Protection of Confidential Data

EurostatDecember 2004

Manual for the protection of confidential data in Eurostat

PROTECTION OF CONFIDENTIAL DATA

IN EUROSTAT

December 2004

Table of contents

PREFACE

1.OVERVIEW

1.1.Introduction

1.2.Confidential statistical data

1.3.Statistical confidentiality

1.4.Main objectives of regulations 1588/90, 322/97 and 831/2002

1.5.Committee on Statistical Confidentiality

1.6.Eurostat responsibilities

1.7.Main principles and rules

1.8.Transmission of confidential data

1.9.Access to confidential data

1.9.1.Access for statistical purposes

1.9.2.Access for scientific purposes

1.10.Use of confidential data transmitted to Eurostat

1.11.Dissemination

2.TRANSMISSION OF DATA TO EUROSTAT

2.1.Format of data

2.2.Encryption of data

2.3.Transport of data

2.3.1.by mail or by an authorised person

2.3.2.by STADIUM

2.3.3.by email via Internet

2.4.Transmission of data from Eurostat to the Member States

3.Storage of data at Eurostat

3.1.Central secure area

3.1.1.Network and Firewall

3.1.2.Secure machine rooms and servers

3.2.Secure terminal rooms

3.3.Secure PCs

3.3.1.In ordinary offices

3.3.2.In secure rooms

3.4.Commission Data Centre

4.Access authorisation procedures

4.1.Access granted to Eurostat staff

4.2.Access by staff of other Directorates-General of the Commission

4.3.Access granted to contractors

4.4.Access granted to researchers

4.4.1.The legal framework

4.4.2.The research body admissibility procedure

4.4.3.The research project acceptation procedure

4.4.4.The access and processing procedures

5.Processing of confidential data

5.1.Audit trail

5.2.Output Control

5.3.Statistical protection procedures

5.3.1.Introduction

5.3.2.Microdata (individual data, primary records)

5.3.3.Tabular data (macrodata, aggregations)

5.3.4.Disclosure Avoidance Methods

5.3.5.Software for SDC

ANNEXES

PREFACE

Statistics depends on the quality and completeness of information in the raw data. Eurostat's work is based on the information transmitted by the national authorities in the Member States and confidentiality is of utmost importance in this respect since it contributes to the mutual trust not only with data subjects but also with the national authorities.

Since June 1990, with the adoption of Council Regulation 1588/90 governing the transmission of confidential data to Eurostat, a system of exchange of such data has been developed and functions satisfactorily.

Since January 1994 specific measures have been defined and formally adopted by the Committee on Statistical Confidentiality aiming to ensure the legal, physical and logical protection of confidential data transmitted by the national authorities to Eurostat.

In February 1997 Council Regulation 322/97 on Community statistics was adopted, which defines the general principles governing Community statistics, the processes for the production of these statistics and establishes detailed rules on confidentiality. Finally, in May 2002 Commission Regulation 831/2002, concerning access to confidential data for scientific purposes, set out a new set of principles with regard to this specific aspect, which complete the legal instruments on confidentiality at European level.

Consequently, the organisational measures in Eurostat had to be adapted and updated in the light of legal and technological developments as well as experience acquired over the years. This document aims to serve this purpose. It replaces the previous Manual issued in December 1996. It is addressed to the staff of Eurostat but also to people from the outside who access, according to the rules, confidential data in Eurostat.

This Manual has been presented to the Committee on Statistical Confidentiality held on the 10th of December 2004 which has delivered a favourable opinion in accordance with article 7 of the Council Regulation 1588/90.

The Director General

1.OVERVIEW

1.1.Introduction

In order to ensure the best possible quality, Community statistics shall be governed by the principles of impartiality, reliability, relevance, cost-effectiveness, statistical confidentiality and transparency. Statistical confidentiality is therefore one of the main principles to which the production of statistics shall conform.

