Central Statistics Office
Official Statistics and Data Protection Legislation
Issued September 2016
1. Role of Official Statistics
The mandate and role of official statistics is defined in the UN Fundamental Principles of Official Statistics and in the European Statistics Code of Practice. Both the UN Principles and the European Code identify the role of official statistics in a modern democracy as an impartial and accurate source of the information needed for decision-making.
The UN Principles and the European Code both recognise that the following are essential for the compilation of official statistics:
Statistical results are published in aggregate form and enable governments and citizens to make informed choices.
2. Mandate and statutory functions of the Central Statistics Office
Mandate and functions
The Central Statistics Office (CSO) is established by Section 8(1) of the Statistics Act, 1993. Section 10(1) of the Act specifies the functions of the CSO as follows:
“The functions of the Office shall be the collection, compilation, extraction and dissemination for statistical purposes of information relating to economic, social and general activities and conditions in the State.”
In exercising its functions, the CSO obtains information from a wide range of sources. Under the Statistics Act, the CSO’s mandate and the restrictions on use of information (Sections 10(1) and 32 of the Act) make it clear that the information collected by the CSO is used solely for statistical purposes. It may not be used for any other purpose.
Statistical work programme
The CSO publishes a Statistical Work Programme on its website, which contains the list of statistical outputs and projects conducted by the Office. This gives practical meaning to the functions described in Section 10(1): http://www.cso.ie/en/aboutus/governance/statisticalworkprogramme/
The Director General of the CSO has sole responsibility for and is independent in relation to the statistical methodology and professional statistical standards applied by the CSO, and the contents of statistical releases and publications, under Section 13 of the Act.
Confidentiality and use of information for statistical purposes
Information obtained under the Statistics Act is strictly confidential, under Section 33 of the Statistics Act, 1993. It may only be accessed by Officers of Statistics, who are required to sign a Declaration of Secrecy under Section 21.
The CSO only publishes aggregate statistical data; statistical tables and results may not, and do not, disclose details relating to any identifiable person or business.
The full suite of legal protections accorded to data providers is set out in Part V of the Statistics Act, 1993.
Under Section 10(2) of the Statistics Act, 1993 the CSO has the authority to co-ordinate official statistics compiled by public authorities to ensure, in particular, adherence to statistical standards and the use of appropriate classifications. Under Section 10(3) the CSO has the authority to assess the statistical potential of the records maintained by public authorities and, in conjunction with them, to ensure that the statistical potential is realised.
Under Section 31 of the Act, the Director General of the CSO may request any public authority to consult and co-operate with him for the purpose of assessing the potential of the records of the authority as a source of statistical information and, where appropriate and practicable, developing its recording methods and systems for statistical purposes. Public authorities must comply with such a request and must also consult the CSO if they propose to introduce, revise or extend their information systems or plan to conduct a statistical survey.
3. Legal mandate to collect data
The CSO collects data under Sections 24, 26 and 30 of the Statistics Act, 1993:
Traditionally, most of the statistics compiled by the CSO have been based on surveys and censuses – i.e. on information collected under Sections 24 and 26 of the Statistics Act. However, the CSO is making increasing use of administrative records to reduce costs, to reduce the imposition of surveys on data providers, and to produce new statistical analysis and outputs.
This increasing use of administrative sources for statistical purposes is founded on the powers of access under Section 30 of the Statistics Act and the provisions for co-ordination in Sections 10(2), 10(3) and 31.
The shift from survey collection to greater use of existing data sources is not unique to Ireland. This is reflected in EU legislation on official statistics: In 2015, the basic EU regulation on European Statistics was amended to enable greater access to administrative data sources for statistical purposes (Article 17a of Regulation 223/2009 as amended by Regulation 2015/759).
Worldwide, official statisticians are making increasing use of administrative data and “big data”. In some EU Member States (e.g. the Nordic countries, the Netherlands) the national statistical system relies almost exclusively on administrative data sources. In these states, data protection law derives from the same EU data protection requirements, i.e. Directive 95/46/EC. From May 2018 the General Data Protection Regulation (GDPR) will apply equally in all Member States.
Recital 29 of Directive 95/46/EC foresaw the secondary use of administrative data for statistical purposes:
“29. Whereas the further processing of personal data for historical, statistical or scientific purposes is not generally to be considered incompatible with the purposes for which the data have previously been collected provided that Member States furnish suitable safeguards; whereas these safeguards must in particular rule out the use of the data in support of measures or decisions regarding any particular individual".
Section 6 of this note gives further details of the safeguards applied by the CSO in relation to all data collected for statistical processing, including data from administrative sources.
Statistical results are aggregates: tables of statistics do not disclose identifiable information about any individual and they cannot be used “in support of measures or decisions regarding any particular individual”.
