Spotlight on T6: Data Governance

Data governance sits within the Code’s Trustworthiness pillar. T6 Data Governance encompasses a wide range of practices involved in data management to support the growing use of data sharing and linkage, while also requiring identifiable data be protected. The need for transparency is emphasised throughout to ensure accountability.

T6.1 sets the foundation for statistical practice in data governance by emphasising the importance of producer organisations transparently committing to achieving the legal requirements that underpin data collection, handling and release, such as, under:

• Data Protection Act 2018
• General Data Protection Regulation 2018
• Freedom of Information Act 2000 and Freedom of Information (Scotland) Act 2002
• Statistics and Registration Services Act 2007
• Statistics of Trade Act 1947 and Statistics of Trade and Employment (Northern Ireland) Order 1988
• Digital Economy Act 2017

The relevant legal requirements and data ethics standards must be met. National and international guidelines also provide useful approaches for statistics producers – a range of relevant material is given in the helpful resources section for this principle. Data ethics guidance is available from the Department for Digital, Culture, Media and Sport’s Data Ethics Framework, and from the National Statistician’s Data Ethics Advisory Committee. These provide practical guidance and a framework for self-assessment. The Open Data Institute has produced a Data Ethics Canvas which helps organisations to identify and manage data ethics considerations.

T6.2 requires producers to think about the ‘rights’ of the living people whose data are being collected. This shifts the emphasis from focusing on data to focusing on the individuals providing their information. It is important for producers to be transparent about their actions and decisions, including about the purposes for collecting the information and how the personal data will be protected. There are some statistical exemptions that can apply when using the data for statistical purposes which have been detailed in GSS GDPR guidance.

T6.3 focuses on keeping personal data safe and secure – this requires the organisation to ensure a safe setting for data handling at all stages of the statistical production process. These actions require adopting security standards in the technical systems, as well as for staff. It can be best achieved through a culture that promotes a strong awareness of the need for, and ways of, maintaining a safe setting. This practice is closely related to practice T5.4 and the need for providing training on secure data handling – it should be sufficient for the nature of the data use.

T6.4 addresses the need for the safe release of data and statistics, ensuring that the personal data are appropriately protected, for example by using statistical disclosure control techniques. This can involve making sure that identifiable data are safe, i.e. that they are made anonymous and that published aggregate data cannot be brought together by users to re-identify a person. The practice also requires that safe access is provided to individual-level (micro) data through using protocols such as adopted by the Office for National Statistics’ Secure Research Service and HMRC’s Datalab. The practice stresses the importance of transparent processes. We encourage producers to publish materials related to data shares, for example, mandatory and voluntary Data Protection Impact Assessments, public benefit assessments, and records of decisions taken about data share requests. The Wellcome Trust’s guidance in its Understanding Patient Data programme can help producers explain complex issues, such as, data anonymity and identification risk.

T6.5 emphasises that solutions should be sought across the organisation, rather than just for individual data sources, and that the solutions should be reviewed regularly. Data management may be subject to frequent change in an evolving environment. It requires a conscious effort to ensure that the arrangements remain robust.