Following #CensusFail
2016 Prime Minister Malcolm
Turnbull ordered a review of events by Cybersecurity Special Advisor, Alastair MacGibbon.
In what the
media is characterising as an
excoriating report, a mirror was held up to the Australian Bureau of Statistics – sadly one that it is unlikely to
avail itself of given its current leadership.
DPM&C, Office
of the Cybersecurity Special Advisor, Review
of the Events Surrounding the 2016 eCensus (October 2016):
Not just communications,
but engagement…
In most respects, the
ABS had a well formed and prepared communications strategy and awareness raising
campaign; but it was focussed on the wrong things. The communications problem
they needed to address was not a low level of awareness of the Census, but
rather, the introduction of a ‘digital first’ approach and the associated
barriers to participation – concerns over security and
privacy.
The ABS failed to adapt
its media and communications in response to the public relations storm that built
up in the weeks prior to the Census regarding privacy and security in both
mainstream and social media. Instead, ABS rigidly stuck to its plans, forgoing
crucial opportunities to influence and drive the conversation around the
Census. Processes for approval of campaigns, and changes to them, may need to
be changed to promote agility.
On Census night, the ABS
severely underutilised social media as a communications tool to keep the public
up to date and informed of the incident. The ABS’s lack of timely and
transparent
communications lost it
trust because it opened the door to speculation. The continued slow updates and
virtual absence from the media meant that ABS struggled to win back the trust
of the public in the following days. Ministers must also be supported with
clear and accurate advice, and senior executives must be equipped to understand
and talk about cyber security as a matter of business
risk……
Reacting to public
sentiment
…..The ABS announced
public consultation regarding privacy via a media release issued on its
website, with a submission period of only four weeks – 11 November to 2
December 2015 (just before Christmas).
The ABS received only
three public submissions. Not only should this low response rate have indicated
to the ABS that its public engagement on the key issue of privacy was
inadequate, it also left a huge vacuum with regard to capturing public
concerns. So the ABS missed an opportunity to identify how to evolve its
communication plans developed following qualitative research in 2014 to address
more up to date concerns.
As a result, the ABS was
ill-equipped to manage the impact changes in the Census would have on a small
but important segment of the population and their willingness to complete the
eCensus online.
In January 2016, seven
months out from the Census, the first articles raising concerns about privacy
and security of data appeared in the media. More substantial rumblings began in
March, with two main themes emerging:
•
That the Census was intrusive and no longer anonymous
•
The Census was vulnerable to hackers.
The ABS prides itself on
the constant measuring of public sentiment and awareness using traditional
survey techniques (see Figure 4, page 53). The Review concludes that these
surveys contributed to a false sense of security and failure – still at time of
writing – to grasp the significance and power of social media groundswells.
Major shifts in public
statements regarding the security of the Census began the week prior to Census
night, culminating in Senator Nick Xenophon and several other parliamentarians
issuing warnings about security and privacy concerns and apparent
implementation problems leading to a ‘debacle.’
Prior to the closure of
the eCensus form, over 11,000 individual mentions (social and mainstream media)
were published voicing concerns about the privacy and security of the eCensus.
The closure of the eCensus resulted in 17,730 privacy related mentions, far
outweighing mentions (1,200 total) of the technical issues experienced – i.e.
what happened (see Figure 4).
This coverage created
overwhelming ‘noise’ making it difficult for the ABS to remain on message.
The ABS’s planned
communications were being drowned out. But rather than trying to adapt its
approach to limit the impact the reporting had on the public sentiment toward
the Census, the ABS stuck to planned messaging ignoring the public relations
storm brewing around them.
The failings of the ABS
to address issues of concern in the media extend to its use of social media.
Analysis conducted on ABS Twitter and Facebook accounts shows that at no point
did the ABS significantly change its planned posting schedule or content as a
result of critical media reporting (shown in Figure 5, page 54) and of
considerable online chatter around privacy (Figure 4). The ABS did change its
social media advertising as well as engage posters directly on social media.
But this was not enough.
The ABS’s virtual
absence from the privacy and security debate is reflected in its social media
crisis escalation matrix – the process designed to monitor, escalate and handle social conversations. The matrix
had two main flaws:
1.
The ABS’s ‘qualifiers’ (thresholds that had to be met to raise concern) were
too high. A ‘red level scenario,’ the highest categorisation for negative
conversation, was enacted only if someone had 10,000 plus followers or a post
had over 30 engagements.
2.
The ABS’s response/action for a ‘red scenario’ was to hold all social media
communications.
The ABS’s social media
strategy was too restrictive and didn’t allow enough flexibility to respond to
changing trends in media and social media. As a result, the ABS missed crucial
opportunities to inform the conversation around privacy and security and the
benefits of the digital first approach.
