Your feedback can help us improve and enhance our services to the public. Tell us what matters to you in our online Customer Satisfaction Survey.
The Central Statistics Office (CSO) is Ireland’s National Statistical Institute and the functions of the Office are to collect, analyse and make available statistics describing Ireland’s people, economy, society and environment through verifiable data and accurate information, while providing impartial insight. Our statistical products are freely accessible, and our outputs are a public good; our work complies with the highest international standards for the compilation of Official Statistics and we are legally obliged, and therefore guarantee, to only ever use data provided to us for statistical purposes. By act of law, no information provided to the CSO for statistical purposes may be shared in a personally identifiable format with any third party. This assurance underpins everything we do.
The legal basis directing the work of the CSO is set out in domestic legislation through the Statistics Act, 1993, while our activities as a National Statistical Institute under the European Statistical System (ESS) are regulated by EU Regulation 223/2009, as amended by EU Regulation 759/2015. These statutes underscore the fundamental principles of independence and data subject confidentiality, which are the bedrock of the production of Official Statistics in the European Union. The CSO produces Official Statistics for Ireland and co-ordinates the production of Official Statistics compiled by other public authorities.
At national level, CSO Official Statistics inform decision-making across a range of areas including construction, health, welfare, the environment and the economy. At European level, they provide an accurate picture of Ireland’s economic and social performance and enable comparisons between Ireland and other countries.
The CSO’s statistical expertise may be leveraged, consistent with data protection and other relevant law as may apply, to inform and support the Government, government agencies and offices in their response to key issues of public importance, but only consistent with the fundamental obligations of confidentiality and independence inherent in the mandate of the Office. The Director General of the CSO has sole responsibility for, and is independent in the exercise of, the functions of deciding the methodology, professional standards, content, timing and mechanisms for statistical releases and publications.
The following Summary DPIA sets out the legal basis and public policy rationale for the CSO to provide approved researchers from registered research organisations with access to specified flows of pseudonymised data in support of Ireland’s health research under Health Research Regulation.
The purpose for the processing of the data flows set out in this DPIA is to provide a secure, data protection compliant repository of pseudonymised public health data sets, for use by the CSO and other approved health researchers. It sets out the key regulatory and governance arrangements applying to this statistical exercise, in order to protect the personal data rights of data subjects and to ensure compliance with the Statistics Act, 1993 and applicable Data Protection law. The CSO has consulted with the Office of the Data Protection Commissioner in relation to this statistical processing. More information can be found in related Transparency Notice.
The necessity for Ireland to have an effective data-driven public policy response whilst vindicating the data protection rights of the individual has driven the development of the HRDC. This project, to allow controlled RMF based access to data for the purpose of health research, is being undertaken by the CSO in collaboration with the Health Research Board (HRB) as well as the DoH, and HSE to achieve the stated purpose using a mechanism best suited to protecting the fundamental rights and freedoms of the individual. It is overseen by the Health Data Liaison Group, a group comprised of senior officials of the CSO, DoH and HSE, and jointly chaired by the CSO and HSE.
Public health data falls into a specific category of personal information that requires exacting data protection, access controls and processing security, as provided for under Article 9 of the General Data Protection Regulation (GDPR), and as further set out in the Data Protection Act 2018 and the Health Research Regulations 2018 (SI 314 of 2018). The CSO is the National Statistical Institute for Ireland. Given its legal status and the existing technical and statistical structures in place for the secure processing of large volumes of data, including special category data, the Office was identified as the appropriate organisation to lead the rapid development of such a mechanism. Furthermore, CSO Officers of Statistics are subject to personally, as well as organisationally, binding legal obligations of confidentiality, attaching to the processing of data, both personal and non-personal, for statistical purposes.
