Confidentiality of data collected for statistical purposes

The quality of statistical outputs and services rests on the collection of high quality data, which relies on the trust and co-operation of respondents. Maintaining the confidentiality of all data collected is therefore of paramount importance to the Office for National Statistics (ONS), as well as to the reporting public. The Code of Practice for National Statistics will include a guarantee to individuals that information they supply in confidence for wholly statistical purposes will be protected. This guarantee applies not just to data collected for National Statistics purposes (which includes all ONS statistics) but for any Government Statistical Service (GSS) activity. Protocols are to be included to define minimum standards and practices to be adopted, and these will also provide a framework for identifying and managing any particular areas of concern.

Identification of risks in relation to the confidentiality of data has several components. Firstly, the Code of Practice and protocols provide a framework of good confidentiality practice. This can be used as a checklist for areas of risk. The Code of Practice is also supported by ethical guidelines set down by professional associations such as the Royal Statistical Society, the Social Research Association and the Market Research Society, as well as standards set by the International Statistical Institute. ONS ensures its practices meet the requirements of each of these. ONS is also subject to UK legislation and EU Statistical Law, both of which contain provisions designed to maintain the confidentiality of data. Examples are the Statistics of Trade Act 1947 and the Data Protection Act.

While the Code of Practice and related standards provide a framework for assessing risk to confidentiality, a systematic approach to risk identification involves an analysis of the statistical processes inherent in collecting, analysing and disseminating data, and the risks inherent at each stage.

Table 1 sets out the various stages in the statistical process and the main risks that are considered at each stage. Risks can now be separated into those associated with collecting the data (risks of inappropriate employee behaviour, inappropriate contract behaviour, system errors, administrative errors, or non-secure storage of confidential information), errors associated with processing and analysing the data, and errors associated with dissemination (risks of inadequate scientific analysis, inappropriate user behaviour, and inadequate monitoring of use). Having established sources of risk, for example inappropriate employee behaviour or system error, during data collection, a risk analysis can be undertaken in terms of who has access to particular data, what part of the technical environment can access the data, and so on.

ONS employs a deliberate strategy of limiting access by individuals to particular parts of the technical environment, and particular data sources, thus reducing the implicit level of risk, and assisting the targeting of potential risk.

The risks faced by ONS are the same as those faced by other statistical agencies throughout the world, and risk-identification is a common need. Therefore frameworks, management strategies and scientific techniques to identify, assess and respond to risk are developed jointly by the international statistical community. In the case of confidentiality, this is particularly true in the areas of collection and production.

Identification of specific risks associated with new methodologies, and ways to manage them, are shared at international discussions, conferences and in joint research projects. Peer review across agencies is undertaken to ensure that risks to confidentiality are identified in new methodologies where this is a potential concern. For example, the proposed approach to ensuring the confidentiality of results to be disseminated from the 2001 Population Census has been peer reviewed by an expert from Statistics Canada. This review process is intended to identify risks associated with the proposed approach, and ensure an appropriate methodology is implemented.

Important areas for potential risk in relation to confidentiality of respondent information are the physical environment, the technical environment and the systems used. These aspects of security are of critical importance to ONS, and ONS risk management processes follow the principles of risk management laid out in the "Manual of Protective Security" (MPS).

Like other government departments and agencies, ONS is also planning for compliance with the British standard BS7799 for information security management. This is aimed specifically at protecting the confidentiality, integrity and availability of our information and covers issues such as how we manage our physical, personnel and IS security. An integral part of the BS7799 process is identifying risk and developing appropriate response strategies. A review of a pilot area is already under way and the results of this review will help with more detailed plans to cover the whole department.

Effective risk identification requires specific skills and motivation of people in the particular field. ONS contracts of employment remind all new staff of their duties of confidentiality and that they must adhere to the ONS Code of Practice on confidentiality of data. The Code of Practice (which has been praised by the Data Protection Registrar) is included in the ONS Induction Database. Chapter 5d of the ONS Guide, which forms part of ONS terms and conditions of service, also sets out guidance on confidentiality and handling of official information. Survey interviewers’ instructions for maintaining confidentiality are set out in their contracts of employment. Staff working in Registration and on the Census sign a specific confidentiality declaration. We are considering whether there is a need to introduce a general ONS confidentiality declaration for staff in the future. For existing staff, ONS provides training in issues associated with confidentiality as part of induction and also in ongoing training and development modules. We encourage our managers to promote confidentiality as a key value.

