MADIP Privacy Policy

Purpose

This policy outlines how personal information collected by the Australian Bureau of Statistics (ABS) or shared with the ABS by data custodian agencies will be treated as part of the Multi-Agency Data Integration Project (MADIP). 

The policy outlines what personal information is collected and shared, and how it will be used in the project, as well as how people can apply to access or correct their personal information. 

Authority to share personal information

The MADIP is a partnership among seven Australian Government agencies that brings important national datasets together securely to maximise their value for policy analysis, research, and statistical purposes. 

The agencies are the Australian Bureau of Statistics, Australian Taxation Office, and the Departments of Education, Skills and Employment, Health, Home Affairs, and Social Services, and Services Australia. 

Each agency involved in the MADIP collects personal information related to its functions or activities. This information will be disclosed to the ABS for the MADIP as authorised by law for policy analysis, research, and statistical purposes, consistent with the Privacy Act 1988. Each agency will assess the authority and purpose for disclosure of information to the ABS prior to disclosure. For the MADIP, agencies only share information with the ABS that is necessary for approved uses such as linkage and analysis. 

The ABS conducts the MADIP in accordance with its mandate to collect, compile, analyse, and disseminate statistics established by the Australian Bureau of Statistics Act 1975 and the Census and Statistics Act 1905

The collection and use of personal information in the MADIP is consistent with legislation applying to the MADIP agencies such as the Privacy Act 1988, including the Australian Privacy Principles and the Australian Government Agencies Privacy Code 2017, as well as their own legislation. 

Visit the ABS website for more information on the data and legal authority for the MADIP. 

What personal information is used in the MADIP

The MADIP links information from a range of datasets relating to healthcare, education, government payments, personal income tax, and demographics. Only information that is necessary for an approved purpose is used (i.e. not whole datasets). 

The ABS manages all data in the MADIP consistent with processes required by law and best practice for handling personal information. 

Personal information is used to link separate datasets together to produce integrated data for analysis by authorised researchers. Personal information is stored separately from other records and is managed in accordance with the Separation Principle. Access to analytical data is controlled according to the Five Safes Framework so that analysis is only done on data which is not likely to identify a person. Information on these management practices is provided below. 

Personal information used in linkage (either in original form, or changed into an unrecognisable form to protect privacy) includes name, address, date of birth, and government identifiers. Other demographic information which does not directly identify a person (such as country of birth) may also be used to link datasets together where necessary to ensure high quality linked data. 

Information used for analysis is unidentified (see note below). Variables include age, sex, date of birth, marital status, country of birth, languages spoken, housing tenure, educational qualifications, employment information, income and financial information, and use of healthcare and government support services. 

The unidentified analytical data is used by authorised researchers to look at patterns and trends, providing a better understanding of the effectiveness of government policies, programs and services. 

For more information on data in the MADIP, visit the MADIP data and legislation webpage. Information about data linkage processes can be found in the MADIP independent Privacy Impact Assessment

Note relating to unidentified 

Information is considered ‘unidentified’ when direct identifiers such as name and address are removed or altered into an unidentifiable form, and other factors (such as combination of variables) are managed to ensure a person is not reasonably identifiable. In addition, access is controlled (see below). This is in accordance with guidance issued by the Office of the Australian Information Commissioner. 

Note relating to Census name information 

The MADIP does not use original names collected in the Census of Population and Housing, as this information has been destroyed (Census 2011) or irreversibly encoded prior to linkage in the MADIP (Census 2016). For more information on the management of Census data, see Census Privacy, Confidentiality and Security or the Census Privacy Policy

Management of and access to personal information

Access to MADIP data is only provided to authorised users for approved purposes, within highly secure environments. The ABS manages all data in the MADIP in accordance with legal and best practice standards for handling personal information. 

The ABS applies the Separation Principle to store identifiable personal information separately from other information in the MADIP, and to restrict access to personal information according to function. Functional separation involves allocating each person involved in the MADIP a specific role (or function), and only providing access to information which is necessary for them to perform that role. 

A person working on the MADIP can only hold one role at a time, and no role has access to identifiable personal information (such as name and address) at the same time as other information (such as income or education level). 

The roles involved in the MADIP are librarian (prepares data for linkage), linker (links data together), assembler (creates files for analysis), and analyst (analyses linked data). There are also specific roles for people working with Census data in the MADIP: Census name manager (encodes Census names to give to the linker), and Census librarian (prepares non-name Census information for linkage). 

