At the Office for National Statistics (ONS), we collect, store, process, and generate a wide range of data to produce over 600 statistical releases a year. That requires a huge amount of data. Making sure these data are safe and secure is our top priority.
Why it is important to keep data safe
We have a legal obligation to protect personal information. It is a criminal offence to improperly disclose information held by us that identifies a person or business.
Data are our most valuable resource and we could not create the statistics that help organisations and individuals understand the UK's economy, society and population without them. So, we must protect them.
Data need to be protected against loss, theft or manipulation. We must also maintain the confidentiality, integrity and availability of our data, because they are the basis of the statistics that we produce.
We follow the Code of Practice for Statistics, which makes sure we are ethical, honest and reliable when we produce statistics.
It is important that we have the public's trust in our statistics, so they can be used to make decisions about things that affect us all.
How we store our data and keep it secure
We use a range of methods to keep our data secure, including dedicated data protection policies.
Government Security Classifications
We comply with the Government Security Classification system. This makes sure all data have suitable protection for their level of sensitivity, categorising information as:
official
secret
top secret
There is also an extra classification of "sensitive", and other labels to make it clear if information contains personal data.
Retention periods
All our data are assigned a retention period. This makes sure they are only kept when there is a requirement to support a business need or comply with legal or regulatory requirements. If there is no requirement, data are either suitably archived, or securely disposed of.
Our Data Protection team
We have a trained Data Protection Officer (DPO), supported by a team who are responsible for providing guidance on all matters related to data protection. They work to make sure we comply with UK General Data Protection Regulation (GDPR) and Information Commissioners Office guidance.
Staff clearance and training
All our staff must complete mandatory data protection and security education training, so they know how to manage data securely.
All staff who handle data must hold security clearance at the appropriate level for the information they are working with.
To avoid any risks, users of any ONS system must read, understand and comply with our policies, procedures and instructions. This includes our policies dedicated to data protection.
How we make sure someone's personal information cannot be seen
We only process personal data where it is necessary and we only use the minimum amount of information that is needed.
Only people with a business need to access the data can do so. We also de-identify and anonymise personal data at the earliest opportunity, so that personal information cannot be seen by anyone looking at the data.
In any instances where data have not been anonymised, we use different protections appropriate to the sensitivity of the data.
Find out more about de-identification and why it is so important.
Steps we take to keep personal information anonymous
To keep personal information anonymous, we use a "defence in depth" strategy.
This means we layer multiple security measures to prevent anything happening to the data. These measures use a combination of three controls, which include:
administrative controls, such as the organisational policies all staff follow to work securely
physical controls, such as how we secure access to our offices, so that only individuals with a legitimate requirement can enter
technical controls, such as how we protect our network of software, hardware, tools and programmes
Our Security Operations Centre offers rigorous cyber security monitoring and threat detection. We also follow guidance from organisations such as the National Cyber Security Centre (NCSC).