Statistical guidance: policy statement on confidentiality and access
Published 14 July 2010
1. Introduction
The Code of Practice for Official Statistics requires all producers of Official Statistics to publish a clear statement on confidentiality and access of data holdings used in producing statistical outputs.
Department for Work and Pensions (DWP) is governed by the department’s own data protection policy along with the Data Protection Act 1998 and specific social security legislation.
This policy reflects the wide range of uses to which data are put within the department, including the production of statistics.
We only give access to personalised data to external bodies where there is a legal gateway to do so (this includes research done under contract for DWP).
Statistical Services Division is responsible for most of the Official Statistics produced by DWP. The head of Statistical Services Division, Neil McIvor, is also our Head of Profession for Statistics and therefore has overall responsibility for all DWP Official Statistics.
2. Confidentiality and access – general policy statement
We protect the security of our data holdings in order to maintain the privacy of the citizen, fulfil relevant legal obligations and uphold our guarantee that no statistics will be produced that are likely to identify an individual, while at the same time taking account of our obligation to obtain maximum value from the data we hold for statistical purposes.
Staff are given information security training on a regular basis. Data handlers are provided with additional training dealing with the principles of the Data Protection Act, including confidentiality of personal information, and they are required to sign to say that they have received this training.
The majority of data accessed by analysts is obfuscated, and access is controlled by business case and limited to the minimum data required.
The department adheres to the Code of Practice for Official Statistics and the supporting guidance, Privacy and data confidentiality methods: a National Statistician's Quality Review (NSQR).
3. Physical security
All staff working in this organisation and all visitors to its sites require authority and photographic passes to access the premises. In most locations there are further internal security doors, segregating areas of higher sensitivity.
Confidential statistical data is held in a secure environment that includes secure storage such as locked security cabinets. Access is strictly controlled in line with departmental policy.
4. Technical security
DWP maintains a secure technical environment in order to protect the confidentiality, integrity and availability of information. Access to the DWP network is controlled by layered authentication using a combination of physical token, password and PIN.
In addition, a number of technical controls are present to prevent unauthorised access and data leakage.
5. Organisational security
DWP has a single Senior Information Risk Owner (SIRO) and for each of the department’s major business areas there is a Deputy SIRO who is responsible for promoting good information management and security across their area of responsibility.
For individual datasets DWP assigns accountability for data security and confidentiality to nominated Information Asset Managers (IAM). They ensure that specific information assets are handled and managed appropriately.
Government Legal Department has teams who are responsible for security and data protection policies that support Information Asset Managers. The Knowledge and Information Management Division is responsible for the policies, practices and process for the recording and exploitation of departmental information.
6. Disclosure security
Disclosure control techniques are always implemented before Official Statistics are released. As an additional protective measure, details of the methodology are not published.
Where a sample data extract has been used for Official Statistics, the data are grossed and rounded to provide an estimate of the true number before release.
Where a 100% data extract has been used for Official Statistics, we use statistical disclosure techniques to help ensure confidentiality is maintained.
7. Arrangements for providing to third parties
The department may contract third parties to conduct research on its behalf. This will only happen when they meet the necessary data handling conditions, security requirements and prescribed standards, and follow the Security Assurance for Research and Analysis framework.
In the case of contracted analysis, information provided to third parties is inconsistently masked, giving careful consideration to all variables. This prevents variables being combined to reveal individuals’ identities and a case by case assessment is made taking into consideration other known or assumed data sets that may be in the contractors’ possession. The primary consideration is to minimise the risk of identification and possible distress to individuals.
Non-masked data would only be provided to contractors where there is a genuine business requirement to do so, such as surveys, and would operate under contract to ensure that appropriate security arrangements are in place and are enforceable.
In both situations, the number of records in a sample and the attributes contained within are limited to only those that are absolutely necessary in accordance with policy.
8. Recording the details of access authorisations
All authorisations for access to private information are recorded and details of accesses to such information are recorded for auditing and compliance purposes.
Department for Work and Pensions
Contact: [email protected]
March 2017