| Activity | Risk for confidentiality |
| --- | --- |
| user consultation | |
| testing and development | release during testing, for collection |
| collection | i) release through inappropriate interviewer/clerical behaviour |
| | ii) inadvertent release through interviewer/clerical error |
| | iii) inadvertent release through system error |
| | iv) inadvertent release by respondent (e.g. through use by respondent of wrong fax number) |
| | v) ONS name used fraudulently to acquire information |
| | vi) inadvertent release at a subsequent stage of data collection for example, where data is carried forward for a subsequent survey, or in probity checks |
| processing, including follow up for editing | i) for collection of data during follow up queries with the respondent, risks as for collection (see above) apply |
| | ii) failure of external contractors to maintain security (applicable to the Census) |
| | iii) failure of ONS clerical and system security to maintain confidentiality |
| estimation | failure of ONS clerical and system security to maintain confidentiality |
| analysis | failure of ONS clerical and system security to maintain confidentiality |
| dissemination of standard aggregate outputs | i) failure to detect cells within aggregates that allow identification of individual information |
| | ii) failure to detect possibilities of joint use of released information to identify individual information |
| dissemination of non standard aggregates | i) failure to detect cells within aggregates that allow identification of individual information |
| | ii) failure of those holding such records outside the ONS environment to meet contractual arrangements. |
| | iii) failure to detect possibilities of joint use of released information to identify individual information |
| dissemination of non identifiable unit record data | i) failure to detect potentially identifiable units within the confidential file |
| | ii) failure of those with access to the confidential file to meet contractual agreements not to attempt to match the file (Both these conditions must be met for a risk to arise, but ONS manages risks to both elements as part of a belts and braces approach to ensuring confidentiality) |
| archiving and storage of data | failure of ONS clerical and system security to maintain confidentiality |

3.2 Processes for judging the likelihood and the impact of identified risks, and the response for risks related to confidentiality

Identifying risks is the first step in the risk management cycle. Evaluating these risks in terms of likelihood and potential impact is the next step, and an appropriate response then ensues. In the case of release of confidential information, the likelihood of each risk is assessed according to the potential source of breach and is based on judgement and past experience as well as the shared experience of statistical agencies across the world. As this risk is one of considerable potential impact on ONS, any risk likely to occur requires a response. ONS has a very low appetite for risk in this area.

The impact of the release of any confidential information is the potential loss of trust of respondents in the commitment and ability of ONS to safeguard their information. This loss will accrue across all areas of statistics regardless of where the breach of confidentiality has occurred. Any risk to confidentiality is seen as having a high impact. Nonetheless, some data is particularly sensitive to individuals or businesses, for example income or medical information, or commercially sensitive business information, and the inadvertent release of such information would create a higher profile, and hence have a higher impact, than less sensitive information.

The impact of any breach in public trust through the release of confidential information will also depend to some extent on significant collection activity taking place, or about to take place, at the time of the breach. For example, a breach in public trust from whatever survey would have a far greater impact immediately prior to the Population Census than at another time. Conversely, because of its high profile, any breach in public trust associated with the Census returns could have a potentially devastating impact on the collection of survey data and the confidence which both the public and private sectors would have in ONS.

The process for determining the likelihood, impact and response to identified risks is the responsibility of the relevant work area. However, a member of the Executive is tasked with ensuring that methods and practices across ONS support the security of confidential information, and that risks to confidentiality are being adequately managed.

For risks identified as of corporate significance, the likelihood and impact are monitored, and the response to any increased change of status is reported to the Executive, in monthly reports, or more frequently depending on the urgency of the issue. The Population Census programme maintains a detailed risk register, and reports on risk are raised through a monthly report provided to the National Statistician.

3.3 Processes for evaluating risk management strategies relating to confidentiality

A standard way to evaluate the effectiveness of a risk management strategy would be to monitor the extent to which problems arise as a result of unidentified risks, or inappropriate responses, including 'over response'. In the case of confidentiality, breaches are extremely rare. In cases where a breach has occurred, or been perceived to have occurred, or the potential for a breach has been high, ONS evaluates the processes leading to the breach or near breach, in order to take action to ensure it could not recur.

The rarity of any past breaches raises the question of whether too much effort is spent on safeguarding confidentiality. However, ONS is strongly of the view that a breach carries such a high cost to the reputation of the organisation, and the quality of future statistics, that the current approach of high risk aversion is appropriate.

3.4 Involvement of stakeholders in management of risk to confidentiality

There are four sets of stakeholders in the ONS risk management strategy for issues of confidentiality. These are the respondents, the representatives of respondents (for example, the Data Protection Commissioner), the users of the data, and the users of other ONS data that would be affected by a breach in confidentiality on any particular data set.

ONS does not engage directly with respondents on its risk management strategy in this area, although it does keep close watch on the media and monitors public views of the accessibility and use of identifiable data. Clear statements are made to respondents about confidentiality and data release in association with the collection of the survey data. Respondents are therefore aware of ONS’s commitment to confidentiality and can query any risks they perceive.

ONS also seeks informed consent for the release of certain identifiable data to particular users for statistical purposes, and monitors respondent attitudes to such informed consent. ONS is also commissioning research work on the perceptions of individual respondents to the use of data across government and the risks of such work to confidentiality. This research will also assess the impact, if any, on survey response rates caused by widening the sharing of identifiable data under strictly controlled conditions to named departmental statisticians outside ONS.

ONS does engage directly with the Data Protection Commissioner as well as representatives of ethics and civil liberties groups, in terms of the procedures and methods used, the likely risks that might arise, and the risk management strategies. It also engages with industry bodies on issues of data collection and confidentiality regarding business information. On most household health surveys, it engages with the national system of Ethics Committees, particularly those involving more intrusive aspects such as physical measurement, blood collection and the administration of detailed instruments to assess mental health. For such surveys, ethical approval is required from the relevant Multi-Research Ethics Committee, and issues of risk are discussed as part of the approval procedure. Input from these sources forms an important element in ONS risk management strategies for ensuring data confidentiality.