Statistical Confidentiality and UK Population Censuses: A Summary
of Recent Findings and Ethical Issues
William Seltzer Fordham University, Dept. of Sociology and Anthropology (Dealy 407), 441 East Fordham Road, Bronx, NY 10458 USA. E-mail: [email protected] Sessions
STCPMs 1. Introduction The confidentiality of personal information provided to government statistical authorities during population censuses and similar statistical operations is a well-established principle, at least among statisticians. Accordingly, as discussed more fully in section 3 below, most sets of ethical norms in the field of statistics explicitly refer to the responsibility of maintaining statistical confidentiality on the grounds that such disclosures may lead to respondent harm. This ethical norm has been reflected, at least to some degree, in the confidentiality provisions of census and statistical laws adopted in most countries. These laws are of two broad types: first, those that prohibit disclosures for all types of non-statistical uses, and second, those that permit disclosures for certain important non-statistical state purposes. While those laws of the first type may permit some disclosures considered as harmless (for example, sharing data among statistical agencies to foster enhanced analytical possibilities) such strong statistical confidentiality laws adhere closely to the ethical principle that the personal information provided will not be used to harm or target individuals. Unfortunately, many other countries, whether by tradition or in response to perceived national threats, have adopted weaker census or other statistical confidentiality laws that allow for a distinction between authorized and unauthorized disclosures without reference to the issue of individual harm, and only bar the latter.
Sessions To understand the implications of this distinction it is useful to consider how disclosures of personal
STCPMs information provided to census and statistical agencies arise. Such disclosures arise from three main sources: 1) inadvertent disclosures (for example, lost laptops or flash drives, enumeration records erroneously put in the general trash, misdirected mail), 2) ad hoc disclosures (for example, those attributable to individual hackers, disgruntled or over-zealous census staff, or gossipy interviewers), and 3) targeted disclosures arising from the efforts of government or private sector entities external to the government statistical system to obtain personal information for some non-statistical purpose.
The first two sources primarily use what might be termed “back-door” methods of obtaining this information, i.e., by means of the unauthorized disclosures prohibited by the confidentiality provisions of the census and statistical acts. The third type of disclosure, those arising from the efforts of other governmental agencies to gain access to personal information obtained in the census for non-statistical purposes, generally derive from the use of so-called “front-door” methods, i.e., by means of the authorized disclosures permitted under these laws. This distinction is important, both from policy and ethical perspectives. Most discussions of statistical confidentiality either ignore this distinction or focus only on methods used to deter “back-door” disclosures. On the other hand, it is the “front-door” disclosures that, in a number of countries, have been associated with substantial harm to vulnerable individuals or population subgroups (see, for example, Seltzer and Anderson, 2001; 2008). Sessions
STCPMs The over-all goal of the line of research focusing on “front-door disclosures, of which the present paper is a part, is to explore the ethical issues and responsibilities associated with the prevention of disclosures of personal data gathered in censuses and other statistical operations, particularly those disclosures more often associated with respondent harm. How these issues play out is closely linked with a country’s legal and political history and traditions and its particular pattern of statistical organization. Accordingly, the paper focuses on the UK experience, with a particular reference to the forthcoming 2011 UK population census. This paper is a preliminary report of a larger study of the subject (Seltzer, 2009).1
The balance of the present paper is divided into five sections: a description of the confidentiality protections planned for the 2011 Census as articulated by the UK Office of National Statistics (section 2); a short presentation of the ethical context surrounding the topic of statistical confidentiality (section 3); a summary history of legal provisions relating to statistical confidentiality in UK censuses and the confidentiality assurances provided to the responding public on the census forms (section 4); a brief history of known and suspected disclosures of personal information from UK censuses (section 5); and a presentation of the main conclusions emerging from the findings presented here (section 6).
2. Plans for the 2011 UK Census Sessions Writing in the October 2008 issue of the Royal Statistical Society’s newsletter, RSS News, the UK Office of
STCPMs National Statistics [ONS] Census Director strongly reaffirmed the commitment of the staff and management of the ONS to maintain the confidentiality of personal information provided by the responding public in the forthcoming 2011 Census. The census director wrote, in part, Existing UK law already prevents disclosure of census data. Under the Statistics and Registration Service Act 2007 it is a criminal offence to disclose personal census data, punishable by a fine or imprisonment or both . . . Further details of the . . . data security and confidentiality provisions are available on the ONS website . . . The protection given to personal census data has always been very strong throughout the 200 year history of census taking. ONS takes data security and the confidentiality of personal information extremely seriously, and we trust that the statistical community recognises the additional stringent measures that we have taken in pursuit of a successful and high quality census in 2011 (Watson, 2008).
The ONS website postings referred to by the census director expand upon the points made in his letter, and include the following: ONS confirms its overriding commitment to ensuring the confidentiality of personal Census data for a period of 100 years, and its use strictly for statistical purposes only . . . All employees of both ONS and any appointed contractors working with Census data are bound by Regulations made under the 1920 Census Act and the confidentiality provisions of the Statistics and Registration Service Act 2007 (SRSA). Any breach of Sessions the SRSA confidentiality provisions is a criminal offence, subject to possible imprisonment and fines. All
STCPMs staff working with personal Census data sign a confidentiality declaration to confirm their understanding and commitment to the legal confidentiality undertakings. (ONS website: 2011 Census project: 2011 Census Commitment to confidentiality and data security, accessed at: http://www.ons.gov.uk/census/2011-census/2011-census-project/commitment-to-confidentiality/index.html on 10-31-2008).
