Data Protection Policy

1. Scope

The UK Statistics Authority and its executive office, the Office for National Statistics (ONS) process a large quantity of personal data. This data are principally for the purposes of producing aggregate National and official statistics and statistical research. All our staff will likely come into contact with it in some way.

Our data come from a variety of sources. These include mandatory and compulsory surveys, administrative sources in the public and private sectors, information we hold on behalf of other organisations, and the data we hold about our own staff and stakeholders.

We all have a responsibility to ensure that the personal data we hold is treated with respect, always kept secure and confidential, and that we comply with data protection legislation.

This policy applies to all staff, contractors and others working on behalf of the UK Statistics Authority and its executive office, the ONS. This policy applies to all functions and activities undertaken by the UK Statistics Authority that involve the use of personal data.

2. Background

In the UK, Data Protection Legislation is set out in a combination of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. Together, these two pieces of legislation determine how and when organisations such as the UK Statistics Authority can process personal data.

3. Policy statement

The UK Statistics Authority takes data protection seriously and adheres to the UK GDPR principles, in all its business interactions that involve the processing of personal data. The UK GDPR principles state that personal data shall be:

1. processed lawfully, fairly and in a transparent manner.

All processing of personal data shall be in accordance with UK and EU law, and only take place to the extent that one of the following applies:

  • the data subject has given their consent
  • the processing is necessary for the performance of a contract
  • the processing is necessary for compliance with a legal obligation
  • the processing is necessary to protect the vital interests of the data subject
  • the processing is necessary either for a task carried out in the public interest or in the exercise of the data controller’s official authority

2. collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.

3. adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed.

4. accurate and, where necessary, kept up to date.

5. kept in a form that permits identification for no longer than is necessary for the purposes of which the data are processed.

6. processed in a manner that ensures appropriate security of the personal data.

4. Policy detail

Practices

The UK Statistics Authority shall ensure that the principles and practices of data protection are built into all processing activities, and that the rights and freedoms of individuals are given due consideration at all times.

Personal data shall only be processed where it is necessary to achieve the aims of the organisation. Only the minimum amount of personal data required to achieve the aim shall be used. Personal data shall be de-identified or anonymised at the earliest opportunity and in accordance with best practice.

Personal data shall be held only for so long as they continue to enable or assist the UK Statistics Authority to undertake its functions. Personal data shall be disposed of appropriately and in accordance with best practice.

The UK Statistics Authority shall implement technical and organisational measures to ensure a level of security appropriate to the personal data being processed. The measures put in place shall be regularly reviewed.

All breaches that present a risk to the rights and freedoms of individuals, as determined by the Data Protection Officer, shall be reported to the Information Commissioner at the earliest opportunity. In any event, they shall be reported no later than 72 hours from discovery. Where a breach represents a high risk to individuals, the UK Statistics Authority shall notify all data subjects concerned.

When introducing a new processing activity that is likely to result in a high risk to the rights and freedoms of individuals, the UK Statistics Authority business areas will undertake an impact assessment. This will be to identify and mitigate those risks and seek guidance from the Data Protection Officer if required.

The UK Statistics Authority will provide data subjects with all the information they require to constitute fair processing, at the point of data collection. Where data are collected from administrative sources this information will be provided to data subjects within one month, unless to do so would be disproportionate effort. In addition, and where possible, such information will also be published on the ONS website.

The UK Statistics Authority shall maintain up to date records of all the processing activities it undertakes.

The UK Statistics Authority shall respond to all requests made by data subjects, in relation to the rights they hold under data protection legislation, within one month.

The UK Statistics Authority shall only use data processors capable of providing sufficient guarantees in relation to security of personal data and data protection legislation compliance.

All staff who process personal data will receive adequate and regular training in data protection.

The UK Statistics Authority will nominate a suitably trained and experienced data protection officer to provide advice and guidance on all matters related to data protection. The DPO will be involved in all decisions related to personal data, will report directly to the National Statistician, and will have no other duties that may cause a conflict of interest.

The UK Statistics Authority will provide support and assistance as required by the Information Commissioner in the fulfilment of their tasks.

All staff, contractors and others working on behalf of UK Statistics Authority and its executive office, the ONS, are required to comply with this policy. Compliance with the policy will be monitored by the Data Protection Officer. Failure to comply may result in disciplinary action in line with the organisation’s Discipline Policy. Staff making a complaint in relation to the application of this policy should refer to the organisation’s Grievance Policy.

5. Roles and Responsibilities

The National Statistician and the Statistics board are responsible for the organisational compliance with data protection legislation and are ultimately accountable to Parliament.

The DPO will monitor compliance and provide advice and guidance to the organisation on all matters relating to data protection. The DPO reports to the National Statistician.

The DPCA team within Data Governance Legislation and Policy branch, reports to the DPO and monitors and audits the organisation’s compliance with data protection. The team will also provide advice and guidance to the organisation.

The CSO and their team within the Security and Information Management (SaIM)

Division ensures organisational services utilising personal data are compliant and are accountable to the National Statistician.

The Departmental Records Officer within the Security and Information Management (SaIM) division ensures records management, document storage, and provides advice on retention of personal data. They are accountable to the Chief Security Officer.

6. Compliance

All staff, contractors and others working on behalf of the UK Statistics Authority (UKSA) and its executive office, the Office for National Statistics (ONS), are required to comply with this policy. Compliance with the policy will be monitored by the Data Protection Officer.Failure to comply may result in disciplinary action in line with the organisation’s Discipline Policy. Staff making a complaint in relation to the application of this policy should refer to the organisation’s Grievance Policy.

7. Definitions

This means collectively; the UK General Data Protection Regulation, and the Data Protection Act 2018.

This means any information relating to an identified or identifiable natural living person.

This means the natural person to which personal data applies.

This means any operation which is performed on personal data, including storage.

This means a natural person, public authority or other body, which determines the purposes and means of the processing of personal data.

This means a natural person, public authority or other body, which processes personal data on behalf of the data controller.

This means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.