Valuation Office Agency confidentiality and access policy
Published 27 March 2017
© Crown copyright 2017
This publication is licensed under the terms of the Open Government Licence v3.0 except where otherwise stated. To view this licence, visit nationalarchives.gov.uk/doc/open-government-licence/version/3 or write to the Information Policy Team, The National Archives, Kew, London TW9 4DU, or email: psi@nationalarchives.gov.uk.
Where we have identified any third party copyright information you will need to obtain permission from the copyright holders concerned.
This publication is available at https://www.gov.uk/government/statistics/valuation-office-agency-confidentiality-and-access-policy/valuation-office-agency-confidentiality-and-access-policy
1. Confidentiality and access – general policy statement
The Valuation Office Agency (VOA), as an executive agency of HMRC, is subject to the Commissioners for Revenue and Customs Act 2005 (CRCA) which covers:
- the confidentiality of information held by the VOA
- when it is lawful to disclose that information
- the legal sanctions for wrongful disclosure
The VOA is not permitted to disclose information except in certain limited circumstances, including, for the purposes of its functions, where there is a legislative gateway or with customer consent.
We aim to protect and maintain the security of our data in order to fulfil relevant legal obligations and uphold our guarantee that no statistics will be produced that are likely to identify an individual unless specifically agreed with them. This is while, at the same time, taking account of our obligation to obtain maximum value from the data we hold for statistical purposes. All staff undertake mandatory data security training, including the handling of personal data under the UK General Data Protection Regulation and Data Protection Act 2018, on a regular basis.
The VOA complies with the Code of Practice for Official Statistics and the supporting guidance National Statistician’s Guidance: Confidentiality of Official Statistics.
Our arrangements for protecting confidentiality fall into the following four areas.
2. Physical security
All staff working in the VOA and all visitors to its sites require a pass to access the premises. Security classified statistical data is held in a secure environment that includes appropriate secure storage such as locked security cabinets. Access is strictly controlled in line with the VOA’s security policy.
3. Technical security
The VOA maintains a secure technical environment, including appropriate access to the Public Services Network (PSN). No data is held on unsecure standalone laptops, or kept on unprotected portable devices or storage media. All transmission of restricted micro-data takes place in a strictly controlled encrypted environment, in accordance with our security policy and standards. All confidential data used in the production of our statistical publications are stored in separate areas of the internal network and access is strictly restricted to a limited number of statistical staff who need it for statistical purposes.
4. Organisational security
The VOA uses a combination of an Information Security Manager, information management and security teams to protect and maintain our data in line with the VOA’s security policy.
The Chief Executive as the VOA Accounting Officer has overall responsibility for security and ensuring that the VOA risks are assessed and mitigated to an acceptable level.
We have a Senior Information Risk Owner at Board level who is responsible for managing all VOA information risks, including maintaining and reviewing the information risk register. For each major business area within the VOA there is an Information Asset Owner who is responsible for the confidentiality, integrity and availability of the information assets they own.
We have an Information, Law and Disclosure team who are responsible for the policies, practices and processes for the recording and exploitation of the VOA’s information.
The Security Team is responsible for providing assurance that all IT systems, services and infrastructure meet the required security standards. They also provide direction and support to the VOA in delivering some of the key security controls including IT, physical security, personnel vetting and data security.
All staff have personal responsibility for complying with VOA security policies, standards, guidance and procedures.
5. Disclosure security
We use a combination of data manipulation and/or statistical disclosure techniques before official statistics are released to meet the confidentiality guarantee. This is reviewed regularly to maintain awareness of current and best practice.
6. Arrangements for providing controlled access to micro-data
The VOA provides potentially disclosive micro-data to users from other government departments only where the confidentiality provisions of CRCA allow. No administrative data can be released without the necessary statutory legal gateway. Where such sharing occurs, VOA uses information sharing protocols, agreements and confidentiality agreements to maintain the confidentiality of the information. Non-disclosive data may be released in anonymised form by the government department where appropriate.
7. Recording the details of access authorisations
Full details of all authorised access to the organisation’s micro-data are recorded for internal and external auditing purposes.
Mark Wardell is the Lead Statistician for the Valuation Office Agency.