Reporting breaches of the Code of Practice for Statistics

Policy details

Publication date: 22 February 2018
Author: Good Practice Team
Approver: Statistical Policy and Standards Committee
Who this is for: Members of the Government Statistical Service
Type: Guidance
Contact: gsshelp@statistics.gov.uk
Review frequency: This guidance is reviewed annually.
Updates: On 12 May 2020, this guidance was updated to include the new breach reporting template and an update of some of the common breach examples.


Breach report template download

Download the breach reporting template (ODT, 23 KB).

What is a breach?

A breach is caused when an organisation producing official statistics fails to meet the standards outlined in the Code of Practice for Statistics.

Reporting breaches means being open about mistakes and the actions being taken to correct them. It is important for building public trust in statistics and for producers of statistics to learn and improve. Being open about breaches of the Code of Practice for Statistics enhances the transparency and public accountability of the statistical system. Being transparent about the circumstances when things go wrong, and drawing attention to the improvements made as a result, are positive ways to improve trustworthiness.

The United Kingdom Statistics Authority has a statutory obligation under the Statistics and Registration Service Act 2007 to promote and safeguard good practice in relation to official statistics. Producers support and uphold this principle by reporting breaches of the Code of Practice for Statistics.

Is it a breach?

The Code of Practice sets out the principles and practices that ensure that official statistics demonstrate trustworthiness, quality and public value. If these practices are not followed then a breach of the code may occur.

Potential breaches should be discussed as soon as possible with the departmental Head of Profession for Statistics or Lead Official to decide whether further actions are required. Breaches should then be reported to the National Statistician via the GSS Good Practice Team. This applies to National Statistics and official statistics, including experimental statistics.

If you are unsure, the GSS Good Practice Team can advise producers on whether a breach may have occurred.

Common examples of breaches

Some common examples of breaches, alongside the relevant sections of the Code of Practice, are presented in this section. Breaches of the code in respect of orderly release are the most commonly reported. This includes pre-release data being sent out early, pre-release data being forwarded to somebody who does not have permission to see it, or statistics not being published at the required time of 9:30am.

Code of Practice principle and examples of breach

Principle T1 – Honesty and integrity

Practice T1.2 – the collection, access, use and sharing of statistics and data should be ethical and for the public good. Those producing and releasing statistics should be free from conflicts of interest, including political and commercial pressures, that may influence the production, release and sharing of the statistics and data.

Examples of breach:

  • A statistical team is asked to move the release date of official statistics to reduce the likelihood of negative media coverage.
  • An individual uses information to be published in a forthcoming market sensitive statistical report to, for example, play the stock market.

Principle T2 – Independent decision making and leadership

Practice T2.1 – the Chief Statistician or Head of Profession for Statistics should have sole authority for deciding on methods, standards and procedures and on the content and timing of the release of regular and ad-hoc official statistics.

Examples of breach:

  • The Head of Profession or Lead Official is put under pressure to release data before they are ready and/or when they are of poor quality.
  • Statistics are leaked (wholly or partially) to the press or another third party prior to the scheduled publication time.

Principle T6 – Data governance

Practices T6.1, T6.2, T6.3 and T6.4 – confidential (disclosive) information is inadvertently or inappropriately made available to unauthorised persons.

Examples of breach:

  • Raw data files with identifiable information are accidentally uploaded to the internet and become publicly available.
  • A disk containing disclosive statistical information is left on a train by a departmental employee.
  • Disclosive information is sent in error to another government department.

How to report a breach

The producer responsible for the statistical release should ensure that the relevant Head of Profession (HoP) or Lead Official (LO) is notified of a potential breach straight away. This may mean alerting the HoP or LO in more than one department, or the Chief Statistician of one or more devolved administrations.

If a breach occurs, the producer of the statistics will need to complete the breach reporting template and submit it to the National Statistician by emailing goodpracticeteam@statistics.gov.uk. This should be done on the day of the potential breach or as soon as is practically possible.

If you’re unsure whether or not a breach has occurred, the Good Practice Team will provide support and advice and can confirm whether it is necessary to submit a breach report. They can also provide advice on what level of detail should be included.

If you are confident that a breach has occurred and that you have all the necessary information to hand, a written breach report may be completed and provided to the Good Practice Team on first contact.

Who is responsible?

The responsibility for reporting a breach lies with the “responsible person”, usually the Head of Profession for Statistics or Lead Official of the producer department. For example, if statistics are sent to eligible persons in another department under pre-release access but the recipient disregards one of the rules or principles, the Head of Profession of the producing department must report the breach. It is their statistics that are the subject of the breach and it is that Head of Profession’s responsibility to ensure that those granted pre-release access comply with legal requirements.

Should I inform my users?

The Good Practice Team will advise if the producer needs to issue a more timely public statement explaining the breach, in advance of the publication of the breach report. This is usually good practice. Such statements would normally be released in the same place that the statistics have been or are to be published.

If a publication is going to be released after 09:30am, how should this be reported to users?

You should alert users to the late release of a publication as soon as possible, with an indication of a resolution time. Consider all appropriate means of communication, including social media, sending an email to all known users (perhaps forwarding an electronic version of the statistics) and posting a statement on the relevant web page inviting users to contact the producer to receive a copy of the statistics via email. Your response should be proportionate to the nature of the breach and the affected statistics and provide appropriate reassurance to users, describing the steps that will be taken to improve the department’s statistical processes.

