Guidance

Statistical guidance: policy statement on confidentiality and access

Published 14 July 2010

1. Introduction

The Code of Practice for Official Statistics requires all producers of Official Statistics to publish a clear statement on confidentiality and access of data holdings used in producing statistical outputs.

Department for Work and Pensions (DWP) is governed by the department’s own data protection policy along with theData Protection Act 1998 and specific social security legislation.

This policy reflects the wide range of uses to which data are put within the department, including the production of statistics.

We only give access to personalised data to external bodies where there is a legal gateway to do so (this includes research done under contract for DWP).

Statistical Services Division is responsible for most of the Official Statistics produced by DWP. The head of Statistical Services Division Neil McIvor, is also our Head of Profession for Statistics and therefore has overall responsibility for all DWP Official Statistics.

2. Confidentiality and access – general policy statement

We protect the security of our data holdings in order to maintain the privacy of the citizen, fulfil relevant legal obligations and uphold our guarantee that no statistics will be produced that are likely to identify an individual, while at the same time taking account of our obligation to obtain maximum value from the data we hold for statistical purposes.

Staff are given information security training on a regular basis, data handlers are provided with additional training dealing with the principles of the Data Protection Act including confidentiality of personal information and they are required to sign to say that they have received this training.

The majority of data accessed by analysts is obfuscated and access is business case controlled based to the minimum data required.

The department accords to the Code of Practice for Office Statistics and the supporting guidance Privacy and data confidentiality methods a national stasticians quality review NSQR

3. Physical security

All staff working in this organisation and all visitors to its sites require authority andphotographic passes to access the premises. In most locations there are further internal security doors, segregating areas of higher sensitivity.

Confidential statistical data is held in a secure environment that includes secure storage such as locked security cabinets. Access is strictly controlled in line with departmental policy.

4. Technical security

DWP maintains a secure technical environment in order to protect the confidentiality, integrity and availability of information. Access to the DWP network is controlled by layered authentication using a combination of physical token, password and PIN.

In addition, a number of technical controls are present to prevent unauthorised access and data leakage.

5. Organisational security

DWP has a single Senior Information Risk Owner (SIRO) and for each of the department’s major business areas there is a Deputy SIRO who is responsible for promoting good information management and security across their area of responsibility.

For individual datasets DWP assigns accountability for data security and confidentiality to nominated Information Asset Managers (IAM). They ensure that specific information assets are handled and managed appropriately.

Government Legal Department has teams who are responsible for security and data protection policies that support Information Asset Managers. The Knowledge and Information Management Division is responsible for the policies, practices and process for the recording and exploitation of departmental information

6. Disclosure security

Disclosure control techniques are always implemented before Official Statistics are released. As an additional protective measure, details of the methodology are not published.

Where a sample data extract has been used for Official Statistics, the data are grossed and rounded to provide an estimate of the true number before release.

Where a 100% data extract has been used for Official Statistics, we use statistical disclosure techniques to help ensure confidentiality is maintained.

7. Arrangements for providing to third parties

The department may contract third parties to conduct research on its behalf. This will only happen when they meet the necessary data handling conditions, security requirements, prescribed standards and followed the Security Assurance for Research and Analysis framework.

In the case of contracted analysis, information provided to third parties is inconsistently masked, giving careful consideration to all variables. This prevents variables being combined to reveal individuals’ identities and a case by case assessment is made taking into consideration other known or assumed data sets that may be in the contractors’ possession. The primary consideration is to minimise the risk of identification and possible distress to individuals.

Non-masked data would only be provided to contractors where there is a genuine business requirement to do so, such as surveys, and would operate under contract to ensure that appropriate security arrangements are in place and are enforceable.

In both situations, the number of records in a sample and the attributes contained within are limited to only those that are absolute necessary in accordance with policy.

8. Recording the details of access authorisations

All authorisations for access to private information are recorded and details of accesses to such information are recorded for auditing and compliance purposes.

Department for Work and Pensions

Contact: [email protected]

March 2017