Information security and data confidentiality
Strong protection of personal data is essential for the population and the corporate sector to trust Statistics Denmark. This fundamental relationship of trust is necessary for us to collect information for the official statistics, which is indispensable in an open democratic society.
Accordingly, Statistics Denmark has extensive procedures and systems to protect the information on Danish citizens and enterprises in our systems, and we focus on continuously ensuring maximum data security.
Our measures are aimed at two types of risks: external, e.g. hackers, and internal, i.e. from our employees and from users with special permission to use data with us.
To protect against external parties gaining access to confidential information, we do the following:
- We never store confidential information outside our security zone, and we use encrypted or secure lines when we retrieve or receive information.
- We use state-of-the-art IT security solutions and professional advisers.
- We continuously update our security solutions in accordance with good practice, including ISO 2700x and requirements from the Danish Agency for Digitisation and the Danish Centre for Cyber Security.
- We continuously maintain the competencies of our employees regarding IT security.
- Independent supervisors perform tests attempting to break our security. In this way, we are able to prevent security issues and immediately bridge any security gaps.
To ensure that our employees and authorised users comply with the rules, we do the following:
- We make sure that our employees know our rules on data confidentiality and information security, that all employees have signed a non-disclosure agreement and that non-compliance will have serious consequences in terms of employment.
- On a regular basis, we check that each employee has access to nothing but the information that is strictly necessary for their tasks.
- We register (log) which data sets each employee uses. In 2015, we extended the logging of searches in data, as directed by the Data Protection Agency in July 2014.
- External users, e.g. research scientists, must be approved and only have access to information where civil registration numbers (CPR nos) etc. have been replaced with serial numbers that do not allow you to identify people.
- When external users use Statistics Denmark’s data, we continuously log and check if they comply with data confidentiality requirements. Non-compliance may result in exclusion from using data in Statistics Denmark.
In 2020, Statistics Denmark completed an ISO certification process and was certified in accordance with ISO/IEC 27001:2013 by the international and independent certification body DNV-GL.
The scope, i.e. the area that has been checked and ISO 27001 certified, is “IT and business processes in the statistics production, including data collection, in accordance with Statement of Applicability”.
With the ISO 27001 certification and the continuous audit reviews with accompanying audit reports (ISAE 3000 reports) in a number of different customer-focused business areas, Statistics Denmark has external and independent documentation for a unique and systematic focus on data confidentiality and information security.
In this way, the certification and the audit reports reflect what characterises Statistics Denmark: a public organisation that lives, thinks and practises information security – every day without exception.
About ISO 27001
ISO 27001 is an international management standard for information security. Its purpose is, among other things, to set up systems for the protection of valuable information and personal data in a secure and reliable way. ISO 27001 sets requirements for risk management, documentation of processes and the distribution of roles and responsibilities for information security. Furthermore, the purpose of ISO/IEC 27001 is to achieve efficient information security management as well as secure processes for continuous improvement. This means that the information security is constantly updated.
Data confidentiality policy
Confidentiality in the handling of statistical products and other data materials is about protecting the statistical units against disclosure of information requiring confidentiality. This applies with respect to the surrounding world as well as Statistics Denmark’s employees.
Rules to maintain data confidentiality are implemented in the data confidentiality policy with associated disclosure and statistical confidentiality guidelines as well as in the fixing of individual access rights to confidential information in Statistics Denmark.
Information security policy
In Statistics Denmark, we focus much attention on meeting the European General Data Protection Regulation (GDPR) and the Danish Data Protection Act, which supplements GDPR.