4. Statistics and Data Protection Law
Data protection law places an emphasis on fair obtaining and data security. These requirements apply equally to statistical processing of personal data.
The use of information for statistical purposes only, as required by Section 32 of the Statistics Act, reflects the fair obtaining requirement of the Data Protection Act. The information is only used for the purpose for which it was obtained, i.e. the processing of statistics.
Similarly, statistical confidentiality as required by Section 33 of the Statistics Act matches the requirement in data protection law to respect data security.
The Data Protection Act also recognises the use of data for statistical purposes and includes the following specific provisions relating to statistics:
5. How the CSO upholds the principles of Data Protection
At the heart of data protection is the protection of fundamental rights and freedoms of data subjects – i.e. rights of individual persons. In every step of processing data for statistical purposes, the CSO aims to uphold these rights.
In particular, this means the following:
6. Safeguards in place to protect data collected by the CSO
Confidentiality is a core value of the CSO. The Office places a very high value on its obligation to respect statistical confidentiality and has put an extensive system of safeguards in place to protect the data which the Office receives.
Legal: All information obtained by the CSO under the Statistics Act is strictly confidential and may only be used for statistical purposes. This is specified in Sections 32 and 33 of the Act; any breach of those sections is an offence subject to significant penalties.
Personnel: All staff of the CSO are Officers of Statistics under the Statistics Act 1993 and have signed a Declaration of Secrecy under the Act. The data provided to the CSO may only be processed by Officers of Statistics and only for statistical purposes. All staff must attend regular training on statistical confidentiality and data security, including mandatory refresher courses.
Governance: The CSO’s governance structure for data protection comprises: the Confidentiality and Data Security Committee (CDSC) which reports to the Management Board; the Data Protection Officer at Director level who oversees compliance with statistical confidentiality and data protection requirements; and the Data Office which provides support in relation to policies, awareness, training and compliance.
Data Office: The CSO’s Data Office has the pivotal role of managing policies in relation to data protection and statistical confidentiality, promoting awareness, providing training, and assuring compliance. The Data Office provides advice to CSO statistical areas on all issues related to data protection and statistical confidentiality.
Policies: The CSO has a comprehensive suite of policies in relation to roles, responsibilities and corporate rules in relation to statistical confidentiality, data security and data protection. These policies are currently being consolidated into a single Data Management Policy, which will be a central reference point for all statistical processing.
Data Classification Scheme: This is a corporate confidentiality classification system that allocates a confidentiality level (A to D) to all data held by the CSO. Detailed management rules and procedures are assigned depending on the level given. Statistical micro-data has the highest level of security (A) and the strictest rules and procedures with regard to processing of the data.
Access limitations: Staff access to CSO buildings is controlled electronically. Visitors to the CSO must be signed in and accompanied at all times.
IT Security: Staff access to IT systems is password-controlled. Staff only have access to the data or systems relevant to their work and these access rights are regularly reviewed. The IT systems and hardware are thoroughly protected by firewall and anti-virus security. No external access is allowed.
Tables and publications: The CSO implements thorough Statistical Disclosure Control procedures to ensure that the tables and reports it publishes do not identify any individual or business.
Administrative Data Centre: All administrative data received by the CSO is transmitted via a secure IT link to the CSO’s Administrative Data Centre (ADC). In the ADC, identifying details such as name, address, date of birth, PPSN are removed before the data is used for statistical analysis. The statisticians processing the data work with anonymous data and do not see the person’s identity.
Data Lifecycle: When survey forms or other data records are no longer required for statistical purposes, they are securely destroyed. The only identifiable records retained by the CSO are Census of Population forms – under Section 35 of the Statistics Act, these become public records after 100 years. All other forms are securely destroyed.
Data Linkage: All statistical projects that involve linkage between administrative data sources are subject to the CSO’s Data Linkage Policy and must meet a Privacy Impact Assessment. The CSO publishes a register of all projects in which it links administrative data.
Formal Assessment Processes: The CSO undertakes a Data Necessity and Proportionality Assessment for each source of personal data used in the production of statistics. In addition, the CSO undertakes a Privacy Risk Assessment for each stage of statistical collection and processing of personal data, using the UN GSBPM as a standard template. The aim of these two assessment processes is to identify risks at each stage and make sure that confidentiality and data protection are respected and well-managed at every stage of collecting and producing statistics.
7. Further information or assistance
For further information or assistance on matters relating to Official Statistics and Data Protection Legislation within the CSO contact:
Data Office, Central Statistics Office, Skehard Road, Cork, T12 X00E. Tel +353 (21) 453 5386 or +353 (21) 453 5387