Statistical Policy Statement on Confidentiality and Access
This confidentiality statement is issued in accordance with the requirements
set out under Principle 5 of the Code of Practice for Official Statistics. It sets out how Project
Support Analysis Branch (PSAB) within the Department of Health, Social Services and Public Safety (DHSSPS)
will carry out its responsibilities for handling confidential information.
Confidentiality
DHSSPS has its own code of practice, and guidance for staff, on protecting
the confidentiality of service user information, the main aim of which is to support all those staff
involved in health and social care to make good decisions about the protection, use and disclosure of
service user information.
- http://www.dhsspsni.gov.uk/confidentiality-code-of-practice0109.pdf
- http://www.dhsspsni.gov.uk/staff-guidance-on-confidentiality0109.pdf
DHSSPS also has its own internal IT security operating procedures that
cover all aspects of the use, maintenance and operation of an IT system and its component parts. These
procedures are an integral part of normal day-to-day working practice.
Physical Security
DHSSPS has its own security arrangements. All staff working in
the Department and all visitors to the Department require a pass to access the premises. There
is no unaccompanied public access to any part of the premises where confidential data may be held.
IT Security
Staff in DHSSPS have access to the secure network facilities of the
IT Assist network, which is formally accredited to store and process data and information up to the “Restricted”
Protective Marking. Business areas are able to store data on dedicated areas of the network; secure
backups are taken on a daily basis, and access to the data is limited as required by the business area.
Staff gain access to the IT Assist network facilities using official
desktops and laptop computers and individual network log-on accounts and passwords. Laptops and
Ironkey USB storage devices encrypted to UK Government security standards are deployed where necessary
to provide additional protection to information and data. The use of any other unencrypted USB
devices and the storage of official data on unapproved devices such as mobile phones, personal memory
sticks, PDAs, digital cameras, memory cards and home computers is prohibited as per Circular
DHSSPS SEC 2/2010.
Data Security
Data security is a key Departmental priority and DHSSPS adheres to the
principles of the Data Protection Act for the protection of sensitive and personal data. Data
Protection Officers (DPO) and Data Protection Liaison Officers (DPLO) are appointed within Directorates
to provide advice to staff and ensure compliance with the eight principles of the Data Protection Act.
Information and Analysis Directorate (IAD) has a dedicated DPLO.
An Information Asset Owner (IAO) has also been appointed to IAD. Their
role is to understand what information is held, what is added and what is removed, how information is
moved, and who has access and why. As a result they are able to understand and address risks to the
information, and ensure that information is fully used within the law for the public good, and provide
written input annually to the Department SIRO on the security and use of their asset.
All staff within DHSSPS are required to complete a form to record their
agreement to adhere to the principles of the Data Protection Act. In addition, staff in PSAB are
fully instructed on their obligations to protect the confidentiality of any identifiable information
to which they have access and have received online Data Protection training.
Disclosure
To ensure that details relating to an identifiable person are neither
directly nor inadvertently divulged, PSAB adhere to the strict disclosure guidelines set out by the
Office of National Statistics in the following paper:
(a) Review of the Dissemination of Health Statistics: Confidentiality Guidance (2006):
All statistical tables are processed for confidentiality in accordance with the methodology issued. These
methods are sufficient to protect the privacy of individual information, but not so restrictive as to
limit unduly the practical utility of the statistics produced by PSAB.
Access
All requests for information are compliant with the key principles of
the Data Protection Act 1998 and the Freedom of Information Act 2000 (FOIA). While requests under FOIA
are treated on a case-by-case basis, the presumption is that requests for individual records will be
rejected. The legislation contains exemptions and processes that protect confidential information.
