How the CSO meets GDPR and other legal requirements to protect your data

Trust has always been the foundation of how the CSO operates. Without trust, we are unable to do our job. A cornerstone of that trust is the legal protections we provide. The CSO is authorised to gather, analyse, and publish statistical information and reports about Ireland’s people, society, and economy. By law, the CSO must protect the confidentiality of the information provided to us. The CSO is subject to, and complies with, data protection law and is regularly reviewed by a team of international experts to ensure our data collection methods meet the highest standards.

What you need to know

  • We are legally obliged under Irish and European law to protect all the data provided to us
  • Protecting confidentiality and privacy is at the heart of everything we do
  • No individual, household, or enterprise will be identified from the data we publish
  • We have been trusted for 75 years to gather sensitive information from the public and from enterprises to reflect Irish life and society

Our Approach to Protecting Data

Here we answer some of your questions about our approach to data protection.

Is my data protected?

Yes. All data obtained by the CSO is treated as strictly confidential and protected by law. Under Section 21 of the Statistics Act, 1993, all CSO staff are designated as Officers of Statistics, which means every staff member is legally bound to uphold the confidentiality of the data they have access to.

All Officers of Statistics must sign a declaration of secrecy, which means they cannot share or discuss confidential data and are subject to the provisions of the Official Secrets Act, 1963. Data can only be accessed by Officers of Statistics and can only be used for statistical purposes. Statistical results may not disclose details of any identifiable person, household, or enterprise.

How can the CSO collect data and publish reports?

The Statistics Act provides the legislative basis for the collection, compilation, extraction, and dissemination of official statistics. The Act protects the confidentiality of the information provided to the CSO, which may only be used for statistical purposes and may not be shared with third parties, including Government Departments or bodies. The production and dissemination of statistics is also covered by European legislation.

What legal right does the CSO have to gather data?

Many of the statistics published by the CSO are based on surveys and censuses, i.e. on information directly collected by us under Sections 24 and 26 of the Statistics Act. However, the CSO can also legally make use of other data sources, which include administrative data such as records collected by other Government Departments or agencies. We do this to reduce costs, to lessen the imposition of surveys on data providers, and to produce new and more timely statistical analysis and outputs.
 
This increasing use of administrative data sources such as official records for statistical purposes is founded on the powers of access under Section 30 of the Statistics Act, and the provisions for co-ordination in Sections 11 and 31.

The shift from survey collection to greater use of administrative data sources is not unique to Ireland; a number of countries in the EU already use such sources in the publishing of official statistics.

Is the CSO General Data Protection Regulation (GDPR) compliant?

Yes. The CSO is subject to, and complies with, the GDPR. GDPR sets the principles relating to the processing of personal data, including when it is used for statistical purposes. Data protection law places an emphasis on lawful processing and appropriate security, which are cornerstones of the CSO’s work.

Under the GDPR (Article 5) the CSO must: 

  • Process data lawfully, fairly, and transparently 
  • Collect data for specified, explicit, and legitimate purposes  
  • Keep data adequate, relevant, and use only what is necessary for that specific purpose 
  • Keep data accurate, and where necessary up to date  
  • Keep data in an identifiable form only for as long as is necessary  
  • Ensure appropriate security of the data  
  • Be able to demonstrate compliance with these principles

The CSO adheres fully to the GDPR’s principles and articles which allow for the use of data gathered for one purpose to be subsequently used for statistical purposes. GDPR requires that where data is collected and processed for statistical purposes, necessary safeguards to protect the individual must be put in place. The CSO complies with this obligation.

What else do I need to know about the CSO and GDPR?

When the CSO uses data, we must provide certain information. This requirement is set out in the GDPR. In particular, we must clearly detail:  

  • Our identity and contact details  
  • Our Data Protection Officer’s contact details  
  • The purposes and legal basis for our processing  
  • The data’s recipients if any 
  • Whether data is transferred out of the European Union  
  • The data’s storage period  
  • Your access, rectification, erasure, restriction, objection, and portability rights  
  • Your right to complain to the Data Protection Commissioner 
  • Whether you are required to provide data  
  • The categories of data concerned  
  • The source of the data if it was not collected from an individual  
  • Whether or not the data informs automated decision-making

The CSO provides the above information in the form of Transparency Notices, which are published on our website for each of our statistical products.

Are any other risk assessments needed under GDPR?

A Data Protection Impact Assessment (DPIA) describes a process designed to identify risks arising out of the processing of personal data and to minimise these risks as far and as early as possible with a new project.  

The GDPR requires a DPIA for new, high-risk use of data, particularly if a project involves:

  • Systematic and automated individual evaluation with legal or similar effects  
  • Large-scale processing of sensitive data  
  • Large-scale monitoring of a publicly accessible area

Risks cannot always be completely eliminated, but a DPIA informs decisions about treatment, mitigation, and acceptability of this risk. If a DPIA finds that a high risk cannot be reduced, the CSO must consult with the Data Protection Commission.