The ONS Data sharing policy

This policy covers any sharing of personal information by the Office for National Statistics (ONS) for statistical and research purposes to an external party. Personal information means information which relates to and identifies (either alone, or together with other published information) a particular person (including a body corporate). This policy does not include the dissemination of statistics and statistical research outputs, or the dissemination of aggregated data. 

The terms "data sharing", "data discoverability", "data access", "data availability", "data portability" and "data mobility" are often used in combination and interchangeably. In this policy we use "data sharing" to refer to the process of exporting data from the UK Statistics Authority (UKSA) and the ONS estate to be subsequently processed independently by another party in accordance with all relevant legislation.

All employees of the UKSA and the ONS, including contractors, must comply with this policy.

The Office for National Statistics (ONS) collects, acquires, matches, and links a wide range of data sources to undertake statistical research and produce meaningful and engaging statistics. The ONS data estate is a valuable artefact for the UK. It enables secure access to de-identified data in the Secure Research Service (SRS) and Integrated Data Service (IDS), as well as secure access to unpublished ONS research data by government organisations for statistical research, where permitted by legislation.

The UKSA and the ONS are signatories to the Concordat on Statistics. The Concordat is an agreed framework for co-operation between the UK Government (including the UKSA and the ONS) and devolved administrations, in relation to the production of statistics, for and within the UK, statistical standards and the statistics profession. In relation to "data sharing", the Concordat sets out that:

• the administrations recognise that information they produce or hold (including both identified and aggregated or de-identified data) may be requested for statistical purposes by another administration

• subject to any legal and data protection restrictions and there being demonstrated user need, where requested, administrations will share data and other information with each other for their statistical purposes, promptly, subject to availability and agreements about cost sharing

• the administrations will seek to minimise the burden on data providers, to maximise the efficient use of existing data sources and to facilitate efficient and secure data exchange, maintaining a shared level of trust across the UK Statistical System in regard to data access

• the UK Government departments and devolved administrations will work together to ensure that where data are exchanged, they are used for statistical or research purposes only, adhering to any limitations on use set out in law and in data sharing agreements, and that the privacy of data providers, individuals and organisations is safeguarded at all times, with data handled in line with government security guidelines, recognising the importance of this for public trust in the UK Statistical System

The ONS continues to develop appropriate infrastructure to enable access to de-identified ONS data, as well as virtualisation of external data within the IDS. These developments will ensure confidentiality, individual privacy, and minimisation of risk to the ONS and respondents. This outlines the increased appetite of the ONS to enable and facilitate secure, proportionate, and transparent access to data, while safeguarding the confidentiality of individuals, businesses, charities, public bodies, and academic institutions. In accordance with legislative requirements, ethical standards and the need to ensure data are held and used safely and securely, external sharing of data will only be allowed where it will clearly benefit the public and confidentiality can be adequately protected.

Sharing of data outside of the ONS premises should be considered as a viable solution to facilitate access to data only if:

• other methods of access are proven not to be viable

• a suitable legal gateway exists

• there is a clear and proportionate public benefit to share the data for the purposes of statistics and statistical research

• the confidentiality and privacy of individuals is adequately protected

This policy, along with the accompanying Data Sharing Framework and Guidance, ensures that effective, accountable, and transparent arrangements are in place to manage sharing of data to the devolved administrations or third parties for which a specific legal gateway exists, for statistical and research purposes. These arrangements are underpinned by well-established governance, with clear roles and responsibilities, and accountabilities.

All data which could be considered identifiable to either an individual, an organisation or a business will need appropriate oversight from the Data Protection Officer and the ONS Legal Services team before it can be shared. This is to ensure appropriate consideration is given to all relevant legislation and privacy concerns. A Data Protection Impact Assessment is required where the data relate to living individuals.

Where data are not considered to be identifiable, that is where it has been sufficiently processed to ensure it is aggregated or anonymised by disclosure control experts, subject to appropriate agreements where necessary, and in accordance with the code of practice, the aim will be to publish the data.

