The federal government’s Multi-Agency Data Integration Project has gone through an independent privacy impact assessment, and the six big agencies involved have agreed to 14 recommendations for improvement.
The Australian Bureau of Statistics has been combining data from the Tax Office, Human Services, Social Services, Education and Health for several years already, as consulting firm Galexia notes in the new PIA, under the banner of testing the system:
“Since 2015 MADIP has been operating as an evaluation – testing the technical capability of the Partner Agencies to share data in a way that delivers useful outputs, whilst preserving privacy. The evaluation phase is expected to draw to a close in 2018.”
This work is the “core component” of the more recently announced Data Integration Partnership for Australia and the data will be shared with approved researchers via “highly secure ABS systems” according to the project website.
Galexia’s view is that broadly speaking, the public shouldn’t be too concerned about the project, for similar reasons given by the ABS regarding its storage of Census data. The independent PIA report states:
“The analytical data that forms the main component of MADIP is held separately from personal information used for linkage purposes (including name and address information).”
It adds that the “separation of this data and method that it is managed by the ABS” means no individuals are “reasonably identifiable” for the purposes of the federal Privacy Act.
The six agencies issued a brief joint response to the PIA in which they agree to implement all of Galexia’s recommendations to eliminate “residual privacy risks” from the project, and state:
“MADIP partners are committed to upholding the privacy, secrecy and security of personal information, and to being transparent and open about the project.”
The group also provided a brief description of the testing phase that has being running since 2015:
“To date, MADIP has tested the feasibility and value of combining important national datasets to create a comprehensive picture of Australia for research and statistical purposes, including to support policy analysis, decision making, and service delivery in Australia by governments at all levels.”
The 14 recommendations are linked to the consulting firm’s assessment of how MADIP complies with the Australian Privacy Principles and categorised using the popular traffic-light system.
This shows there are seven that relate to issues in the most urgent red-light category – “action required” – and six recommendations tied to areas where MADIP is only “partially compliant” with the APPs.
Several focus on improving transparency and openness about how the project works, exactly what data is used, who it will be shared with, and how.
Another change following the PIA should aim to minimise the data that is used and shared with researchers to only what is necessary. Others involve security and governance matters.