Privacy in Scotland’s Census 2021

In this section you can find out more about how we protect the confidentiality of census data and ensure transparency and confidence in all that we do.

NRS has published the first version of the Scotland’s Census 2021 Privacy Impact Assessment . More details can be found in the relevant section below

Scroll down or select a category to find out more:

Background

In all of our work, we fully recognise the importance of privacy and confidentiality.

All work undertaken as part of Scotland’s Census 2021 will be governed by various statutory requirements including the Census Act 1920, the Data Protection Act 2018, the General Data Protection Regulation and the Code of Practice for Official Statistics. Our work depends upon the participation of individuals and as a result the maintenance and preservation of their privacy underpins everything that we do. Individuals responding to the census need to know that their information will be safe and secure, who will have access to it and how it will be used. We adhere to guidelines laid down by the Information Commissioner’s Office (link to Information Commissioner's Office website) and will work with them as we progress towards 2021.

Relevant Legislation

Access to census data that can identify households or individuals is strictly controlled. The Census Act 1920 (link to Legislation.gov.uk) made it a criminal offence to unlawfully disclose confidential census data. The Census (Confidentiality) Act 1991 (link to Legislation.gov.uk) extended this to people and businesses working as part of the census. Anyone who unlawfully discloses census data can be fined up to £10,000 or sent to prison for up to two years, or both.

It is important to note that no one can get personal census data through a Freedom of Information request. This is set out in sections 38 and 58 of the Freedom of Information (Scotland) Act 2002 (link to Legislation.gov.uk), which states that personal census data is exempt from disclosure for 100 years.

The Data Protection Act 2018 (link to Legislation.gov.uk) controls how organisations can use personal data they hold. It requires everyone who collects data to follow strict rules to keep that data safe.

The General Data Protection Regulation (link to Information Commissioner's Office website) came into force on 25 May 2018 with the intention to strengthen and unify data protection for individuals within the European Union. The Regulation has been designed to harmonise data privacy laws across Europe, to protect and empower all citizens' data privacy and to reshape the way organisations across the EU approach data privacy. NRS has been working in collaboration with our partners in government and other sectors to implement the Regulation and to ensure that all of our policies and guidance are compliant with it.

You can get more information from the Information Commissioner’s Office (link to Information Commissioner's Office website).

Privacy Impact Assessment

Data Protection Impact Assessments (DPIAs) have replaced Privacy Impact Assessments as a process which can help organisations identify the most effective way to comply with their data protection obligations and meet individuals’ expectations of privacy. The Information Commissioner’s Office maintains a DPIA code of practice to promote good practice. It is Scottish Government policy that a DPIA is conducted for all projects that involve personal data. DPIAs are a mandatory requirement when there is a high risk to the freedoms of the individual. A DPIA helps an organisation to ensure they meet an individual’s expectation of privacy.

A DPIA seeks to identify the privacy considerations of a policy, project or programme of work in collaboration with those stakeholders who have an interest in it. It should be considered a process which is documented and regularly reviewed and updated as discussions take place and plans develop over time. This approach is essential in order to respond effectively to changing conditions and attitudes, the development of work plans, methods or approaches and technological advances and also any legislative, data security or handling requirements.

The first version of the Scotland’s Census 2021 Privacy Impact Assessment , published in January 2017, reflects that the programme is at an early stage of design and planning and many specific processes, procedures and operational aspects are not yet fully defined. We have begun to explore the various issues and would very much welcome comments and feedback from stakeholders who may help us to identify any privacy concerns, so please do not hesitate to get in touch if you have an interest in this work. You can find our contact details in the Get Involved section.

Protecting your data

We understand that people need to be confident their personal data will be held securely, so we protect it with strict security measures. Access to personal census data is tightly controlled and we keep the number of people who see it to a minimum. All NRS staff who will have access to personal census data are subject to rigorous security clearance checks.

We have our own security team, which applies UK government security standards to all areas of the census operation. We regularly review our security measures and update them when necessary.

For information about how we protected the data provided to us in Scotland’s Census 2011, see Protecting your data in the Scotland’s Census 2011 section of the website.

Get in touch

If you want to get in touch with us about any privacy or confidentiality issues, you will find our contact details from the Get Involved section.