Statistics and research: statement on confidentiality and data access

This Statement is issued in conformance with the requirements set out in Principle T6: Data governance of the Code of Practice for Statistics.

It sets out the arrangements we have put in place to:

• protect the security of our data and uphold our guarantee that no statistics will be produced that are likely to identify an individual or organisation (in very exceptional circumstances we may contact an organisation to request their permission to identify them within one of our statistical outputs)
• while at the same time; obtaining maximum value from these micro-data, once obtained, by extending appropriate access to bona fide and authorised third parties

Welsh Government Statistical and Social Research team analysts hold and process various data which are sensitive because they are either personal or commercially sensitive.

Specific measures are taken to preserve their confidentiality and security:

• legislation and codes of practice governing the collection, storage and use of confidential data are strictly observed
• we only publish statistics after careful consideration of the risk of releasing confidential information to ensure no individual or organisation can be identified
• staff members receive appropriate training in information  security measures, and in the importance of accessing confidential data appropriately, and only when necessary
• data access arrangements must be signed by any external researchers and contractors who may be allowed access to confidential data, while confidentiality declarations are made by internal colleagues who work outside the Welsh Government Statistics and Research team
• all confidentiality undertakings are respected when data are received from other organisations

The Welsh Government Statistics and Research team aims to ensure that it has the required policies, systems and culture in place in order to meet international standards on information security management systems.

Staff members receive appropriate training in IT security measures including the mandatory “Responsible for Information” course developed by the Cabinet Office and Civil Service Learning.

The Welsh Government has designated Information Asset Owners across the organisation and senior managers have responsibility for

• identifying and recording information assets
• ensuring staff who manage information assets in the Department are appropriately trained
• managing risk relating to information assets
• ensuring information is passed to third party suppliers with appropriate governance and security in place, and third party suppliers managing any of our information are aware of their responsibilities

The Chief Statistician and Chief Social Research Officer are Information Asset Owners for their respective areas of responsibility.

Staff work to the Welsh Government security policy which provides guidance to staff around protecting information in all work contexts (i.e. within and off Welsh Government premises). All staff working in the organisation and all visitors to its sites require a pass to access any premises. There is no public access to any part of the organisation where confidential statistical data may be held.

Any data stored or synced to laptops is secure with all laptops using BitLocker and drive encryption. Any data stored on laptops is managed by organisational identities with data retention policies removing local data every 60 days. All transmission of data pertaining to individuals, households or businesses is conducted within the corporate network or else shared via Data encryption services such as the Welsh Government’s iShare Connect (this is similar to drop box) or our DEWi and AFON exchange systems.  Secure messaging can be used with the email encryption service provided by O365.

We use a combination of survey project managers and data managers (sometimes referred to as data custodians) to protect and maintain our data and Welsh Government Statistics and Research team staff are trained in the importance of accessing confidential data appropriately, and only when necessary.  Further we use a Declaration of Confidentiality when sharing individual or personal data with non-Welsh Government Statistics and Research staff within the organisation.

We comply with data protection law, including the UK General Data Protection Regulation, and privacy notices are used for relevant data collections to ensure data subjects and suppliers are aware of the purposes of the collection and how their data will be used. When contractors undertake work on our behalf, the contract we have with them includes conditions around the security and protection of personal and confidential data.

We regularly assess the risk of the accidental disclosure of an individual’s information in each of our relevant outputs, and the statistical disclosure techniques used to mitigate these risks are tailored for each output to meet the confidentiality guarantee. These risk assessments are reviewed regularly to ensure they provide the necessary balance between management of the risk and data usability.

We may provide micro-data for statistical and research purposes to bona fide researchers, to the academic sector, to local authorities, Welsh Public Bodies, medical researchers, other government departments and devolved administrations. Data may be released under arrangements described in a formal Data Access Arrangement (or occasionally via a Service Level Agreement, a Concordat, or a contract).  We will ensure that unless it is otherwise absolutely necessary, non-personal data are shared or we provide access to anonymised personal data through an appropriate secure research environment (for example, SAIL databank or WG SeRP). We will only share identifiable personal data where there is a clear legal gateway and a relevant purpose for doing so, in line with legislation.

In every case, a prospective user must make an application for approval for release to the Chief Statistician. In some circumstances the Chief Statistician will delegate this approval to another senior statistician or the Chief Social Research Officer.

Details of the data to be shared, the agreed uses of the data, the legal basis for the data share, the data transfer mechanism and an expected date of destruction are set out in the agreement to be signed by the requesting body. The Agreement must have the Chief Statistician’s approval to give the business area the authority to release the data. Details of all authorised access to the organisation’s data pertaining to individuals, households or businesses are updated regularly on our 'Data sharing for statistical and research purposes' page.

All beneficiaries of access to personal data are required to sign a Security Aspects Letter confirming their agreement to appropriate technical and physical security standards. We currently use two secure systems (AFON, DEWI) for data collection and sharing, alongside corporate tools (iShare Connect) which allow the secure sharing of various file types. These systems enable secure movement of different types of data between the Welsh Government and its data providers or users.

The Chief Statistician (in consultation with the National Statistician as necessary) must authorise any exceptions to the principle of confidentiality protection prior to any data being released. Records of any authorisations are kept in a registered file.