Census data confidentiality is protected by the Statistics and Registration Service Act 2007 (SRSA) . . . Section 39 of the SRSA prohibits the disclosure of personal information with a penalty of imprisonment for a maximum of two years, a fine, or both (ONS website: 2011 Census Project: Census data confidentiality and UK law accessed at http://www.ons.gov.uk/census/2011-census/2011-census-project/census-data- confidentiality-and-uk-law/index.html accessed on 10-31-2008).
Data security and confidentiality is a top priority for the Census. In addition to the strong protection provided by the law, ONS has put in place stringent additional safeguards . . . ONS will control system access rights to all systems and data. All security measures cover the completed questionnaires, the electronic data set, the website, the archive image system and the communications links relating to any of these items . . . We have secure systems in which to hold data, with stringent controls and procedures in place. We do not store any Sessions financial details, and names and addresses are removed from the data sources used for the day to day
STCPMs production of statistical tables . . . The information in questionnaires is used only for Census related publications and analyses published for geographic areas. These outputs do not attribute any of the statistics back to specific individuals (ONS website: 2011 Census project: Census data security measures accessed at http://www.ons.gov.uk/census/2011-census/2011-census-project/census-data-security-measures/index.html on 10-31-2008).
It is clear from even this summary that the commitments of the UK 2011 Census staff and management to the principle of statistical confidentiality are strong and that they are introducing many technical and operational safeguards to help protect census confidentiality. Moreover, based on the Census Director’s letter in the RSS News and the postings on the ONS website, one would be clearly justified, but mistaken, in assuming that the 2007 Statistics and Registration Service Act barred all potentially harmful disclosures. In fact, these protections seem largely aimed at deterring only the so-called “backdoor” disclosures arising from inadvertent and ad hoc sources referred to earlier. The questions the present paper raises relate primarily to the weaknesses of the underlying law with respect to “front-door” disclosures, the failure of most ONS public statements and respondent assurances to acknowledge these weaknesses, and to the ethical and policy quandaries that these weaknesses and failures present.
Sessions 3. The Ethical Context
STCPMs It is widely recognized that statisticians and others working in statistical operations have an ethical duty to protect the identity of respondents and the confidentiality of information they provide. For example, in the UK, the Royal Statistical Society’s code of conduct states, “The identities of subjects should be kept confidential unless consent for disclosure is explicitly obtained” (RSS, 1993, rule 2). Similarly, the International Statistical Institute’s ethics declaration states, “Statistical data are unconcerned with individual identities. They are collected to answer questions such as 'how many?' or 'what proportion?’ not 'who?’. The identities and records of co-operating (or non- cooperating) subjects should therefore be kept confidential, whether or not confidentiality has been explicitly pledged” (ISI, 1985, 4.5) and continues, “Statisticians should take appropriate measures to prevent their data from being published or otherwise released in a form that would allow any subject's identity to be disclosed or inferred” (ISI, 1985, 4.6). Other ethical statements dealing with statistical work are equally explicit (see, for example, the American Statistical Association’s Ethical Guidelines for Statistical Practice (ASA 1999, II.D.4 and D.5), the UN Statistical Commission’s Fundamental Principles of Official Statistics (1994, principle 6), and EUROSTAT’s European Statistics Code of Practice (2005, principle 5)). Most of these ethical or normative documents state or imply that one of their underlying purposes is to protect research subjects, the public, and society at large from harm and a few explicitly link their confidentiality norm to the objective of harm prevention (for example, see some of the language in rule 2 of Sessions the RSS Code of Conduct and in principle 4.4 of the ISI’s Declaration on Professional Ethics.)
STCPMs 4. A Summary History of Census Confidentiality Assurances and Legal Protections Provided in The UK The full history of the confidentiality assurances provided to the public in pubic statements or on the census schedules themselves and the statuary protection enacted by the UK Parliament over the years is too extensive for presentation here. It may be found in Seltzer (2009).2 An earlier and less complete history appeared in Hakim (1978, cited in Hakim, 1979).
In brief then the first confidentiality assurance (perhaps it might be better described as a privacy assurance) in a UK census, seems to be contained in Form A of the 1851 Census of Ireland (Ireland was a part of the UK until 1922) where the Census Commissioners advise household heads to provide the requested information “as the information thus obtained will be published in General Abstracts only, and strict care taken that the Returns are not used for the gratification of curiosity, or other object than perfecting the Census.” The householder’s schedule used in the 1851 Census of Great Brittan was silent on the matter. The two governing census laws, the 1850 Census Acts for Ireland and Great Britain, neither mentioned confidentiality nor provided penalties for disclosure of information. The experience in 1851 was typical of what was to come: Irish practice with respect census confidentiality was well ahead of that in other parts of the UK and that the Sessions assurances given to respondents were well ahead of the protections provided in the then current census law.
STCPMs By the time of the 1861Census of England and Wales, the census form contained a shortened version of the 1851 Irish Census respondent assurance: “The facts will be published in General Abstracts only, and strict care will be taken that the returns are not used for the gratification of curiosity.” By contrast, the 1861 Irish Census, contained an extended version of the assurance used in 1851, concluding explicitly, “The Returns will, of course, be considered by the Officer as strictly confidential” [Emphasis in the original]. One may conjecture that the stronger assurances provided in the 1861 Irish Census forms were made because that census for the first time asked a question pertaining to religion. Moreover, these confidentiality assurances were explicitly invoked in a letter the Irish Registrar General wrote to the local press in March 1861 attempting to counter “several articles and letters that have lately appeared in various newspapers that . . . convey the erroneous impression that the census returns when obtained . . . are to be submitted for general inspection in each district, especially with respect to the inquiry” on religion (Census of Ireland, 1861; also cited in Macourt, 1978: 183).
