Criterion I – Ability to ensure secure data management
Auditor rating against criterion I – compliant
|I(a) How does your agency adhere to the separation principle? Provide details of how only that information, from datasets to be linked, that is required to perform specific tasks is made available to those people performing the tasks. Specifically:
- linking separation (where those people performing the linking of the datasets can only access those parts of the datasets to be linked that are required to complete the linkage)
- analysis separation (where those people performing analysis of the lined datasets can only access those parts of the datasets required for the analysis).
|The ABS practices separation of datasets to protect data confidentiality. Each dataset to be linked is stored in a separate location, with appropriate levels of access. Parts of these datasets are brought together (based on the dataset metadata and without access to the microdata) for linking purposes by a Librarian (see below). Once a linked file is created (by a Linker - see below), a common identifier for the link is copied back to each of the original datasets. When analysis of linked data is required by an Analyst (see below), a specific analysis dataset is created using the common identifier and containing only the variables required for that analysis.
This is achieved using a functional separation of roles. At the agency level, the function separation is outlined in the ABS Corporate Manuals and applies to all ABS data linkage projects
The key linking roles are:
Librarian: a staff member who has this role has access to run processes against the data such as creating datasets for 'linkers' or 'analysts'. The librarian does not have access to the data itself, just access to run the processes.
Linker: Staff performing linking are only able to see a view of the data that contains the fields that they need to do their linking (i.e. demographic/linking variables file), which will be provided to them by the Librarian. The datasets are linked and a common linking ID is created in each dataset.
Analyst: Staff performing analysis of linked data are only provided with access to the fields that they need to do their analysis, which is again provided to them by the Librarian.
- All of the linking roles described above are internal ABS roles, undertaken by ABS staff.
- No individual can have access to more than one role at a time and no role allows the entire combined files to be viewed.
- A senior ABS officer (an Executive Level officer or above) is responsible for access control.
- All access to data files is logged and monitored.
|I(b) How does your agency’s audit program (internal and external) ensure the continued security of data?
NOTE: If your agency complies with the Australian Government Protective Security Policy Framework (and can demonstrate this to the auditor) the remaining questions under criterion I do not need to be answered so proceed to question IIa. Otherwise, please complete the following questions.
|The ABS is required to adhere to the Australian Commonwealth security frameworks such as the Protective Security Policy Framework (PSPF), which is what the ANAO bases its compliance activities on.|
In a Directive from the Attorney-General it is stated that:
“Agency heads are to apply the Protective Security Policy Framework with the understanding that it is the path to successfully protecting our people, information and assets.”
There are mandatory governance arrangements in place requiring the ABS to report to their portfolio Minister, the Secretary of the Attorney-General's Department, and the Auditor-General, to ensure compliance with the PSPF.
ABS had a rolling audit program spanning from 2010-11 to 2017-18 financial year. Two of the audits are the physical security audit (which focuses on different areas such as building access, document handling, and contractors) and Information security/ access (which focuses on different systems such as secure deposit box, email, computer assisted interviewing, laptops). The latter audit is to be undertaken annually.
|I(c) Do employees (including contractors) undergo police checks upon employment?|
|Yes. The Personal Security Policy on the ABS Corporate Manuals outlines that:
‘All appointments, promotions or transfers to the ABS, or engagement under an employment contract that do not require escorted access to ABS premises, are to be conditional on:
- the person obtaining a pre-employment suitability assessment or,
- written confirmation from another Commonwealth Agency that they hold a current National Security, Protected or Highly Protected or above clearance.’
It goes on to say that:
‘As a minimum, a suitability assessment will include:
- establishing identity
- criminal history check
- provision of a signed Undertaking of Fidelity and Secrecy form, or Deed of Confidentiality for consultants.’
|I(d) How is access to the agency’s premises controlled? Provide details.|
|The Physical Security Policy on the ABS Corporate Manuals outlines the access control to ABS premises.
