One Register to Rule Pt.2

By Bonnie Flaws

Part two of a four-part investigation by Bonnie Flaws. Read part one.

  • The Statistical Register being created by Stats NZ doesn’t appear to fit with the Privacy Principles
  • Stats NZ has certain exemptions from the Privacy Act in order to fulfil its statistical and policy functions
  • AI can easily re-identify anonymised data with a few data points, so anonymity can’t be guaranteed
  • Stats NZ would be in a position to engage in data matching (cross-referencing identifiers across databases)

A persistent ID that links data from all agencies – and beyond – does not seem to fit the Privacy Act Principles.

The Information Privacy Principles (IPPs) say agencies must not assign a unique identifier that is the same as one used by another agency unless necessary, and that the use of a persistent identifier must not lead to unintended tracking or cross-referencing beyond the intended statistical purposes. Hence we have different numbers for our passports, driver's licences and tax.

“But a Statistical Register like the one being created does just that,” says a Stats NZ insider who spoke to me on condition of anonymity.

They remain unclear about the legal basis for what Stats NZ is doing.

In light of the Manurewa Marae scandal, the Privacy Commissioner Michael Webster scolded Stats NZ and Health NZ for their roles in the mismanagement of private data. He said agencies “must be better at privacy”, and that “the protection of personal information needs to be treated as a priority”.

Yet notably, Stats NZ has not even consulted the public on the creation of its Statistical Register and Persistent Unique Identifier, a basic first step in transparency.

When I asked the Office of the Privacy Commissioner for comment, I was sent Privacy Impact Assessments for the IDI and the use of admin data in the 2018 and 2023 census.

Here is the response:

“OPC has been briefed for several years on the proposed use of administrative data by Stats NZ for statistical purposes and more recently its potential use in future Census’.

“Stats NZ continues to engage with OPC as they progress this work.

“OPC would expect Stats NZ to continue to ensure strong privacy and confidentiality protections are built into the use of administrative data for general statistical and Census purposes, including undertaking Privacy Impact Assessments.”

When I asked about PIAs for the Statistical Register and admin-first 2028 census, and whether or not this new project complied with privacy law, including the use of persistent unique identifiers, I received no further response.


Weak privacy laws and permissive data gathering powers

Whether the Data and Statistics Act 2022 grants Stats NZ specific exemptions from certain provisions of the Privacy Act 2020 to facilitate the collection and use of data for official statistics remains a matter of interpretation that has not yet been tested, according to University of Auckland Associate Professor in Commercial Law, Gehan Gunasekara.

But a general characterisation would be that New Zealand has weak privacy laws and permissive data gathering powers, he says.

The Act authorises Stats NZ to collect, use and disclose personal information in ways that might otherwise conflict with the Privacy Act's IPPs. This is because, for the most part, the IPPs do not apply to personal information that is used for statistical or research purposes and that will not be published in a form that could reasonably be expected to identify the individual concerned.

But Gunasekara, who specialises in information privacy, says this is where technological developments are increasingly putting strain on the privacy principle of protecting anonymity.

Anonymisation can be hacked

Gunasekara says Stats NZ having a persistent real time record of every person is a concern for a number of reasons.

“They have got a lot of powers under the Act. They can source data from public sector agencies very widely, but it’s not clear to me that that allows them to engage in data matching as it were. Sourcing data is one thing, building an integrated system where you can exchange information both ways and match it [is another].”

What is called demographic data or microdata is meant to be anonymised, but Gunasekara says generative AI and large language models mean that there can be no guarantee of anonymisation.

“There are a lot of studies that show that anonymisation is not what it’s meant to be. You can easily reverse that with large language models, and generative AI can easily go through a very large data set and find the links between the various data points and then identify people.

“It can also make mistakes. So I’m not saying this is a perfect science and the generative stuff that is available to you and [me] is pretty basic. But there are paid models and people who have developed their own, and they are far more effective. And most companies would have access to those kind of platforms. You could crack open an anonymised data set quite easily – so that is not really an assurance.”

In one example from 2019, re-identification techniques developed by Imperial College London and the University of Louvain were used by journalists at the New York Times to reveal Donald Trump’s tax returns from the 80s and 90s.

These use cases explain why Stats NZ wants every citizen to have a permanent unique identifier. However, Gehan Gunasekara says once you have tracking at this level it is easy to identify individuals.