Community acts dealing with statistical confidentiality are the following:

• Council Regulation (EEC, Euratom) No 1588/90 of 11 June 1990 on the transmission of data subject to statistical confidentiality to the Statistical Office of the European Communities[1] (Annex 2).
• Council Regulation (EC) No 322/97 of 17 February 1997 on Community Statistics[2] (Annex 3 and Annex 4).
• Commission Regulation (EC) No 831/2002 of 17 May 2002 implementing Council Regulation 322/97 on Community Statistics, concerning access to confidential data for scientific purposes[3] (Annex 5).

All these acts specify the scope of the statistical confidentiality principle and its impact on the whole statistical production process (collection, storage, processing, compilation, analysis, access to and dissemination of the statistical information).

These regulations only apply to statistical confidentiality. Legal obstacles to the transmission of information to Eurostat which are caused by provisions other than statistical confidentiality are not affected (e.g. tax secrecy, social secrecy, medical secrecy).

A list of acronyms is given in Annex 1.

1.2.Confidential statistical data

Confidential statistical data - data used by the national authorities and the Community authority for the production of Community statistics shall be considered confidential when they allow statistical units to be identified, either directly or indirectly, thereby disclosing individual information.

Direct identification means the identification of a statistical unit from its name or address, or from an officially allocated and published number.

Indirect identification refers to the possibility of deducting the identity of a statistical unit other than from the direct identification means. To determine whether a statistical unit is identifiable, account shall be taken of all means that might reasonably be used by a third party to identify the said statistical unit.

1.3.Statistical confidentiality

Statistical confidentiality shall mean the protection of data related to single statistical units which are obtained directly for statistical purposes or indirectly from administrative or other sources. It implies the prevention of non-statistical utilisation of the data obtained and unlawful disclosure.

The confidential handling of data in Eurostat aims to guarantee that the data concerned will be protected against unauthorised disclosure. Though there are two other main subjects in data protection (integrity = the prevention of unauthorised modification of the information and availability = the prevention of unauthorised withholding of information), the main aspect in the context of' statistics is confidentiality, which has an internal and an external dimension:

• Inside Eurostat
  Access to confidential data must be restricted to authorised personnel only, i.e. those who need such access in order to perform their work. Access to the data must be made impossible for unauthorised persons or so difficult that it is not worth the effort and risks involved.
• Outside Eurostat
  Dissemination of information must be restricted to non confidential data, with the possible exception of granting access to confidential data for scientific purposes. Unauthorised access by force or stealth must be made impossible or so difficult that it is not worth the effort and risks involved.

One should keep in mind however that confidentiality, integrity and availability measures are very much interrelated so that each one contributes to the strength of the others.

1.4.Main objectives of regulations 1588/90, 322/97 and 831/2002

In order to carry out the duties entrusted to it by the Treaties, the Commission must have full and reliable information. Thus, Eurostat must be able to obtain all the national statistical information necessary in order to prepare Community statistics and carry out the necessary analysis.

The first main aim of the regulations is therefore to remove the legal obstacles which may have hindered Member States in transferring statistical information due to national confidentiality rules. To achieve this, rules on statistical confidentiality must no longer consider Eurostat as an “outside” or “third” party. Under these regulations, Eurostat has the same role within the statistics' production process as the national statistical authorities themselves, insofar as the treatment of confidential data is concerned.

The second main aim is to protect confidential statistical data. The incorporation of Eurostat into the internal area protected by statistical confidentiality means that within this area a high level of protection is to be applied.

The third aim is to ensure that Eurostat and the national authorities apply the same principles and minimum standards for avoiding disclosure of confidential Community statistical data. In relation to external use as regards dissemination and publication, it is to be guaranteed that the statistical results contain no data subject to statistical confidentiality.

Given the specific interests of the scientific community, Regulation 831/2002 aims at establishing the conditions under which access to confidential data may be granted to researchers.