Only ABS officers (including officers seconded to the ABS) can perform the Census, librarian, linker, and assembler roles. 

Analysts may be officers of the ABS or other government agencies, or non-government researchers who have been approved for access under the Five Safes Framework. The approval process involves assessment of the researcher, the purpose for accessing the information, the information requested, the environment in which access will be granted, and the outputs of their research to ensure that these circumstances meet confidentiality and privacy requirements. The approval process and any relevant training (such as security and confidentiality training for analysts using ABS DataLab) must be completed prior to an analyst being given access to any data. 

All individuals who undertake these roles are legally obliged to use data responsibly for approved purposes only, comply with the conditions of access, and maintain confidentiality of data. Access to and use of MADIP data are logged and monitored. 

Note relating to disclosure of personal information to overseas recipients 

Personal information in the MADIP is not disclosed to overseas recipients. 

International researchers may apply to become analysts of MADIP data. If approved under the Five Safes Framework, access would only be given to data without direct identifiers which is not likely to identify a person. 

Confidentiality

The ABS will not disclose personal information in a way that is likely to enable a person to be identified. 

The information that the ABS collects from individuals and agencies for the MADIP is covered by the secrecy provisions of the Census and Statistics Act 1905. These provisions legally bind all ABS officers (including temporary employees) to protect personal information, and attract strong penalties for breach. 

It is an offence for any past or present ABS officer to divulge, either directly or indirectly, any information collected under the Census and Statistics Act 1905 unless authorised by law. The Act provides for heavy penalties (fines of up to $33,000 or imprisonment for up to 2 years, or both) for anybody convicted of breaching this obligation. 

All users accessing MADIP data (whether ABS officers or otherwise) sign undertakings to use data responsibly, which includes not seeking to identify a person or release identifiable information. 

Security, retention, and destruction of information

Privacy and security of personal information in the MADIP is maintained through strong legislative protections and best practice data management. All personal information in the MADIP is collected and stored securely by the ABS. Electronic and paper records containing personal information are protected in accordance with the Australian Government Protective Security Policy Framework. 

In the unlikely event of unauthorised access to, loss or disclosure of personal information, the MADIP agencies will abide by the scheme for notifiable data breaches established by the Privacy Act 1988. 

In accordance with the Australian Government records management regime, personal information in the MADIP is destroyed or deleted when no longer required. For more information, see the Administrative Functions Disposal Authority AFDA and ABS records authorities (2001/00000540 and 2007/00105946). 

All information in the MADIP is retained by the ABS while there is a business need to do so. Both the source data that was used to combine datasets and the data that is used for analysis need to be retained in order to maintain and update the integrated data. The need for retention is reviewed annually for the project. This is consistent with the Privacy Act 1988. 

Accessing and correcting personal information

Under the Privacy Act 1988, agencies that collect your personal information may permit you to access or correct it, where it is reasonable and practicable for them to do so. 

You can apply to access or correct your information held by the agency which originally collected it, however it may not be possible for the ABS to correct or provide you with access to information that has been collected as part of the Census or which has been integrated with other datasets in the MADIP. This is because data collected under the Census and Statistics Act 1905 is subject to legal exemptions (within that Act, and also under the Freedom of Information Act 1982) to protect the confidentiality of personal information. It is also important to note that personal information such as names and addresses are removed when combined with other datasets as part of the data integration process, which makes it unlikely the ABS would be able to locate your information in the MADIP to update or correct. 

Any enquiries about accessing or correcting personal information in the MADIP should be directed to the ABS Privacy Officer by emailing privacy@abs.gov.au or by calling (02) 6252 7203. Mail can be directed to: 

Privacy Officer
Policy and Legislation Section
Australian Bureau of Statistics
Locked Bag 10
Belconnen ACT 2617

Making a privacy complaint

If you think we may have breached your privacy rights or our privacy responsibilities in relation to the MADIP, a complaint should first be made to the ABS Privacy Officer using the details provided above. 

If you are not satisfied with how the ABS Privacy Officer handles your complaint, or the outcome reached, you may refer your complaint to the Office of the Australian Information Commissioner

Availability of this policy

If you wish to access this policy in an alternative format (e.g. hard copy), please contact the ABS Privacy Officer using the details provided above.

More information

Contact us

For more information about the MADIP, email data.integration.privacy@abs.gov.au. For other enquiries, please contact the ABS National Information Referral Service by telephone on 1300 135 070.

Back to top of the page