1. Securing our end to end data journey


Figure 1 illustrates our data security, governance and legislation policies that secure our end to end data journey.


2. Legislation on data access and use

Policy statement

ONS complies with the following legislation governing how we can use data:

  • the Statistics and Registration Service Act (SRSA) 2007 created the UK Statistics Authority (referred to as the Statistics Board in the Act), with the statutory objective of promoting and safeguarding the production and publication of official statistics that serve the public good; Office for National Statistics is the Authority’s executive office

  • the Act protects personal information by making its disclosure a criminal offence, except in certain prescribed circumstances

  • in 2017, the Digital Economy Act amended the SRSA, providing ONS with permissive and mandatory gateways to receive data from all public authorities and Crown bodies, and new powers to mandate data from some UK businesses; in limited circumstances data held by ONS may also be shared with the devolved administrations solely for statistical purposes

  • the Pre-Release Access to Official Statistics Order 2008 (made under the powers in the Statistics and Registration Service Act 2007) provides the rules under which pre-release access to statistics is granted; separate Orders apply to statistics specific to the devolved administrations

  • Data Protection Legislation (including the General Data Protection Regulation and Data Protection Act 2018) outlines our obligations in relation to the processing of personal data, and the principles that need to be followed in order for such processing to be lawful; it also provides some exemptions for the processing of personal data solely for statistical purposes

  • the Freedom of Information Act 2000, the Environmental Information Regulations 2004 and the Protection of Freedoms Act 2012 together set out information that we must proactively publish and requirements to make information available on request

  • the Public Records Act 1958 provides a framework for the retention and destruction of public records

  • the Reuse of Public Sector Information Regulations 2015 removes barriers that hinder, and actively encourages, the making available of public sector information for reuse

ONS complies with the following legislation governing access to data:

  • the Statistics and Registration Service Act 2007 allows ONS to obtain information relating to births and deaths, and NHS registration, and some HM Revenue and Customs (HMRC) information

  • the Census Act 1920 makes provision for the taking of a census and obtaining statistical information in relation to the population of Great Britain

  • the Statistics of Trade Act 1947 allows ONS to run mandatory surveys of businesses and in limited circumstances to share the data received with other government departments

  • the Value Added Tax Act 1994 allows ONS to obtain VAT data from HMRC and in limited circumstances to disclose that data onward to other government departments

  • the Finance Act 1969 allows ONS to receive employer information from HMRC and in limited circumstances to disclose that information onward to other government departments

  • the Social Security Information Act 1992 allows ONS to receive information relating to pay contributions held by HMRC

  • the Agricultural Statistics Act 1979 allows ONS to obtain information on agricultural matters

  • the Employment and Training Act 1973 allows disclosure of business data in limited circumstances, for example to local authorities for planning purposes


3. Data security

At ONS, we treat the data we hold with respect, keeping it secure and confidential.

The statistics we publish are aggregated from individual records which may contain personal or commercial information. We recognise that we are being trusted with others’ data, and we take our commitment to keep that data secure very seriously.

As a data controller, we have a legal obligation to protect personal data under the Data Protection Legislation. Furthermore, the Statistics and Registration Service Act 2007 makes it a criminal offence to improperly disclose information held by ONS that identifies a person or business.

Given the potential sensitivity of the data we hold at ONS, we adopt security measures designed to preserve data confidentiality and ensure data is accessible only by authorised people and only as needed.

Summary of key principles:

  • The unlawful disclosure of personal information held by ONS is a criminal offence. We require all staff, contractors and service providers to confirm they understand their obligations by signing a confidentiality declaration.

  • To protect the data we hold, we maintain a security regime consistent with government policy, including the Government Security Policy Framework, and good industry practice.

Our security regime includes:

  • physical measures to restrict who can access places where data is stored

  • protective measures for all data-related IT services

  • measures to restrict who can access systems and data held by ONS

  • controls to guard against staff or contractors misusing their legitimate access to data, including vetting to an appropriate level for the sensitivity of data they might have access to

To avoid compromising their effectiveness, we do not make public specific details of the security measures we have in place; however, an accreditation process ensures these measures comply with the standards and guidance set out by the Cabinet Office.


4. Data protection

The General Data Protection Regulation and the Data Protection Act 2018 together determine how, when and why any organisation can process personal data. Personal data is any information that can identify a living individual. These laws exist to ensure that individuals' data are managed safely and used responsibly. ONS is committed to complying fully with Data Protection Legislation by:

  • Ensuring all of our processing of personal data is fair, lawful, necessary and proportionate

  • Being fully transparent and accountable

  • Appointing an independent data protection officer

  • Undertaking data protection impact assessments where required

  • Having due regard to guidance and best practice issued by the Information Commissioner

Further information, including our privacy statement and data protection policy, can be found on our data protection homepage.


5. Data access and accreditation

ONS supports researchers to realise the potential public benefit from data, while safeguarding individuals' confidentiality.

The data we hold are a rich resource for analysis. We are committed to maximising the public benefit that can be derived from data, while protecting the confidentiality of the people and businesses it concerns.

We produce and publish a wide range of statistical tables in open formats online; however, statistical research sometimes requires access to datasets with a higher level of granularity.

Summary of main principles:

  • ONS is committed to maximising the public benefit of the data it holds, subject to maintaining the confidentiality of data subjects

  • access to unpublished de-identified data will only be granted in a safe, secure and lawful way, in accordance with the Statistics and Registration Service Act 2007 and Digital Economy Act 2017

  • access to unpublished de-identified data will only be permitted through the “Approved Researcher” scheme if ONS is satisfied that:

    • the researcher meets the set criteria of professionalism and competence
    • the proposed statistical research meets the set criteria for serving the public good
    • access will not compromise subject confidentiality
    • the data are appropriate for the proposed use and openly available data cannot be used instead
  • unpublished data held by ONS will only be made accessible to researchers following an assessment of the risk of statistical disclosure, which will inform proportionate conditions for access

Publishing some data openly would breach respondent confidentiality; however, legislation allows ONS to offer strictly controlled access to unpublished data in certain circumstances.

Specific permissions exist for central and local government, as well as health bodies, so they can do the detailed analysis they need to plan effectively. In addition, other users can apply for limited access to de-identified unpublished data for statistical and research purposes.

In all cases, it is our policy only to permit access to de-identified unpublished data for statistical research purposes that serve the public good, and only when access does not compromise the guarantee of confidentiality provided to respondents.

Where ONS holds data gathered by other government departments, we will only provide access where it is provided for in legislation, with the department’s consent, and in accordance with their protocols.

The principal process for accessing de-identified unpublished data is through the Approved Researcher scheme. Access is subject to a process of accreditation for both the researcher and their research proposal. The full criteria and process are set out on the relevant pages of the website.

Once the research is complete we review the final results to ensure there is no risk to the confidentiality of the data subjects, and we require that all research outputs are published to maximise their public benefit.