Data flows collected by the CSO under the Statistics Act are transferred to the CSO using advanced secure and encrypted transmission methods. This data is received in the CSO by a dedicated business unit called the Administrative Data Centre (ADC), which is a specialist team responsible for decrypting, processing, pseudonymising and storing the records in a format accessible for statistical analysis (hereafter termed the statistical datasets). Access to the raw data is confined to a limited number of ADC staff for processing purposes only. Specific detail on the technical aspects and methods used to process the data within the CSO is not outlined in this summary DPIA for operational and security reasons but has been included in the internal use operational DPIA and shared with the Office of the Data Protection Commissioner.
In the pseudonymisation process, all direct identifiers such as names and addresses are removed by CSO. Additionally, once in receipt of HSE data, the CSO converts the identifier numbers in each dataset that remain to a Protected Identifier Key (PIK). PIKs are unique and non-identifiable numbers which are internal to the CSO. Using PIKs enables the CSO and approved researchers to link and analyse data for statistical purposes, while protecting the security and confidentiality of the individual data.
All access requests for analysis purposes are with respect to pseudonymised data only. Descriptors of data flows
and datasets involved are registered on the internal ADC Data Portal, though the data itself is neither viewable nor accessible from this Portal. Approved CSO statisticians may make an application for access for defined statistical purposes, as may approved epidemiologists/researchers who have been appointed as Officers of Statistics pursuant to a Section 11 agreement governing co-operation and liaison with other public authorities and persons, under either Section 20(b) or of the Statistics Act, or under Section 20(c) of the Act, whereby persons may be authorised in writing by the Director General to perform, for a specified period, particular statistical analysis which necessitates access to data collected under the Act. In the case of Researchers applying for Officer of Statistics status under Section 20 (c) of the Statistics Act, a bespoke authorisation process necessary to establish the clinical bona fides of their research is required under the Health Research Regulations 2018, SI No.314 of 2018. No application will be approved by the CSO in the absence of this approval, which involves a three pronged process involving the Research Ethics Committee of the relevant research establishment and the recommendation and approval of the Research Data Governance Board and the Health Research Consent Declaration Committee respectively. This process is illustrated in detail here: (pdf chart)
In all cases, Officers of Statistics are bound by the stringent confidentiality obligations provided for under Part V of the Act at sections 32 to 34.
For Officers of Statistics who are not staff of the Central Statistics Office acting under the direction of the Director General, access to the statistical datasets, if approved, is controlled via a secure read-only CSO access mechanism, the Researcher Data Portal (RDP). The Researcher Data Portal operates under the control of the Office’s Researcher Coordination Unit (RCU). Researchers access the CSO RDP via a Citrix connection, which uses two factor authentication as well as a unique username and a password, which must be reset at time of first login. The microdata at all times remains on a CSO server. Copying or removal are prohibited; Access Control Lists are used, and subject to systematic oversight and review. Only final output records are available for further use, and these outputs are subject to detailed Statistical Disclosure Control (SDC) oversight by designated CSO statisticians. The term Research Microdata File (RMF) is used to describe such pseudonymised statistical datasets. More information about the RCU and RMF mechanism are available here.
The CSO operates in compliance with Article 32 of the GDPR, regarding security of processing, and, having regard to the Office’s state of the art technology, costs of implementation, and the nature, scope, context and purposes of processing, operates a stringent regime of technical and organisational measures to ensure a level of security and data protection appropriate to the sensitivity and personal nature of the records concerned. Suitably processed versions of these data, presented in pseudonymised RMF format, are collated for use by approved researchers, subject to the multi-lateral approvals processes set out in this DPIA.
The principal role holders for the Health Research Data Centre (RDC) are the RCU, CSO Statistician(s) and approved Researchers affiliated with registered Research Organisations which have been rigorously assessed and sanctioned for access to the RMF process. Information in individual data flows received by the CSO is safely receipted by the Office. Individual personal information will never be shared; only aggregate outputs will be accessible beyond a strictly delimited cohort of authorised CSO staff, whose specific role is to prepare pseudonymised data sets for use by approved personnel and researchers, safeguarding the security and confidentiality of administrative data gathered by the Office for statistical purposes. The underlying data, once received by the CSO, never leaves the Office and access to the pseudonymised data sets (RMFs) is possible only via a secure access-controlled portal, with full traceability.
