Response to FOI request by Paul Farrell (The Guardian)
As the Office of the Australian Information Commissioner (OAIC) has noted, the ABS has taken a precautionary or ‘pro-disclosure’ approach to notifying the OAIC of potential or suspected losses or breaches of personal information. The ABS considers this transparency crucial in maintaining high levels of trust in the Bureau’s work.
The ABS reported 14 incidents to the OAIC between June 2013 and February 2016.
The ABS’s assessment is that under the OAIC’s guidelines, 12 of the incidents did not warrant reporting. An example is a group email containing only innocuous information that was sent to stakeholders via the ‘To’ field instead of the ‘Bcc’ field. However, all incidents were investigated by the ABS and contributed to further process refinements and improvements.
The ABS has provided the 12 OAIC notifications under the Freedom of Information Act 1982; however, the remaining two notifications, dating back some years, have been withheld as they include information that would have an adverse effect on the operations of the ABS.
The OAIC is not making ongoing inquiries in relation to any of the 14 notifications.
There have been no notifications related to the Census. The Census processes for collection, storage and analysis are very well tested, secure, and operate in isolation from other ABS collections.
The ABS is confident that all 14 notifications could have been prevented by improved infrastructure, removing the need for manual processing and intervention that is currently undertaken.
The Government's $257 million five-year investment to transform the ABS will significantly improve the ABS’s ability to regulate processes and eliminate manual work-arounds necessitated by ageing infrastructure. Procurement of the new infrastructure has commenced.
Existing ICT and IT security systems will be supported while the modernisation occurs.
The ABS continually reviews its processes to strengthen data handling policies and procedures. These are subject to audit by external assessors and international peer reviews.
The ABS’s ICT, IT security and practices conform to Australian Government Standards determined by the Protective Security Policy Framework (PSPF) and the Australian Signals Directorate's Information Security Manual (ISM).