“ Access to all areas, excluding public areas, will at all times be restricted to approved persons and will be controlled by the use of an ABS electronic access control system, sign in registers and reception personnel or contract guards.”
|I(e) How is your agency’s Internet gateway secured?|
|The ABS Security Plan 2009-10 in the ABS Corporate Manuals outlines how the ABS secures the internet gateway. This document is relevant for the next three years and is endorsed by the Protective Security Management Committee (PSMC).The ABS Security Plan 2009-10 states that the ABS Internet Gateway is certified to the PROTECTED level.
Further, all staff must electronically sign a Declaration annually to agree to abide by ABS Policy on internet usage to access the internet. There are different levels of access according to role:
- Restricted Internet Access (People who have been identified as not requiring expanded internet services)
- Restricted Internet Access 1 (Restricted Internet Access for Data Processing Centre staff)
- Restricted Internet Email Access (People in areas that have been identified as not needing internet email access for business purposes)
- Restricted Internet Email Access 1 (People in areas that have been identified as not needing internet email access for business purposes)
- Restricted Internet Email Access 2 (The second role including people in areas that have been identified as not needing internet email access for business purposes)
|I(f) Does your agency have an Information Security Policy and procedural plan (including protective control of data, secure ICT access and documented procedures)? Please specify key elements of your Information Security protocols.|
|Yes. ABS has an Information Security Policy on the ABS Corporate Manuals that outlines that:
“access to any sensitive/classified information in the possession of the ABS is only authorised if the intended access is permitted by legislation and:
a. there is no conflict of interest;
b. there is a valid 'Need to Know'; and
c. an appropriate ABS Security Clearance is held where the information has a national security classification, or a non-national security classification of "Protected" or Highly Protected".”
Further, the ICT Security Policy on the ABS Corporate Manuals outlines that:
“Access to the resources of the IT Environment, and to the various data stores residing within the environment, is granted on a need-to-know or job requirements basis. Staff must only be granted access to those components or data stores on that basis.”
Criterion II – IAs must demonstrate that information that is
likely to enable identification of individuals or organisations
is not disclosed to external users
Auditor rating against criterion II – compliant
|II(a) How will safe data access be provided?|
Please provide details of the proposed method. For example:
· providing access to data that are not likely to enable identification of individuals or organisations via on site data laboratories
· providing access to data that are not likely to enable identification of individuals or organisations via secure remote access facilities
· review of data by appropriately skilled internal staff to ensure data is appropriately confidentialised before release
· provision of only confidentialised files to users (e.g. using formal algorithms to apply confidentiality)
· other - specify.
As an extra protection, in addition to one of the methods above, IAs may also restrict access to endorsed applicants (similar to the restrictions placed on access to Confidentialised Unit Record Files by the ABS, for example).
NOTE: Any of these options is acceptable provided the applicant can demonstrate safe practices. The application will need to include details of how the IA confidentialises data.
|The ABS has been making microdata available for statistical purposes in the form of Confidentialised Unit Record Files (CURFs) since 1985, mostly for household survey data. Some business microdata has been made available, under certain conditions, in the form of CURFs.
The ABS currently releases three levels of microdata: Basic CURFs, Expanded CURFs and Specialist CURFs, via modes of access suitable to the level of detail and disclosure risk of the microdata. CD-ROMs provide access to Basic CURFs only; the Remote Access Data Laboratory (RADL) provides access to Expanded CURFS and the ABS on-site Data Laboratory (ABSDL) provides supervised access to Expanded and Specialist CURFs.
The Basic CURFs released on CD-ROMs are files of individual records that have been confidentialised using a range of different strategies such as aggregating into broader categories, swapping, perturbation or cell suppression. RADL provides a facility where approved users can remotely use Expanded CURFs that contain more variables and/or more detail than is available with the Basic CURF. The users submit analysis jobs to be run against the CURFs which remain on the ABS premises. The data is confidentialised before researchers perform their analyses. The code submitted to the RADL facility is automatically logged and audited so that ABS retains a history of the outputs produced from each CURF.
