1. Policy review record

  •  Implemented in April 2022

  •  Last review in February 2026

  •  Next review due in February 2027

  •  Policy owner (division): Legal & Data Services

  •  Main point of contact: DPO@Statistics.gov.uk

2. Policy statement

The UK Statistics Authority takes data protection seriously and adheres to the UK General Data Protection Regulation (GDPR) principles in all its business interactions involving the processing of special category personal data. The UK GDPR principles state that personal data shall be:

  • processed lawfully, fairly and in a transparent manner (lawfulness, fairness and transparency)

  • collected only for specified, explicit and legitimate purposes (purpose limitation)

  • adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed (data minimisation)

  • accurate and where necessary kept up to date (accuracy)

  • not kept in a form which permits identification of data subjects for longer than is necessary for the purposes for which the data are processed (storage limitation)

  • processed in a manner that ensures its security using appropriate technical and organisational measures to protect against unauthorised or unlawful processing and against accidental loss, destruction or damage (security, integrity and confidentiality)

We are also responsible for, and must be able to demonstrate compliance with, the data protection principles listed in this section (accountability).

3. Scope

The policy applies to all employees of the UK Statistics Authority and Office for National Statistics (ONS).

4. Introduction

As part of the Office for National Statistics' (ONS's) statutory functions, we process special category data and criminal offence data in accordance with the requirements of Articles 9 and 10 of the UK General Data Protection Regulation (GDPR) and Schedule 1 of the Data Protection Act 2018.

5. Background

When the Office for National Statistics (ONS) collects and processes special category personal data and criminal offence data, it does so under the lawful processing condition in Article 9(2)(j) of the UK General Data Protection Regulation (GDPR), which covers processing that is "necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes" in accordance with Article 89(1) and based on UK law. For criminal offence data, the corresponding condition in Schedule 1 to the Data Protection Act 2018 is relied on, as required by Article 10.

Examples of our processing include the collection of special category data to support the census and our work around the coronavirus (COVID-19) pandemic.

6. Policy detail

This section sets out the detail of the policy under the following practices.

Data protection by design and by default

The UK Statistics Authority ensures that the principles and practices of data protection are built into all special category processing activities, and that the rights and freedoms of individuals are given consideration at all times.

Extra protection should be provided, as necessary, to the data of individuals who may be considered vulnerable. Vulnerability can be considered to exist where circumstances may restrict an individual's ability to freely consent or object to the processing of their personal data, to understand its implications, or where there is an imbalance of power in the relationship between the individual and the UK Statistics Authority.

Data minimisation

Special category data are only processed where necessary to achieve the aims of the organisation. Only the minimum amount of special category personal data required to achieve the aim are used. Special category personal data are de-identified or anonymised at the earliest opportunity and in accordance with best practice.

Data retention

Special category personal data are held only for so long as they continue to enable or assist the UK Statistics Authority to undertake its functions. This relies on the storage limitation principle in Article 5(1)(e) of the UK General Data Protection Regulation (GDPR), which provides that "personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1)", subject to the appropriate technical and organisational safeguards that the Regulation requires. The Office for National Statistics (ONS) will only continue to hold personal data while they are still used to produce statistics, and will de-identify or anonymise data at the earliest opportunity it can without compromising their utility.

Data security

The UK Statistics Authority shall implement technical and organisational measures to ensure a level of security appropriate to the special category personal data being processed. Any measures put in place are regularly reviewed.

Personal data breaches

All breaches that present a risk to the rights and freedoms of individuals, as determined by the Data Protection Officer (DPO), shall be reported to the Information Commissioner at the earliest opportunity and in any event no later than 72 hours after the UK Statistics Authority becomes aware of the breach. Where a breach is likely to result in a high risk to individuals, the UK Statistics Authority shall also notify the data subjects concerned. All staff who become aware of a personal data breach must report it to the Data Protection team (dpo@statistics.gov.uk) immediately, stating that special category data are involved.

Records of processing activity

All information assets that contain special category personal data will be recorded on the Information Asset Register (IAR) and regularly reviewed to maintain an accurate and up-to-date record of processing activity.

Data protection impact assessments

When introducing a new processing activity that is likely to result in a high risk to the rights and freedoms of individuals, noting that such risk will be inherently higher where special category personal data are being processed, the UK Statistics Authority business areas will undertake an impact assessment to identify and mitigate those risks and seek guidance from the DPO if required.

Transparency

The UK Statistics Authority will provide data subjects with the information required for fair processing at the point of data collection. Where special category data are obtained from administrative sources rather than from the data subject, this information will be provided to data subjects within one month, unless doing so would involve disproportionate effort. In addition, and where possible, such information will also be published on the ONS website.

Processors

The UK Statistics Authority will only use data processors capable of providing sufficient guarantees in relation to security of personal data and data protection legislation compliance.

International data transfers

Where the UK Statistics Authority transfers personal data internationally, it will only do so where an adequacy regulation is in place, or a safeguard or derogation is used. Where derogations are used, the organisation shall seek the advice of the DPO.

Data Protection Officer

The UK Statistics Authority has in place a suitably trained and experienced Data Protection Officer (DPO) to provide advice and guidance on all matters related to data protection. The DPO will report directly to the highest level of senior management and will have no other duties that may cause a conflict of interest.

Training

All staff who process special category personal data receive adequate and regular training in data protection. Data protection training is mandatory and line managers will be responsible for ensuring their staff complete the training.

Compliance

All staff, contractors and others working on behalf of the UK Statistics Authority and its executive office, the ONS, are required to comply with this policy. Compliance with the policy will be monitored by the DPO.

The Information Commissioner

The UK Statistics Authority will provide support and assistance as required by the Information Commissioner's Office in the fulfilment of their tasks.

7. Breach of policy

Failure to comply with the requirements of this policy will be handled through the mechanisms outlined in the ONS Disciplinary Policy.

8. Roles and responsibilities

UK Statistics Authority

  • Responsible for: organisational compliance with data protection legislation; all colleagues within the UK Statistics Authority share this responsibility

  • Accountable to: Parliament

Data Protection Officer

  • Responsible for: the Data Protection Officer (DPO) monitors compliance and provides advice and guidance to the organisation on all matters relating to data protection; the DPO reports to the highest level of senior management

  • Accountable to: National Statistician and Permanent Secretary

Legal and Data Services

  • Responsible for: the Legal and Data Services team reports to the DPO and monitors and audits the organisation's compliance with data protection; the team also provides advice and guidance to the organisation

  • Accountable to: Strategy and Policy Deputy Director

Chief Security Officer

  • Responsible for: the Chief Security Officer (CSO) and their team ensure that organisational services using special category personal data are compliant

  • Accountable to: National Statistician and Permanent Secretary

Departmental Records Officer

  • Responsible for: ensuring records management, document storage and providing advice

  • Accountable to: the CSO

Information Asset Owner and Data Steward

  • Responsible for: the Information Asset Owner and Data Steward role holders are responsible and accountable for the data governance activities assigned to them as part of their appointment to the role, including:

    • decisions on use, transfer and access requests for data assets which contain special category data, and oversight of the associated processing activities

    • decision-making in relation to project or user accreditation for access to special category data

    • ensuring a data sensitivity assessment has been undertaken for assigned data assets which contain special category data, and that the associated risks are managed accordingly

  • Accountable to: Knowledge and Information Management team
