This information sets out the principles and procedures that we follow to manage the data used to produce the statistics we publish on our website.

We produce official statistics in line with the Code of Practice for Official Statistics 3.0 (‘Code 3.0’ or ‘the Code’).

Standard 4, Practice 1 of the Code states: ‘Be ethical in how you collect, access, use and share data to serve the public good and be transparent about your approach in a published data management policy.’

Five Safes

We manage our data using the principles set out in the Office for National Statistics’ (ONS) Five Safes framework.

Safe people

Everyone in our data and analytics team has appropriate, up-to-date organisational IT and data protection training, and ONS safe researcher training.

It is crucial that staff maintain the highest level of confidentiality when working with official statistics. They must sign an agreement at the start of each annual publication cycle in which they agree to:

  • share data or statistics only with people named on the production list

  • present the statistics in a way that does not reveal personal information

  • keep personal information and data secure, and use it only to produce statistics

  • share personal information and data used to produce aggregated official statistics only with people named on the production list and to do so with the greatest consideration for confidentiality and security

Safe projects

When analytical staff consider new collections of externally sourced data, they work with data governance colleagues to produce a data privacy impact assessment (DPIA). They then discuss the safety of the new collections with relevant internal groups.

We share data with external bodies, such as the Scottish Government, and UK university researchers. To do this safely, we draw up data sharing agreements that set out the legal basis and conditions for sharing. We discuss these with our data governance colleagues, who sometimes decide that we need to put a DPIA in place before we share the data, to identify and minimise the data protection risks.

Safe data

We process our statistical data in line with the General Data Protection Regulation (UK GDPR) and Data Protection Act (DPA) 2018 legislation.

We publish a privacy notice to let individuals know we are using our data.

We have procedures in place to manage information security incidents.

Safe outputs

We publish statistics in line with our Confidentiality policy, so that they do not disclose identifiable information about individuals.

Safe settings

We have security measures in place to ensure we store our statistical data securely, and that only authorised staff in our Data and Analytics team and specified IT staff can access it.

To further protect this data and the individuals to which it refers, we do not publish details of our security measures.

Compliance

The head of profession (our head of data and analytics) has the final decision on any action necessary to comply with these procedures.

Questions or comments?

We want this information to be as helpful as possible. Please email us at data.analytics@qualifications.gov.scot with questions or general comments.

Our statistical practice is regulated by the Office for Statistics Regulation (OSR). OSR sets the standards of trustworthiness, quality and value in the Code. You can also email us at data.analytics@qualifications.gov.scot with your comments on how we’re meeting these standards, or you can contact OSR by email at regulation@statistics.gov.uk, or through the OSR website.