Census and Data Protection

My significant other has acted as an enumerator for the Irish Census of Population in the past, and has applied to do it again.

Every census season, I see lots of ill-informed comment about the nature of the census, what the data can or will be used for, and who it will be shared with. This ill-informed comment actually highlights the importance of trust in government in the obtaining of personal data, something which the former Chairman of one of my company’s clients (a very large Government agency) was obsessed with – loss of trust was directly linked in their mind to a loss of their ability to conduct their agency’s primary function, which is a very important one.

So, what is the legal position regarding data provided in the Census?

  1. Data that is obtained for a statistical purpose (i.e. obtained for a purpose under the Statistics Act 1993) is subject to a specific exemption under the Data Protection Acts 1988 and 2003.
  2. However, that exemption is justified largely by reason of the fact that it is prohibited under the Statistics Act 1993 to use the data obtained under that Act for any purpose other than “statistical compilation and analysis purposes” (section 32), and that to disclose data obtained under the Statistics Act which may be related to an identifiable individual without their consent (or the consent of their representative if they are deceased) is an offence under Section 33, except under specific circumstances, pretty much all of which relate to the operation of the function of the Central Statistics Office.
    • For the purposes of prosecuting an offence under the Act (you need to be able to identify the records that were the subject of the offence to prosecute the offence, so s33(1)(a) allows for them to be disclosed for that purpose
    • For the purposes of actually doing the statistical analysis functions of “officers of statistics” so that data can be aggregated and reported on (you need to have access to raw data to do the analysis and aggregation, so this is an obvious use of the data that has a very clear statistical basis)
    • For processing data for the purposes of the CSO in a form and manner governed by a contract in writing. This covers the use of 3rd party analysis tools or services or data enrichment, but ONLY for the purposes of the CSO, which is ONLY concerned with the publication of AGGREGATED statistical analysis.
  3. These restrictions do not apply to census data over 100 years old. However, the Data Protection Acts would still apply to data relating to any living individual in that data. Statistically, that is currently a small population and reasonably easy to check, and with a low probability of impact on fundamental rights for any disclosure. But as the life span of population increases, this would need to be kept under review.
  4. It is arguable that, should the CSO provide raw data to other government Departments for matching against their databases to append data for the CSO’s purposes, the recent CJEU ruling in Bara  would require them to disclose the fact of providing data to such Departments, but the Statistics Act 1993 would prevent those departments from making use of the CSO data for their own purposes (but this would likely need to be flagged by the “other side” of such a data enrichment process along the lines of “We get data from CSO and append information to it for statistical purposes but do not retain any CSO data at any time“).
  5. Regarding the actual census forms themselves, there is a very clear requirement under Section 42 of the Statistics Act 1993 that any records held by “officers of statistics” (which includes enumerators) be kept safe and secure “in such manner as to ensure that unauthorised persons will not have access thereto “, and that non-return of records constitutes an offence. Of course, the penalties on summary conviction (a prosecution taken by the Director General of the CSO, not the DPC) are pretty paltry (up to €1000 per offence), so might not be a sufficiently dissuasive penalty under the forthcoming General Data Protection Regulation.

It’s important to note that breaches of data security or misuse of statistical data are prosecuted not by the DPC but by the Director General of the CSO. To my mind this is not ideal, but reflects the fact that the Data Protection Acts didn’t cover paper records in 1993 as this only became a function of the DPA under the 2003 Act (enacting the 1995 Directive). It does, however, make clear that there are offences, sanctions, and a prosecuting body for breaches of the 1993 Act.

But of course, none of this will placate the tinfoil hat brigade who act on the default setting that any data you give to the Government is shared willy-nilly.  This highlights the importance of proactive data protection controls and data privacy considerations on the part of Government agencies and the legislature.

While it is tempting to build ‘databases o’ the people’, every instance of non-transparent and inadequately controlled sharing of data creates a threat to trust. When trust expires, key data simply becomes unavailable or unreliable as people cease to provide it or provide misleading information (which is an offence under the Statistics Act). Trust is fragile and ‘mushroom management’ approaches and “bit of an oul’ law” fig leaves are no longer sustainable when the tinfoil hat can be a fashion trend before the facts and truth of a process has its boots on (to mangle Churchill).

So: Census data is very strongly protected (albeit with sanctions that could and should be higher), and it is census data that underpins the priorities in government strategy, investment, and expenditure. It’s important for people to fill out the census accurately so that accurate data drives appropriate strategic decisions in Government.

However, Government needs to realise the impact that damaged trust in public sector data management and respect for data protection has on the willingness of people to trust the government with large amounts of data in the form of  a census. From POD to Health Identifiers to Irish Water there is a litany of error and misstep. Trust is fragile. Government needs to learn how not to step on it, or get used to tinfoil hat fashion shows and policy decisions grounded on statistical quicksand.

One route to restoring trust would be for our independent Data Protection regulator to regulate independently and take decisive action against public sector organisations that breach the Data Protection Acts. Enforcing the law is a key step towards ensuring that people trust the law will be enforced.