In response to demand for more flexible access to a wider array of datasets, while safeguarding confidential information, the ABS has commenced development of a new Remote Execution Environment for Microdata (REEM). In the future, this new approach will allow researchers to submit requests to build customised table from de-identified unit record files which will be automatically confidentialised before being sent to the researcher. The advantage of REEM over RADL is that the analysis is performed on non-confidentialised data but only confidentialised outputs are divulged to the researcher. Another advantage is that the researcher does not have to use SAS, SPSS or other specialised coding systems in order to perform the analysis, as is the case with the RADL. And researchers will be able to export tables in Excel or csv format.
CURFs may only be used by those organisations and individuals who have been approved by ABS to access that CURF. The application management process is described on the ABS website.
The ABS approach to releasing microdata can be broadly split into two independent strategies:
1. Reducing the risk that an attempt at identification will be made.
2. Releasing data in a manner that is not likely to enable identification.
These areas are commonly broken down into the following four key strategies:
1. Reducing the risk that an attempt at identification will be made.
- Strategy 1. Access is restricted to approved users and the actions of the user are limited to those specified by the undertaking and accompanying documents, including the improved education provided by the ‘responsible use’ manual.
2. Releasing data in a manner that is not likely to enable identification.
- Strategy 2. The data is protected, for example, by limiting detail and perturbing a small number of values (achieved via the assessment and subsequent confidentialisation process undertaken through ABS’ Microdata Review Panel.)
- Strategy 3. The RADL and ABSDL methods of access prevent a large part of the CURF coming into contact with external databases, by restricting the amount and nature of information which can be viewed freely, and outside of a restricted environment.
- Strategy 4. All outputs from the RADL and ABSDL are logged and audited (on a sample basis for RADL). Sanctions can be applied to anyone detected breaching the rules when using CD-ROM, RADL or ABSDL.
The ABS has established governance procedures that relate to the release of information, with delegations clearly detailed in the release approvals matrix which restricts approval for the release of CURFs to the Australian Statistician.
Reporting to the Australian Statistician on the release of any CURF data, is the ABS’ Microdata Review Panel (MDRP). It is chaired by the First Assistant Statistician, Methodology and Data Management Division and is responsible for providing technical advice to the Australian Statistician on the likelihood of a particular person or organisation being identified, as a consequence of disclosure under clause 7 of the Statistics Determination, 1985 (disclosure of unidentified information) or disclosure of personal or domestic information under clause 7A of the Statistics Determination, 1985 (disclosure of information to enable the Statistician to perform relevant functions).
The MDRP discusses any concerns they have regarding the likelihood of identification with the responsible survey areas and makes suggestions or recommendations for how the risk can be reduced to an acceptable level. The chair of the MDRP submits a written report to the Australian Statistician, covering its assessment of the methods proposed to reduce the risk of identification. The report points out any special conditions that should apply to the release of the microdata file to ensure that it is released in a manner that is not likely to enable the identification of any particular person or organisation.
How the ABS keeps data confidential is described on the ABS website.
Criterion III – Availability of appropriate skills
Auditor rating against criterion III – compliant
|III(a) What expertise and experience does the agency have to undertake high risk data integration projects?|
If your agency does not have this expertise or experience, what strategies are in place to acquire the necessary expertise to undertake a high risk integration project?
NOTE: Relevant skills to consider include: expertise in linkage and merging functions; expertise in privacy; expertise in confidentiality; information management skills; ability to provide useful metadata to data users; and appreciation of data quality issues.
As Australia's official statistical organisation, the core business of the ABS is to collect, process, analyse and disseminate statistical information. The ABS has the infrastructure and a range of expertise available to enable it to undertake high risk data integration projects. This includes specialists in statistical methodology and analysis, technology support, legal and policy advisors and subject matter. These specialist areas within the ABS support the functional areas undertaking statistical operations, including data integration and are outlined in Section 3 (Report on Performance) in Chapter 5 of the Annual Report 2010-2011. For example, Analytical Services (page 83) provides methodological expertise and Technology Services (page 87) provides technical infrastructure assistance.
Section 6 of the Australian Bureau of Statistics Act 1975 sets out the functions and responsibilities of the Statistician and the ABS which include the maximum possible utilisation, for statistical purposes, of information, and means of collection of information, available to official bodies.
