Trust has always been the foundation of how the CSO operates. Without trust, we are unable to do our job. A cornerstone of that trust is the legal protections we provide. The CSO is authorised to gather, analyse, and publish statistical information and reports about Ireland’s people, society, and economy. By law, the CSO must protect the confidentially of the information provided to us. The CSO is subject to, and complies with, data protection law and is regularly reviewed by a team of international experts to ensure our data collection methods meet the highest standards.
Here we answer some of your questions about our approach to data protection.
Yes. All data obtained by the CSO is treated as strictly confidential and protected by law. Under Section 21 of the Statistics Act, 1993, all CSO staff are designated as Officers of Statistics which means every staff member is legally bound to uphold the confidentiality of the data they have access to.
All Officers of Statistics must sign a declaration of secrecy which means they cannot share or discuss confidential data and are subject to the provisions of the Official Secrets Act, 1963. Data can only be accessed by Officers of Statistics and can only be used for statistical purposes. Statistical results may not disclose details of any identifiable person, household, or enterprise.
The Statistics Act, provides the legislative basis for the collection, compilation, extraction, and dissemination of official statistics. The Act protects the confidentiality of the information provided to the CSO, which may only be used for statistical purposes; and may not be shared with third parties, including Government Departments or bodies. The production and dissemination of statistics is also covered by European legislation.
Many of the statistics published by the CSO are based on surveys and censuses – i.e. on information directly collected by us under Sections 24 and 26 of the Statistics Act. However, the CSO can also legally make use of other data sources which include administrative data such as records collected by other Government Departments or agencies. We do this to reduce costs, to lessen the imposition of surveys on data providers, and to produce new and more timely statistical analysis and outputs.
This increasing use of administrative data sources such as official records for statistical purposes is founded on the powers of access under Section 30 of the Statistics Act, and the provisions for co-ordination in Sections 11 and 31.
The shift from survey collection to greater use of administrative data sources is not unique to Ireland and is already used by a number of countries in the EU in the publishing of official statistics.
Yes. The CSO is subject to, and complies with, the GDPR. GDPR sets the principles relating to the processing of personal data, including when it is used for statistical purposes. Data protection law places an emphasis on lawful processing and appropriate security, which are cornerstones of the CSO’s work.
Under the GDPR (Article 5) the CSO must:
The CSO adheres fully to the GDPR’s principles and articles which allow for the use of data gathered for one purpose to be subsequently used for statistical purposes. GDPR requires that where data is collected and processed for statistical purposes, necessary safeguards to protect the individual must be put in place. The CSO complies with this obligation.
When the CSO uses data, we must provide certain information. This requirement is set out in the GDPR. In particular, we must clearly detail:
The CSO provides the above information in the form of a Transparency Notice, which are published on our website for each of our statistical products.
A Data Protection Impact Assessment (DPIA) describes a process designed to identify risks arising out of the processing of personal data and to minimise these risks as far and as early as possible with a new project.
The GDPR requires a DPIA for new, high-risk, use of data – particularly if a project involves:
Risks cannot always be completely eliminated, but a DPIA informs decisions about treatment, mitigation, and acceptability of this risk. If a DPIA finds that high-risk cannot be reduced, the CSO must consult with the Data Protection Commission.
Protecting your confidentiality and privacy is at the heart of everything we do