Research projects will involve statistical and geospatial analysis of the agreed RMF datasets. No directly identifiable data relating to individuals will be made available to researchers, and no identifiable data can be made available to any stakeholders or other persons by the project team under Section 34 of the Statistics Act. RMFs are not statistical products. Unlike statistical products which relate to aggregated statistical analysis, RMFs are not published or made available to the general public.
The (add pdf chart) illustrates the path of an application for access to Health RDC. The researcher, in the centre of the five “swim lanes”, is responsible for driving the process. This is illustrated in the actions where the researcher submits their application to the Research Data Governance Board (RDGB), the sponsoring Institution’s Research Ethics Committee (REC) and the overarching Health Research Consent Declaration Committee (HRCDC). The RDGB will convene to assess the application against agreed criteria, before being in a position to confirm for the CSO that the application is for an eligible health research project and is in-scope as a health research project. Following a positive recommendation by the RDGB, and if the researcher provides evidence to the RDGB of approval from the REC and HRCDC, the application will be forwarded to the CSO for final approval using the RMF process. All of the necessary protocols and safeguards to ensure compliance and best practice under the Statistics Act, the Data Protection Act/Health Research Regulations are purposely integrated into this integrated, collaborative process.
The context for this processing operation is heavily influenced by the need for centralised data repository for health research purposes. Data for analysis and decision making is required to be processed swiftly and as efficiently as possible, whilst remaining compliant with law, including in respect of the necessity and proportionality of the processing.
In processing administrative data , the CSO acts under Article 6(e) of GDPR - task carried out in the public interest or in the exercise of official authority vested in the Controller (Statistics Act, 1993), while in respect of special category data such as applicable here, it is acting under Article 9(2)(i) – public interest in the area of public health and Article 9(2)(j) – processing is necessary for statistical purposes in accordance with Article 89(1) of GDPR. No alternative sources of this data are available and the data is available only in the current format, due to the ongoing operational emergency.
All CSO activities are undertaken in the context of the Statistics Act, 1993. All staff dealing with the health data are appointed as Officers of Statistics under Section 20 of this Act and operate under strict obligations of confidentiality, including signing the Declaration of Secrecy specified under Section 21 of the Statistics Act, 1993.
Extensive legal protections exist to govern access to, and use of, personal data, defined at Article 4(1) GDPR, data concerning health set out under Article 4(15) GDPR, and special categories of personal data as addressed by Article 9 GDPR. Data controllers and data processors are required to comply with their legal obligations, both under the GDPR and as set out in applicable national legislation. The Office of the Data Protection Commissioner exercises oversight and regulatory authority for compliance with these data protection requirements and has been consulted in the preparation of this DPIA.
At this time, no applicable approved Codes of Conduct, as provided for under Section 5 GDPR apply, however, the European Statistics Code of Practice is a possible code of practice that may be approved in the future by the Data Protection Commission, European Data Protection Board (EDPB) and European Commission (as the code is EU wide). The CSO adheres both to the European Statistics Code of Practice (Regulation 223/2009 on European statistics)
https://ec.europa.eu/eurostat/web/quality/european-statistics-code-of-practice and the Irish Statistical System Code of Practice https://www.isscop.ie/. The CSO also adhere to the United Nations Fundamental Principles of Official Statistics - see https://unstats.un.org/unsd/dnss/gp/fundprinciples.aspx
In addition to the foregoing, all ADC and RCU staff sign up to, and abide by, the CSO Data Management Policy as approved by the Office’s Confidentiality and Data Security Committee (CDSC). Stringent confidentiality rules apply under the Statistics Act to all staff of the CSO, who are designated as Officers of Statistics under Section 20(a) of the Statistics Act, 1993. All RMF researchers are designated as Officers of Statistics as per Section 20(c) of the Statistics Act, 1993 and abide by the rules and protocols with respect to researcher access to data.