The ABS has experience in statistical data integration, for example through the Census Data Enhancement Project and the Business Longitudinal Database.
The Census Data Enhancement Project commenced in 2006 and will continue for the 2011 Census. Information about this project is available in an information paper: Census Data Enhancement Project: an Update, October 2010 (cat. no. 2062.0). Given the importance of the Census to ABS operations and to Australia and due to it covering the total population, the Census Data Enhancement Project is a high risk integration project that is subject to rigorous security and governance protocols to protect confidentiality.
The first Business Longitudinal Database CURF (BLD CURF) was released in October 2009. The BLD comprises several longitudinal datasets containing both characteristics and financial data for small and medium businesses. Information included in the BLD CURF is drawn from business characteristics data sourced from an ABS survey and financial data sourced from two main administrative sources: the Australian Taxation Office (ATO) and the Australian Customs and Border Protection Service (Customs).
|III(b) What documentation and training is available to ensure staff have the appropriate skills and knowledge required in high risk data integration projects?|
|To support the Census Data Enhancement project, detailed methodological data linkage manuals were written which outline the processes and protocols for ABS data linking. Methodology research papers were also published to discuss the methodology and assess the quality outcomes of the project:
- Research Paper: Methodology of Evaluating the Quality of Probabilistic Linkage, April 2007 (ABS cat. no. 1351.0.55.018)
- Research Paper: A Linkage Method for the Formation of the Statistical Longitudinal Census Dataset, August 2009 (ABS cat. no. 1351.0.55.025)
- Research Paper: Assessing the Likely Quality of Linking Migrant Settlement Records to Census Data, August 2009 (ABS cat. no. 1351.0.55.027)
This documentation forms the basis for ongoing data integration projects and is being supplemented by the development of procedural manuals and training documentation tailored to operational staff. Some documentation and training is developed according to the needs and scope of the project, while other documentation is generic to accommodate any integration project within the ABS. On the job-training and relevant documentation is delivered to employees, as required. Training material related to confidentiality, security and privacy related to linking data in the ABS are also available to supplement standard ABS training in these areas.
Materials that support training specifically in data linking projects include:
- methodological data linkage manuals
- technical documentation
- probability linkage information
- training packages.
Criterion IV – Appropriate technical capability
Auditor rating against criterion IV – compliant
|IV(a) Does your agency have secure IT infrastructure, including hardware and software systems, and the capacity to support the potentially large and/or complex files associated with high risk data integration projects? Give a brief evidentiary statement.|
|As a statistical agency, ABS’s core business (as outlined in Section 1, Chapter 2 of the Annual Report 2010-2011) involves collecting, storing and disseminating large amounts of data. The existing technical infrastructure and ABS experience in data management provide it with the capacity to support the potentially large and complex files associated with high risk integration projects. ABS already deals with large files, including the Census. Further details about ABS’ capacity to deal with potentially large files can be found in Section 3, Chapter 5 of the Annual Report 2010-2011.
Current data integration projects use separate servers with the capacity to expand. Data and results are stored on separate servers with password protection and provisions to limit access to authorised staff who need it for their work. Senior ABS Managers (Executive Level officers and above) maintain and review this access on a regular basis to ensure access is provided on a need-to-know basis.
The ABS IT environment has comprehensive security measures in place, including firewalls against external intrusion, the use of regularly changed passwords, access control and audit trails. Information security in the ABS is formally audited through a range of audits conducted on a rolling basis. As an added measure against unauthorised access to data, the ABS is about to introduce a two level security access system where employees require not only a password but also to swipe their security pass into the computer to enable access.
|IV(b) How does the system track access and changes to data to allow audits by date and user identification? Does the system 'footprint' inspection of records and provide an audit trail? |
|The storage locations of sensitive data used in data integration projects have active tracking mechanisms in place. All log actions are recorded, stored and maintained as an audit log. Access reports are regularly reviewed in the section database as part of the record keeping practice.|
|IV(c) What IT support is in place for staff?|
|The Technology Services Division (TSD) comprises about 400 people and is an integral part of the ABS. It serves the ABS with high-quality information and technology leadership and supports the organisation in providing an effective statistical service. A key focus of TSD is supporting data linking and integration activities in the ABS. TSD assists with data linking, integration of data from multiple sources and the secure provision of microdata. TSD has three Branches:
- The Technology Application Branch develops and supports a wide range of computer systems that process ABS statistical collections as well as general administrative systems
- The Technology Infrastructure Branch maintains and operates the Information Technology and Communication (ITC) infrastructure
- The Technology Strategy and Planning Branch provides leadership in ITC direction and includes Security and Project Office functions.
