MADIP Privacy Impact Assessment

The ABS and the MADIP Board are committed to upholding the privacy, confidentiality and security of information in the Multi-Agency Data Integration Project (MADIP). The ABS continually assesses MADIP operations for potential privacy impacts and will continue to take a privacy by design approach for MADIP.

Privacy Impact Assessments (PIAs) are an important part of the governance and accountability framework for MADIP. PIAs help identify and manage the privacy impacts of MADIP.

The ABS is trusted as the Accredited Integrating Authority for MADIP. We lead, publish, and implement recommendations for MADIP PIAs on behalf of the MADIP Board. The ABS generally conduct updates to the MADIP PIA every two years to assess and minimise privacy risks of MADIP.

History of MADIP Privacy Impact Assessments

MADIP continues to evolve in response to an increasing demand for integrated data to fill crucial information gaps about our community. MADIP PIAs reflect the evolution of MADIP data and uses and are consistent with privacy best practice in Australia.

Since MADIP was established, the ABS has undertaken several PIAs that have been published on the ABS website. The original MADIP PIA was completed in March 2018 by privacy consultant Galexia. The ABS conducted an update to build upon the original PIA in November 2019. The 2019 MADIP PIA Update was quality assured by privacy consultant Maddocks. Several project specific PIAs involving MADIP data were also conducted following the 2019 MADIP PIA Update.

A second MADIP PIA update was undertaken by Maddocks in 2022 to build upon the previous MADIP PIAs.

MADIP privacy processes over time

The following MADIP PIAs and related privacy processes have been completed since MADIP became operational. Items marked with an asterix (*) are project specific PIAs involving MADIP. You can find out more about the MADIP PIAs and project specific PIAs from the reports published to the ABS Privacy Impact Assessments web page.

2022

2022 MADIP PIA Update, June 2022
2022 Response by MADIP Board, June 2022
Supplementary Consultation: Private sector health data, October 2022

2021

Australian Immunisation Register (AIR) Data Integration, August 2021 *
National Health Measures Study, December 2021 *
NSW Their Futures Matter, December 2021 *

2020

Weekly Payroll Jobs & Wages, July 2020 *
Jobs Related Data Integration, September 2020 *
MADIP PIA Implementation Report, November 2020
- 12-month implementation report for the 2019 MADIP PIA Update
NSW Cancer Research, November 2020 *
National Study of Mental Health and Wellbeing, December 2020 *

2019

MADIP PIA Implementation Report, April 2019
- 12-month implementation report for the 2018 MADIP PIA
2019 MADIP PIA Update, November 2019
2019 Response by MADIP Board, November 2019

2018

2018 MADIP PIA, April 2018
2018 Response by MADIP agencies, April 2018
National Health Survey PIA, August 2018 *

2022 MADIP Privacy Impact Assessment update

The MADIP PIA was updated in 2022 to consolidate the findings from PIA processes undertaken since the 2019 MADIP PIA Update and to consider planned changes or updates to MADIP. The ABS engaged independent privacy consultant Maddocks, on behalf of the MADIP Board, to conduct the 2022 MADIP PIA update.

Maddocks found that:

MADIP continues to be compliant with the Privacy Act 1988 and the Australian Privacy Principles (APPs) and
existing mitigation strategies were sufficient to address privacy risks.

Maddocks made six recommendations to advance privacy best practice and enhance compliance with the APPss.

Targeted stakeholder consultation

Consultation is a valuable part of conducting a PIA. The ABS and Maddocks held targeted stakeholder consultation sessions during February 2022 to inform the PIA. Consultation aimed to inform stakeholders about MADIP, including its current privacy practices and protections, and identify and discuss stakeholder views on potential changes to MADIP.

Participating stakeholders included the Office of the Australian Information Commissioner (OAIC), Commonwealth and State Government agencies, State and Territory privacy regulators, universities and research institutions, Aboriginal and Torres Strait Islander stakeholder groups, peak bodies, privacy advocates and consumer advocates.

The MADIP Board and the ABS thank stakeholders for their significant contributions to the 2022 PIA Update. You can find out more about the consultation process and stakeholder views in the Consultation Report.

Implementation progress

The MADIP Board has agreed with all the recommendations from the 2022 PIA Update. The MADIP Board Response provides a summary of recommendations together with how the recommendations will be implemented.

The 2022 PIA Update recommendations focus on actions to advance privacy best practice and enhance existing governance processes. The ABS is working with the MADIP Board to implement these recommendations over a 12-month timeframe to June 2023. The ABS will publish an implementation report in the latter half of 2023.

In October 2022, the ABS considered a proposal to link a new type of data in MADIP. In line with the recommendations from the 2022 PIA Update, the ABS:

provided notice to the public on the ABS website
sought views from stakeholders
published the decision to link the new type of data, and reasons for that decision.