All RMF researchers agree to carry out research in accordance with the RMF Policy.
The Transparency Notice, linked below, states that data processing and analysis is taking place in accordance with the Statistics Act, 1993, with the written permission of the Minister for Health and consistent with the provisions of the GDPR and the Data Protection Act 2018.
The CSO will be the Data Controller for the data as long as it is stored in the CSO. The organisation that employs the researcher is the data controller of the research study for which the RMFs are being used. Researchers are deemed to be data processors in respect of their individual projects.
Articles 15 to 22 GDPR provide for specific Data Subject rights. Certain derogations may apply, for example where data is processed for scientific research or statistical purposes, but these derogations are subject to strict conditions. These rights and any related derogations as they apply to the present data processing are set out here:
Article 15 – Right of Access by the Data Subject
All data on the Health Research Data Centre are pseudonymised and therefore personal data cannot be identified in this location. A right of access to the data flows, relevant for the health research under Health Research Regulation and containing personal data is possible.
Article 15 of the GDPR provides a right of access by the data subject. Article 89 (2) GDPR provides that where personal data are processed for scientific or historical research purposes or for statistical purposes, this right of access may be derogated from in so far as such a right is likely to render impossible or seriously impair the achievement of the specific purposes for processing, where the derogation is necessary for the fulfilment of this purpose.
Article 16 - Right to Rectification
Due to the statistical and research purposes of the data being processed, and the risk that the exercise of this right could render impossible or seriously impair the achievement of the specific purposes, the CSO proposes to invoke the permissible derogation to Article 16 provided for under Article 89(2) GDPR.
Article 17 – Right to Erasure
Due to the statistical and research purposes of the data being processed and the risk that the right to erasure could render impossible or seriously impair the achievement of the specific purposes, the CSO proposes to invoke the permissible derogation to this right under Article 17(3)(d) of GDPR.
Article 18 - Right to Restriction of Processing
Due to the statistical and research purposes of the data being processed and the risk that the exercise of this right could render impossible or seriously impair the achievement of the specific purposes, the CSO proposes to invoke the Article 89(2) derogations to this right. The right of restriction of processing is further invoked under Section 61(2) of the Data Protection Act, 2018.
Article 19 – Notification obligation regarding rectification or erasure of personal data or restriction of processing
In light of the CSO’s proposal to invoke derogations permissible where processing is for statistical or scientific research purposes in relation to Article 16, 17(1) and 18 rights, this Article does not apply.
Article 20 – Right to Data Portability
The right to portability does not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, as is the case here, per Articles 17(3)(c) and 20(3) GDPR.
Article 21 – Right to Object
Due to the statistical and research purposes of the data being processed and the risk that the right to object could render impossible or seriously impair the achievement of the specific purposes, the CSO proposes to invoke the derogation to this right provided for under Article 21 (6).
Article 22 – Automated individual decision making, including profiling
As the operation of the Statistics Act, 1993 provides that the present data may be processed for statistical purposes only, no automated individual decision making or profiling is permissible, by law.
Data access is restricted to approved researchers who are appointed as Officers of Statistics under Section 20(c) of the Statistics Act, 1993. This appointment is granted for a specific period only and researchers must request a renewal of their access should they require same beyond the initial period granted. Officers of Statistics are bound by Sections 33 and 7 of the Statistics Act, 1993
• Section 33 prohibits the disclosure of information obtained under the Act which can be related to an identifiable person or undertaking
• Section 7 provides that all information provided to the CSO before the commencement of the Statistics Act, 1993 either voluntarily or in compliance with orders made under the previous legislation are subject to the same protection and provisions as if such information was collected under the Statistics Act, 1993
Governance safeguards apply to all CSO staff both permanent and temporary.
