1. Scope

Implemented on: May 2018
Last review on: February 2021
Next review due on: February 2022
Policy owner (name): Ross Young
Policy owner (division): Data Governance Legislation and Policy
Main point of contact: DPO@Statistics.gov.uk

The UK Statistics Authority (UKSA) and its executive office, the Office for National Statistics (ONS), process a large quantity of personal data, principally for the purposes of producing aggregate national and official statistics and statistical research, and all of our staff will likely come into contact with it in some way.

Our data comes from a variety of sources such as mandatory and compulsory surveys, administrative sources in the public and private sectors, information we hold on behalf of other organisations and the data we hold about our own staff and stakeholders.

We all have a responsibility to ensure that the personal data we hold is treated with respect, kept secure and confidential at all times, and that we comply with data protection legislation.

This policy applies to all staff, contractors and others working on behalf of the UKSA and its executive office, the ONS. This policy applies to all functions and activities undertaken by the UKSA that involve the use of personal data.

2. Background

In the UK, Data Protection Legislation is set out in a combination of the UK General Data Protection Regulation (GDPR) and the Data Protection Act 2018. Together these two pieces of legislation determine how and when organisations such as the UK Statistics Authority can process personal data.

3. Principles

The UK Statistics Authority (UKSA) takes data protection seriously and adheres to the UK General Data Protection Regulation (GDPR) principles, in all its business interactions that involve the processing of personal data. The UK GDPR principles state that personal data shall be:

1. Processed lawfully, fairly and in a transparent manner.

All processing of personal data shall be in accordance with UK and EU law, and only take place to the extent that one of the following applies:

  • the data subject has given their consent
  • the processing is necessary for the performance of a contract
  • the processing is necessary for compliance with a legal obligation
  • the processing is necessary to protect the vital interests of the data subject
  • the processing is necessary either for a task carried out in the public interest or in the exercise of the data controller’s official authority

2. Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.

3. Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.

4. Accurate and, where necessary, kept up to date.

5. Kept in a form that permits identification for no longer than is necessary for the purposes for which the data are processed.

6. Processed in a manner that ensures appropriate security of the personal data.

4. Practices

Data protection by design and by default

The UK Statistics Authority (UKSA) shall ensure that the principles and practices of data protection are built into all processing activities, and that the rights and freedoms of individuals are given due consideration at all times.

Data minimisation

Personal data shall only be processed where it is necessary to achieve the aims of the organisation. Only the minimum amount of personal data required to achieve the aim shall be used. Personal data shall be de-identified or anonymised at the earliest opportunity and in accordance with best practice.

Data retention

Personal data shall be held only for so long as they continue to enable or assist the UKSA to undertake its functions. Personal data shall be disposed of appropriately and in accordance with best practice.

Data security

The UKSA shall implement technical and organisational measures to ensure a level of security appropriate to the personal data being processed. The measures put in place shall be regularly reviewed.

Personal data breaches

All breaches that present a risk to the rights and freedoms of individuals, as determined by the Data Protection Officer, shall be reported to the Information Commissioner at the earliest opportunity and in any event no later than 72 hours from discovery. Where a breach represents a high risk to individuals, the UKSA shall notify all data subjects concerned.

Data protection impact assessments

When introducing a new processing activity that is likely to result in a high risk to the rights and freedoms of individuals, the UKSA business areas will undertake an impact assessment to identify and mitigate those risks and seek guidance from the Data Protection Officer, if required.

Transparency

The UKSA will provide data subjects with all the information they require to constitute fair processing at the point of data collection. Where data are collected from administrative sources this information will be provided to data subjects within one month, unless to do so would be disproportionate effort. In addition, and where possible, such information will also be published on the ONS website.

Records of processing

The UKSA shall maintain up-to-date records of all the processing activities it undertakes.

Data subject rights

The UKSA shall respond to all requests made by data subjects, in relation to the rights they hold under data protection legislation, within one month.

Consent

Where the UKSA relies on consent as a lawful basis for processing, that consent shall be fully informed, freely given and as easy to withdraw as to give.

Data processors

The UKSA shall only use data processors capable of providing sufficient guarantees in relation to security of personal data and data protection legislation compliance.

Training

All staff who process personal data will receive adequate and regular training in data protection.

Data Protection Officer

The UKSA will nominate a suitably trained and experienced Data Protection Officer to provide advice and guidance on all matters related to data protection. The Data Protection Officer will be involved in all decisions related to personal data, will report directly to the National Statistician and will have no other duties that may cause a conflict of interests.

The Information Commissioner

The UKSA will provide support and assistance as required by the Information Commissioner in the fulfilment of their tasks.

5. Roles and responsibilities

National Statistician and Statistics Board

Responsible for organisational compliance with data protection legislation. Accountable to Parliament.

Data Protection Officer

Responsible for monitoring compliance and providing advice and guidance. Accountable to the National Statistician.

Data Protection Compliance and Audit

Responsible for monitoring and auditing data protection compliance and providing advice and guidance. Accountable to the Data Protection Officer.

Legal Services

Responsible for providing support to the Data Protection Officer. Accountable to the National Statistician.

Chief Security Officer

Responsible for ensuring organisational services using personal data are compliant. Accountable to the National Statistician.

Departmental Records Officer

Responsible for ensuring records management, document storage and providing advice. Accountable to the Chief Security Officer.

6. Compliance

All staff, contractors and others working on behalf of the UK Statistics Authority (UKSA) and its executive office, the Office for National Statistics (ONS), are required to comply with this policy. Compliance with the policy will be monitored by the Data Protection Officer.

Failure to comply may result in disciplinary action in line with the organisation’s Discipline Policy. Staff making a complaint in relation to the application of this policy should refer to the organisation’s Grievance Policy.

7. Definitions

Data protection legislation

This means, collectively, the UK General Data Protection Regulation and the Data Protection Act 2018.

Personal data

This means any information relating to an identified or identifiable natural living person.

Data subject

This means the natural person to whom personal data relates.

Processing

This means any operation which is performed on personal data, including storage.

Data controller

This means a natural person, public authority or other body which determines the purposes and means of the processing of personal data.

Data processor

This means a natural person, public authority or other body which processes personal data on behalf of the data controller.

Personal data breach

This means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.