Criterion V – Lack of conflict of interest
Auditor rating against criterion V – compliant
|V(a) Does the agency have a compliance monitoring or regulatory function? If yes, describe how this function will be separated from integration projects undertaken for statistical and research purposes to avoid this conflict of interest.|
|No. The ABS operates under the provisions of the Australian Bureau of Statistics Act 1975 and the Census and Statistics Act 1905. These Acts establish the ABS as Australia's official statistical agency and authorise the ABS to collect data for statistical and research purposes only. The ABS has been set up solely for statistical purposes and has no regulatory or compliance purpose. |
The Acts are available in the following links, Australian Bureau of Statistics Act, Census and Statistics Act.
Criterion VI – Culture and values that ensure protection of confidential information and support the use of data as a strategic resource
Auditor rating against criterion VI – compliant
|VI(a) How is an appropriate culture and values embedded in the agency’s corporate plan/mission statement/policies etc?|
|ABS values are an integral component of the ABS Corporate Plan, along with the ABS mission and objectives. The ABS Mission Statement supports the use of data as a strategic resource: we assist and encourage informed decision making, research and discussion within governments and the community, by leading a high quality, objective and responsive national statistical service.
The ABS and its staff uphold the APS Values and Code of Conduct. ABS values, which are congruent with the APS values, are material to our role as an independent provider of statistical information for Australia. Our values are:
- trust of providers
- access for all.
Our commitment to maintaining data confidentiality is also reflected in the ABS corporate objectives, particularly in terms of maintaining the trust and cooperation of providers (Objective 6, below) and being a respected and strongly supported organisation (Objective 7, below).
To achieve the ABS mission, the ABS has the following objectives:
1) an expanded and improved National Statistical Service
2) ABS services that are timely, relevant, responsive, and respected for their integrity and quality
3) informed and increased use of statistics
4) a key contributor to international statistical activities that are important to Australia or our region
5) an organisation that builds capability to continually improve its effectiveness
6) the trust and cooperation of our providers
7) ABS is a respected and strongly supported organisation
The obligations of employees to uphold the APS and ABS values and abide by the APS Code of Conduct are:
- promoted in learning and development activities across all levels from the induction of new starters through to senior management development programs
- actively applied through human resource processes
- supported by a suite of guidelines, policies and procedures, which themselves acknowledge the APS values
- reflected as appropriate throughout ABS corporate documents, which are readily accessible to all employees through the ABS Intranet, and advertised through promotional material including posters and the distribution of bookmarks to all employees and new starters.
|VI(b) How have staff been trained in requirements for protecting personal information and how are they made aware of policies regarding breaches of security or confidentiality? |
|All ABS induction training places a strong emphasis on the importance of security in safeguarding confidentiality, and on the appropriate use of the technology environment. A "Confidentiality in the ABS" course was rolled out in 2007–08, and attendance was compulsory for all staff. This course covered various aspects of confidentiality and disclosure, and the video presentations from this course (which provide an overview of why confidentiality is paramount to the success of the ABS; explain some of the key legal requirements governing confidentiality; and outline the main processes and procedures used to ensure confidentiality in the ABS) are available to ABS staff to view online as part of the ABS learning portal.
Since 2007-2008, the confidentiality course has been part of the ABS induction program - which means that all staff in the ABS have undertaken the course (either in the initial roll-out for staff employed up to 2007-08 or subsequently for new staff employed after 2007-08). This course is a requirement for all staff, and not just those undertaking data-linking activities.
