi-data/idi-data-overview.aspx.
[10] See note 8, above.

Stats NZ's IDI team has approached data integration with care and consideration. Data Integration Guidelines,[11] which include a set of data integration principles (public benefit, use limitation, openness, and no integration where a promise has been made not to), have informed all IDI risk assessments. A number of complex PIAs have been completed into the IDI generally and as each new dataset has been considered for inclusion in the IDI. These PIAs are all publicly available.[12]

Integration for processing census data

Stats NZ is building a new infrastructure for the processing of 2018 Census data (referred to above as the EPIC processing system). In many respects, the processing of census data will be similar to previous censuses. The information security considerations with respect to this system are beyond the scope of this assessment and are, in any event, being addressed elsewhere.

However, the new infrastructure does facilitate a new use of personal information already held by Stats NZ, for the purpose of improving the quality of 2018 Census data. The processing system will link to the IDI and use administrative information to improve the overall input from the census. The system fills gaps in census responses and cleanses information collected during the census.

Section 37(1) of the Statistics Act states that information provided to Stats NZ can only be used for statistical purposes. Principle 10 of the Privacy Act takes a similar approach. It states that personal information should only be used for the purposes for which it was collected.

Here, Stats NZ is proposing to use administrative information collected from government departments to improve 2018 Census data. This is being done for the purpose of improving the quality and linking of census data, and for the ultimate purpose of providing better statistical insights and research outcomes.

The proposed improvements are, therefore, consistent with Stats NZ's overall purposes and with the limitation contained in its own Act. However, this change may nonetheless come as a surprise to the public. For this reason, it is recommended that this change be explained clearly to the public in any privacy messaging created for the census. This recommendation will be revisited below.

Recommendation 10: Notify the public that administrative data held in the Integrated Data Infrastructure ('IDI') will be used to improve the quality of census data and explain the overall value of this data use.

[11] http://www.stats.govt.nz/about_us/legisln-policies-protocols/data-integration-gdlns.aspx.
[12] For a full list of the IDI PIAs, go to http://www.stats.govt.nz/browse_for_stats/snapshots-of-nz/integrated-data-infrastructure/keep-data-safe/privacy-impact-assessments.aspx.


Integration for developing better statistics

2018 Census data will also be integrated into the IDI and linked with 2013 Census data and administrative information datasets. It is clear that such integration also fits within Stats NZ's overall use limitations. The purpose of this integration is to improve Stats NZ's ability to develop meaningful and relevant statistical products and insights. The value is easy to understand.

However, to effectively link the 2018 Census data with information already held in the IDI, Stats NZ must retain and use a number of identifiers. In particular, Stats NZ proposes to retain individual names and addresses to match information within the IDI. This is not new. Names and addresses have been used within the IDI for some time to ensure that the information is accurate.

The Privacy Act permits an agency to retain personal information for as long as it is needed for a lawful purpose. Both the Privacy Act and the Statistics Act permit the retention and use of names and addresses to facilitate Stats NZ's wider purposes.

However, this may impact on public perceptions of census anonymity and control. It is important therefore to clarify that names and addresses are only used within the processing and linking environments. Stats NZ processes (which are outlined below) ensure that it is not possible for statistical products to reveal personal information that might identify a particular individual.

It is recommended that the retention and use of names and addresses within the secure processing and linking environments be made clear to the public at the outset. This recommendation will be revisited below.

Recommendation 11: Notify the public that names and addresses are retained and used within the IDI's secure processing and linking environments to match information and explain the value of this data use.

Stats NZ's access, de-identification and confidentiality processes

Stats NZ's core operational model is focused on responsible and legitimate access to and use of personal information. The processes it uses ensure that the risk of identification of individuals is minimised while permitting the effective analysis, aggregation and use of personal information for statistical and research purposes.

Stats NZ achieves this by applying the 5 safes framework. This framework is supported by technical security safeguards and audit and assurance processes to ensure that it is adhered to.


1. Safe data – Personal information is de-identified by removal of all unencrypted unique identifiers and identifiable information such as names and date of birth.[13]

2. Safe settings – Only staff who need to see identifiable personal information for processing or linking purposes have access to secure linking environments. Once de-identified, personal information can only be accessed by researchers through a secure Data Lab. Researchers can only access information relevant to their research.

3. Safe people – Those accessing personal information must sign a declaration of secrecy and pass reference checks. Researchers must also sign a research undertaking and understand and follow Stats NZ's rules and protocols.

4. Safe projects – To access the IDI, researchers must establish that their projects have a statistical purpose and are in the public interest.

5. Safe outputs – Personal information is further "confidentialised". Before being disclosed to the public (that is, outside the IDI and Data Lab environment) as part of Stats NZ's wider products, the statistical outputs must be run through a further process to ensure that individuals cannot be identified from the information.

Stats NZ's processes allow for the controlled release of de-identified information within a secure and carefully protected research environment, and the public release of confidentialised information. As the settings, people and project controls are reduced, the safeguards around the data itself are increased, thereby permitting a wider audience to benefit from statistical insights.

These processes effectively ensure that personal information gathered by Stats NZ – whether from a census or from another source – is protected. They allow Stats NZ to provide meaningful reassurances to the public that personal information is accessed and used only for legitimate statistical and research purposes. It is to this topic, to openness and transparency, that the assessment now turns.

[13] For more information about Stats NZ's de-identification process, go to http://www.stats.govt.nz/browse_for_stats/snapshots-of-nz/integrated-data-infrastructure/idi-data/de-identified-data.aspx.
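The safe settings, safe data and safe outputs steps above, as an added illustrative pipeline that is not Stats NZ's own code: identifiers are used for linking only inside the secure environment, stripped before release to a Data Lab, and aggregate cells are confidentialised before public release. The constructed records, the keyed-hash pseudonym and the small-cell suppression threshold are assumptions; the page does not state which de-identification or confidentialisation methods Stats NZ actually uses.

```python
"""Illustrative five safes pipeline: link, de-identify, confidentialise.

Added example, not Stats NZ code. The records are constructed; the HMAC
pseudonym and the suppression threshold are assumptions for illustration.
"""
import hashlib
import hmac
from collections import Counter

# Direct identifiers that may exist only inside the secure linking environment.
DIRECT_IDENTIFIERS = frozenset({"uid", "name", "address", "date_of_birth"})

# Constructed census-style records (not real data). C004 has a gap to be filled.
CENSUS_RECORDS = [
    {"uid": "C001", "name": "Ana Example", "address": "1 Sample St", "date_of_birth": "1980-02-14", "area": "A1", "age_band": "30-49"},
    {"uid": "C002", "name": "Ben Example", "address": "2 Sample St", "date_of_birth": "1982-07-01", "area": "A1", "age_band": "30-49"},
    {"uid": "C003", "name": "Cal Example", "address": "3 Sample St", "date_of_birth": "1979-11-23", "area": "A1", "age_band": "30-49"},
    {"uid": "C004", "name": "Dee Example", "address": "4 Sample St", "date_of_birth": "1975-06-30", "area": "A1", "age_band": None},
    {"uid": "C005", "name": "Eve Example", "address": "5 Sample St", "date_of_birth": "1960-01-09", "area": "A1", "age_band": "50+"},
    {"uid": "C006", "name": "Fay Example", "address": "6 Demo Rd", "date_of_birth": "1985-03-17", "area": "B2", "age_band": "30-49"},
    {"uid": "C007", "name": "Gus Example", "address": "7 Demo Rd", "date_of_birth": "1988-09-05", "area": "B2", "age_band": "30-49"},
    {"uid": "C008", "name": "Hal Example", "address": "8 Demo Rd", "date_of_birth": "1977-12-12", "area": "B2", "age_band": "30-49"},
    {"uid": "C009", "name": "Ivy Example", "address": "9 Demo Rd", "date_of_birth": "1955-04-04", "area": "B2", "age_band": "50+"},
    {"uid": "C010", "name": "Jon Example", "address": "10 Demo Rd", "date_of_birth": "1962-08-20", "area": "B2", "age_band": "50+"},
]

# Constructed administrative record used to fill the gap in C004.
ADMIN_RECORDS = [
    {"name": "Dee Example", "date_of_birth": "1975-06-30", "age_band": "30-49"},
]


def link_in_secure_environment(census, admin):
    """Safe settings: name and date of birth are used to match administrative
    records and fill gaps here only; the input list is left unmodified."""
    index = {(a["name"], a["date_of_birth"]): a for a in admin}
    linked = []
    for rec in census:
        rec = dict(rec)
        if rec.get("age_band") is None:
            match = index.get((rec["name"], rec["date_of_birth"]))
            if match is not None:
                rec["age_band"] = match["age_band"]
        linked.append(rec)
    return linked


def deidentify(records, key):
    """Safe data: drop every direct identifier and keep only a keyed pseudonym
    of the uid, so Data Lab rows can still be joined without exposing the uid.
    (The HMAC pseudonym is an illustrative assumption, not Stats NZ's method.)"""
    out = []
    for rec in records:
        pseudo = hmac.new(key, rec["uid"].encode(), hashlib.sha256).hexdigest()[:16]
        safe = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        safe["pseudo_id"] = pseudo
        out.append(safe)
    return out


def contains_direct_identifiers(records):
    """Release gate: True if any direct identifier column survived."""
    return any(k in DIRECT_IDENTIFIERS for rec in records for k in rec)


def tabulate(records, *columns):
    """Count individuals per combination of the given columns."""
    return dict(Counter(tuple(rec[c] for c in columns) for rec in records))


def confidentialise(table, threshold=3):
    """Safe outputs: suppress any cell with fewer than `threshold` people,
    replacing the count with 'S'. The threshold is an illustrative assumption."""
    return {cell: (n if n >= threshold else "S") for cell, n in table.items()}


def run_pipeline(key=b"constructed-demo-key", threshold=3):
    """Full flow: link inside the secure environment, de-identify for the Data
    Lab, refuse release if identifiers leaked, then confidentialise the output."""
    linked = link_in_secure_environment(CENSUS_RECORDS, ADMIN_RECORDS)
    safe = deidentify(linked, key)
    if contains_direct_identifiers(safe):
        raise RuntimeError("direct identifiers must not leave the linking environment")
    return confidentialise(tabulate(safe, "area", "age_band"), threshold)


if __name__ == "__main__":
    for cell, value in sorted(run_pipeline().items()):
        print(cell, value)
```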


Openness and transparency: Communicating to build trust

Openness and transparency have been a prevailing theme in this assessment. Stats NZ has developed very strong and sound processes and controls to protect personal information but these are not going to build trust if they are not known to the people they are intended to protect.

The census privacy story is about more than compliance with the Privacy Act. This is Stats NZ's opportunity to manage public perception and quell any misunderstandings about the way personal information collected during the census is used. It is an opportunity to tell the public that there are legitimate and valuable reasons for using personal information to better link and improve statistics. It is the opportunity to show value.

Stats NZ embraces transparency about its practices. Its willingness to make policies, processes, risk assessments and other key privacy materials public sets it apart from other public and private sector organisations and sets a benchmark for others to follow.

Stats NZ's website contains a wealth of information about the way Stats NZ manages personal information, from its governance structure and high level privacy policy and expectations to its complex physical, technical and procedural safeguards for ensuring that personal information is protected. There is a significant amount of detailed information available to the public, should they wish to access it.

Existing communications

The Stats NZ website provides the public with access to information about its general privacy policies and procedures,[14] and the privacy and security steps in place with respect to the IDI.[15]

Privacy general – Stats NZ provides individuals with an overview of its approach to privacy compliance, along with detailed policy documents that outline in depth the privacy, security and confidentiality processes. The overview is plain English and clear. However, as noted above, this information is general and has wide application.

IDI – Similarly, Stats NZ provides specific privacy messaging in respect of the IDI, recognising that data integration raises particular concerns for the public. As with the general privacy content, an overview of IDI privacy and security is given, along with more detailed links to processes and procedures, including the de-identification and confidentiality processes. The wider IDI content also includes an explanation of the datasets involved and the value they add. It should be noted that the messaging frames privacy primarily in terms of information security ("How we keep IDI data safe"). It is suggested that the datasets collected and the value these add should also be framed as key privacy messages.

[14] http://www.stats.govt.nz/about_us/legisln-policies-protocols/confidentiality-of-info-supplied-to-snz.aspx.
[15] http://www.stats.govt.nz/browse_for_stats/snapshots-of-nz/integrated-data-infrastructure/keep-data-safe.aspx.


2018 Census – At this point, no information has been provided to the public in respect of the 2018 Census privacy processes and procedures, in large part because many of these are still in development. The census team did develop a set of privacy messages as part of the 2017 census test. These provide a good starting point to develop a census privacy story but should be complemented by something more holistic which focuses on the full information lifecycle. It should be noted that these messages are focused largely on technical security issues and do not provide an overall value and trust message.

2018 Census key messages

During the census, Stats NZ targets every New Zealander. All people are asked to engage with Stats NZ at this point, regardless of knowledge, literacy or sophistication of privacy awareness. Being requested to provide detailed personal information to a government agency can make people feel uncomfortable and it is unlikely most individuals will take the time to study Stats NZ's website to find the information they need to get a full understanding of the census information lifecycle and the reasons they should trust Stats NZ at census time.

For this reason, it is critical that the census team develops a census privacy story that is clear and simple and aimed at the wider population, not just those with the capacity, knowledge and understanding to engage with detailed technical documents. This story should:

1. be clearly census-focused but branded in a way that connects directly with Stats NZ;

2. very simply outline the census information lifecycle, from collection online or in hard copy through to sharing either within IDI or as part of other products or insights;

3. provide a compelling value proposition to ensure that people quickly understand why they should provide their information and how this will benefit the community;

4. provide clear notice to the public about key issues that may impact on public perception, including the retention and use of names and addresses and integration with the IDI, and explain that this is legitimate and adds value;

5. promote the privacy and security benefits of a digital census and provide quick and simple reassurances in respect of technical security standards in place;

6. show transparency about the use of third party information service providers, including cloud service providers, and link to any risk assessments undertaken into these providers; and

7. very simply outline the internal processes in place to ensure that access and use limitations can be trusted.

These messages support the themes that have been identified as critical to building social licence. It is in this openness and transparency space that Stats NZ can effectively start to create and build a public mandate for census, data integration and the work of Stats NZ more generally.


Itissuggestedthereforethatthecensusprivacymessagingbestructuredinawaythatmeetsbothprivacycomplianceandsociallicencegoals:

Social licence themes and the privacy messaging that addresses each:

Purpose and value (Why is my information being collected, and who does this collection benefit?)
• What personal information is being collected?
• Why is this information important to Stats NZ, and to New Zealand more generally?
• What value will be added by data integration?
• What value will be added by retaining names and addresses?

Use and control (Who will be accessing and using my information and in what ways?)
• Who will have access to the information, and in what forms?
• How will the information be used, and how will Stats NZ ensure that this is always the case?
• What will not happen with the information?

Security (Is my information secure?)
• How is information protected during the census?
• How is information protected within Stats NZ?
• How are physical and process safeguards bolstered by technical safeguards?
• What will happen if there is a data breach?

Recommendation 12: Develop a clear and simple census privacy story that is structured to provide key privacy messages to the public and contribute to the building of social licence.

Where and how to deliver them

Simplicity and consistency are key to delivering one clear message to the public about the 2018 Census. People should be directed to one place to be provided with the key messages they need to feel comfortable. The publication of detailed process documents, PIAs or other technical information, while commendable, will not achieve this purpose and risks confusing the public and obscuring the key messages they need to understand. It is recommended that the census team should aim to tell one story, in one place, that leads respondents through the key messages of purpose and value, use and control, and security. This story can link to more detailed technical documents, whether processes, procedures or PIAs, but should stand alone and give respondents enough information to understand and trust the process.


All census channels – whether field staff, contact centre staff or online content – should talk from the same simple script. It is also recommended that this privacy story be told well in advance of the census. This will give the team the time needed to build confidence and revise its communications plans to ensure that the public's needs are met. By the time of the census, the benefits of a digital-first approach should be accepted.

Recommendation 13: Make the census privacy story easily accessible and stand alone, and ensure that all channels connect to these key messages.

Recommendation 14: Tell the census privacy story well in advance of census, to build confidence in the digital-first approach and provide the time needed to revise communications to meet public needs or changing expectations.


Conclusion

The 2018 Census is in good hands. The essential ingredients are in place to ensure that the 2018 Census can maximise the benefits of digital engagement and extract real value from data while recognising the person at the centre of it all. By taking a few steps to make sure that the many census processes and procedures link effectively with Stats NZ's wider privacy framework, the census team can meaningfully and honestly tell the public their personal information is in safe hands.

This census privacy story is key to building trust and confidence in the 2018 Census and in Stats NZ more widely. People need to understand and accept that concerns about value, use, control and security are recognised and taken care of. This story must demonstrate to the public that Stats NZ has considered whether it can collect personal information, considered whether it should collect personal information, ensured information collection and use can be done safely, and been as open and transparent as it can with the public.

With an understanding of the value of personal information and a clear picture of the ways Stats NZ ensures this information is used only for the benefit of the community, the public can and will wholeheartedly engage in the census process.


Appendix 1: Information gathering

The following individuals were interviewed as part of this PIA:

• Teresa Dickinson, Deputy Government Statistician, Insights and Statistics
• Denise McGregor, General Manager 2018 Census
• Richard Stokes, Senior Manager, Communications and Marketing (2018 Census)
• Nancy Linton, Senior Adviser Communications (2018 Census)
• Sarah Johnson, Manager, Census Programme Design and Integration
• Lyndsey Whelan, Manager, 2018 Census Processing and Evaluations
• Giles Reid, Senior Analyst, Processing and Evaluations
• Rory Sarten, Statistical Analyst, Processing and Evaluations
• Alan Bailey, Senior Manager, 2018 Census Field Operations
• Alex Bayley, Senior Manager, 2018 Census Respondent Focus
• Glenn Letts, Project Manager, Channels, Statistics, and Enabling Infrastructure
• Victoria Treliving, Manager, 2018 Census Products and Services
• Kelley Reeve, Senior Manager, Data Futures Partnership
• Heather Jones, Senior Advisor, Strategy, Performance and Privacy (Privacy Officer)
• Tim Henwood, Senior Advisor, Strategy and Development, Data Services
• Anna McDowell, Manager, Integrated Data Infrastructure (IDI)
• Yolandi de Beer, Statistical Analyst, Integrated Data
• Gareth Meech, Senior Manager, Customer Focus (2018 Census)
• Anu Nayar, Partner, National Leader – Cyber, Privacy and Resilience, Deloitte

The following key documents were examined as part of this PIA:

• 2018 Census Design Principles (April 2017)
• OPUS Survey into Public Attitudes to Data Integration (2015)
• Colmar Brunton Use and Trust Survey (June 2016)
• Integrated Data Infrastructure PIA Overarching Document v10 (2017)
• PIA for the Integrated Data Infrastructure (2012)
• Integrated Data Infrastructure extension PIA Fourth Edition (2016)
• Full set of PIAs and other assessment documentation in respect of Census Test
• Full set of existing and contemplated external communications
• Stats NZ privacy guidelines, processes and policies
• Stats NZ De-identification and Confidentiality rules
• 2018 Census Content Determination Framework
• 2018 Census Crisis Communications Approach
• Stats NZ Annual Agency Self-Assessment Report to GCPO (2017)