Over the next two Censuses (1871 and 1881) there was little change in the wording of the assurances provided in the English and Irish Census forms and no relevant change in governing census acts. The status quo (that is, a weak and ambiguous assurance given on the census form and no statutory mention of Sessions disclosures) continued to prevail in England and Wales. This situation also remained unchanged for the 1891
STCPMs Census of England and Wales. On the other hand, the census act governing the 1891 Census of Ireland, the Census (Ireland) Act, 1890, contained language that provided for the first time penalties for disclosures by census staff “for any other object than that of rendering the census as complete as possible.”
The 1900 Census Act enacted for Great Britain for the first time finally introduced a penalty for disclosures by census employees “without lawful authority” by equating any such disclosures and related penalties to “a breach of official trust, within the meaning of the Official Secrets Act, 1889.” The 1900 Census Act for Ireland used almost the same language as the British Act. (For Ireland, the 1900 Act was actually a step backward from the stronger language used in the 1890 Census Act that prohibited any disclosure not aimed at improving census completeness, since the 1900 law only penalized disclosures made “without lawful authority.”) By contrast, the confidentiality assurances provided on the census forms differed substantially: in England and Wales the assurance made no mention of the just-enacted disclosure penalties, although the assurance statement did include the word “confidential” for the first time; in Ireland the language used on the census form was further strengthened by stating that census employees who make unauthorized disclosures are “liable to punishment under the Official Secrets Act, 1889.”
The confidentiality provisions in the Acts adopted for the 1911 Censuses were essentially unchanged from Sessions 1901. Similarly, the assurances used in the 1911 Irish Census were the same as those used in the 1901 Irish
STCPMs Census. On the other hand, the forms used in England and Wales in the 1911 Census, used a radically shortened assurance that read simply, “The contents of the Schedule will be treated as strictly confidential.”
The Census Act adopted in Great Britain for the 1921 Census attempted to provide British censuses with a continuing mandate ending the need for new legislation each decade. The confidentiality provisions of the 1920 Act represented a major revision from those in the 1910 Act. This was accomplished by removing any reference to the Official Secrets Act from the 1920 law, by in effect including cumbersome clause after clause modeled on the language of the Official Secrets Act directly into the Census Act. This highly legalistic text spent about as much space in describing defenses to apparent violations as it did to other aspects of the matter. Despite the length and complexity of the confidentiality provisions of this law, the words “confidentiality” or “disclosure” never appeared. These provisions, unamended, governed all censuses in England from 1921 through 1981. In fact, although the confidentiality provisions of the 1921 Census Act were replaced by the 1991 Census (Confidentiality) Act, the 1991 Act essentially reenacted the provisions of the earlier law by placing the provisions in a separate subsection with the its own sub-head, “Unlawful disclosure of information.”
Despite the unchanging law – which basically only barred “unlawful” or “unauthorized” disclosures and left Sessions the issue of what constituted a lawful or authorized disclosure unspecified – the confidentiality assurances
STCPMs provided to the responding public became increasingly stronger over the decades beginning with the 1951 Census. Starting then, all UK censuses (1951, 1961, 1966, 1971, 1981, 1991 and 2001) all used the word “confidentiality” or “confidential” in the assurances provided on the householder form. Moreover, in the 1971 Census the following unqualified confidentiality assurance was provided to the responding public: “The information you give on the form will be treated as CONFIDENTIAL and used only for compiling statistics. No information about named individuals will be passed by the Census Office to any other Government Department or any other authority or person.” These words or ones very similar, and equally unqualified, have been used in the confidentiality assurances provided on the census forms in each subsequent census, despite the fact that the governing census act only barred disclosures made “without lawful authority.”
In 2007 the legal protections for the confidentiality of personal information gathered in UK censuses and other governmental statistical inquiries were completely rearticulated by section 39 of the 2007 Statistical and Registration Service Act. The language of subsection 39(1), “personal information held by the [Statistics] Board in relation to the exercise of any of its functions must not be disclosed,” would seem to justify the absolute confidentiality assurances provided respondents in recent UK censuses. Unfortunately, the law goes on in subsection 39(4) to list a sweeping set of exceptions where disclosures are permitted. Sessions Some of these exceptions (for example, where the information is already public, where it is made available
STCPMs with the consent of the subject, or with appropriate safeguards it is made available to a researcher) seem to present few problems.
However, other exceptions specified in subsection 39(4) of the 2007 Act seem to run counter the concept of statistical confidentiality as envisioned by most statements of statistical ethics. These exceptions permit disclosures of personal information “required or permitted by any enactment,” “required by a Community obligation”, are “made in pursuance of an order of a court,” are “made for the purposes of a criminal investigation or criminal proceedings (whether or not in the United Kingdom),” or are “made, in the interests of national security, to an Intelligence Service.” It would appear that these exceptions simply codify and spell out practices that took place in the past as part of the “lawful authority” disclosures implicit under the 1920 Census Act and the 1991 Census (Confidentiality) Act. At least that is the position advanced by the Government’s Financial Secretary (Labor MP John Healey) when he introduced the amendment that added “national security” to the list of permitted exemptions specified in sub-section 39(4) Data security and confidentiality is a top priority for the Census. In addition to the strong protection in effect . . . [the amendment] replicates the current position, which is understood and accepted to be that where the intelligence services can make a principled case for access to information—in cases where there is no specific statutory bar on disclosure of the information—restrictions on disclosure could be overridden in the Sessions public interest (UK House of Commons Debates, Session 2006-07, Vol. 458, 13 Mar 2007, col. 207).
