| | |
|---|---|
| Implemented on | May 2018 |
| Last review on | February 2021 |
| Next review due on | February 2022 |
| Policy owner (name) | Ross Young |
| Policy owner (division) | Data Governance Legislation and Policy |
| Main point of contact | DPO@Statistics.gov.uk |
The UK Statistics Authority (UKSA) and its executive office, the Office for National Statistics (ONS), process a large quantity of personal data, principally for the purposes of producing aggregate national and official statistics and statistical research, and all of our staff will likely come into contact with it in some way.
Our data comes from a variety of sources such as mandatory and compulsory surveys, administrative sources in the public and private sectors, information we hold on behalf of other organisations and the data we hold about our own staff and stakeholders.
We all have a responsibility to ensure that the personal data we hold is treated with respect, kept secure and confidential at all times, and that we comply with data protection legislation.
This policy applies to all staff, contractors and others working on behalf of the UKSA and its executive office, the ONS. It applies to all functions and activities undertaken by the UKSA that involve the use of personal data.
In the UK, data protection legislation is set out in a combination of the UK General Data Protection Regulation (GDPR) and the Data Protection Act 2018. Together these two pieces of legislation determine how and when organisations such as the UK Statistics Authority can process personal data.
The UK Statistics Authority (UKSA) takes data protection seriously and adheres to the UK General Data Protection Regulation (GDPR) principles in all its business interactions that involve the processing of personal data. The UK GDPR principles state that personal data shall be:
1. Processed lawfully, fairly and in a transparent manner.
All processing of personal data shall be in accordance with UK and EU law, and only take place to the extent that one of the following applies:
- the data subject has given their consent
- the processing is necessary for the performance of a contract
- the processing is necessary for compliance with a legal obligation
- the processing is necessary to protect the vital interests of the data subject
- the processing is necessary either for a task carried out in the public interest or in the exercise of the data controller’s official authority
2. Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
3. Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
4. Accurate and, where necessary, kept up to date.
5. Kept in a form that permits identification for no longer than is necessary for the purposes for which the data are processed.
6. Processed in a manner that ensures appropriate security of the personal data.
Data protection by design and by default
The UK Statistics Authority (UKSA) shall ensure that the principles and practices of data protection are built into all processing activities, and that the rights and freedoms of individuals are given due consideration at all times.
Personal data shall only be processed where it is necessary to achieve the aims of the organisation. Only the minimum amount of personal data required to achieve the aim shall be used. Personal data shall be de-identified or anonymised at the earliest opportunity and in accordance with best practice.
Personal data shall be held only for so long as they continue to enable or assist the UKSA in undertaking its functions. Personal data shall be disposed of appropriately and in accordance with best practice.
The UKSA shall implement technical and organisational measures to ensure a level of security appropriate to the personal data being processed. The measures put in place shall be regularly reviewed.
Personal data breaches
All breaches that present a risk to the rights and freedoms of individuals, as determined by the Data Protection Officer, shall be reported to the Information Commissioner at the earliest opportunity and in any event no later than 72 hours from discovery. Where a breach represents a high risk to individuals, the UKSA shall notify all data subjects concerned.
Data protection impact assessments
When introducing a new processing activity that is likely to result in a high risk to the rights and freedoms of individuals, the UKSA business areas will undertake an impact assessment to identify and mitigate those risks and seek guidance from the Data Protection Officer, if required.
The UKSA will provide data subjects with all the information they require to constitute fair processing at the point of data collection. Where data are collected from administrative sources this information will be provided to data subjects within one month, unless to do so would be disproportionate effort. In addition, and where possible, such information will also be published on the ONS website.
Records of processing
The UKSA shall maintain up-to-date records of all the processing activities it undertakes.
Data subject rights
The UKSA shall respond to all requests made by data subjects, in relation to the rights they hold under data protection legislation, within one month.
Where the UKSA relies on consent as a lawful basis for processing, that consent shall be fully informed, freely given and as easy to withdraw as to give.
The UKSA shall only use data processors capable of providing sufficient guarantees in relation to security of personal data and data protection legislation compliance.
All staff who process personal data will receive adequate and regular training in data protection.
Data Protection Officer
The UKSA will nominate a suitably trained and experienced Data Protection Officer to provide advice and guidance on all matters related to data protection. The Data Protection Officer will be involved in all decisions related to personal data, will report directly to the National Statistician and will have no other duties that may cause a conflict of interests.
The Information Commissioner
The UKSA will provide support and assistance as required by the Information Commissioner in the fulfilment of their tasks.
National Statistician and Statistics Board
Responsible for organisational compliance with data protection legislation. Accountable to Parliament.
Data Protection Officer
Responsible for monitoring compliance and providing advice and guidance. Accountable to the National Statistician.
Data Protection Compliance and Audit
Responsible for monitoring and auditing data protection compliance and providing advice and guidance. Accountable to the Data Protection Officer.
Responsible for providing support to the Data Protection Officer. Accountable to the National Statistician.
Chief Security Officer
Responsible for ensuring organisational services using personal data are compliant. Accountable to the National Statistician.
Departmental Records Officer
Responsible for ensuring records management, document storage and providing advice. Accountable to the Chief Security Officer.
All staff, contractors and others working on behalf of the UK Statistics Authority (UKSA) and its executive office, the Office for National Statistics (ONS), are required to comply with this policy. Compliance with the policy will be monitored by the Data Protection Officer.
Failure to comply may result in disciplinary action in line with the organisation’s Discipline Policy. Staff making a complaint in relation to the application of this policy should refer to the organisation’s Grievance Policy.
Data protection legislation
This means, collectively, the UK General Data Protection Regulation and the Data Protection Act 2018.
Personal data
This means any information relating to an identified or identifiable natural living person.
Data subject
This means the natural person to which personal data applies.
Processing
This means any operation which is performed on personal data, including storage.
Data controller
This means a natural person, public authority or other body, which determines the purposes and means of the processing of personal data.
Data processor
This means a natural person, public authority or other body, which processes personal data on behalf of the data controller.
Personal data breach
This means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.