Legislative Safeguards
Legislative safeguards apply to all CSO staff, both permanent and temporary.
CSO Staff
- All CSO staff are Officers of Statistics under Section 20 of the Statistics Act, 1993
- All CSO staff have signed the Declaration of Secrecy under Section 21 of the Statistics Act, 1993, as required by the Official Secrets Act
- All CSO staff are bound by the provisions of Part V “Protection of Information” of the Statistics Act, 1993
- All CSO staff are Officers of Statistics and have signed the Official Secrets Act
- All data users are obliged to register on the ADC data portal. Access is not granted to any data flow unless the user is registered for the particular data flow
In line with Section 11(1) of the Statistics Act, 1993, the CSO may make arrangements with other public authorities and persons for the collection, compilation, extraction or dissemination of information for statistical purposes and may appoint them as Officers of Statistics as per Section 20(b) of this Act. In these cases, they are required to sign the Declaration of Secrecy specified in Section 21 of the Statistics Act, 1993, and are bound by Section 33 of the Statistics Act, 1993, which prohibits the disclosure of information obtained under the Act that can be related to an identifiable person or undertaking.
Governance Safeguards
Governance safeguards apply to all CSO staff, both permanent and temporary.
Specific safeguards re COVID-19 Health Data
- All COVID-19-related data containing personal identifiers or Special Category data must be received and registered via the CSO Administrative Data Centre (ADC)
- Identity variables are separated at the earliest possible stage in the data processing following receipt in the CSO
- If all steps in the relevant internal approvals processes are complied with, then access to the identified datasets only will be granted for a maximum of one year
- Every six months, registered users are required to certify that they still require access to the data and are compliant with CSO Data Management Policy
- ADC is informed by Human Resources of all staff changes, with access of staff who leave the CSO or whose roles have changed removed promptly
- All registered users of each ADC dataset are identified on the ADC Portal
- Access lists are regularly reviewed to ensure that access is restricted to the fewest possible number of staff
- As specified in the CSO Data Management Policy, A1 (personally identifiable) data must not be shared between any business areas of the CSO
Physical and IT Related Safeguards
- In 2019, the CSO was audited against and passed the European Statistical System IT Security Framework
- All administrative data are stored on secure in-house servers
- CSO buildings containing the servers are protected by CCTV and alarm systems
- Entry to CSO buildings requires the use of a personal ID badge, which must always be worn and visible
- Automated daily checks take place to ensure only authorised CSO staff have access to administrative data stored in the ADC warehouse. Unauthorised access is addressed immediately and removed if required
Risk Assessment
A detailed Risk Assessment was completed in the preparation of this DPIA. It is not being included as part of the summary as it contains detail on operational and security measures and controls.
Risk descriptions included:
- illegitimate access,
- illegal data download,
- data breach, and
- disappearance or loss of data.
Specific use cases were considered, assigned risk owners and scored. Controls in place to mitigate the risk were outlined for each.
The scores were re-assessed based on these mitigating controls and re-scored. In addition, each use case outlined action(s) to mitigate the risk if it occurred.