STCPMs The weaknesses of the bill that became the 2007 Statistics and Registration Service Act with respect to statistical confidentiality were evident to informed statisticians from the very beginning of the legislative process. For example, in December 2006 the Royal Statistical Society (RSS) submitted in writing a set of comments and proposed amendments to the bill as it had been introduced in the Commons the previous month (RSS, 2006). One of the four areas highlighted in these comments was “statistical confidentiality.” This concern by the RSS was summarized in the following language, The willingness of the public and businesses to supply personal data for statistical purposes depends on confidence that the data will be held securely, not divulged and not used for other than statistical purposes. This assurance is inadequate in the Bill as there are provisions for disclosure by ministerial order in several clauses (2006, p. 2)
In January 2007 the RSS submitted a further set of comments and in this case the subject of confidentiality had moved to the top of the RSS concerns (RSS, 2007a). In these comments the RSS observed with respect to the principle of statistical confidentiality, Without confidence in this commitment compliance and response from the public will be reduced damaging the quality of the statistics produced. The possibility, for example, of data collected for statistical purposes Sessions being useful for a criminal investigation is remote and yet the potential damage to the quality of statistics is
STCPMs large. There is a strong public interest argument against allowing disclosure or use for non-statistical purposes that overrides possible public benefit from other uses. The importance to the statistical system of an unambiguous commitment to respect confidentiality is well covered in the international literature and legislation in other countries (2007a, p. 2).
The RSS also offered similar comments to the House of Lords during the period that the legislation was before that body in 2007 (see RSS, 2007b; RSS, 2007c; and RSS, 2007d). Despite these repeated efforts, the RSS was unable to correct the weaknesses of the bill with respect to “authorized” disclosures.
The issue of statistical confidentiality has rarely been the occasion of much debate in the UK Parliament. For example, based on information reported by Bulmer (1979, table 11-1), the median duration of the debates in the British House of Commons on all aspects of the census preparations in 1950, 1960, 1965, 1970, and 1975 was 1 hour and 15 minutes. Similarly, the House of Commons consideration of the clause dealing statistical confidentiality on March 13 2007 in the bill that became the Statistics and Registration Service Act lasted about 35 minutes. Another important part of the problem was certainly that the bill, as originally introduced, had so many flaws from the perspective of sound statistical policy that those who sought to improve it had to focus their Sessions attention on a limited number of priorities. In these circumstances, it is not surprising that even before the
STCPMs Government introduced the bill in Parliament, a Parliamentary Committee that took evidence and issued a report, Independence for Statistics (UK House of Commons, Treasury Committee. 2006) frequently fell into the loose language of the 1920 UK Census act by focusing only on unauthorized disclosures. For example, the Committee’s main conclusion on the subject, “recommend that the Government take this opportunity to consider whether the protection of people and organisations from the unauthorised disclosure of information held about them for National Statistics or other statistical purposes requires a statutory basis” (2006, para. 179). Overlooked, however, was the fact that the report also documented the important role that a strong statistical confidentiality law could play in building trust in government statistical work. For example, the report observed at one point, The Government should ensure that appropriate safeguards are put in place to ensure that the integrity and security of personal information is not compromised, and that access extends no further than statisticians working in specified parts of government. We refer the Government to the relevant Canadian legislation which appears to provide a useful model of appropriate safeguards (2006, para 176).
The reference to Canadian legislation is particularly relevant given the testimony provided to the Committee by Ivan Fellegi, then the Chief Statistician of Canada, that Sessions The Canadian Statistics Act gives unrestricted access to Statistics Canada to all administrative records held
STCPMs by any level of government and any organisation, private or public. We exercise that. Of course, the other side of that coin is extremely strong confidentiality guarantees, which are spelled out and which allow no exceptions. Not even the intelligence community, not even the police, not even the courts in the course of a prosecution can have access under the Statistics Act—and there has never been a violation of this aspect of the Act (2006, Evidense 21, response to Q110).
5. Known and Suspected Disclosures of Personal Information From UK Censuses The number of known disclosures of personal data from UK censuses is small. This may be because first, there have been few actual disclosures, second, the matter has not been seriously studied before, or third, that information about such disclosures has been more or less successfully suppressed. (Excluded from this listing of known or suspected disclosures are those that resulting from the 2006 decision by the UK Information Commissioner’s Office ordering the release of partial information from the 1911 Census schedules several years prior to expiration of the previously established “100 year rule” for permitted disclosures (see endnote 6).)
Sessions Given that over the decades the British Census Acts have had such weak confidentiality provisions, one must
STCPMs examine the latter two alternatives before accepting the first explanation. Moreover, the second and third explanations are not independent of each other. Both the census authorities and most government agencies that may be suspected of seeking access to census microdata with identifiers have strong vested interests in suppressing information about any such transactions.
Furthermore, in the UK, given the nature of its Official Secrets Act, current and former staff may fear prosecution if they write about disclosures based on their knowledge acquired during government service, particularly so in connection with any requests from intelligence agencies. In addition, this paper is based on only limited research. Accordingly, other instances of already-known disclosures beyond those listed here may exist. The author would welcome learning of them.
Three of the known, or inferred, instances of disclosure were identified by the historian Edward Higgs (2004). The language Higgs used in writing about them is highly circumspect probably because he wished to be careful in such a sensitive area not to push the evidence beyond what could be strictly proven. Thus, he was careful to attribute his most specific assertions and conjectures to material in published books or in public (i.e., non-secrete) archives.
Sessions Higgs described the first instance in these terms. In 1871, under instructions from the Home Secretary, the
STCPMs GRO [General Register Office] broke its pledge of confidentiality with respect to the recently collected census returns, and provided the London School Board with the names and addresses of all children aged between three and 13 years, their exact ages, and the names and occupations of their parents. This was to facilitate the provision of education under the 1870 Education Act. (2004, p. 74). He characterized this instance as the only recorded nineteenth-century occasion when such uses of personal census information were actually attempted.
