1. Policy review record
Implemented: May 2018
Last review: February 2026
Next review due: February 2027
Policy owner (division): Legal & Data Services
Main point of contact: DPO@Statistics.gov.uk
2. Policy statement
This policy sets out the corporate expectations that all staff must comply with regarding data protection legislation.
3. Scope
This policy applies to all employees of the UK Statistics Authority and Office for National Statistics (ONS).
The UK Statistics Authority and the ONS process a large quantity of personal data, principally for the purposes of producing aggregate national and official statistics and statistical research, and all our staff are likely to encounter them in some way.
Our data come from a variety of sources such as mandatory and compulsory surveys, administrative sources in the public and private sectors, information we hold on behalf of other organisations, and the data we hold about our own staff and stakeholders.
We all have a responsibility to ensure that the personal data we hold are treated with respect, always kept secure and confidential, and that we comply with data protection legislation.
This policy applies to all staff, contractors and others working on behalf of the UK Statistics Authority. It applies to all functions and activities undertaken by the UK Statistics Authority that involve the processing of personal data.
4. Introduction
The UK Statistics Authority is committed to data protection and strictly adheres to the UK General Data Protection Regulation (GDPR) principles in all its interactions involving personal data processing. The UK GDPR principles state that personal data shall be all of the following.
Processed lawfully, fairly and in a transparent manner. All processing of personal data shall be in accordance with UK law, and only take place to the extent that one of the following applies:
the data subject has given their consent
the processing is necessary for the performance of a contract
the processing is necessary for compliance with a legal obligation
the processing is necessary to protect the vital interests of the data subject
the processing is necessary either for a task carried out in the public interest or in the exercise of the data controller's official authority
the processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party (as the UK Statistics Authority is a public authority, it cannot rely on legitimate interests for any processing it does to perform its tasks as a public authority)
Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
Adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed.
Accurate and, where necessary, kept up to date.
Kept in a form that permits identification for no longer than is necessary for the purposes for which the data are processed.
Processed in a manner that ensures appropriate security of the personal data.
5. Background
In the UK, data protection legislation is primarily set out in the UK General Data Protection Regulation (GDPR) and the Data Protection Act 2018, and determines how and when organisations, such as the UK Statistics Authority, can process personal data.
6. Policy detail
This section sets out the detail of the policy under the following practices.
Data protection by design and by default
The UK Statistics Authority shall ensure that the principles and practices of data protection are built into all processing activities, and that the rights and freedoms of individuals are given due consideration at all times.
Extra protection should be provided, as necessary, to the data of individuals who may be considered vulnerable. Vulnerability can be considered to exist where circumstances may restrict an individual's ability to freely consent or object to the processing of their personal data, to understand its implications, or where there is an imbalance of power in the relationship between the individual and the UK Statistics Authority.
Data minimisation
Personal data will be processed only when necessary to achieve the organisation's objectives. We will use the minimum amount of personal data required to meet these objectives. Personal data shall be de-identified or anonymised at the earliest opportunity and in accordance with best practice.
Data retention
Personal data shall be held only for so long as they continue to enable or assist the UK Statistics Authority to undertake its functions or where legally required to retain the data. Personal data shall be disposed of appropriately and in accordance with best practice.
Data security
The UK Statistics Authority shall implement technical and organisational measures to ensure a level of security appropriate to the personal data being processed. The measures put in place shall be regularly reviewed.
Personal data breaches
All breaches that present a risk to the rights and freedoms of individuals, as determined by the Data Protection Officer (DPO), shall be reported to the Information Commissioner at the earliest opportunity and in any event no later than 72 hours from discovery. Where a breach represents a high risk to individuals, the UK Statistics Authority shall notify all data subjects concerned.
When discovering a personal data breach (or suspected breach), the DPO must be notified immediately (dpo@statistics.gov.uk) regardless of further investigations or information gathering.
Data protection impact assessments
When introducing a new processing activity that is likely to result in a high risk to the rights and freedoms of individuals, the UK Statistics Authority business areas will undertake an impact assessment to identify and mitigate those risks and seek guidance from the DPO if required.
Transparency
The UK Statistics Authority will provide data subjects with all the information they require to constitute fair processing, at the point of data collection. Where data are collected from administrative sources, this information will be provided to data subjects within one month, unless to do so would involve disproportionate effort. In addition, and where possible, such information will also be published on the Office for National Statistics (ONS) website.
Records of processing
The UK Statistics Authority shall maintain up-to-date records of all the processing activities it undertakes.
Data subject rights
The UK Statistics Authority shall respond to all requests made by data subjects, in relation to the rights they hold under data protection legislation, within statutory deadlines.
Consent
Where the UK Statistics Authority relies on consent as a lawful basis for processing, that consent shall be fully informed, freely given and as easy to withdraw as to give.
Processors
The UK Statistics Authority shall only use data processors capable of providing sufficient guarantees in relation to security of personal data and data protection legislation compliance.
International data transfers
Where the UK Statistics Authority transfers personal data internationally, it will only do so where an adequacy regulation is in place, or a safeguard or derogation is used. Where derogations are used, the organisation shall seek the advice of the DPO.
Training
All staff who process personal data will receive adequate and regular training in data protection.
Data Protection Officer
The UK Statistics Authority will nominate a suitably trained and experienced Data Protection Officer (DPO) to provide advice and guidance on all matters related to data protection. The DPO will report directly to the highest level of senior management and will have no other duties that may cause a conflict of interest.
The Information Commissioner's Office
The UK Statistics Authority will provide support and assistance as required by the Information Commissioner's Office in the fulfilment of their tasks.
Compliance
All staff, contractors and others working on behalf of the UK Statistics Authority and its executive office, the ONS, are required to comply with this policy. Compliance with the policy will be monitored by the DPO. Failure to comply may result in disciplinary action in line with the organisation's Discipline Policy. Staff making a complaint in relation to the application of this policy should refer to the organisation's Grievance Policy.
Use of artificial intelligence
All staff must ensure that data protection requirements and expectations are adhered to in the event of use of artificial intelligence (AI). Staff members are encouraged to seek specific advice on the use, development and implementation of AI through established channels, such as Legal and Data Services, the AI Leadership Group, and Security and Information Management.
7. Breach of policy
Failure to comply with the requirements of this policy will be handled through the mechanisms outlined in the ONS Disciplinary Policy.