ABS is also currently considering targeted training, tailored to the requirements of individual statistics areas, as a way of increasing confidentiality knowledge.
Additionally, security and confidentiality messages are reinforced regularly through corporate documentation, computer log in procedures, posters, emails, on-going training, section documentation and staff meetings.
Confidentiality procedures are an integral component of the statistical processing cycle and the ABS has strict confidentiality protocols that are applied to all data before they are disseminated.
The ABS Corporate Manuals provide detailed policies and guidelines in relation to privacy and confidentiality requirements. Topics include:
- ABS legislation
- information management
- confidentiality and disclosure
- dissemination of data
- information technology.
The chapter on confidentiality comprises 11 documents, including a detailed document on disclosure of confidentialised microdata.
|VI(c) Do staff sign undertakings related to secrecy and fidelity?|
|Yes. ABS is bound by legislation to ensure that all ABS staff (either ongoing or non-ongoing) sign the 'Undertaking of Fidelity and Secrecy' Form. Part II (s.7) of the Census and Statistics Act 1905 states that ‘Every officer executing any power or duty conferred or imposed on any officer under this Act or the regulations, shall, before entering upon his or her duties or exercising any power under this Act, sign, in the presence of a witness, an undertaking of fidelity and secrecy in accordance with the prescribed form.’
The undertaking requires that employees do not disclose information acquired during their employment with ABS and continues to apply after ceasing employment. Significant penalties apply for any breach, including up to 120 penalty units (currently $13,200) or two years imprisonment or both.
Further, ABS has processes in place to ensure we meet our obligations to the Act. All new starters (ongoing and non-ongoing) are required to sign an ‘Undertaking of Fidelity and Secrecy Form’ on their first day. The importance of it is also either explained in a handout or verbally mentioned. Once signed and witnessed by a permanent staff member, all paperwork is then send to Recruitment in NSW. ABS also employs some contractors who are not covered by the Census and Statistics Act 1905 and these contractors will not exercise any powers under the Act, so will not be involved in any data linking (or in fact any other data related) activities. These contractors may be employed for facilities management purposes, e.g. cleaning. These contractors are covered by having a Police check, a Compliance with Laws and Guidelines Form and Deed of Confidentiality.
|VI(d) What mechanisms are in place to engage with stakeholders to maximise the usefulness of the data holdings? |
|The ABS determines future priorities by consulting and planning with users of statistics. These consultations are a key input to decisions on the scope, content and frequency of statistical collections. ABS consults on the data items which are released in order to maximise usability for data users while protecting confidentiality and access mechanisms (e.g. recent consultations were held to discuss infrastructure the ABS is developing to provide safe access by researchers to integrated datasets, and other datasets, through virtual data laboratories that can be accessed from their desktops). Consultation takes place through the ABS organised statistics user groups; direct discussion with Australian, State, Territory and local government agencies, academics, industry bodies, non-government and community organisations etc.; and the release of information or discussion papers inviting comment. |
The ABS has around 60 user groups which it calls on for advice. These are listed in Appendix 2 (pages 203-204) in the ABS 2009-10 Annual Report.
The ABS Act established the Australian Statistics Advisory Council (ASAC). The functions of ASAC are to advise the Minister and the Statistician in relation to:
(a) the improvement, extension and coordination of statistical services provided for public purposes in Australia
(b) annual and longer-term priorities and programs of work that should be adopted in relation to major aspects of the provision of those statistical services, and
(c) any other matters relating generally to those statistical services.
All State and Territory Governments are represented on ASAC. The other Council members are chosen to represent a broad cross-section of perspectives, covering government, business, academic and community interests.
