Story 4: Security and privacy by design
Ensuring the security and privacy of Census data was vital in running the Census and maintaining the trust of the Australian public. For the 2021 Census, the ABS took a ‘security and privacy by design’ approach which permeated every level of the Census Program. All decisions on system architecture and design were made with security in mind. Security experts were involved in all major technology decisions as well as in testing and monitoring processes and systems.
Cyber security challenges have changed significantly in the last 10 years. All government agencies have experienced considerable increases in the frequency and sophistication of attempted cyber-attacks on their IT environments. Some of these realised threats have resulted in security incidents that affected the delivery of government services.
Australia’s Cyber Security Strategy 2020 outlines:
'Australians are increasingly reliant on the internet and the internet-connected devices we use daily. The digital economy is the future of Australia’s economy. Cyber security needs to be a fundamental and integrated part of everyday life, enabling Australians to reap the benefits of the internet safely and with confidence.'
The 2016 Census experience
In 2016, the online Census form was targeted on Census day by a series of cyber-attacks known as Distributed Denial of Service (DDoS) attacks. This resulted in the ABS taking down the service for 40 hours. This outage disrupted many Australians attempting to complete their Census, affected the ABS’s reputation and undermined the Australian government’s digital agenda. Three separate reviews were conducted after this outage. Many of the recommendations that came out of the reviews were about security and privacy.
‘Australia now knows that cyber security is not just about national security. Cyber security is about availability of services and confidence in government in a digital age. And the public’s confidence in the ability of government to deliver took a serious blow, more so than any previous IT failure.’ – extract from the Review of the events surrounding the 2016 Census.
The Census Digital Service and external partnerships
To ensure the security and success of the 2021 Census, the ABS worked with public and private sector experts to design and implement a completely new online platform. The Census Digital Service (CDS) was built by PwC Australia in partnership with Amazon Web Services. Our aim was to deliver a completely new, innovative, high performance and secure solution on the Amazon Cloud.
We engaged early in development with the Australian Cyber Security Centre and the Digital Transformation Agency.
The Australian Cyber Security Centre played a major role in ensuring the security of the CDS by:
- reviewing the architecture and design
- reviewing system configurations
- conducting IT source code reviews
- performing penetration testing – simulating cyber-attacks to check for weaknesses.
It also supplied extra cyber security protection and detection capabilities for other ABS IT systems. The Australian Cyber Security Centre provided a highly skilled and dedicated extension to the ABS IT Security and Security Operations Centre teams.
The CDS was developed with end-to-end data encryption. This means that no data provided by the public was unencrypted at any time, whether stored in files or in transit, keeping that data secure at all times until it reached the ABS. All services used were accredited to ‘Protected’ status by an independent security assessor accredited by the Australian Signals Directorate.
During the Collection period when the Census Digital Service was live, our processes repelled almost 1 billion attempted cyber-attacks, and we also blocked 130,000 malicious IP (network) addresses.
Although the CDS was one of the keys to the success of the 2021 Census, there were many other IT systems that supported collection, processing and dissemination for the Census.
We ran security risk assessments during the collection and processing period on more than 48 individual IT systems. We assessed many twice, once for the operational readiness exercise in October 2020 and again for the Census itself. We conducted more than 111 security risk assessments for the 2021 Census. Cyber security personnel worked closely with each of the technical teams to make sure they kept security and privacy in focus throughout the design, delivery and operation of all IT systems.
We did extensive independent testing and assurance to ensure we delivered a safe and secure Census. Specialist cyber security firms Cyconsol, North, Cyber CX and Red Wolf helped us in this work. We conducted these tests at regular intervals and in line with major system releases.
The tests included:
- nine major source code security reviews
- more than 20 large-scale penetration testing exercises against Census systems to make sure the systems and data were secure
- four DDoS tests, culminating in the ABS performing the largest DDoS test ever conducted in Australia
- many performance and load tests, up to more than double the expected peaks and for extended time periods
- 20 independent security risk assessments to cover all our Census systems. These were conducted by certified third-party assessors through the Australian Cyber Security Centre Information Security Registered Assessors Program.