The RDGB has been established as an additional safeguard in the process to act as a central point for application receipt, screening, review and prioritisation of all requests to access data in the Health Research Data Centre. It is an independent body established jointly by the Health Research Board (HRB) and the CSO in close collaboration with the Department of Health (DOH) in Ireland. Members of the RDGB are appointed jointly by the HRB and the CSO based on their complimentary skills, expertise and experience deemed most relevant for making robust decisions and considering gender balance as well as the geographical spread.
The RDGB oversees a transparent process to facilitate secure and controlled access to the data for the purposes of conducting sttistical analysis to facilitate research. Only applications that have been approved by the RDGB and where evidence of Research Ethics Committee (REC) approval and Health Research Consent Declaration Committee (HRCDC; www.hrcdc.ie) approval is received by the RDGB will be recommended to the CSO. The CSO will issue final approval for access to relevant data.
Researchers are required to have a declaration from the HRCDC when personal data is processed but where obtaining the explicit consent of the data subject is neither possible nor practicable. The HRCDC was established as part of the Health Research Regulations made under the Data Protection Act, 2018 and allows for use of personal data for health research that is of high public importance, and where obtaining consent from the research participant is not possible. A consent declaration shall only be made by the HRCDC for a research study when it is satisfied that all the data protection safeguards and technical and organisational measures have been met, and the public interest in carrying out the health research significantly outweighs the public interest in requiring the explicit consent of the individual who owns the personal data. For more information, please visit www.hrcdc.ie.
Governance safeguards apply to all RMF researchers. Applications for RMF access are accepted only from eligible researchers from registered research organisations.
Access to RMFs will only be given when:
All RMF researchers must complete an RMF training course provided by CSO, a reinforcement of the terms and conditions of the RMF Standard Agreement to which researchers agree to abide. Failure to comply with the protocols, terms and conditions specified in the standard agreement may have implications for the individual and the organisation/institute for whom they work. These sanctions may include but are not limited to:
The CSO reserves the right to apply other sanctions, up to and including prosecution under the Statistics Act, 1993, where appropriate. All researcher outputs are checked by the data custodian in the CSO and must be compliant with CSO’s Statistical Disclosure Control policy.
Access to RMFs will only be given when:
All RMF researchers must complete an RMF training course provided by CSO, a reinforcement of the terms and conditions of the RMF Standard Agreement to which researchers agree to abide. Failure to comply with the protocols, terms and conditions specified in the standard agreement may have implications for the individual and the organisation/institute for whom they work. These sanctions may include but are not limited to:
The CSO reserves the right to apply other sanctions, up to and including prosecution under the Statistics Act, 1993, where appropriate. All researcher outputs are checked by the data custodian in the CSO and must be compliant with CSO’s Statistical Disclosure Control policy.
In 2019, the CSO was audited against and passed the European Statistical System IT Security Framework. CSO technology, in facilitating secure access to microdata, is in keeping with best practice internationally. CSO has a secure remote access system in place for access to RMFs as well as an application process which involves researcher and research organisation registration before an application for access to RMF data will be considered. The secure remote access Researcher Data Portal (RDP)) is a locked-down Citrix system from which no data can be extracted without the approval of CSO. The RDP was developed under the headings of the Five Safes:
The datasets remain on a CSO server at all times. Secure access to microdata is through the CSO RDP. The RDP is a locked-down Citrix environment from which it is not possible for the researcher to export or import data. There is no email facility or internet access from the RDP.
A detailed Risk Assessment was completed in the preparation of this DPIA. It is not being included as part of the summary as it contains detail on operational and security measures and controls.
Risk descriptions included:
Specific use cases were considered, assigned risk owners and scored. Controls in place to mitigate the risk were outlined for each. The scores were re-assessed based on these mitigating controls and re-scored. In addition, each use case outlined action(s) to mitigate the risk if it occurred.