1.5.Committee on Statistical Confidentiality

In order to assist Eurostat in its tasks related to the required protection of confidential data, a Committee on Statistical Confidentiality has been set up, composed of representatives of all the Member States and chaired by the Director General of Eurostat or a person designated by him (Article 7, paragraph 1 of Regulation 1588/90 and Article 20 of Regulation 322/97). The tasks of the Committee are as follows (Annex 6):

• The Committee shall deliver its opinion on the draft of measures to be taken as referred to in Article 4 (3) and 5 (3) of the Regulation 1588/90 (see Article 7, paragraph 2) and Article 20 of Regulation 322/97.
• The Committee shall examine questions relating to the implementation of the Regulation 1588/90 (see Article 8) and Regulation 322/97 (see Article 20).
• The Committee shall be consulted in matters of establishing the arrangements for the internal organisation of Eurostat to ensure the protection of confidential data transmitted to Eurostat (see Article 5, paragraph 1 of Regulation 1588/90 and Article 20 of Regulation 322/97).

1.6.Eurostat responsibilities

To ensure the confidential handling of statistical data, all necessary regulatory, administrative, technical and organisational measures are to be put into effect by Eurostat on behalf of the Commission. These measures include the procedures for a secure transmission, the internal data processing and its organisation, the internal rules of access, the protection against access from the outside and the standards for compiling and dissemination of the results.

In that respect, the Director-General of Eurostat has been instructed by the Commission to ensure the protection of data transmitted to Eurostat.

This covers notably the following functions:

• legal aspects and general security
• control and audit of confidentiality at Eurostat
• access authorisation

In these functions the Director-General is assisted by the Legal Adviser and by the LISO (local informatics security officer) in their respective capacities. They are also responsible for advice, training and support of Eurostat's personnel. The Director-General can delegate his functions to one of the Directors of Eurostat.

For each data collection containing confidential data, a Data Collection Responsible Officer (DCRO) is nominated by the competent Director. The DCRO shall ensure the confidentiality of these data.

1.7.Main principles and rules

The handling of confidential data within Eurostat is implemented along the following principles:

Operability versus confidentiality

Trade-off between operability and confidentiality: although the implementation of protective measures adds some operational constraints, the objectives of confidentiality will never be compromised. Design of imaginative solutions allows for a reasonable level of user-friendliness.

Confidentiality level

The level of confidentiality and security achieved is at least as high as the level achieved in the Member States when dealing with confidential data.

Four-eyes principle

Access to confidential data is limited to the minimum number of persons required. However, confidential data are not left to the custody of a single person. The agreement of two or more persons is required before access is granted.

Domain responsibility

The responsibility for the confidential data is primarily attributed to an official responsible for the domain or for the data collection. For each data collection, a Data Collection Responsible Officer (DCRO) is nominated.

Independence of functions

Several functions are participating in the implementation of the Confidentiality Regulation. They are and should remain independent of each other. These functions are addressed in § 1.6.

The main rules to protect confidentiality are:

a.To limit drastically access to confidential data. Confidential data may only be treated in a secure environment. The secure environment is separated from the normal environment.

b.To pre-process confidential data in a secure environment with appropriate andagreed disclosure avoidance methods to turn confidential data into non-confidential one before release. The disclosure avoidance method is to bedetermined by the DCRO after the consultation with the parties involved.

c.To avoid as much as possible modifying the “normal processing” of the data as long as it does not process confidential data.

d.To reserve the access to the secure area to authorised persons when they need to work on confidential data, for specific requests.

e.The use of other Eurostat systems or systems administered by other servicesof the Commission for confidential data is not allowed. Systems administered by the Data Centre of the Commission can be used subject to strong agreed confidentiality and monitoring procedures.

f.The strict separation between the functions of 1) authorising the access 2) theapplication uses and 3) developing the tools to control the access or other securityfacilities.

1.8.Transmission of confidential data

One of the risk areas is the transportation of data between the MemberStates and the Eurostat premises.

Methods of transportation should be decided on an individual basis, by the Member States concerned. The details of the implementation should follow the recommendation laid down in Chapter 2 of this Manual. Member States should be informed of their responsibility to choose the appropriate method.

1.9.Access to confidential data

The protection measures apply to all confidential data, regardless of whether they have been transmitted to Eurostat on a voluntary basis or in fulfilling an obligation to do so under an EC legal act governing specific Community statistics.

