Data management in official statistics policy
Updated 1 April 2026
© Crown copyright 2026
This publication is licensed under the terms of the Open Government Licence v3.0 except where otherwise stated. To view this licence, visit nationalarchives.gov.uk/doc/open-government-licence/version/3 or write to the Information Policy Team, The National Archives, Kew, London TW9 4DU, or email: psi@nationalarchives.gov.uk.
Where we have identified any third party copyright information you will need to obtain permission from the copyright holders concerned.
This publication is available at https://www.gov.uk/government/publications/ukhsa-official-statistics-compliance-documents/data-management-in-official-statistics-policy
Summary
This policy is to be read alongside the UK Health Security Agency (UKHSA) privacy notice and is specific to UKHSA’s official statistics products.
We anonymise our data to ensure confidentiality in our statistics.
We conduct disclosure risk assessments on our official statistics to evaluate the level of statistical disclosure control required, if any.
We apply statistical disclosure control methods to ensure that data subjects cannot be identified within a data set, or by combining data sets.
Breaches of disclosure in official statistics must be reported to the Head of Profession for statistics and, in the case of a serious breach, the Director General for Regulation at the Office for Statistics Regulation.
Breaches of disclosure may result in a statistics release being temporarily withdrawn while statistical disclosure control methods are applied.
Policy statement
This policy sets out UKHSA’s approach to elements of data management specific to the production and dissemination of official statistics, such as disclosure control and our breach procedure.
This policy applies to all UKHSA employees and third-party staff (e.g. consultants, contractors, temporary employees) who contribute to the production of our official statistics products – hereafter referred to as producers of official statistics.
The purpose of this document is to provide transparency and clarity as to the handling of data for official statistics, in accordance with our Code of Practice for Statistics obligations.
This document is intended as a companion to the UKHSA Privacy Notice, where all general information on our handling of personal data can be found.
You can find a full list of our official statistics products on GOV.UK. Any UKHSA analytical products not on this list are not in scope of this policy.
Terminology
The key words ‘must’, ‘must not, ‘should’ and ‘should not’ are interpreted as follows:
- must: indicates a mandatory requirement of this policy
- must not: indicates an absolute prohibition
- should: indicates a recommendation subject to context
- should not: indicates a discouraged practice unless justified
Roles and responsibilities
Producers of UKHSA official statistics are responsible for handling data in accordance with this policy.
The Head of Profession for statistics is responsible for handling breaches of this policy, further detailed in Section 8 below.
Confidentiality in our official statistics
UKHSA is committed to protecting confidentiality when producing official statistics.
Data used in our official statistics is anonymised, meaning that identifying information has been removed, obscured, or sufficiently aggregated to minimise risk of identification.
We also apply methods of disclosure control to ensure that data subjects are not identifiable, even when multiple data sets are combined.
We take a balanced assessment of risk and publish the most granular data we can whilst ensuring that we minimise disclosure risks, applying ISB1523: anonymisation standard for publishing Health and Social Care data where appropriate.
Statistical disclosure control
Statistical disclosure control is the process by which we modify data sets, removing or ‘suppressing’ figures which may lead to data subject identification. Accidental disclosure of a data subject’s identity could cause harm and distress to individuals, cause reputational damage to UKHSA, and even result in legal challenges or sanctions from the Information Commissioner’s Office (ICO).
To protect against these risks, we follow the Data Protection Act (2018) principle of “data protection by design and default”, building disclosure control into our ways of working and quality assurance processes.
The best way to implement disclosure control is often subjective, as it depends on factors such as the nature and sensitivity of the data being communicated. It is also important that disclosure control does not unnecessarily limit the usefulness of a release for users, as this would limit the value of the statistics for its users.
To maintain a careful balance between the need for confidentiality and the need for value in our statistics, we take a risk-based approach to disclosure control.
Our disclosure risk assessment
There is no one-size-fits-all approach to disclosure control, and it is rarely possible to completely remove the risk of disclosure. All risk of disclosure needs to be considered in relation to the potential value of the data to the public.
When choosing an appropriate disclosure control method, our aim is to select a method which would sufficiently reduce disclosure risks while still ensuring that the release would be useful to users.
Our disclosure control risk assessment takes the following into consideration: - user requirements - characteristics of the data and where disclosure risk may be present - the likelihood and impact of a disclosure risk
Statistical disclosure methods
When choosing a statistical disclosure control method, we consider several different options.
Our preferred first option is table redesign, which involves increasing the size of the populations at risk: - it is our preferred option as it does not suppress or alter the underlying data in the same way that rounding or suppression would, just the way it is presented - we may collapse groups across table rows or columns, leading to a higher level of aggregation. For example, combining age groups, combining categorical variables, or presenting data at a higher geographical area. We may use ‘Top or bottom coding’ to mask outliers, for example by creating an ‘aged 10 years and under’ or ‘aged 60 years and over’ age category - for longitudinal data, we may combine years to derive 3-year aggregates, for example, which adds uncertainty both in terms of the total value in each year and in which year each data subject appeared - we may split a table with multiple different dimensions into separate tables. In this scenario, we take care that the tables cannot be easily re-linked, which could allow for re-calculation of the original values via differencing
Another option we consider is rounding, whereby all values within a data set are rounded to a specified base, such as to the nearest 3, 5, or 10: - we may round to base 3 to avoid isolating individuals in counts of 1 or counts of 2 where one individual might recognise the other - we may round to base 5 or 10 for greater protection where this feels more appropriate following our risk assessment - simple rounding may mean that totals no longer equal the sum of values. We may use controlled rounding to account for this, enabling the additivity of the totals to be preserved
Following a risk assessment, we may decide that neither table redesign nor rounding is suitable as they would still lead to the presence of unsafe cells. In this scenario, we may use primary and secondary cell suppression: - when suppressing data, we will replace small numbers with the symbol ‘[c]’ for confidential, making sure that this is explained in the release - suppression may also involve using ranges such as ‘1 to 4’, however it differs from rounding because the rest of the data set would not be rounded - suppressing the potentially disclosive numbers directly is known as primary suppression, but we may then also need to use secondary suppression. This involves suppressing other cells in the same table to prevent disclosure by differencing
Other methods which we may consider include record swapping, record removal, and Barnardisation, which involves randomly applying a +1, 0, or -1 to cells in a data table. We avoid these methods as they are more destructive than the three listed above and may be more difficult to explain to users.
Where other methods are used, these will be clearly explained in the relevant release.
Handling of breaches
Where a breach of this policy is identified and results in disclosure of confidential information, the person who identifies the issue must immediately report this to the Head of Profession for statistics.
We must record the breach in our internal issue log and, if the Head of Profession for statistics judges the breach to be a serious concern, we must report it to the Director General for Regulation at the Office for Statistics Regulation and UKHSA’s security incident reporting team.
We may issue revisions and corrections to the official statistics release in question to apply an appropriate statistical disclosure method. We may also take down the official statistics release in question for a proportionate period of time while we carry out this work.
If you believe that personal information has been disclosed in our official statistics, you should immediately email our data security team (security@ukhsa.gov.uk) and our Head of Profession for statistics (UKHSA_HOPSTATS@ukhsa.gov.uk) with as much information as you have.
Related legislation, standards and guidance:
UK General Data Protection Regulation (UK GDPR)
ISB1523: Anonymisation Standard for Publishing Health and Social Care Data - NHS England Digital