This Statement is issued in conformance with the requirements set out in Principle T6: Data governance of the Code of Practice for Statistics.
It sets out the arrangements we have put in place to:
- protect the security of our data holdings and uphold our guarantee that no statistics will be produced that are likely to identify an individual or organisation (a)
- at the same time, obtain maximum value from these micro-data, once obtained, by extending appropriate access to bona fide and authorised third parties
(a) In very exceptional circumstances we may contact an organisation to request their permission to identify them within one of our statistical outputs.
The Welsh Government Statistical Services and Social Research divisions hold and process various data which are sensitive because they are either personal or commercially sensitive.
Specific measures are taken to preserve their confidentiality and security:
- legislation and codes of practice governing the collection, storage and use of confidential data are strictly observed
- we only publish statistics after careful consideration of the risk of releasing confidential information to ensure no individual or organisation can be identified
- staff members receive appropriate training in information security measures, and in the importance of accessing confidential data appropriately, and only when necessary
- data access arrangements must be signed by any external researchers and contractors who may be allowed access to confidential data, while confidentiality declarations are made by internal colleagues who work outside the Welsh Government Statistics and Research team
- all confidentiality undertakings are respected when data are received from other organisations
2. Information security
The Welsh Government Statistics and Research team aims to ensure that it has the required policies, systems and culture in place in order to meet international standards on information security management systems.
Staff members receive appropriate training in IT security measures including the mandatory 'Responsible for Information' course developed by the Cabinet Office and Civil Service Learning.
The Welsh Government has designated Information Asset Owners across the organisation and senior managers have responsibility for:
- identifying and recording information assets
- ensuring staff who manage information assets in the Department are appropriately trained
- managing risk relating to information assets
- ensuring information is passed to third party suppliers with appropriate governance and security in place, and third party suppliers managing any of our information are aware of their responsibilities
The Information Asset Owner for the Welsh Government Statistics and Research team is the Chief Statistician, who is supported in this role by the Chief Social Research Officer with respect to social research projects.
3. Organisational protocols
All staff working in this organisation and all visitors to its sites require a pass to access the premises. There is no public access to any part of the organisation where confidential statistical data may be held.
Our corporate network is in scope of a compliance certificate with the Public Services Network (PSN). No sensitive or confidential statistical data are held on laptops or any other portable devices or kept on unencrypted portable storage media. All transmission of data pertaining to individuals, households or businesses is conducted within the corporate network or else shared via authorised secure channels, such as the Egress Switch, PGP software and secure web-portals.
We use a combination of survey project managers and data managers (sometimes referred to as data custodians) to protect and maintain our data, and Welsh Government Statistics and Research team staff are trained in the importance of accessing confidential data appropriately, and only when necessary. Further, as recommended in the 'Privacy and data confidentiality methods', we use the Declaration of Confidentiality when sharing individual or personal data with non-Welsh Government Statistics and Research staff within the organisation.
We comply with data protection law, including the General Data Protection Regulation, and privacy notices are used for relevant data collections to ensure data subjects and suppliers are aware of the purposes of the collection and how their data will be used. When contractors undertake work on our behalf, the contract we have with them includes conditions around the security and protection of personal and confidential data.
We regularly assess the risk of the accidental disclosure of an individual’s information in each of our relevant outputs, and the statistical disclosure techniques used to mitigate these risks are tailored for each output to meet the confidentiality guarantee. These risk assessments are reviewed regularly to ensure they provide the necessary balance between management of the risk and data usability.
4. Data exchange
We may provide micro-data for statistical and research purposes to bona fide researchers in the academic sector, to local authorities, Welsh Government Sponsored Bodies, medical researchers, other government departments and devolved administrations, and Eurostat. Data may be released under arrangements described in a formal Data Access Arrangement (or occasionally via a Service Level Agreement, a Concordat, or a contract). We will ensure that, unless it is otherwise absolutely necessary, non-personal data are shared or we provide access to anonymised personal data through an appropriate secure research environment. We will only share identifiable personal data where there is a clear legal gateway and a relevant purpose for doing so, in line with legislation.
In every case, a prospective user must make an application for approval for release to the Chief Statistician. In some circumstances the Chief Statistician will delegate this approval to another senior statistician or the Chief Social Research Officer.
Details of the data to be shared, the agreed uses of the data, the legal basis for the data share, the data transfer mechanism and an expected date of destruction are set out in the agreement to be signed by the requesting body. The Agreement must have the Chief Statistician’s approval to give the business area the authority to release the data. Full details of all authorised access to the organisation’s data pertaining to individuals, households or businesses are available on request from the Chief Statistician.
All beneficiaries of access are required to sign a Security Aspects Letter confirming their agreement to appropriate technical and physical security standards. We currently use two secure systems (AFON, DEWI) for data collection and sharing, alongside corporate tools which allow the secure sharing of various file types. These systems enable secure movement of different types of data between the Welsh Government and its data providers or users.
The Chief Statistician (in consultation with the National Statistician as necessary) must authorise any exceptions to the principle of confidentiality protection prior to any data being released. Records of any authorisations are kept in a registered file by the Welsh Government Statistical Services and Social Research and Information divisions.