1.9.1.Access for statistical purposes

Confidential statistical data shall be accessible only to the officials of Eurostat and, under certain conditions (e.g. specific authorisation, commitment on statistical confidentiality) and in special cases, to other staff of Eurostat and other natural persons working on the premises of Eurostat under contract (Article 5, paragraph 3, of Regulation 1588/90).

This provision clarifies once more the point that all other Directorates-General and services of the Commission and other organs of the Communities have no access to confidential statistical data. In the sense of statistical confidentiality they are to be regarded as “third parties”.

1.9.2.Access for scientific purposes

Article 17 of Regulation 322/97 allows, under certain circumstances, access for scientific purposes to confidential data, which do not permit direct identification, transmitted to Eurostat. Regulation 831/2002 defines these conditions under which access to confidential data transmitted to the Community authority may be granted:

• Article 3 defines the categories of research bodies to which access to confidential data may be granted by the Community authority.
• Article 4 defines strict conditions to be satisfied to access confidential data for researchers and additional conditions to be satisfied to access confidential data on premises of Community authority.
• Articles 5 and 6 defines categories of data which could be accessed by researchers.

Regulation 831/2002 confirms the principle defined in Regulation 322/97 that the data accessed shall not contain information allowing the direct identification of the statistical units concerned.

1.10.Use of confidential data transmitted to Eurostat

Confidential statistical data must be used exclusively for statistical purposes (Article 5, paragraph 2 of Regulation 1588/90 and Article 15 of Regulation 322/97) unless the respondents have unambiguously given their consent to the use for any other purposes, i.e. use exclusively for the compilation of statistical tables or for statistical economic analysis. That excludes any use of such data for administrative, legal or tax purposes or for verification against the units surveyed.

1.11.Dissemination

Confidential statistical data in the possession of Eurostat may be disseminated only when combined with other data in a form which ensures that statistical units cannot be identified either directly or indirectly.

Disclosure control is the responsibility of the DCRO.

2.TRANSMISSION OF DATA TO EUROSTAT

Concerning transport of confidential data, before reception by Eurostat, the following recommendations are applicable.

It should be understood that in the real world there is always some risk of disclosure: “zero risk” is not possible. The purpose of this recommendation is to reduce the risk as far as possible; it is based on an assessment of all currently feasible scenarios for the transmission of confidential data to Eurostat.

All confidential data entering Eurostat go through a single entry point that authenticates the sender, acknowledges and registers reception, notifies the relevant recipients in Eurostat of the arrival and transfer to the secure area.

Eurostat offers several options for reaching this single entry point, the most traditional being STADIUM Client (or STADIUM Web Application) associated with Statel.

Confidential data sent directly to the units in Eurostat, notwithstanding the previous paragraph, are transferred personally to the Local Information Security Officer (LISO) in Eurostat without undue delay. Transmission of data by e-mail directly to units should be avoided.

Units receiving copies of confidential information must not leave it accessible to unauthorised persons.

2.1.Format of data

Member States shall transmit to Eurostat the data and metadata in electronic form, in conformity with an interchange standard format proposed by Eurostat.

2.2.Encryption of data

The recommended use of STATEL and/or the TESTA network for transmitting data to Eurostat includes data encryption. However, this ensures confidentiality only on the network between the relevant national authority and Eurostat. The sender may consider this inadequate with regard to the transmission of confidential data.

Encryption by the sender and decryption by the receiver of the data are the only means of ensuring end-to-end confidentiality (from statistician to statistician or from application to application). Decryption must take place in Eurostat’s secureenvironment under the responsibility of the DCRO.

The sender will have to reach agreement with the receiving unit at Eurostat on a file encryption method, preferably based on asymmetrical keys (public key for encryption and private key for decryption). Eurostat recommends the use of open-source encryption software such as WinPT, which is Windows freeware based on the GNUPG open-source portable software application (see Annex7).

If e-mail is used for file transmission - although this should be avoided if at all possible - the asymmetrical encryption described above is essential in view of the complete lack of security of this medium of transport (it is once again pointed out that the transport of confidential data to Eurostat is the responsibility of the Member States). Senders also have the option of encrypting fully and directly the message and the file attachment by means of the Commission’s secure e-mail tool (SECEM), which also uses asymmetric keys.