Confidentiality and data management policy
Updated 30 April 2026
Applies to England
Introduction
Ofsted’s statistical practice is regulated by the Office for Statistics Regulation (OSR).
OSR sets the standards of trustworthiness, quality and value in the Code of Practice for Statistics (the code). The code requires producers of statistics to publish a series of organisational policies and statements relating to official statistics production. This statement provides an overview of our approach to the confidential handling and use of data.
Standard 4 (manage data responsibly) of the code focuses on data governance and how to ensure appropriate and responsible use of data when producing statistics.
Ofsted’s head of profession for statistics is responsible for the official statistics produced by Ofsted and for making sure they are governed in line with our data protection policies and relevant legislation.
Data sources
Internal data sources
Our official statistics are based mainly on the aggregation of the number, and outcomes, of inspections carried out, and the details of education and care providers that are registered with us. Our data on inspection outcomes is drawn from our administrative systems. Data is stored securely and access is restricted by controlled access permissions.
External data sources
We use some external data for reporting, for example from other government departments such as the Department for Education or the Office for National Statistics. As part of our production process for official statistics, we may extract data from a database into spreadsheet format and store it securely in a folder where access is restricted by controlled access permissions.
Where we collect data, for example through our fostering data collection portal, it is stored securely and access is restricted by controlled access permissions. Suppliers that share data are required to sign off the accuracy of their own data. We work with data suppliers to improve the quality of the data collected before we enter it into our systems. A series of validation checks are carried out by suppliers at source to minimise errors. We carry out additional quality assurance checks on the data we receive.
We maintain good communication with data suppliers to make sure that we are kept informed of any issues as they arise. This allows us to manage the use of data where there are known issues.
Quality assurance processes for data
For all data we use, several automated exception reports are in place to alert statistical staff and teams who provide data that the data may be inaccurate or incomplete. Staff carry out additional manual quality assurance checks. These may include, for example, validation against previous releases, data held in inspection databases or data held by other government departments. The quality assurance is recorded against a checklist that staff complete each time they compile official statistics.
Further information on data quality can be found in the methodology reports released alongside Ofsted official statistics.
Confidentiality
The Data Protection Act 2018 is the UK’s implementation of the General Data Protection Regulation (GDPR). GDPR places obligations on organisations to process personal information fairly and with transparency.
Ofsted has an information rights and data protection team that provides advice on data protection and access to information. We also have a security and information management team that is responsible for policy, guidance and advice on information security and governance. Business information risk owners and information asset managers are embedded in teams that produce statistics and are responsible for the day-to-day implementation of internal policies. They make sure data resources are managed in accordance with:
- our statutory obligations, including GDPR and the Freedom of Information Act
- the Code of Practice for Statistics and its supporting protocols
- this compliance statement
Responsible statisticians are accountable for:
- compiling and maintaining metadata for the life cycle of each statistical resource
- guarding the integrity and security of the data they hold in accordance with our policies on security and business continuity
- disposing of data in line with data-sharing agreements
Most of our data comes from administrative sources and management information systems. Staff who work with data receive appropriate security checks. Access to administrative systems and databases is limited to those who need access to the data. Staff receive appropriate training in data security measures, including data-handling and a mandatory ‘security and data protection’ training course.
We publish privacy notices for the different types of personal information we collect, store and process.
Limiting access to data
The data we hold, including internal data and data received from other government departments and external agencies, is governed by memorandums of understanding and data-sharing protocols. These agreements and protocols provide the necessary mechanisms to ensure that data is:
- stored, used and disposed of in a safe manner – we maintain trackers, which contain destruction logs for individual datasets
- accessed only by those who have signed the individual declaration form (where the data-sharing agreement requires it) and have received relevant training
- robust and accurate and has agreed processes for raising any issues and concerns
- only accessed by staff who are physically present at an Ofsted office and not at home (when data-sharing agreements stipulate this)
- not released ahead of official statistics, where applicable
We control access to the data we hold by:
- requiring passwords to protect access to information where applicable
- ensuring laptops and mobile devices have hard drive encryption enabled
- using document management systems to apply encryption to information both at rest and when in transit
- using document management systems to provide granular access controls and permissions, proportionately and appropriately following the ‘need to know’ and ‘need to share’ principles
- periodically reviewing all access to our systems and the levels of permission granted
Teams that produce statistics carry out peer reviews of assets contained in the information asset register at least once annually.
All staff and visitors are required to wear a pass and use it to access and move around Ofsted offices. There is no public access to any part of our estate where confidential data may be held. When working from home, staff must connect to our secure virtual private network (VPN) before access is granted to administrative systems, and staff are instructed to work in an environment that maintains the confidentiality of data.
We only share data where it is necessary and in the public interest. Data-sharing agreements typically last for 12 to 24 months and are regularly reviewed and revised when necessary.
Statistical disclosure control
We use statistical disclosure control to ensure that individuals or groups cannot be identified from statistical data. This means that:
- confidential information about a person or unit (such as a household or business) is not made available
- different outputs from the same source, or outputs from different sources, cannot be combined to reveal information about a person or a group of people
All producers of statistics complete mandatory ‘statistical disclosure control’ training and sign a ‘declaration of confidentiality in Ofsted data and official statistics’ to confirm they understand the importance of confidentiality in their use of data.
We use suppression and rounding of data for disclosure control. For example, a cell value in a table that may be disclosive (for instance, because the value is small) is not given.
Secondary suppression of cells, where at least one other value in the row or column is also not given, ensures that suppressed values cannot be deduced through subtraction. Values of 0 and 100% may also be suppressed, for example where all pupils in a school are eligible for free school meals.
Rounding of cells to a multiple of a set base, such as 5 (where, for example, a true value of 3, 4 or 6 would be shown as 5) adds uncertainty to the true values of small cells and helps avoid disclosure.
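The suppression and rounding rules described above can be illustrated with a short sketch. This is an added example, not Ofsted's own code or method: the threshold of 5, the function names, the sample table and the rule for choosing which extra cell to suppress are all assumptions, and it assumes both row and column totals are published.

```python
SUPPRESSED = None  # marker for a cell whose value is not given


def round_to_base(value, base=5):
    """Round a non-negative integer count to the nearest multiple of base."""
    return (value + base // 2) // base * base


def suppress(table, threshold=5):
    """Apply primary, then secondary suppression to a table of counts.

    threshold is an assumed parameter: counts from 1 to threshold - 1
    are treated as small. Secondary suppression repeats until no row or
    column is left with exactly one suppressed cell, so no suppressed
    value can be recovered by subtracting from a published total.
    """
    rows, cols = range(len(table)), range(len(table[0]))
    out = [[SUPPRESSED if 0 < v < threshold else v for v in row] for row in table]

    def hidden_near(r, c):
        # Suppressed cells already present in this cell's row and column.
        return (sum(out[r][j] is SUPPRESSED for j in cols)
                + sum(out[i][c] is SUPPRESSED for i in rows))

    lines = [[(r, c) for c in cols] for r in rows]
    lines += [[(r, c) for r in rows] for c in cols]
    changed = True
    while changed:
        changed = False
        for line in lines:
            hidden = [p for p in line if out[p[0]][p[1]] is SUPPRESSED]
            shown = [p for p in line if out[p[0]][p[1]] is not SUPPRESSED]
            if len(hidden) == 1 and shown:
                # Assumed heuristic: prefer a cell that also pairs up another
                # suppressed line, then the smallest value.
                r, c = min(shown, key=lambda p: (-hidden_near(*p), table[p[0]][p[1]]))
                out[r][c] = SUPPRESSED
                changed = True
    return out


# Constructed sample data: counts by category (rows) and region (columns).
SAMPLE = [[3, 20, 15],
          [12, 8, 30],
          [25, 14, 9]]

if __name__ == "__main__":
    for row in suppress(SAMPLE):
        print(["x" if v is SUPPRESSED else v for v in row])
    print([round_to_base(v) for v in (3, 4, 6)])
```

Two suppressed cells in a row or column stop a value being recovered by a single subtraction; the remaining totals still constrain each suppressed value to a range.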