Another incident that Higgs identified occurred in the years just prior to the outbreak of World War I. In writing about the same period Porter (1989) observed, most of the key developments [in creating the ‘secret state’ as we know it today] . . . took place . . . between the summer of 1909 and the autumn 1911. It was in those years that both MI5 and MI6 were born, the modern Official Secrets Act was passed . . ., a register of aliens living in Britain was set up, . . . and the Special Branch was brought close to being a proper domestic counter subversive agency on modern lines (1989, p. 120).
Accordingly, one is led to give very strong credence to Higgs’ ‘inference’ (2004, p. 110) that MI5 compiled an unofficial register of Germans and Austro-Hungarians in the country, possibly drawing upon the manuscript records of the 1911 census. This would appear to be the implication of a statement in MI5’s Sessions official history of the period3 to the effect that the Registrar General considered that the information in
STCPMs census returns had been obtained confidentially and that the police must not let it be known that they were being used for the purpose of [alien] registration. (Curry, 1999, p. 69)
It may be recalled that in contrast with the situation in 1871, the Census Act governing the 1911 Census carried penalties for disclosures made “without lawful authority” and that the 1911 Census form carried the assurance “The contents of the Schedule will be treated as strictly confidential.”
In addition, in writing about some of the implications of the evolving social welfare system in Britain during the Edwardian period, Higgs (2004, p. 120) noted that in this period there was “an expansion in the use of central record keeping to prevent fraud and prove entitlement.” In this connection, he alluded to a range of census disclosures asserting that “[t]he introduction of old age pensions in 1909, and the need to verify ages for pensions officers, led to searches in census and registration data by the GRO (i.e., the Registrar General’s office).”4
A fourth confirmed instance of a disclosure took place quite recently – during the period that Graham Jones was the ONS census director for the 2001 Census. This case was covered rather widely in the UK press in 2002 (for example, The Daily Telegraph, “Leak cost director of census his post,” 10-29-2002; The Sessions Independent, “Census chief forced to quit over leaked details,” 10-29-2002; The Times, “Census chief
STCPMs resigns after leaking details to crimes body,” 10-29-2002) largely based statements by Len Cook, then UK National Statistician and Registrar General, assisted by John Pullinger, then Executive Director, Office for National Statistics, during their examination by the UK Parliamentary Public Accounts Committee about a report from the National Audit Office dealing with the 2001 Census on October 28, 2002 (UK Parliament, House of Commons, Public Accounts Committee, 2001-2002).
According the newspaper stories and Cook’s and Pullinger’s testimony, in September 2001 Census Director Jones provided personal information, possibly including such details as place of residence and marital status, on two individuals enumerated in the 1961 Census to the UK Criminal Cases Review Commission in a response to a summons from that body. (The Criminal Case Review Commission is charged with investigating alleged miscarriages of justice and is authorized to access any government records concerning the subject of an inquiry.)
It was not until February 2002 that the Registrar General learned of the Census Director’s actions in this matter. According to The Times story, when the Registrar General “discovered what had happened . . . he took immediate action because he regarded the breach of census information to be such a serious matter . . .,” Mr Cook said: "He gave out the Sessions information. The critical thing is that he did not make it known to me what he had done on a matter that was
STCPMs known to be of some consequence."
The Registrar-General added that although Parliament had given the commission the power to seek information from any government agency, he would want to test the issue of census confidentiality up to the House of Lords, the highest court in the land. It was a matter of utmost importance that people could trust the confidentiality of information they give in the census.
The only details given to government departments, local councils and health authorities is statistical information drawn from the census.
Despite the many assurances that Census staff could be prosecuted for unauthorized disclosures, Census Director Jones was permitted to resign without prosecution, although no termination benefits were paid to him.
In addition to these four rather well-established disclosure instances, we would recall the open-ended statements in Parliament by the Treasury spokesperson in March 2007 during the consideration of amendments to the bill that became the 2007 Statistics and Registration Services Act alluding to the well- Sessions established prior practice of disclosures to the security services.
STCPMs Moreover, further disclosure incidents, particularly those potentially leading to harm for individuals or population groups, would seem likely during World War I and II. As Higgs (2004) reminds us, during both wars population registration laws were enacted and responsibility for these registration systems in England and Wales were assigned the Registrar General’s office.5 Absent clear statutory provisions barring the Registrar General from sharing information obtained in the census to help in building and correcting population and related registrations systems, it would seem highly probable that the Registrar General and his staff shared micro-level information between the various data-gathering programs under their jurisdiction. Based on the observations made by both Higgs and Porter about the renewed surveillance activities carried out in Great Britain in response initially to terrorist attacks by the Provisional IRA from the early 1970s onward, one might conjecture that selected disclosures were sought during this period as well.
6. Some Conclusions Given the apparently quite limited confidentiality protections provided to respondents under current UK law in the 2011 Census, what actions are suggested from an ethical perspective? In particular what, if anything, do statistical ethics suggest? The answers to these questions would seem rest in three quite different realms: (a) academic and other research, (b) legal and political responses, and (c) statistical policies and practices. Sessions
STCPMs I conclude by looking at each of these three areas in turn, recognizing that the walls between these three realms are far less distinct than this presentation might suggest.
(a) Needed Academic and Other Research There are two broad areas of relevant research. The first focuses on the technical aspects of disclosure control using statistical methods to alter census responses in a controlled manner to deter the identification of individuals in a census or learn about the characteristics of specific, real individuals enumerated. This rich body of research (see, for example, Doyle, et al., 2001; Fienberg and McIntyre, 2005), carried out almost exclusively by statisticians, whether working in government, academia, or the private sector, is primarily directed toward protecting against inadvertent and ad hoc disclosures that are largely obtained through “backdoor” methods. The only input that an ethical perspective might add to this work would be to urge that possible harm to respondents arising from such disclosures be explicitly modeled in studies of disclosure risk. The failure to do so implicitly assumes that all disclosure risks are equally harmful.
