Guidance

Ministry of Defence: disclosure and confidentiality policy – identifiable survey data

Updated 30 January 2024

Purpose

We hold identifiable personal data collected from Ministry of Defence (MOD) civilian and armed forces employees in surveys. We have an obligation to act ethically and safeguard the confidentiality of individuals. We must also be fully compliant with the Data Protection Act 2018 (DPA18[footnote 1]), and the Freedom of Information Act 2000 (FOIA).

We must adhere to the UK Statistics Authority Code of Practice for Statistics. We must also comply with the United Nations Economic Commission for Europe Fundamental Principles of Official Statistics.

We must comply with:

  • JSP 440: The Defence Manual of Security
  • JSP 400: Disclosure of Information
  • JSP 200: Statistics

We must ensure that we do not inadvertently disclose the identities of people in our published statistics and thus potentially infringe their right to privacy under the Human Rights Act 1998, the DPA18, or in common law.

Data includes photographs, videos, and sound recordings, as well as words and numbers. Data may be held in manual form such as forms and letters or their electronic counterparts.

Analysis Directorate policy

We need to obey the law by protecting the privacy of the people and enterprises whose data we hold.

We obtain, hold and use personal data on the armed forces and civilian workforce and this is covered by the Secretary of State’s entry in the Data Protection Register. We must not use the data for any purpose other than those stated in the Register.

All surveys and censuses undertaken by the Analysis Directorate are based on the principle of informed consent – participants must be made aware of why data are being collected in advance of completing and submitting the questionnaire, and the data must only be used for that purpose.

Where data are to be linked to other data at individual level, for example, from HRMS or JPA, or data collected in earlier surveys, participants are to be made aware of which data will be linked and why prior to completing the questionnaire.

Confidentiality

Respondents to surveys and censuses must be made aware of how confidentiality will be maintained. According to Principle T6: Data Governance of the Code of Practice for Statistics, organisations should be transparent and accountable about the procedures used to protect personal data when preparing the statistics and data, including the choices made in balancing competing interests.

Any variations to these arrangements (including for legal or public interest purposes) must be authorised in advance by the MOD Head of Profession for Statistics and the National Statistician. All authorisations for such variations must be published.

Storage, analysis and transmission of identifiable survey data

Except as described below, identifiable survey data (including sample lists and individual responses) must only be held and analysed on the Analysis Directorate network or officially provided laptops with encrypted hard disk drives.

Identifiable survey data must be stored only on network drives or on encrypted hard disks on officially provided Analysis Directorate laptops. Access to the survey data will be restricted to the Analysis Directorate Surveys team and Corporate Systems staff who administer the Analysis Directorate Network and the databases held on the network. Access will be controlled by means of permissions and MOD-compliant passwords.

The distribution of survey questionnaires and the collection of survey responses is contracted to Membership Engagement Services (MES), 33 Clarendon Road, London N8 0NW. MES must maintain security standards equivalent to those described above. Compliance will be audited by the Analysis Directorate Data Manager and the HIS Enabling Team Leader on a regular basis.

Identifiable AFCAS data will be shared with single service researchers to enable additional analysis to be undertaken to develop and monitor the effectiveness of personnel policies. Prior to the provision of data, a signed Data Access Agreement must be returned to the Analysis Directorate listing the data to be provided, the purpose for which it will be used and the names of all persons with access to the data. This use must be consistent with the ethical approval for AFCAS. Data provided must only be used by the persons listed in the Data Access Agreement for the purpose listed in the agreement. Any breach of the agreement must be reported to the National Statistician.

All identifiable survey data must be treated as “protect personal” and managed accordingly. The Analysis Directorate procedure for the Transfer of Survey Data must be complied with whenever data are transferred: data transfer must be over secure MOD networks or by means of encrypted USB storage devices.

Analysis Directorate staff

Analysis Directorate staff must not misuse the systems to derive sensitive information about individuals. Any attempt to do so is a disciplinary offence.