What happens next?

The Good Practice Team will review the report and may make further contact with the producer to discuss the content and ask for additional information. This may include checking that the proposed corrective actions are sufficient and focussed enough to address the root cause of the breach.

The report will be discussed with the Office for Statistics Regulation. This may result in additional information being requested. Other follow-up action by the Office for Statistics Regulation will depend on the nature and severity of the breach and the risk posed to public trust in official statistics.

Where are breach reports published?

Breach reports are published on the United Kingdom Statistics Authority website. Depending on the severity of the breach, the Office for Statistics Regulation and the Authority will consider on a case-by-case basis whether a further statement or other intervention is needed.

Step-by-step guide

Step 1

The producer responsible for the statistical release should ensure that the relevant HoP or LO is notified of the potential breach and contact the Good Practice Team as soon as is practically possible, ideally on the day of occurrence. If the producer is unclear whether a breach has occurred, they should contact the Good Practice Team, who will confirm if further action is required.

Step 2

The producer department should complete a breach report. This should normally be submitted to the Good Practice Team within one working day. If needed, they will provide advice and support on completing the breach report template.

Step 3

The Good Practice Team will review the breach report and request any additional information needed. They will liaise with the Office for Statistics Regulation as appropriate. The producer should respond to this request within two working days if possible.

Step 4

The final breach report will be reviewed by the Good Practice Team and the Office for Statistics Regulation and, once signed off by both, will be published on the United Kingdom Statistics Authority website. It is important to provide timely information on breaches, to ensure transparency for users and to build and maintain trustworthiness. We aim for completed breach reports to be published within 10 working days of the initial report.

Publishing an interim report

In some complex circumstances, it may take longer than usual to provide all the required information about why a breach occurred and the steps that will be taken to mitigate against recurrence. In these cases, the producer must keep in regular contact with the Good Practice Team.

In rare cases, the Good Practice Team may advise the producer that an interim breach report should be completed and published to ensure transparency to users. This will be considered after six weeks from the initial breach notification.

How to complete the breach report

Core information

Please provide the name and contact details of the person who is best placed to deal with any correspondence relating to the breach. You will also need to include the name and contact details of the Head of Profession for Statistics.

Published statements about the breach may not be available at the time of reporting, in which case this box can be left blank.

Circumstances of breach

Please indicate which part(s) of the Code of Practice the breach relates to e.g. ‘Principle T2, practice T2.3’. This will help us to monitor which parts of the Code the most common breaches relate to.

Provide details of the nature and circumstances of breach in a way that will be clear to a user of the statistics. You should explain clearly how and why the breach occurred and include references to previous breaches of the same type where relevant. The level of detail needed will depend on the exact circumstances, but for minor breaches (e.g. related to minor delays to publication) brief details will be sufficient.

Impact of the breach

Please give brief details of the consequences of the breach, covering impacts both inside and outside the producer body.

The information supplied will depend on the type of breach. For example, where the breach relates to accidental or wrongful release, you should include the number of people who had access to the statistics and whether any press reports were published before the official release.

Corrective actions (taken or planned) to prevent re-occurrence

Please provide as much detail as possible to help users and the United Kingdom Statistics Authority to understand how the breach has been addressed and what mitigation will be put in place to prevent recurrence.

Appropriate actions will depend on the circumstances and severity of the breach. As a guide, some examples of considerations and suitable actions for the most common types of breach are given in the table.

Breach type: Accidental or wrongful early release (Principle T3, Practices T3.3, T3.4, T3.6)

Considerations:

  • How sensitive are the statistics and how long is it before the scheduled publication date?
  • How many people are likely to have accessed the statistics?
  • Has pre-release access to the statistics been restricted? Should you ask people with pre-release access not to disclose or discuss the statistics until further notice?

Possible corrective actions:

  • Withdraw the data as soon as possible
  • Bring forward the time of the general release
  • Issue a statement on your organisation’s website alerting users to the problem

Breach type: Pre-release statistics shared outside the pre-release list (Principle T3, Practices T3.3, T3.4)

Considerations:

  • How many people received the statistics in error and who?
  • Are the statistics high profile or market sensitive?
  • How long have the recipients had access to the data before the error was discovered?
  • Have the recipients shared or discussed the data with others?
  • Can the offending email or statistics be recalled or deleted?
  • Was the correct security marking applied to the pre-release access email?

Possible corrective actions:

  • Recall the data
  • If the statistics have been forwarded by somebody that was eligible to receive pre-release access, consider removing their pre-release access
  • Remind staff about correct pre-release protocol
  • Strengthen the wording of all text accompanying pre-release material
  • Consider further training to educate staff on their obligations under the Code of Practice
  • Increased management control of the processes
  • Should stronger words be used in the text that is sent out with pre-release access?

Breach type: Statistics published after 9.30am (Principle T3, Practice T3.6)

Considerations:

  • How sensitive are the statistics and how long is the delay likely to be?
  • Has pre-release access to the statistics been restricted? Should you ask people with pre-release access not to disclose or discuss the statistics until further notice?
  • Can social media channels be used to acknowledge or apologise for the delay?

Possible corrective actions:

  • Consider emailing key users a copy of the release
  • Issue a statement on your organisation’s website alerting users to the problem
  • Consider whether there is another way to publish the release