The ABS also communicates openly with the public (data providers) through discussion papers, newsletters and other means, such as focus groups. For example, in undertaking the Census Data Enhancement Project (which integrates Census data with other ABS and non-ABS datasets for specified statistical and research purposes) the ABS canvassed public views through focus groups and informed the public of its intentions to conduct the project and details about the project through the publication: Census Data Enhancement Project: an Update, October 2010 (ABS cat. no. 2062.0). Another example is the Business Longitudinal Database, Expanded CURF, Technical Manual (ABS cat. no. 8168.0.55.002) which provides information about linked longitudinal studies of the performance of small and medium-sized businesses over time, including how the different data sources (ABS, ATO and Customs) are linked, how confidentiality is maintained and the conditions of access to CURFs by authorised researchers.
|VI(e) How does your agency provide for valuable use of the data i.e. how does it maximise the value of data for users by providing them with access to as much data as possible while still protecting confidentiality?|
|The key performance indicators for the ABS include 'statistical output which meets the needs of key users of economic and social data'. ABS reports on its performance against this indicator (and other indicators) as part of its Annual Report (pages 103-109).|
There is a very broad range of data available free-of-charge on the ABS website including electronic publications, Census data, time series spreadsheets; and data cubes. More detailed and customised data is available in the form of cost-recovered information requests. Even more detailed data is provided in the form of Confidentialised Unit Record Files (CURFs), referred to in Criterion II.
The ABS website provides some details of published research which used ABS CURF microdata. Further, ABS website provides a list of expected and available CURFs.
As referred to in criterion II, ABS’ planned remote execution environment for microdata (REEM) facility will be designed to give users access to more detailed unit record data in a more flexible way, across a wider array of datasets including business data and longitudinal linked datasets. Currently in development, the first stage of REEM development is a Table Builder that will allow users to access detailed de-identified microdata from ABS household collections. At no time will the user be able to view the microdata and REEM will have in-built confidentiality so the tables generated comply with ABS legislative requirements regarding data confidentiality.
Criterion VII – Transparency of operation
Auditor rating against criterion VII – compliant
|VII(a) Are data retention and data disposal statements publicly available? Provide details.|
|The ABS has a data retention policy which specifies retention periods for collection forms and administrative material. The ABS does not currently publish its data retention statements on its website. However, according to the requirements of the Privacy Act, 1988 the ABS provides information about ABS data retention practices and all personal information holdings to the Office of the Australian Information Commissioner for inclusion in the Personal Information Digest (PID) which is published annually. Extracts for particular agencies are also available on request from the Office of the Australian Information Commissioner.
In the case of Census data, specific retention policies are applied to linked datasets created by linking name and address information during the Census processing period. Two statistical studies and four quality studies have been approved by the Statistician for the 2011 Census. The statistical studies are an Indigenous Mortality Project and Enhancing Australia’s Cancer Statistics Project. These projects have a specifically defined purpose and once this purpose has been met it is a requirement that all linked datasets created through these projects be destroyed. Furthermore, all Census name and address information must be deleted from all files once the Census processing period is complete. This is clearly articulated to the public in the recently released information paper Census Data Enhancement Project: An Update, October (ABS cat. no. 2062.0).
The information paper also specifies the disposal of census forms after statistical processing is completed. The ABS does not retain Census name and address information once the Census processing is completed. Once information has been extracted from Census forms (including electronic records) and coded, and the forms are no longer required for verification, editing or quality studies, they are securely stored and eventually destroyed in a secure manner in accordance with government policy. In Australian Censuses prior to 2001, forms and other name-identified records have been pulped and the hard disk drives used to store electronic forms is wiped to ensure there is no possibility of any Census data being accessed by any unauthorised person.
Following recommendations from the House of Representatives Standing Committee, the Government decided that for the 2001 Census all people would be given the option of having their name-identified responses retained for 99 years (census Time Capsule). After 99 years, the name-identified data will be made public for future generations. This option was also available in the 2006 Census and will be available in all future Censuses. This information is only retained for those people who explicitly give their consent. After the information is transferred on microfilm to the National Archives of Australia and statistical processing is completed, the ABS destroys all paper and eCensus forms including the computer images of those forms.
| VII(b) Are details of governance arrangements publicly available? Provide details.|
|The ABS Corporate Governance is stated within the ABS Annual Report, available on the ABS website. The ABS corporate governance arrangements ensure transparency in decision making, operation and accountability by promoting strong leadership, sound management and effective planning and review. The major senior management committees are as follows:
- ABS Management Meetings
- Executive Leadership Group Meetings (ELG)
- Senior Management Group Meetings (SMG)
- Protective Security Management Committee
- Audit Committee.