On the other hand, research into so-called “front door” disclosures, those made to other governmental agencies and authorized by law has been far more limited. Three lessons learned from such research in the United States is that first, current agency staff often have little accurate information about past events; Sessions second, the agencies themselves seem to have little interest in undertaking or commissioning sound historical
STCPMs research on the topic; and third, most external historians and other external commentators on the census have insufficient familiarity with census traditions, procedures, and objectives to have realistic understanding of real disclosure issues (see, for example, Anderson and Seltzer, 2007; 2009 and Seltzer and Anderson, 2007). The same situation seems to be the case up to now in Great Britain.6 To be effective research into “front- door” disclosures requires a degree of independence from the concerned statistical agency and a solid familiarity both with census methods and historic research. This often means collaborative interdisciplinary research.
Drawing on the results reported here and the questions left unanswered, several areas of further research are apparent. They include: • Research aimed at identifying further disclosures and better understanding the circumstances under which they arose. Based on Porter (1989) and Higgs (2004) this research might focus on the periods of World War I and II and from 1970 onwards. Admittedly such research in British archives might be difficult since it would be carried out under the long shadow of the Official Secrets Act. Although because of the ubiquitous nature of copies in modern bureaucracies, revealing duplicate records sometimes turn up in foreign archives or in other unexpected places. • Further research into the origins of the concept of statistical confidentiality in the United Kingdom and Sessions elsewhere.
STCPMs • Research that might help to better explain why in the 19th Century Irish census authorities were so far ahead of their British counterparts in addressing census confidentiality issues beyond the ideas sketched out here and in Seltzer (2009). • Research into the subject of census confidentiality in Ireland after 1922 and that looked at the pre- and post-independence periods in a single framework. • Research into the history of census confidentiality in other countries that, like the present study, would attempt to examine the evolution the relevant laws or regulations, the assurances provided to the responding public, information on disclosures, and steps taken by the census authorities to deter future disclosures.
(b) Legal and Political Responses. Suggesting changes in the laws of other countries must be done with considerable diffidence. I am emboldened to do so in the present case because as a statistician I feel that the norms of our profession require us to ensure that our policies of restricting disclosures of personal information obtained on the course of statistical operations are re-enforced by strong statistical confidentiality laws, that is, laws that bar “front door” disclosures. In other words, a strong statistical confidentiality law does more than protect the personal information provided as a state secret; it goes further to limit the state in how it may use such personal Sessions information. There has been considerable misunderstanding on this point. However, in practice we recognize
STCPMs this principle when we assure respondents that the information they provide will be used only for statistical purposes and not shared with non-statistical agencies.
Strong confidentiality laws exist in a number of other countries. Although the legal protections provided by UK census and statistical acts treat such information as a state secret that may be passed, in confidence and under specified conditions, from agency to agency regardless of the consequences to the responding public, far stronger legal protections would appear to be provided by the legal authority of the European Union (1997). Under regulation (EC) No 322/97 (Community and Union regulations have the authority of law in EU countries such as the UK) dealing with statistics, national statistical authorities are expected to adhere to several principles including one statistical confidentiality, which is defined as implying “the prevention of non-statistical utilization of the data obtained” (1997, chapter III, article 10).
What has the UK statistical community, done to raise public awareness of the serious shortcomings of the 1920 Census Act, the 1991 Census (Confidentiality) Act, and the 2007 Statistics and Registration Act with respect to statistical confidentiality? At least based on the public record that I could find, nothing has been done since the enactment of the 2007 Statistics and Registration Act after the repeated, explicit, and discrete communications by the RSS while the Sessions latter Act was being considered in Parliament (RSS, 2006; 2007a-d). I assume that this public silence can be
STCPMs attributed in large part to the belief that raising public awareness about these issues might discourage responses in the forthcoming census. As noted earlier, this may reflect sound utilitarian thinking, but is it ethical thinking? Only by making it clear to the public, including the business community (since the 2007 Act impacts the disclosure of information provided both by businesses as well as persons), what the stakes are can one be sure that a nation’s laws, including laws related to statistical confidentiality, embody informed public judgment. Accordingly, the scope for helpful action by the UK statistical community would seem to be wide.
(c) Improving Statistical Policies and Practices As already indicated the ONS has announced a broad program of technical and procedural safeguards that should help to deter most inadvertent and ad hoc disclosures. Continuing the practice of separating name and address information from information on characteristics, particularly in media that may be used in computerized matching operations, is an important priority that may help to deter systematic disclosures that have been associated with human rights abuses in the past in other countries.
In the absence of an improved statutory protections against what are now “authorized” disclosures, one would hope that the UK Statistical Board and UK government statisticians, at all levels, will feel themselves Sessions bound by the widely-recognized ethical obligation (see, for example, the United Nations Fundamental
STCPMs Principles of Official Statistics) and EU law to protect the responding public from possible harm arising from the diversion of responses in the forthcoming census to non-statistical ends. This is nothing more than acting in accordance with the assurances provided on the ONS website that “ONS confirms its overriding commitment to ensuring the confidentiality of personal Census data for a period of 100 years, and its use strictly for statistical purposes only . . . The information in questionnaires is used only for Census related publications and analyses published for geographic areas. These outputs do not attribute any of the statistics back to specific individuals.”
