1. Scope

 Implemented on   May 2018
 Last review on   February 2024
 Next review due on   February 2025
 Policy owner   Ross Young
 Policy owner (division)   Data Governance Legislation and Policy
 Main point of contact  DPO@Statistics.gov.uk
 Published version link  Data policies


The UK Statistics Authority and its executive office, the Office for National Statistics (ONS) process a large quantity of personal data, principally for the purposes of producing aggregate National and official statistics and statistical research, and all our staff will likely come into contact with it in some way.

Our data comes from a variety of sources such as mandatory and compulsory surveys, administrative sources in the public and private sectors, information we hold on behalf of other organisations and the data we hold about our own staff and stakeholders.

We all have a responsibility to ensure that the personal data we hold is treated with respect, always kept secure and confidential, and that we comply with data protection legislation.

This policy applies to all staff, contractors and others working on behalf of the UK Statistics Authority and its executive office, the ONS. This policy applies to all functions and activities undertaken by the UK Statistics Authority that involve the use of personal data.

Back to table of contents

2. Background

In the UK, Data Protection Legislation is primarily set out in the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, and determines how and when organisations, such as UK Statistics Authority, can process personal data.

Back to table of contents

3. Policy statement

The UK Statistics Authority takes data protection seriously and adheres to the UK GDPR principles, in all its business interactions that involve the processing of personal data. The UK GDPR principles state that personal data shall be:

1. processed lawfully, fairly and in a transparent manner.

All processing of personal data shall be in accordance with UK law, and only take place to the extent that one of the following applies-

  1. the data subject has given their consent.
  2. the processing is necessary for the performance of a contract.
  3. the processing is necessary for compliance with a legal obligation.
  4. the processing is necessary to protect the vital interests of the data subject.
  5. the processing is necessary either for a task carried out in the public interest or in the exercise of the data controller's official authority
  6. processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party (as the UK Statistics Authority is a public authority, it cannot rely on legitimate interests for any processing it does to perform its tasks as a public authority).

2. collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.

3. adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed.

4. accurate and, where necessary, kept up to date.

5. kept in a form that permits identification for no longer than is necessary for the purposes for which the data are processed.

6. processed in a manner that ensures appropriate security of the personal data.

Back to table of contents

4. Policy detail

Practices

Data protection by design and by default

The UK Statistics Authority shall ensure that the principles and practices of data protection are built into all processing activities, and that the rights and freedoms of individuals are given due consideration at all times.

Extra protection should be provided, as necessary, to the data of individuals who may be considered vulnerable. Vulnerability can be considered to exist where circumstances may restrict an individual's ability to freely consent or object to the processing of their personal data, to understand its implications, or where there is an imbalance of power in the relationship between the individual and the Authority.

Data minimisation

Personal data shall only be processed where it is necessary to achieve the aims of the organisation. Only the minimum amount of personal data required to achieve the aim shall be used. Personal data shall be de-identified or anonymised at the earliest opportunity and in accordance with best practice.

Data retention

Personal data shall be held only for so long as they continue to enable or assist the UK Statistics Authority undertake its functions. Personal data shall be disposed of appropriately and in accordance with best practice.

Data security

The UK Statistics Authority shall implement technical and organisational measures to ensure a level of security appropriate to the personal data being processed. The measures put in place shall be regularly reviewed.

Personal data breaches

All breaches that present a risk to the rights and freedoms of individuals, as determined by the Data Protection Officer (DPO), shall be reported to the Information Commissioner at the earliest opportunity and in any event no later than 72 hours from discovery. Where a breach represents a high risk to individuals, the UK Statistics Authority shall notify all data subjects concerned.

When discovering a personal data breach (or suspected breach), the DPO must be notified immediately (dpo@statistics.gov.uk) regardless of further investigations or information gathering.

Data protection impact assessments

When introducing a new processing activity that is likely to result in a high risk to the rights and freedoms of individuals, the UK Statistics Authority business areas will undertake an impact assessment to identify and mitigate those risks and seek guidance from the Data Protection Officer if required.

Transparency

The UK Statistics Authority will provide data subjects with all the information they require to constitute fair processing, at the point of data collection. Where data are collected from administrative sources this information will be provided to data subjects within one month, unless to do so would be disproportionate effort. In addition, and where possible, such information will also be published on ONS website.

Records of processing

The UK Statistics Authority shall maintain up to date records of all the processing activities it undertakes.

Data subject rights

The UK Statistics Authority shall respond to all requests made by data subjects, in relation to the rights they hold under data protection legislation, within one month.

Consent

Where the UK Statistics Authority relies on consent as a lawful basis for processing that consent shall be fully informed, freely given and as easy to withdraw as to give.

Processors

The UK Statistics Authority shall only use data processors capable of providing sufficient guarantees in relation to security of personal data and data protection legislation compliance.

International Data Transfers

Where the UK Statistics Authority transfers personal data internationally, it will only do so where an adequacy regulation is in place, or a safeguard or derogation is used. Where derogations are used, the organisation shall seek the advice of the Data Protection Officer.

Training

All staff who process personal data will receive adequate and regular training in data protection.

Data Protection Officer (DPO)

The UK Statistics Authority will nominate a suitably trained and experienced Data Protection Officer to provide advice and guidance on all matters related to data protection. The DPO will report directly to the National Statistician and will have no other duties that may cause a conflict of interest.

The Information Commissioner

The UK Statistics Authority will provide support and assistance as required by the Information Commissioner in the fulfilment of their tasks.

Compliance

All staff, contractors and others working on behalf of UK Statistics Authority and its executive office, the ONS, are required to comply with this policy. Compliance with the policy will be monitored by the Data Protection Officer. Failure to comply may result in disciplinary action in line with the organisation's Discipline Policy. Staff making a complaint in relation to the application of this policy should refer to the organisation's Grievance Policy.

Back to table of contents

5. Roles and responsibilities

National Statistician/Statistics Board

The National Statistician and the Statistics board are responsible for the organisational compliance with data protection legislation and are ultimately accountable to Parliament.

Data Protection Officer (DPO)

The DPO will monitor compliance and provide advice and guidance to the organisation on all matters relating to data protection. The DPO reports to the National Statistician.

Data Protection Compliance and Audit (DPCA)

The DPCA team within Data Governance Legislation and Policy branch, reports to the DPO and monitors and audits the organisation's compliance with data protection. The team will also provide advice and guidance to the organisation.

Legal Services

The Legal Services team within the Central Policy Secretariat division provides support to the Data Protection Officer and accountable to the National Statistician.

Chief Security Officer (CSO)

The CSO and their team within the Security and Information Management (SaIM) Division ensures organisational services utilising personal data are compliant and are accountable to the National Statistician.

Departmental Records Officer

The Departmental Records Officer, within the Security and Information Management (SaIM) division, ensures records management and document storage, and provides advice on retention of personal data and is accountable to the Chief Security Officer.

Information Asset Owners

An Information Asset Owner (IAO) is the senior individual in the business area with responsibility for an information or data asset to ensure its appropriate access, use and security.

Back to table of contents

6. Definitions

Data protection legislation

This means collectively; the UK General Data Protection Regulation, and the Data Protection Act 2018.

Personal data

This means any information relating to an identified or identifiable natural living person.

Data subject

This means the natural person to which personal data applies.

Processing

This means any operation which is performed on personal data, including storage.

Data controller

This means a natural person, public authority or other body, which determines the purposes and means of the processing of personal data.

Data processor

This means a natural person, public authority or other body, which processes personal data on behalf of the data controller.

Personal data breach

This means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.

Back to table of contents