Is it legal for a data producer to disseminate microdata files? There is no single answer to that question. Legislation under which a data-producing agency works is specific to each country and program framework. Disseminating microdata is, in some cases, a legal obligation. But in most cases, legislation will produce restrictions, not obligations, and a country’s microdata dissemination policies will be shaped by its legislative framework. It is crucial for data producers to “ensure there is a sound legal and ethical base (as well as the technical and methodological tools) for protecting confidentiality. This legal and ethical base requires a balanced assessment between the public good of confidentiality protection on the one hand, and the public benefits of research on the other. A decision on whether or not to provide access might depend on the merits of specific research proposals and the credibility of the researcher, and there should be some allowance for this in the legal arrangements.” (UNECE, Conference of European Statisticians 2007. “Managing Statistical Confidentiality and Microdata Access: Principles and Guidelines of Good Practice”)
“Data access arrangements should respect the legal rights and legitimate interests of all stakeholders in the public research enterprise. Access to, and use of, certain research data will necessarily be limited by various types of legal requirements, which may include restrictions for reasons of:
- National security: data pertaining to intelligence, military activities, or political decision making may be classified and therefore subject to restricted access.
- Privacy and confidentiality: data on human subjects and other personal data are subject to restricted access under national laws and policies to protect confidentiality and privacy. However, anonymization or confidentiality procedures that ensure a satisfactory level of confidentiality should be considered by custodians of such data to preserve as much data utility as possible for researchers.
- Trade secrets and intellectual property rights: data on, or from, businesses or other parties that contain confidential information may not be accessible for research. (...)”
[National Center for Health Statistics (NCHS). 2002. “Policy on Micro-data Dissemination”]
United Nations Fundamental Principles of Official Statistics
Since many countries referred to the United Nations Fundamental Principles of Official Statistics when setting up their legislation, it is useful to review these principles as they pertain to statistical confidentiality.
The following text is taken from United Nations Economic Commission for Europe (UNECE), Conference of European Statisticians 2007. “Managing Statistical Confidentiality and Microdata Access: Principles and Guidelines of Good Practice.”
The sixth principle governing International Statistical Activities states: “Individual data collected by statistical agencies for statistical compilation, whether or not they refer to natural or legal persons, are to be strictly confidential and used exclusively for statistical purposes.”
Any principles for microdata access must be consistent with this recommended principle or the principles contained in the NSOs’ enabling legislation. The following points should be considered for managing the confidentiality of microdata.
Principle 1: Appropriate use of microdata
“It is appropriate for microdata collected for official statistical purposes to be used for statistical analysis to support research as long as confidentiality is protected. (...)
Making microdata available for research does not contradict the sixth UN Fundamental Principle as long as the data makes it impossible to identify an individual. Principle 1 does not constitute an obligation to provide microdata. The NSO should decide whether or not to provide microdata.
There may be other concerns (e.g., quality) that make it inappropriate to provide access to microdata. Or there may be specific persons or institutions to whom it would be inappropriate to provide microdata.””
Principle 2: Microdata should only be made available for statistical purposes
“For Principle 2, a distinction has to be made between statistical or analytical uses and administrative uses. In the case of statistical or analytical use, the aim is to derive statistics that refer to a group (be it of persons or legal entities). In the case of administrative use, the aim is to derive information about a particular person or legal entity to make a decision that may bring benefit or harm to the individual. For example, some requests for data may be legal (a court order) but inconsistent with this principle. It is in the interest of public confidence in the official statistical system that these requests are refused. If the use of the microdata is incompatible with statistical or analytical purposes, then microdata access should not be provided. Ethics committees or a similar arrangement may assist in situations where there is uncertainty whether to provide access or not.
Researchers are accessing microdata for research purposes but to support this research they may need to compile statistical aggregations of various forms, compile statistical distributions, fit statistical models, or analyze statistical differences between sub-populations. These uses would be consistent with statistical purposes. To the extent that this is how the microdata are being used, it could also be said to support research purposes.”
Principle 3: Provision of microdata should be consistent with legal and other necessary arrangements that ensure that confidentiality of the released microdata is protected
“With respect to Principle 3, legal arrangements to protect confidentiality should be in place before any microdata are released. However, the legal arrangements have to be complemented with administrative and technical measures to regulate the access to microdata and to ensure that individual data cannot be disclosed. The existence and visibility of such arrangements (whether in law or supplementary regulations, ordinances, etc) are necessary to increase public confidence that microdata will be used appropriately. Legal arrangements are clearly preferable but in some countries this may not be possible and some other form of administrative arrangements should be put in place. The legal (or other arrangements) should also be cleared with the privacy authorities of countries where they exist before they are established by law. If such authorities do not exist, there may be NGOs who have a ‘watchdog’ role on privacy matters. It would be sensible to get their support for any legal or other arrangements, or at least to address any serious concerns they might have.
In some countries, authorizing legislation does not exist. At a minimum, release of microdata should be supported by some form of authority. However, an authorizing legislation is a preferable approach.”
Principle 4: The procedures for researcher access to microdata, as well as the uses and users of microdata should be transparent, and publicly available
“Principle 4 is important to increase public confidence that microdata are being used appropriately and to show that decisions about microdata release are taken on an objective basis. It is up to the NSO to decide whether, how and to whom microdata can be released. But their decisions should be transparent. The NSO web site is an effective way of ensuring compliance and also for providing information on how to access research reports based on released microdata.”