Operations security monitoring
Throughout the Collection period of the Census we ran a Security Operations Centre (24 hours, seven days a week) to monitor all Census systems with real-time information and alerts of potential security issues. During Census week, we had Australian Cyber Security Centre personnel working with us onsite for security operations and potential incident response. PwC monitored the Census Digital Service alongside their third-party providers throughout the entire collection period.
2022 IPAA Spirit of Service Award for Collaboration
The ABS and Australian Signals Directorate were awarded the 2022 IPAA Spirit of Service Award for Collaboration. Our submission, ‘2021 Census Digital Service – Building trust and partnerships to achieve excellence in cyber security’, was shortlisted out of 46 nominations from across the Australian and ACT public sector.
The award recognised our achievements and significant collaboration with the Australian Cyber Security Centre and over 50 other public and private sector organisations.
In awarding us, the judges commented they were impressed by the way we had incorporated recommendations from 2016, and the robust planning and testing undertaken ahead of the 2021 Census.
Protecting people’s privacy and keeping their information secure is a key principle of the Census and the ABS. The Census and Statistics Act 1905 has provisions for protection of personal information. Under this Act, the ABS cannot release personal information in a way that can identify a person or business. This includes not releasing any personally identified data to other government agencies.
It also means that all our staff who collect, process, analyse and share Census data are legally bound to protect Census information. You can find more information about how we protect private information in the 2021 Census Privacy Statement.
Separation principle and data retention
An important aspect of our privacy position is how we collect, store and process Census data, particularly the separation of names and addresses from other personal and household information. This ‘separation principle’ makes sure no one can view a name or address with other Census data nor view names with their addresses. For this Census we will keep names for 18 months and addresses for up to three years.
Any member of a household (including a visitor) could also choose to fill in the Census form privately by asking for their own individual login number for the online form, or a separate paper form and reply-paid envelope.
Privacy impact assessments
The Australian Senate Inquiry, 2016 Census: Issues of trust, recommended the following:
4.81 The committee recommends that all future privacy impact assessments relating to the census, are conducted externally with the final report published on the ABS website 12 months in advance of the census to which it relates.
We selected independent privacy experts Galexia to conduct a privacy impact assessment for the 2021 Census. They identified and evaluated matters that could impact privacy at every stage of the Census and recommended ways to manage, minimise or remove these impacts.
IIS Partners also produced a second privacy impact assessment – the 2021 Census Administrative Data Privacy Impact Assessment. This assessment looked at privacy implications for how the ABS used information collected by other government agencies, businesses or organisations. This information, called administrative data, was used to reduce the Census costs and improve Census operations and data quality.
Both Census privacy impact assessments are published in the ABS Privacy PIA register.
The ABS engaged the privacy community throughout the lead-up to the 2021 Census. We held numerous meetings with the Australian Privacy Foundation and regular discussions and correspondence with the Office of the Australian Information Commissioner. We also met with state and territory Privacy Information Commissions. Their support reduced the concerns of the public and led to less negative press on privacy this Census. By comparison, in 2016 there was a large-scale privacy campaign centred around the ABS decision to keep names and addresses.
Privacy strategy and roles
We contracted privacy and security consultants IIS Partners in June 2018 to support our privacy work. This included guidance to help build trust and social licence for the Census. Social licence is the level of acceptance or approval that the community has for a project or organisation.
We formed a Census Privacy team in June 2018 and employed a dedicated Census privacy officer. The privacy team liaised with all Census teams to promote privacy discussions and provide privacy advice.
A separate Census Privacy Working Group was also created, including members external to the Census and the ABS. The group helped identify privacy risks, promote communication on privacy and review recommendations from the privacy impact assessments.
All staff employed on the Census attended Privacy by Design training by Salinger Privacy and completed the annual ABS privacy training. This ensured staff were aware of privacy issues as well as their privacy related responsibilities.
Census respondents can choose to have their Census information archived. For those who take this option, we will transfer Census information to the National Archives of Australia as part of the Census Time Capsule, where it will be preserved for 99 years. For the 2021 Census, this information will not be made available for any purpose until 2120 and cannot be accessed, altered or retrieved before that time. In 2021, 61% of people gave us permission to archive their response. This compares to 50% in the 2016 Census.