When requesting data to be shared from the ONS to a third party, the requesting party is responsible for providing:

• a justification for requesting the data share

• the intended use of the data

• the public benefits anticipated to be realised by the use of the data

• reassurances around security and confidentiality and refrainment from further onward sharing of the data

The requesting party is responsible for providing sufficient and truthful information to allow the ONS to explore other routes of data access and ascertain that data sharing is the most viable option. A triage between the main services, including, but not limited to, the Information Asset Owner, Data Access and Operations, Data Protection, Security, Legal Services, Ethics and the ONS Communications would assess the risks and benefits of sharing a dataset, considering any precedents, if applicable. The Data Governance Committee retains oversight and accountability of data sharing activities at the ONS.

Any third party receiving ONS data will need to comply with the conditions listed in the Data Sharing Agreement. The ONS retains the right to ascertain whether an external party complies with the controls set in the Data Sharing Agreement.

To ensure the transparency of all governance arrangements and reinforce the relationship of trust between the different components of the wider statistical system and the public, the ONS will maintain administrative records and documents. These include Data Sharing Agreements, Memorandums of Understanding, Data Protection Impact Assessments and Ethical Self Assessments.

The ONS is committed to publishing all data shares, subject to specific exceptions (for example, national security, confidentiality of data subjects and commercial interests). In line with best practice, external parties using ONS data to produce statistics and statistical research are required to share the public benefits of using ONS data and encouraged to provide links to published outputs using ONS data.

Any exceptions to this policy are to be authorised by the National Statistician, for example, the use of ONS data for administrative purposes.

ONS staff engaged in data sharing

The ONS staff engaged in data sharing are responsible for:

• complying with the data sharing policy

• following best practice when sharing data

• liaising with requesting bodies and assess the information provided by the latter in their business cases (first screening)

• providing unbiased scrutiny to data sharing business cases

• producing and disseminating regular and ad hoc reports on the data shares

• reporting any risks and incidents related to the sharing of data\ Accountable to the Chief Data Officer.

Data Sharing Working Group

The Data Sharing Working Group are responsible for:

• providing unbiased scrutiny to data sharing artefacts (for example, business cases and Data Sharing Agreements) (second screening)

• reaching informed recommendations on data shares that advise the Deputy Director of Data Acquisition and Operations and Data Growth and Operations, to approve data shares or, escalate to the Data Governance Committee as and when required

• ensuring that a sufficient amount of information, of high quality and within specific timeframes, is provided for the transparency registers

• ensuring the ONS staff are aware of the data sharing framework and guidance\ Accountable to the Chief Data Officer.

Chief Data Officer

The Chief Data Officer is responsible for:

• ensuring that all staff involved in data sharing comply with the data sharing policy

• ensuring systems and metrics are in place to monitor data shares across the ONS data estate 

• escalating any risks and incidents related to the sharing of data\ Accountable to the Data Governance Committee.

Information Asset Owner (IAO)

The IAO is responsible for:

• an information or data asset, including any sharing of this asset

• updating the ONS Information and Data Asset Register and ensuring its accuracy

UK Statistics Authority - Data Governance Legislation and Policy team

The UK Statistics Authority - Data Governance Legislation and Policy team are responsible for:

• providing independent scrutiny and assurance against the policy

• providing independent scrutiny of ethical self-assessments

• ensuring that data sharing activities remain transparent

• collating and quality assuring information for the transparency registers (third screening)

• set out, monitor and assess the requirements for the transparency register\ Accountable to the Data Governance Committee.

ONS Legal Services

The ONS Legal Services are responsible for providing legal advice and scrutiny to all data shares.

Data Protection Officer

The Data Protection Officer is responsible for providing advice and scrutiny to Data Protection Impact Assessments when personal data information is involved.

The ONS Communications and Digital Publishing

The ONS Communications and Digital Publishing team are responsible for reviewing the suitability and accessibility of the information published on transparency registers and assist in the publication of the transparency registers.

Data Governance Committee

The Data Governance Committee are responsible for:

• monitoring and reviewing how this policy is implemented to ensure that no gaps or lapses of controls occur

• approving complex data shares as and when required

• mitigating risks and assessing the mitigating actions for incidents related to the sharing of data\ Accountable to the National Statistician.

Security and Information Management Team (SaIM)

SaIM are responsible for: 

• the oversight of all data management activities

• providing oversight on the sensitivity of the data, transfer and protection mechanisms

Accountable to the Chief Security Officer.