Principle 5 of the Code of Practice for Official Statistics requires all producers of Official Statistics to publish transparent guidance on their arrangements for protecting confidential data. The Code is at:
The Higher Education Statistics Agency (HESA) is committed to preserving the confidentiality of the data it collects, processes and disseminates, both in compliance with legislation such as the Data Protection Act 1998 and Principle 5 of the Code of Practice for Official Statistics, and in order to maintain the trust and cooperation of those individuals who supply information for onward transmission to HESA.
Arrangements for preserving confidentiality are as follows:
HESA is accredited under the ISO 27001 Information Security standard. A suite of Information Security Policies is issued to HESA staff covering a wide range of areas from information handling through use, development and maintenance of IT infrastructure to mobile computing and cryptography. Adherence to these policies is subject to a regular internal and external audit programme.
All HESA staff receive appropriate training and guidance in the protection of personal information encountered during the course of their work. This training is updated every two years.
A Data Protection Policy is published on the staff intranet which details the obligations of staff in this respect. A confidentiality statement is included within the employment handbook, to which all staff must agree compliance as part of their contract of employment.
HESA employs a qualified Data Protection Officer who monitors compliance with Data Protection Policy on a day-to-day basis.
All staff are issued with lists of ISO 27001 policies that relate to their work and are required to confirm in writing that they have read and understood the requirements placed upon them.
All personal data used for statistical purposes are held on secure computer systems which are subject to stringent physical and electronic access control mechanisms. Staff access to personal data is only granted to those staff who require access for the execution of their duties. Access to personal identifiers such as names of data subjects is subject to further access restrictions and is only provided to a named subset of data analysts who require access for specific purposes. The list of staff with access to personally identifiable data is reviewed regularly.
All data transfers are made electronically using secure transfer mechanisms which use encrypted channels and may require password and/or PIN code submission. Physical transfer media such as CD, memory sticks etc. are not used to transfer personal data.
All external organisations or individuals receiving statistical data, at a level of detail at which there is risk to confidentiality of individuals, are placed under legal contracts which stipulate confidentiality requirements.
Data subjects are issued with notices which explain why data are being collected and how data will be used.
HESA operates a strategy in published and released tabulations designed to prevent the disclosure of personal information about any individual. This strategy involves rounding all counts of students or staff to the nearest multiple of 5. Percentages based on populations of 52 or fewer are suppressed, as are averages based on 7 or fewer individuals.
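The three rules in the paragraph above (round counts to the nearest multiple of 5, suppress percentages whose base population is 52 or fewer, suppress averages based on 7 or fewer individuals) can be applied mechanically before a table is released. The following Python is an added illustration written for this page, not HESA's own code. It assumes that integer counts with a remainder of 0 to 2 round down and 3 to 4 round up, that percentages are calculated from the unrounded counts and then shown to one decimal place, and that a suppressed cell is represented by `None`; the sample rows are constructed.

```python
"""Statistical disclosure control for a small count table (illustrative, not HESA's code)."""
from __future__ import annotations

from typing import Optional

PCT_MIN_POPULATION = 53   # percentages on populations of 52 or fewer are suppressed
AVG_MIN_INDIVIDUALS = 8   # averages on 7 or fewer individuals are suppressed


def round_count(n: int) -> int:
    """Round a non-negative integer count to the nearest multiple of 5.

    For integer inputs, remainders 0, 1 and 2 round down and 3 and 4 round up
    (assumed tie-handling; the page only states 'nearest multiple of 5').
    """
    if n < 0:
        raise ValueError("counts cannot be negative")
    return (n + 2) // 5 * 5


def percentage(numerator: int, population: int) -> Optional[float]:
    """Percentage of the population, or None if the population is too small to publish."""
    if population < PCT_MIN_POPULATION:
        return None
    return round(100 * numerator / population, 1)  # assumed: computed on unrounded counts


def average(values: list[float]) -> Optional[float]:
    """Mean of the values, or None if based on too few individuals."""
    if len(values) < AVG_MIN_INDIVIDUALS:
        return None
    return sum(values) / len(values)


def publish_table(rows: list[dict]) -> list[dict]:
    """Apply all three rules to a table of records.

    Each input row has 'label', 'count' (unrounded headcount) and 'ages'
    (one value per individual). The output row carries the rounded count,
    the share of the table total (or None) and the mean age (or None).
    """
    total = sum(r["count"] for r in rows)
    released = []
    for r in rows:
        released.append({
            "label": r["label"],
            "count": round_count(r["count"]),
            "pct": percentage(r["count"], total),
            "mean_age": average(r["ages"]),
        })
    return released


# Constructed sample data: two courses, 60 students in total.
SAMPLE_ROWS = [
    {"label": "Course A", "count": 37, "ages": [18, 19, 20, 21, 22, 23, 24, 25]},
    {"label": "Course B", "count": 23, "ages": [19, 20, 21]},
]

if __name__ == "__main__":
    for row in publish_table(SAMPLE_ROWS):
        print(row)
```

Run as a script it prints Course A with a count of 35, a share of 61.7% and a mean age of 21.5, and Course B with a count of 25, a share of 38.3% and a suppressed mean age (only three individuals). If the table total were 52 or fewer, both percentage cells would be suppressed as well. Keeping the thresholds as named constants makes the release rules auditable and easy to align with the published methodology.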