The federal government’s Multi-Agency Data Integration Project has published a new privacy impact assessment.
The MADIP was established in 2015 and became fully operational in 2018. Led by the Australian Bureau of Statistics, the project brings together person-centred data from the Australian Taxation Office, the Department of Education, the Department of Health, the Department of Human Services, and the Department of Social Services, in the hope that it will be used for research.
The ABS conducted a PIA update from July to November 2019 on behalf of the MADIP board, which is made up of senior executives from the participating agencies. It also engaged privacy advisors from Maddocks in August to provide independent advice, review and assurance about the 2019 update process and report.
The latest PIA update found MADIP to be mostly compliant, ticking 10 out of the 13 Australian Privacy Principles. However, the project was found to be only partially compliant with regard to notification of the collection of personal information, and in its use or disclosure of personal information.
It was recommended the ABS continue to update its collection notices to make it clearer to individuals that their personal information may be used for data integration. It was also recommended the ABS “advocate with entities responsible with collection notices to enhance transparency about their disclosure of personal information to the ABS for MADIP by taking reasonable steps to update notices or otherwise make individuals aware of data use”. The ABS was told to continue to increase transparency about its data collection and use.
It was also recommended that MADIP data sharing documentation be updated to provide information that confirms the APP 6 authority for sharing data with the ABS.
The only area flagged as a major issue was security of personal information. The report noted:
“The ABS should commit to undertaking a 2 yearly IRAP [Information Security Registered Assessors’ Program] assessment of the MADIP operating environment as part of a regular program of audits of information security in MADIP. The ABS should finalise and implement the MADIP Data Retention and Destruction policy.”
The MADIP board agreed to all five recommendations, as well as the best practice suggestions:
“The ABS is committed to transparency about its collection and use of information for MADIP, including through collection notices. The ABS will continue to test collection notice enhancements to ensure updates to wording are improving transparency as intended.”
The ABS confirmed it would present a Data Retention and Destruction policy to the MADIP board in early 2020, with the next IRAP review also to be conducted next year.
Maddocks’ lawyers gave the PIA process a thumbs up in their assurance report, noting that the ABS had conducted “extensive consultation” with a wide range of stakeholders to inform the update, “particularly for the assessment of actual and perceived privacy risks involved in the new developments for MADIP and whether the current mitigation strategies that have been implemented for MADIP are appropriate and sufficient to address those risks”.
“The PIA update appears to provide a robust analysis of a complex ongoing project that is MADIP and provides a framework for considering privacy impacts on an ongoing basis. The recommendations and the best practice suggestions seem to us to be practical, and we consider they will assist in further enhancing data handling practices for MADIP, addressing potential privacy issues, and meeting community expectations in relation to transparency of practices associated with the handling of personal information,” the report stated.
Consultation sessions held during the update found transparency and effective communication throughout the project to be “essential for building public trust and privacy best practice”. The importance of communicating the benefits of data integration to the community was also highlighted.