The ABS is currently engaged in only a small number of integration projects. It does not currently explicitly publish governance arrangements however, details of projects are published in information papers, for example, the Information Paper - Census Data Enhancement Project: An Update, October 2010 (cat. no. 2062.0). While the projects are subject to scrutiny by a Steering Committee and Senior ABS Executive, ultimately, the Australian Statistician decides whether or not a specific project will proceed and this element of the project governance is articulated in the information paper
|VII(c) Where are details of data integration projects published?|
|Details of ABS data integration projects are available on the ABS website, and are highlighted in multiple publications (e.g. ABS Annual Report, ABS forward work program, statements of intent and information papers) and newsletters in order to make people aware of the projects. The main mechanism the ABS currently uses to inform the public about data integration projects is via information papers and updates, for example, the Information Paper - Census Data Enhancement Project: An Update, October 2010 (cat. no. 2062.0), provides details of all the key projects which are encompassed by the Census Data Enhancement Project.|
Information about recent ABS data integration work was highlighted in a special article on 'Developments in data integration' in the 2009-10 ABS Annual Report (pages 18-24).
|VII(d) What other relevant material is published? Examples include data protocols such as microdata access protocols, confidentiality protocols, protocols for linking and protecting privacy; and data integration manuals.|
|ABS publishes general information on the ABS web site on how confidentiality is maintained.
While particular details about security and disclosure protection methods are not able to be divulged because it would undermine their effectiveness, the ABS is open about the way it goes about its business. It strives to maintain the confidence in the organisation held by independent guardians of the public interest (such as the Privacy Commissioner) and key stakeholders by discussing its methods and potentially sensitive areas of privacy. As part of its Annual Report, ABS reports on how it is meeting its key performance indicator of an objective statistical service as demonstrated by a transparent statistical process. See pages 97 and 98 for the report on how ABS ensured a transparent statistical process in 2009-10.
The ABS publishes information on its website regarding microdata access protocols and how to access the ABS Remote Access Data Laboratory (RADL), in a series of technical manuals, for example, Technical Manual: ABS Remote Access Data Laboratory (RADL) User Guide (ABS cat. no. 1406.0.55.002). All CURF users are required to read and abide by the instructions in the ABS publication Technical Manual: Responsible Access to CURFs Training Manual (ABS cat. no. 1406.0.55.003). Researchers and the head of their organisation must provide signed undertakings to protect the privacy and confidentiality of data.
The ABS is currently compiling a Data Integration Manual that will detail procedures on how the ABS manages data integration projects.
Criterion VIII – Existence of an appropriate governance and institutional framework
Auditor rating against criterion VIII – compliant
|VIII(a) What are the institutional and project-specific governance arrangements for data integration? (Provide attachment or link to where published.) |
|The ABS does not explicitly publish governance arrangements specifically for its data linking projects. However, ABS project governance protocols apply to all data linking projects. A Project Manager and Project team undertake the day-to-day administration of the projects and a Steering Committee comprising senior managers oversights the strategic management of the projects. Significant decisions relating to data integration are deferred to the Executive Leadership Group with ultimate determination resting with the Australian Statistician.|
|VIII(b) What framework is in place to conduct investigations and handle complaints?|
|The ABS has a number of strategies for supporting feedback. Feedback mechanisms include:|
- ABS Complaints Review Officer
- ABS website
- ABS contact details including phone numbers
- Client service staff – in relation to ABS products
- Provider contact staff – regarding business survey related inquiries and complaints
- ABS Privacy Officer
- Australian Privacy Commissioner Commonwealth Ombudsman
These feedback mechanisms operate also for data integration projects. In addition, queries and complaints arising during the Census in relation to the data integration projects will in the first instance be directed to the Census query service and if they are unable to provide sufficient information, the person will be put in touch with a senior officer involved in the Project (Assistant Statistician or Director level).
Every complaint will receive a response either in writing or by telephone contact.