questions regarding the pseudo-anonymity of the IDI, indefinite data retention, Significant privacy concerns
John Fabrizio made this Official Information request to Statistics New Zealand
From: John Fabrizio
Dear Statistics New Zealand,
Based on my understanding of the Integrated Data Infrastructure (IDI), it appears that you possess highly sensitive information regarding every individual who has interacted with a government agency, at least within the past 20 years, and your intention is to indefinitely retain all future interactions with government agencies that are recorded by administrative data later sent to you. Statistics New Zealand frequently asserts that "it is extremely difficult to extract information about a specific individual," yet I believe this may not accurately reflect the truth.
Each distinct identity within the IDI has its own "snz_uid." Nearly every snz_uid is linked to at least one encrypted identifier, such as "snz_ird_uid" or "snz_dia_birth_reg_uid," alongside identifiers like a birth registration number, National Health Index (NHI) number, Inland Revenue Department (IRD) number, or a physical address. While encryption may hinder direct searches for personal identifiers like NHI/IRD numbers known to researchers, the new unique number generated through encryption is still inherently tied to a single identifiable person. Furthermore, through analysis and using public databases, it's possible that most encrypted addresses could also be easily de-identified.
Although we cannot be absolutely certain that every unique identity within the IDI, and every variable linked to that identity, definitively belongs to a specific individual, we can reasonably infer that most of it does, especially considering the permanence of NHI/NSN/IRD numbers throughout an individual's life. Notably, variables within the IDI, such as birth parents' date of birth (DOB) and individual DOB, alongside place of birth, enable the tracing of a particular identity to a snz_uid within the IDI, thus facilitating access to associated data such as mental health records, criminal records, and tax records.
While other agencies routinely discard individual-related information to safeguard privacy, it appears that Statistics NZ indefinitely retains administrative data provided by cooperating agencies in the form of "de-identified" and pseudo-anonymous datasets, data that cooperating agencies themselves may securely dispose of at a later date following their own disposal schedules.
1. Do you retain the encryption key for every encrypted variable within the IDI indefinitely?
2. Is there a practice of routinely securely disposing of the encryption key for certain encrypted variables, which would put limits on the continuity of some linkages?
3. Do you have plans to further enhance the confidentiality or anonymization of old IDI instances in the future, for example archived IDI data?
4. Does the value of insights gained through research using the IDI outweigh the risk of a malicious actor gaining access to a complete copy of the IDI database, thus acquiring knowledge of any individuals' interactions with most government services going back past the 1990s for many agencies? I believe that consolidating records from various government agencies into a singular database, thereby establishing a single point of failure and relying solely on "de-identification" as a means of protection, poses a significant security and privacy risk that impacts all citizens of New Zealand.
Yours faithfully,
John Fabrizio
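The linkage and uniqueness concerns raised in the request above can be measured by a data custodian rather than asserted; this added example (not part of the correspondence and not Stats NZ code) shows that a deterministic keyed pseudonym stays joinable only while the key is retained, and counts how many records are unique on date-of-birth style fields before and after coarsening. HMAC-SHA256 stands in for the IDI's encryption method, which the page does not describe, and the keys, field names and records are all constructed.

```python
import hashlib
import hmac
from collections import Counter

# Constructed keys: one kept across refreshes, one issued after key disposal.
KEY_RETAINED = b"constructed-key-refresh-A"
KEY_ROTATED = b"constructed-key-refresh-B"

def pseudonymise(identifier: str, key: bytes) -> str:
    """Deterministic keyed token: same identifier + same key -> same token."""
    return hmac.new(key, identifier.encode(), hashlib.sha256).hexdigest()[:16]

def linkable(identifier: str, key_a: bytes, key_b: bytes) -> bool:
    """True if two extracts tokenised under key_a and key_b still join."""
    return pseudonymise(identifier, key_a) == pseudonymise(identifier, key_b)

def k_anonymity(records, quasi_identifiers):
    """Return (k, unique): the smallest group size and the number of
    records that are alone in their group on the quasi-identifiers."""
    groups = Counter(tuple(r[q] for q in quasi_identifiers) for r in records)
    return min(groups.values()), sum(1 for n in groups.values() if n == 1)

def generalise_dob(record):
    """Mitigation: coarsen full dates (YYYY-MM-DD) to the year only."""
    out = dict(record)
    out["dob"] = record["dob"][:4]
    out["parent_dob"] = record["parent_dob"][:4]
    return out

# Hypothetical column names; every row below is constructed sample data.
QUASI_IDENTIFIERS = ("dob", "parent_dob", "birthplace")
RECORDS = [
    {"snz_uid": 1, "dob": "1990-03-14", "parent_dob": "1962-07-01", "birthplace": "Wellington"},
    {"snz_uid": 2, "dob": "1990-03-14", "parent_dob": "1965-11-23", "birthplace": "Wellington"},
    {"snz_uid": 3, "dob": "1990-08-02", "parent_dob": "1962-02-19", "birthplace": "Wellington"},
    {"snz_uid": 4, "dob": "1990-08-30", "parent_dob": "1962-09-09", "birthplace": "Wellington"},
    {"snz_uid": 5, "dob": "1985-01-05", "parent_dob": "1960-04-04", "birthplace": "Auckland"},
    {"snz_uid": 6, "dob": "1985-12-25", "parent_dob": "1960-06-06", "birthplace": "Auckland"},
]

if __name__ == "__main__":
    # Retained key: tokens from different refreshes still join on one person.
    print("retained key joins:", linkable("constructed-id-001", KEY_RETAINED, KEY_RETAINED))
    # Disposed/rotated key: old and new tokens no longer match.
    print("rotated key joins: ", linkable("constructed-id-001", KEY_RETAINED, KEY_ROTATED))
    print("full dates (k, unique):", k_anonymity(RECORDS, QUASI_IDENTIFIERS))
    coarse = [generalise_dob(r) for r in RECORDS]
    print("year only  (k, unique):", k_anonymity(coarse, QUASI_IDENTIFIERS))
```

A residual unique record after coarsening is the signal that further generalisation or suppression is needed before release.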
From: Stallah Valaau
Statistics New Zealand
Tēnā koe John
I am writing to acknowledge receipt of your Official Information Act (OIA)
request below.
We received your request on Thursday, 8 February 2024. We will endeavour
to respond to your request as soon as possible and in any event no later
than Thursday, 7 March 2024, being 20 working days after the day your
request was transferred to us, taking into account public holidays. If we
are unable to respond to your request by then, we will notify you of an
extension of that timeframe.
Your request is being handled by the Office of the Government Statistician
and Chief Executive. If you have any queries, please feel free to contact
me using the details in the signature below. If any additional factors
come to light which are relevant to your request, please do not hesitate
to contact us so these can be taken into account.
Ngā mihi nui
Stallah Valaau (pronouns: he/him/his)
Advisor – Executive and Government Relations, Office of the Government
Statistician and Chief Executive
Kaitohutohu – Tari O Te Kaitautauranga Matua Me Te Pouārahi Matua | Stats
NZ | Tatauranga Aotearoa
P O Box 2922, Wellington 6011 | ddi: +64 4 931 4838 | mob: +64 21 575 528 | stats.govt.nz
About Aotearoa, for Aotearoa
Data that improves lives today and for generations to come
From: Joy Skye
Statistics New Zealand
Tēnā koe John
Please see attached a response from Stats NZ to your OIA request regarding
IDI data retention and privacy concerns.
Ngā mihi,
Joy Skye (she/her and Ms)
Senior Advisor – Executive and Government Relations, Office of the Chief
Executive
Kaitohutohu Matua – Ngā Hononga Whakawaho, Kāwanatanga hoki, Tari o te
Tumu Whakahaere
Stats NZ | Tatauranga Aotearoa | stats.govt.nz | 04-931 4699
About Aotearoa, for Aotearoa
Data that improves lives today and for generations to come
Work days: Monday to Thursday