Of course, to be effective, similar assurances will need to be provided by the UK Statistical Board, since that Body under the 2007 Statistics and Registration Services Act has custody of the census results and must deal with all disclosure requests. It would certainly promote transparency and trust, if the Board would announce its policies for dealing with disclosure requests well in advance of the Census.
Such Statistical Board policies should (a) make clear that it will not accede to any requests for disclosures for administrative, investigative, or judicial purposes other than those made at the request of the concerned individual and (b) proactively encourage the introduction of corrective legislation. Failing this, the ONS and the Board should undertake to report to the public and Parliament each individual request as it is received, or, Sessions at the minimum, the number of disclosure requests received and granted each year classified by requesting
STCPMs agency.
Finally, it must be recognized that even if the full menu of research, legal, and policy actions suggested here were implemented, disclosures might take place in the 2011 Census. However, these actions should substantially reduce the likelihood of such disclosures. Perhaps equally important, efforts directed toward carrying them out will demonstrate our faithfulness to the basic ethical norms of our profession. This joint need to focus on ethical conduct and to convey clearly to the public that we endeavor to do so, was embodied in Claus Moser’s (now Lord Moser and formerly a UK chief statistician) 2006 testimony to the Treasury Committee considering proposals to strengthen the integrity of the UK statistical system: [W]e statisticians live by integrity. Otherwise, we do not exist. The problem is to ensure that that integrity comes through transparently to the general public (UK House of Commons, Treasury Committee. 2006, Evidence 39, response to Q221).
REFERENCES
[1] American Statistical Association (ASA). 1999. “Ethical Guidelines for Statistical Practice.” Accessed at: http://www.amstat.org/about/ethicalguidelines.cfm on 1-9-2009.
Sessions [2] Anderson, Margo and William Seltzer. 2007. “Challenges to the Confidentiality of U.S. Federal
STCPMs Statistics, 1910–1965.” Journal of Official Statistics, Vol. 23, No. 1, 2007, pp. 1–34.
[3] 2009. “Federal Statistical Confidentiality and Business Data: Twentieth Century Challenges and Continuing Issues.” Journal of Privacy and Confidentiality, Vol. 1, No. 1, 2009, pp. 7-52. On-line journal accessible at http://jpc.cylab.cmu.edu/journal/2009/vol01/issue01/anderson.pdf. [4] Bulmer, Martin. 1979. “Parliament and the British Census since 1920.” In Censuses, Surveys and Privacy, Martin Bulmer (ed.). London: The Macmillan Press Ltd., pp. 158-169. [5] Census of Ireland, 1861, Part. V, General report, BPP 1863 LXI [3204-IV], p. cxxxix.
[6] Curry, John. 1999. “The Security Service: Its Problems and Organizational Adjustments, 1903-1945” in Christopher Andrew (ed.), The Security Service: The Official History. London: Public Record Office.
[7] Doyle, P., J. Lane, L. Zayatz, and J. Theeuwes (eds). 2001. Confidentiality, Disclosure, and Data Access: Theory and Practical Applications for Statistical Agencies. Amsterdam: North Holland,
[8] European Union. Council of the European Union. 1997. “Council Regulation (EC) No 322/97 of 17 February 1997 on Community Statistics.” Official Journal L 052, 22/02/1997 P. 0001 – 0007. Accessed on 2-7-2009 at http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:31997R0322:EN:HTML Sessions [9] Eurostat. 2005. “European Statistics Code of Practice for the National and Community Statistical STCPMs Authorities,” adopted by the Statistical Programme Committee on 24 February 2005 and promulgated on 25 May 2005. Accessed at http://epp.eurostat.ec.europa.eu/pls/portal/docs/PAGE/PGP_DS_QUALITY/TAB47141301/VERSION E_INGLESE_WEB.PDF on 2-7-2009.
[10] Fienberg, Stephen E. and Julie McIntyre. 2005. “Data Swapping: Variations on a Theme by Dalenius and Reiss.” Journal of Official Statistics, Vol.21, No.2, pp. 309-323. [11] Hakim, C[atherine]. 1978. Census Confidentiality, Microdata and Census Analysis, Occasional Paper No. 3, London: Office of Population Censuses and Surveys.
[12] 1979. Census Confidentiality in Britain. In Censuses, Surveys and Privacy, Martin Bulmer (ed.). London: The Macmillan Press Ltd., pp. 132-157.
[13] Higgs, Edward. 2004. The Information State: The Central Collection of Information on Citizens since 1500. New York: Palgrave Macmillan.
[14] International Statistical Institute (ISI). 1985. “Declaration on Professional Ethics.” Accessed at http://isi.cbs.nl/ethics.htm on 1-8-2009.
Sessions [15] Macourt, Malcolm P. A. 1978. “The Religious Inquiry in the Irish Census of 1861.”
STCPMs [16] Irish Historical Studies, Vol. 21, No. 82 (Sep.), pp. 168-187.
[17] Porter, Bernard. 1989. Plots and Paranoia: A History Political Espionage in Britain, 1790-1988. London: Unwin Hyman.
[18] Royal Statistical Society (RSS). 1993. “Code of Conduct.” Accessed on 1-8-2009 at http://www.rss.org.uk/pdf/Prof%20memb%20-%20code%20of%20conduct%20new%20charter.pdf.
[19] 2006. “Statistics and Registration Service Bill, Introduced in the House of Commons on 21 November 2006: Views of the Royal Statistical Society,” December 20, 2006. Accessed at http://www.rss.org.uk/docs/Statistics%20and%20Registration%20Services%20Bill%20- %20RSS%20comment%20December%202006.doc on 2-3-2009.