When public discourse
was rising on the issues, the ABS should have been on the front foot addressing
these concerns. Key spokespeople should have been conducting interviews,
issuing media releases and engaging on social media to drive the conversation
and shape the debate.
While the ABS did
eventually start engaging in the mainstream media, it was too little, too late.
And on the whole the ABS steadfastly stuck to its communications plans,
allowing the media, and subsequently the public, to take the lead role. The ABS
failed to insert itself in the conversation and underutilised mainstream and
social media as a vehicle to shape the debate around the benefits of a digital
first approach.
Recommendations for the Australian Bureau of Statistics
•
The ABS should engage an independent security consultant for a wide-ranging
examination of all aspects of their information collection and storage relating
to Census data – from web application through to infrastructure and policies
and procedures.
•
The ABS should ensure future significant changes to personal information
handling practices are subject to an independently-conducted privacy impact
assessment and are supported by broad ranging consultation.
• The ABS should adopt a privacy management
plan to enhance its capability to identify and manage new privacy issues.
•
The ABS should assess and enhance existing ABS privacy training for staff.
•
The ABS should develop a specific strategy to remove the current state of
vendor lock-in.
•
The ABS should strengthen its approach to outsourced ICT supplier
performance management to ensure greater oversight and accountability.
•
The ABS should draw upon the lessons it takes from the Census
experience to help to guide and to advocate for the cultural change path it is
following.
•
The ABS’s decision in August to assemble an independent panel to provide
assurance and transparency of Census quality is supported and the
resulting report should be made public.
•The
ABS should implement a targeted communication strategy to address public
perceptions about Census data quality.
The
ABS should report monthly to their Minister outlining progress against the
above recommendations
Also following
#CensusFail the Australian Senate Standing Committees on Economics
conducted an inquiry into the preparation, administration and management of the
2016 Census by the Australian Bureau of Statistics.
Its final
report 2016
Census: issues of trust made these recommendations:
Recommendation 1
4.81 The committee recommends that all
future Privacy Impact Assessments
relating to the census, are conducted
externally with the final report published on
the ABS website 12 months in advance
of the census to which it relates.
4.82 Following the release of a PIA
recommending changes to future censuses,
consultation across the Australian
community should be undertaken by the ABS
with the outcomes clearly documented
on the ABS website no less than six
months before a future census.
Recommendation 2
4.83 The committee recommends that the ABS
update its internal guidelines to
make clear that consultation requires
active engagement with the nongovernment
and private sector.
Recommendation 3
5.46 The committee recommends that the ABS
publicly commit to reporting
any breach of census related data to
the Office of the Australian Information
Commissioner within one week of
becoming aware of the breach.
Recommendation 4
6.89 The committee recommends that the
Australian Government commit the
necessary funding for the 2021 census
in the 2017–18 Budget.
Recommendation 5
6.90 The committee recommends that the ABS
conduct open tendering
processes for future census solutions
requiring the participation of the private
sector.
Recommendation 6
6.91 The committee recommends that the ABS
give greater attention to
intellectual property provisions in
contracts that include licensing and royalty
arrangements.
Recommendation 7
6.92 The committee recommends that the 2021
eCensus application be subject
to an Information Security Registered
Assessors Program Assessment.
Recommendation 8
6.93 The committee recommends that the ABS
take a more proactive role in
validating the resilience of the
eCensus application for the 2021 census.
Recommendation 9
6.94 The committee recommends that the
Department of Finance review its
ICT Investment Approval Process to
ensure that projects such as the
2016 Census are covered by the cabinet
two-pass process.
Recommendation 10
6.95 The committee recommends that the
Australian Government provide
portfolio stability for the ABS.
Recommendation 11
6.96 The committee recommends responsible
ministers seek six-monthly
briefings on the progress of census
preparations. These briefings should cover
issues including, but not limited to,
cyber security, system redundancy,
procurement processes and the capacity
of the ABS to manage risks associated
with the census.
Recommendation 12
6.106 The committee recommends that the ABS
consider establishing a
dedicated telephone assistance line
for people who require special assistance in
completing the census.
Recommendation 13
7.28 The committee recommends that the
maximum value of fines and any
other penalties relating to the census
be explicitly stated.
Recommendation 14
7.29 The committee recommends that the
Australian Bureau of Statistics
develop a clear communications
strategy outlining the outcomes for
non-compliance with the census,
including resolution processes and the value of
possible penalties.
Recommendation 15
7.57 The committee recommends that the
Australian Government provide
sufficient funding for the ABS to
undertake its legislated functions to a continued
high standard.
Recommendation 16
7.58 The committee recommends that the
responsible minister act as a matter
of urgency to assist the ABS in
filling senior positions left vacant for greater than
6
months.
No comments:
Post a Comment