1. Scope
This policy applies to access to all unpublished data in the Secure Research Service (SRS) for statistical research. It applies to all Office for National Statistics (ONS) staff in the provision of, and to others wanting:
access to ONS unpublished data managed in the SRS on behalf of the ONS
access to unpublished data managed in the SRS on behalf of other data owners
the accreditation of researchers, projects and processors through the Digital Economy Act 2017 (DEA), Statistics and Registration Service Act 2007 (SRSA) and other relevant legislation
2. Background
The Office for National Statistics (ONS) is committed to providing access to unit record de-identified data for statistical research that delivers a public benefit for the UK. Access is granted to researchers in a safe and consistent way, in line with legislation and ONS policies, where the research is in the UK public interest.
This policy sets out the principles on which the governance arrangements adopted by the Secure Research Service (SRS) for access to data for research purposes are built, including the conditions under which access is granted and the framework for accrediting researchers, research projects and data processors.
The ONS gives detailed consideration to the analytical needs of researchers. The controls governing their access to unpublished data are set according to the risk to data confidentiality. We must strike the correct balance between maximising the utility of the data and protecting the confidentiality of data subjects (individuals and organisations).
For example, the more detailed the data, the greater the risk of a person being identified and so more significant controls on data access and research outputs are applied accordingly. The risk of identification in the most detailed data means these data are considered "personal information" as defined in the Statistics and Registration Service Act (SRSA) and Digital Economy Act (DEA), and "personal data" under data protection legislation, and therefore require protection under that legislation.
To ensure there are rigorous arrangements to protect data confidentiality, the SRS has adopted a Five Safes model. The model articulates our arrangements to ensure Safe Projects, Safe People, Safe Settings, Safe Data and Safe Outputs.
The SRS adheres to the principles in the DEA Research Code of Practice and Accreditation Criteria, governing our management of research data access and the protection of data confidentiality.
In addition to the powers available under the SRSA and DEA, access to personal information may also be granted to researchers through other UK legislation, including the Statistics of Trade Act (STA) 1947. Further information on this legislation and other legal gateways is available on the ONS website.
3. Policy statement
Summary of main principles
3.1 Access is only given where it is legal, in line with Office for National Statistics (ONS) and Secure Research Service (SRS) policy (including our ethics policy), approved by an appropriate person or committee and with the agreement of the data owner.
3.2 The SRS has effective, accountable and transparent arrangements in place to govern access to the secure data we manage for statistical research to help ensure data confidentiality is protected.
3.3 The ONS has effective arrangements in place to support the UK Statistics Authority to accredit researchers, research projects and data processors in accordance with the Statistics and Registration Service Act (SRSA) and Digital Economy Act (DEA).
3.4 The ONS ensures that it has sufficient policies, procedures and systems in place to be an Accredited Processor under the DEA.
3.5 The roles and responsibilities of all parties involved in access to secure data for research managed by the SRS are clearly defined and set out in appropriate documentation.
3.6 We are transparent about and demonstrate the impact of research carried out using our secure data to help provide assurance to data subjects, data owners and others that their data are being used legally, ethically, safely and in a way that delivers a public benefit.
3.7 We take transparent, consistent, proportionate and targeted action to deal with suspected breaches of lawful research data access and/or non-compliance with the conditions of data access, to help ensure data confidentiality is protected.
3.8 Where a breach of data confidentiality or non-compliance with data access policies or procedures is suspected, action may be taken and penalties imposed where an investigation concludes that it would help to protect the data.
3.9 Where possible, our arrangements for managing research data access are consistent with those adopted by other administrative research centres, data processors and data controllers.
4. Policy detail
4.1 Wherever data are protected in law they are only made available for statistical research where there is a suitable legal gateway. All relevant Office for National Statistics (ONS) and Secure Research Service (SRS) policies are complied with and a designated person or panel, such as the Research Accreditation Panel for requests made under the Digital Economy Act (DEA), must make the decision to grant the access.
4.2 The confidentiality of data made available for research is protected using the Five Safes framework. A full picture of the safety of the data is built up by considering all five aspects when deciding whether to allow access to data for research purposes:
Safe Projects – data are only used for valuable, ethical research that delivers clear public benefits
Safe People – trained and accredited researchers are trusted to use data appropriately
Safe Settings – access to data is only possible using our secure technology systems
Safe Data – researchers can only use data that have been de-identified
Safe Outputs – all research outputs are checked to ensure they cannot identify data subjects
4.3 Data owners have the right to know the purposes their data are put to and to restrict or terminate use of their data.
4.4 The SRS publishes details of access to data for statistical research on the UK Statistics Authority website and encourages researchers to publish their results where they can.
4.5 The SRS and ONS provide research services under the DEA in line with the DEA Research Code of Practice and Accreditation Criteria and provide the UK Statistics Authority with systems to support the accreditation of researchers, research projects and processors.
4.6 The SRS ensures that any request for access to data receives appropriate scrutiny before deciding whether to allow that access.
4.7 The SRS maintains adequate records of access to data for statistical research to identify who has access and to ensure that access ceases when no longer needed or authorised.
4.8 Appropriate documentation, such as contracts or data-sharing agreements, is produced, signed and retained before research access is given to data.
4.9 Wherever possible the SRS keeps its arrangements for managing research data access consistent with those adopted by other administrative research centres, data processors and data controllers.
4.10 An SRS Non-Compliance and Breaches policy is produced and published to allow researchers and the public to understand how any breach of legal requirements or conditions of access will be investigated and dealt with.
5. Roles and responsibilities
SRS Team
Responsible for complying with and delivering the policy requirements in the Secure Research Service (SRS). Accountable to the Data Governance Committee and Data Owners.
Researchers
Responsible for complying with the policy. Accountable to the Office for National Statistics (ONS) and Data Owners.
Data Governance Committee
Responsible for approving, monitoring and reviewing the policy and its application. Accountable to the National Statistics Executive Group.
Senior Information Risk Officer (SIRO)
Responsible for information risk across the organisation. Accountable to the National Statistician.