[20] 2007a. “Statistics and Registration Service Bill, Introduced in the House of Commons on 21 November 2006, RSS: Further Commentary,” January 8, 2007. Accessed at http://www.rss.org.uk/docs/Statistics%20and%20Registration%20Service%20Bill%20- %20further%20commentary%20January%202007.doc on 2-3-2009.
[21] 2007b. “Statistics and Registration Service Bill, House of Lords scrutiny:
[22] Views of the Royal Statistical Society,” February 12, 2007. Text provided by T. Holt, 2-3-2009.
Sessions [23] 2007c. “Statistics and Registration Service Bill, House of Lords scrutiny:
STCPMs [24] Views of the Royal Statistical Society,” March 19, 2007. Text provided by T. Holt, 2-3-2009.
[25] 2007d. “Statistics and Registration Service Bill, House of Lords scrutiny, Royal Statistical Society, March 22, 2007.” Text provided by T. Holt, 2-3-2009.
[26] Seltzer, William. 2008. “Murky Waters: Confidentiality and the UK 2011 Census.” Prepared for circulated to participants at the September 2008 IdentiNet Workshop at the University of Oxford.
[27] 2009. “Statistical Confidentiality and the UK 2011 Population Census: Historical Background and Ethical Issues.” Unpublished paper. [28] Seltzer, William and Margo Anderson. 2001. “The Dark Side of Numbers: The Role of Population Data Systems in Human Rights Abuses.” Social Research 68 (2 Summer): 481-513.
[29] 2007. "Census Confidentiality under the Second War Powers Act (1942-1947)." Paper prepared for the Annual Meeting of the Population Association of America, March 30, 2007, New York, New York.
[30] 2008. “Government Statistics and Individual Safety – the Use of Population Data Systems to Target Vulnerable Population Subgroups and Individuals for Human Rights Abuses.” In J. Asher, D. Banks, and F. J. Scheuren (Eds.) Statistical Methods for Human Rights. New York: Springer-Verlag, pp. 273- 328.
[31] UK House of Commons Debates, Session 2006-07, Vol. 458, 13 Mar 2007, “Clause 36 - Confidentiality Sessions of Personal Information,” cols. 202-211, available at
STCPMs http://www.publications.parliament.uk/pa/cm200607/cmhansrd/cm070313/debtext/70313-0011.htm and http://www.publications.parliament.uk/pa/cm200607/cmhansrd/cm070313/debtext/70313-0012.htm
[32] UK House of Commons, Treasury Committee. 2006. Independence for Statistics, Tenth Report of Session 2005–06. HC111, July 26, 2006. London: London: The Stationery Office. Accessed at http://www.publications.parliament.uk/pa/cm200506/cmselect/cmtreasy/1111/1111.pdf on 2-11-2009.
[33] UK Parliament, House of Commons, Public Accounts Committee, 2001-2002. “Public Accounts – Uncorrected Evidence, 28 October 2002” accessed on 12-17-2008 at: http://www.publications.parliament.uk/pa/cm200102/cmselect/cmpubacc/uc1267-i/uc126702.htm.
[34] United Nations Statistical Commission. 1994. “Fundamental Principles of Official Statistics.” Accessed at http://unstats.un.org/unsd/methods/statorg/FP-English.htm on 1-9-2009.
[35] Watson, Glen. 2008. Letters, “2011 census.” RSS News, Vol. 36, No. 2 (October) 2008, p. 4.
1 A very preliminary version of Seltzer (2009) was circulated to participants at the September 2008 IdentiNet Workshop at the
University of Oxford (Seltzer, 2008). The author is deeply grateful for comments provided on successive versions of that paper by Margo Anderson, as well as to Edward Higgs and Tim Holt for comments on and corrections to later versions of that paper. The author is also grateful to all those responsible for creating and maintaining the Online Historical Population Reports (OHPR)
Sessions collection, hosted by the UK Data Archive at the University of Essex, and the online files of the Integrated Public Use Microdata Series (IPUMS), a project of the University of Minnesota’s Minnesota Population Center. These two rich sources of policy-relevant STCPMs historical research materials provided much of the empirical basis of Seltzer (2009) as well as the present paper. The author alone is responsible for the views expressed and any remaining errors. 2 Specific citations for the various census forms and laws discussed in this section may be found in appendix table A of Seltzer (2009).
3 This history of MI5 was written after the Second World War by a senior MI5 official but never published in the Official Histories series, only being released by the National Archives in 1999.
4 Many of the initial set of such census disclosures were requested by persons without birth certificates who wished to establish
their eligibility for a pension. However, some portion of these disclosures would appear to relate to efforts by State agencies to investigate possible fraud by those receiving benefits and would thus appear to run counter the ethical norm that census responses should not result in individual harm. 5 The national registration system of the Second World War was actually based on the proposed 1941 census – the GRO undertook the same planning for both eventualities. If war had broken out in 1942, the 1941 census would presumably have been used for national registration. In the event war broke out in 1939, and there was no 1941 census, although some statistics were produced from the national register enumeration (Higgs, personal communication, 2009).
6 Several examples are cited in Seltzer (2009) including misconceptions about when census confidentiality was first introduced in
Sessions UK Censuses, the extent to which disclosures took place in the past, the origions of the “100 year rule” after which census forms become generally available to the public, and concerns that the United States intelligence agencies might gain access to personal STCPMs information provided by the British public in the 2011 Census by using the USA Patriot Act to force census contractors to disclose such information. During the course of the public discussion and debate related to this concern there seems to have been no notice taken that were the US intelligence agencies to want such information from the 2011 Census, their most likely course of action would be to contact their British counterparts in the UK intelligence services to ask them to obtain this information directly from the ONS or the UK Statistical Board using subsection 39(4g) of the 2007 UK Statistics and Registration Services Act.