More information about current and past proposals to include new types of data in MADIP can be found on the MADIP data and legislation web page.

Further information

You can find out more about the 2022 MADIP PIA Update from the reports published to the ABS Privacy Impact Assessments web page.

2022 MADIP PIA Update
2022 MADIP PIA Update - Consultation Report
2022 MADIP PIA Update - MADIP Board Response
2022 Supplementary Consultation Report: Private sector health data

Previous MADIP Privacy Impact Assessments

2019 MADIP Privacy Impact Assessment update

From June to November 2019, the ABS conducted an update to the 2018 MADIP PIA on behalf of the MADIP Board. External privacy advisors Maddocks were engaged to provide independent review, advice, and assurance for the PIA process and report.

The PIA acknowledged the privacy by design approach to MADIP operations and the strong framework of protections that preserve privacy and ensure data security. It made five recommendations to improve compliance with the APPs and several suggestions towards modelling privacy best practice across the public service data community.

Targeted stakeholder consultation

The ABS held consultation sessions with a broad range of stakeholders during August and September 2019. The consultation summary report provides a summary of the key findings and themes.

Implementation

The MADIP Board agreed and responded to the recommendations and suggestions of the 2019 MADIP PIA Update in a written response. The ABS published an implementation report summarising progress made against the recommendations in the 12 months following the publication of the 2019 MADIP Update. The implementation report also described next steps towards implementing compliance recommendations and best practice suggestions from the MADIP PIA Update.

Further information

You can find out more about the 2019 MADIP PIA Update from the reports published to the ABS Privacy Impact Assessments web page.

2019 MADIP PIA Update
2019 MADIP PIA Update - Consultation Report
2019 MADIP PIA Update - Independent Assurance Report
2019 MADIP PIA Update – MADIP Board Response
2019 MADIP PIA Update - Implementation Report November 2020

2018 MADIP Privacy Impact Assessment

In July 2017, the ABS engaged independent privacy advisory consultants Galexia to undertake a PIA of MADIP.

The PIA was finalised in March 2018 in preparation for MADIP becoming fully operational under the Data Integration Partnership for Australia (DIPA) in July 2018.

The 2018 PIA acknowledged there were strong measures in place to protect privacy for MADIP. The 2018 PIA also identified some areas for improvement and provided strategies for managing, minimising, or eliminating residual privacy risks.

Targeted stakeholder consultation

To support the 2018 PIA process, the ABS held a series of targeted consultations with key stakeholders on behalf of MADIP partner agencies. The feedback received during these consultations was provided to Galexia to further inform the 2018 PIA and direction of MADIP.

Implementation

The ABS published an implementation report to communicate progress made against the recommendations of the 2018 PIA in the 12 months following its publication in April 2018.

Further information

You can find out more about the 2018 MADIP PIA Update from the reports published to the ABS Privacy Impact Assessments web page.

2018 MADIP PIA
2018 MADIP PIA - MADIP Board Response
2018 MADIP PIA - Implementation Report November 2020

Frequently asked MADIP privacy questions

Can I be identified in MADIP?

No. MADIP information is protected by the Census and Statistics Act 1905. This ensures that no information is released in a way that is likely to enable an individual to be identified.

Only aggregate statistics - not data about individuals – are produced from MADIP.

Can MADIP be used for enforcement or compliance purposes?

No. Under the Census and Statistics Act 1905, the ABS cannot release information in a way that will identify any individual. When releasing data, the ABS has rigorous processes and protections in place to:

ensure individuals are not identified
prevent use for enforcement or compliance purposes.

MADIP data is made available to researchers under section 15 of the Census and Statistics (Information Release and Access) Determination 2018. This section does not permit direct identifiers (such as names and addresses) to be disclosed and also restricts use of the information to statistical and research purposes only. The ABS applies the principles of the internationally recognised Five Safes Framework including assessment of safe data and safe projects. Projects that seek to use data for compliance purposes would not be approved.

How are government agencies authorised to share my information to the ABS for MADIP?

Each agency involved in MADIP collects personal information related to its functions or activities. This information is disclosed to the ABS for MADIP as authorised by law for policy analysis, research and statistical purposes, consistent with the Privacy Act 1988.

For more information about the legislative authorities for agencies to share information with the ABS for MADIP, see MADIP data and legislation.

Further information

The ABS Privacy Impact Assessments web page provides a register of PIAs that have been conducted for all ABS projects, including ABS data integration projects and MADIP-related PIAs.

More information on the ABS privacy and security protections for MADIP is available on the Keeping integrated data safe web page.

More information on how the ABS handles personal information for MADIP is available on the MADIP Privacy Policy web page.

For more information about MADIP privacy processes, please contact us via data.integration.privacy@abs.gov.au.