Contractors and consultants are treated as if they were Analysis Directorate staff. Thus, contractors and consultants retained by the Analysis Directorate are the Analysis Directorate’s responsibility and similar ‘need to know’ restrictions should be placed on their access to personal data. Usually, their ‘need to know’ will be a lot less than for many Analysis Directorate staff with ongoing responsibilities.

Publication of data

While the Analysis Directorate may hold identifiable survey responses, confidentiality must be maintained in all published results (including drafts released to customers) through the application of methods of disclosure control. Further information about the use of disclosure control is set out in the MOD: Disclosure control and rounding policy.

Requests for data

The Data Protection Act 2018 allows the Analysis Directorate to pass personal data to a third party for research purposes (in this case, Part 2 Chapter 2 Section 8d & 10e applies).

Where datasets are requested for research purposes, anonymised datasets will be made available subject to consent by the data owner.

Datasets must be anonymised by removing any unique identifier and ensuring that it is not possible to identify any individual by cross tabulation of demographic data items in the dataset.

Prior to the release of any dataset, a signed Data Access Agreement must be returned to the Analysis Directorate listing the data to be provided, the purpose for which it will be used and the names of all persons with access to the data. Data provided must only be used by the persons listed in the Data Access Agreement for the purpose listed in the agreement.

For student research projects the Data Access Agreement must also be signed by the academic tutor supervising the research. Any breach of the agreement must be reported to the National Statistician.

Data owner and custodians

The survey data are owned by the organisation commissioning the research. The data owner will decide who may access the data and receive analyses based on the survey data.

The Head of the Analysis Directorate Surveys Branch is responsible for ensuring that this policy is complied with and the confidentiality of identifiable survey responses is maintained. This responsibility takes precedence over requests and instructions from the data owner.

The Head of Analysis Directorate Corporate Systems is the Information Asset Owner (IAO) responsible for the security and safe keeping of all of the Analysis Directorate’s data including the survey data held on behalf of the Data Owner. Any queries regarding the Information Assurance of the data held should be directed to the IAO.

For the purposes of the DPA18, the Ministry of Defence is a single legal entity and the Secretary of State for Defence is its data custodian.

Implementation

This policy takes immediate effect. Every person working on identifiable survey data in the Analysis Directorate is expected to adhere to this policy.

Annex A

List of special category personal information

Data items listed in this section are deemed ‘sensitive’ by the Analysis Directorate and particular care should be taken not to reveal them directly or indirectly about an individual. Items marked with an asterisk (*) are defined as special category personal data relating to the data subject (individual) by the European General Data Protection Regulation.

  1. Any data collected where a guarantee of confidentiality was given
  2. Racial or ethnic origin*
  3. Nationality
  4. Political opinions*
  5. Religious or similar beliefs*
  6. Whether a member of a Trade Union*
  7. Physical or mental health or condition, including disability status*
  8. Sexual life*
  9. Commission or alleged commission of an offence*
  10. Biometrics*
  11. Age
  12. Marital status
  13. Cause of death, where this is not a matter of public record[footnote 2]
  14. Benefit claims history or entitlement
  15. Photographs, videos or sound recordings in which individuals can be identified
  16. Genetics*
  17. Any other data whose disclosure would cause the data subject embarrassment or distress and which they could reasonably have expected to remain private

The following data items are not considered sensitive on their own:

  1. Sex
  2. Rank or grade
  3. Whether working full-time or part-time

Owner: Director for Analysis

Author: Analysis Directorate

Issue Date: August 2020

  1. The Act applies only to living persons, but there is a residual duty of confidentiality in common law to deceased individuals. 

  2. Reporting causes of death as recorded on death certificates would not be disclosive, since death certificates can be obtained by the general public from the General Register Office. However, reporting that someone has died of, for example, ‘an AIDS related illness’ when the death certificate showed only ‘respiratory failure’ would be disclosive, and the data should be protected in accordance with the common law duty of confidentiality. This is also done for the sake of surviving relatives.