MADIP Privacy Impact Assessment

Privacy Impact Assessments (PIA) are an important part of the governance and accountability framework for the Multi-Agency Data Integration Project (MADIP) and help identify and manage the privacy impacts of the project.

From June to November 2019, the ABS conducted an update to the 2018 MADIP PIA on behalf of the MADIP Board. External privacy advisors Maddocks were engaged to provide independent review, advice, and assurance for the PIA process and report.

The updated MADIP PIA is published on the ABS Privacy Impact Assessments page, along with a response to the PIA from the MADIP Board and the independent assurance report from Maddocks.

The PIA acknowledged the privacy by design approach to MADIP operations and the strong framework of protections that preserve privacy and ensure data security. It made five recommendations to improve compliance with the Australian Privacy Principles and several suggestions towards modelling privacy best practice across the public service data community.

MADIP is an evolving project. Since the publication of the previous PIA in April 2018, more data of the same broad type has been linked to MADIP and there have been developments in project governance, infrastructure, access, transparency and data use.

The MADIP PIA was updated to formally consider these developments in the project and to prepare for the inclusion of some new types of data in MADIP.

Consultation was an essential part of conducting the PIA Update, and was an opportunity to inform stakeholders about MADIP and its development and to hear stakeholder views on MADIP and its privacy management arrangements.

The ABS held consultation sessions with a broad range of stakeholders during August and September 2019.

The key findings from these sessions informed the update of the PIA by assisting in the identification and assessment of privacy risks and mitigation strategies.

The consultation summary report below provides a summary of the key findings and themes.

The ABS (on behalf of MADIP agencies) committed to publishing a progress report by November 2020. The implementation report below summarises the progress that has been made and next steps towards implementing compliance recommendations and best practice suggestions from the MADIP PIA Update.

Publishing this implementation report demonstrates the MADIP Board’s commitment to managing the project’s privacy impacts. The MADIP Board will continue to take a privacy by design approach for MADIP and acknowledges that another PIA Update or other PIA processes will likely be necessary in the future as MADIP continues to evolve and develop.

In July 2017, the ABS (on behalf of MADIP agencies) engaged privacy advisory consultants Galexia to undertake an independent Privacy Impact Assessment (PIA) of MADIP. The PIA assessed MADIP’s compliance with the Australian Privacy Principles, to ensure all privacy risks have been identified and mitigated in preparation for the project becoming fully operational under the Data Integration Partnership for Australia (DIPA) in July 2018. The ABS conducted an update to the MADIP PIA in 2019 - more information about this is provided in the section above.

The Galexia independent PIA was finalised in March 2018 and is published on the ABS Privacy Impact Assessments page along with the MADIP agencies’ response.

The independent PIA acknowledges there are strong measures in place to protect privacy for the MADIP, including legislative safeguards, the separation principle, and restricting the use of data to research and statistical purposes which benefit the Australian community. The PIA also identified some areas for improvement and provides strategies for managing, minimising, or eliminating residual privacy risks.

To support the independent PIA process, the ABS held a series of targeted consultations with key stakeholders, on behalf of MADIP partner agencies. The aim of these sessions was to understand stakeholder views on key data integration issues, and contribute to building community trust and understanding of MADIP as the project develops.

The consultations also provided an opportunity for privacy and advocacy groups, government, academics, and civil society groups to raise any issues or concerns about the project, and discuss the benefits of data integration and future development of MADIP.

The feedback received during these consultations was provided to Galexia to further inform the independent PIA and direction of MADIP. This consultation process also forms part of ongoing consultations held with community stakeholders about the work of the ABS.

What was the focus of the consultation meetings?

As part of the discussion, the ABS sought comments from stakeholders on three core issues, for each of which stakeholders were asked about their concerns, what could be done to minimise those concerns, and what benefits they perceived from existing arrangements:

1. MADIP data security and protection of privacy
2. The benefits and possible risks of combining key national public sector datasets
3. Data access arrangements and use

How were stakeholders selected for consultation?

Stakeholders were selected based on their:

• Involvement (potential or actual) in the project;
• Representativeness of key sector(s) of Australian society;
• Special interest or expertise (including privacy and security); and/or
• Prior contribution to government consultation processes.

For more information about MADIP consultations, email dipa@abs.gov.au

The ABS (on behalf of MADIP agencies) published the below implementation report to communicate progress made against the recommendations of the independent PIA since its publication in April 2018.

The MADIP agencies are committed to upholding the privacy, secrecy, and security of personal information, and to being transparent and open about the project.