“But it seems they are going a bit further with this persistent unique identifier because I don’t see what the point of that is unless you want to identify somebody or to know it’s the same person – even if you don’t know their name or exact identity. What purpose does that serve? That is what I am not quite clear about.”

Another issue Gunasekara foresees is a weakening of the privacy principle that data should not be kept for longer than necessary. He says New Zealand is already weak in terms of getting rid of data, and most jurisdictions have this problem.

“Once you get a system like what Stats is developing, there will be more pressure on people not to delete data because it could be useful. They will say ‘we will anonymise it, we can hash it’, but that is a cop-out because you can reassemble it.”

Manurewa Marae and data privacy breaches

Gunasekara says the lessons of Manurewa Marae are already very clear. With such permissive data collection and data sharing laws, abuses can happen.

In the context of the 2023 census, the marae was empowered to collect information and also likely given information to facilitate this – but in all cases where people are given information or authorised to collect it for Stats NZ, they are required to give confidentiality guarantees before doing so. These obligations weren’t followed.

“Section 42 of the Data & Statistics Act says that anyone who is delegated to collect or handle information needs to complete a confidentiality certificate. That was not done.”

This certificate requires individuals to acknowledge and commit to maintaining the confidentiality of data they handle, and it must be done prior to commencing any duties.

He says the breaches raise questions about competence and whether oversight is up to par, especially now that Stats NZ is developing a Statistical Register capable of large-scale data matching.

“If you are going gung-ho and developing more types of information sharing and exchanges then the question is, are there commensurate safeguards?”

Data matching

Data matching is allowed under the Privacy Act for specific purposes and with certain safeguards, and is likely not a breach of the Data & Statistics legislation on a “modern interpretation of the functions of Stats NZ – public use and benefit and collection of data”, he says.

“This can probably be said to include matching and comparing datasets. My concern is there needs to be more transparency around it and social license and also oversight by Privacy Commissioner, which would be the case if information sharing occurred under the parallel Privacy Act provisions.

“Given the failures of the past, there needs to be extra effort put into transparency and social license, to show what value is going to be derived. And what commensurate privacy safeguards are going to be put in place, because when you start to hear things like ‘persistent unique identifier,’ people start to wonder.”

So far, my anonymous source and an expert in privacy law are both unclear about the legality of this activity by Stats NZ, and the OPC has not helped to illuminate the situation.

At a minimum I think we can say the situation is murky.

Follow-up questions were put to Stats NZ, but they are now treating it as an OIA request and were not able to respond in time for publication. I will update readers with any response I receive in due course.

Part three will be published on Sunday April 20.

Originally published on Byline Babylon.

4 Comments

  1. tony coppard April 19, 2025 at 9:55 am

    What about the sneaky “smart meter” that gathers info back to the power companies for resale to data banks? We were never asked for permission to install these, so privacy is gone just like the Chorus bulldozer leaving no choice to retain a safe copper network!

  2. Rob Clemens April 19, 2025 at 5:07 pm

    Not to mention Ardern’s signing a White Paper with World Economic Forum called ‘Reimaging Regulation for the Age of AI – a New Zealand White Paper June 2020’.
    We are not only compromised here but also Big Brother Google deeply immersed throughout our Education system, our banking system and our personal devices.

  3. Rod April 19, 2025 at 6:16 pm

    Unfortunately the attitude of many Kiwis is, if you have done nothing wrong then you have nothing to worry about. That thinking has got to change; govt agencies collating personal info and sharing it with others is not about catching the bad guys but knowing everything a person does in their life 24/7. Liberal democracy and personal freedoms are not about that.

  4. Simon April 20, 2025 at 4:08 pm

    The Privacy Act, along with the Electricity Authority’s Industry Participation Code, sets out the rules about how data can be shared.

    The meter company shares your smart meter data with your power company, for billing purposes.

    Data in your smart meter doesn’t include your name and address, and the data sent to your power company is encrypted so that your consumption information is secure.

    Smart meter data may also be shared with electricity regulators, technicians and distributors so the lights are kept on at your house. But no one else can get access to your meter data without your permission.

    Each power retailer states what they can do with smart meter data in their privacy policy and terms and conditions.

    2. Can my smart meter data be used by the Police or government agencies?
    Yes. The Privacy Act allows the Police and government agencies to request information from power retailers if the agency is investigating an offence.

    The power retailer can say no, and insist the agency get a ‘production order’ (which is like a search warrant) to do so.

    The same rules apply for analogue meters, too.