Sanction rules
It is important that you familiarise yourself with and comply with Statistics Denmark’s transfer and data security rules. If you do not comply with the rules, you risk suspension of you or your entire institution with Statistics Denmark. Read about our sanction rules and case processing in case of data breach., Users of Statistics Denmark’s researcher machines are responsible for complying with our transfer and data security rules. This means that you, as a user, are responsible for: , Your work on the researcher machines being compliant with Statistics Denmark’s data security rules. , Read more under Rules for working with microdata, , Transferring analysis results and materials in compliance with Statistics Denmark’s transfer rules. , Read more under Rules on transfer of analysis results, , Notifying ,
Denmark’s Data Portal immediately if you realise that you have failed to comply with Statistics Denmark’s data security or transfer rules., For more details, read Statistics Denmark’s guideline material:, Rules for data safety under the microdata schemes (pdf), Breach of the rules? This is how you handle it, If you have broken Statistics Denmark’s rules or suspect that you have, you have a duty of notification. Complying with the duty of notification in relation to breach will be considered a mitigating circumstance., Please notify both the person responsible for authorisation in your institution and
Denmark’s Data Portal; the latter by sending an email to , FSEHjemtag@dst.dk, with the following: , Your ident and the authorisation number of the institution you are associated with, Project number, if any, A description of the breach or where you suspect a breach, Date and time of the breach , If the breach involves files, for example files you have transferred, image files on your computer, in your mail box or similar, you must delete them immediately from your PC, DDP App, mail folders etc. and inform about this in your email to Denmark’s Data Portal., , Statistics Denmark’s sanction rules, If there is a breach of Statistics Denmark’s transfer rules or data security rules, Statistics Denmark can sanction users and, worst-case-scenario, entire institutions. Statistics Denmark’s sanction rules will be deployed if: , A user breaks the rules for working with microdata on Statistics Denmark’s researcher machines, for example by taking a screendump or transcribing from the researcher machine, , or, A user has transferred data with microdata, for example transferred a file with pseudonymised key variables from BOPIKOM, Note, : An isolated breach of the rules of statistical disclosure control will not result in sanctions. In case of repeated non-compliance, however, it can result in sanctions for the institution.,
Sanctions in case of breach - Assessment of severity and scope, Statistics Denmark makes decisions about sanctions. We distinguish between less severe and severe breaches: , Less severe breaches, : Thoughtless action or accident – for example identification in connection with troubleshooting, Severe breaches, : Conscious action – for example conscious attempt to identify individuals or enterprises in data , Statistics Denmark decides whether a breach is categorised as less severe or severe. In the assessment of the severity of a breach, we take the following into account:, Was it a thoughtless or conscious action?, Has the user detected the breach himself, and if so, observed his duty of notification?, In connection with transfer, : How large a volume of microdata has the user transferred?, In connection with transfer, : Has the transfer tool in DDP App been used for the transfer, and if so, has the user ignored the transfer module’s warning? , In case of isolated, less severe breaches, the sanction will target the user and the project where the breach has happened. This means that the project where the breach took place will be temporarily closed for everybody and the user’s access temporarily closed, so that he or she cannot access his or her projects. In case of severe or repeated breaches, i.e. where breaches have previously been registered on the institution number, the sanctions will be more rigorous. See the overview of sanctions below., Note, : If Statistics Denmark has previously registered a breach for an institution, breaches dating back more than 2 years will not be taken into consideration. This means that any new breaches will be handled as first-time-breaches.,
Overview of sanctions , Sanction system for the researcher scheme, , Sanction against user and project, Access is closed for user and access to the project is closed
, Sanction against institution,
Access is closed for all users and access to all projects is closed
, Occurrence, First time, Second time,
in 2 years, Third time,
in 2 years, Fourth time,
in 2 years, Less severe ,
breach, Until report can be approved*, 1-month suspension*, 3-month suspension*, Concrete, assessment*, Potential termination of the institution’s authorisation agreement, Severe breach, 3-month suspension*, 3-month suspension*,
Potential termination of the institution’s authorisation agreement and/or specific user agreement, 6-month suspension*, Concrete evaluation of the institution’s authorisation agreement and potential termination of the institution’s authorisation agreement*, Sanction system for the authority scheme, , Sanction against user , Access is closed for user , Sanction against scheme,
Access is closed for users of the scheme, Occurrence, First time, Second time
,
in 2 years, Third time
,
in 2 years, Fourth time ,
in 2 years, Less severe ,
breach, Until report can be approved*, 1-month suspension, 1-month suspension, Concrete assessment,
Potential termination of authorisation agreement, Severe breach, 3-month suspension, 3-month suspension,
Potential termination of authorisation agreement and/or user agreement, 3-month suspension, 6-month suspension,
Potential termination of authorisation agreement, * When Statistics Denmark detects a breach that comes under the sanction rules, the user and the project where the breach occurred will be temporarily suspended, until Statistics Denmark has processed the case and made a decision. This applies regardless if it is an isolated breach or repeated breaches within two years. , Statistics Denmark makes a decision based on a report and a plan that must be presented to Statistics Denmark by the institution with which the user is associated. Statistics Denmark will not commence the processing of the case, until we have received an adequate report and plan. Statistics Denmark estimates whether the report and plan of an institution is adequate or should be rewritten. , You can read more about Statistics Denmark’s case processing and the requirements to the report and the plan under ”Statistics Denmark’s case processing in connection with breach of rules - guide”., , Statistics Denmark’s case processing in connection with breach of rules - guide, When Statistics Denmark receives a notification, or we find out ourselves that a user has not complied with Statistics Denmark’s data security and transfer rules, the user in question and the project where the breach has taken place will be temporarily suspended. The suspension lasts until Statistics Denmark has received an adequate report about the incident and a plan for prevention of similar breaches in future, and Statistics Denmark has processed and decided the case., The case processing step-by-step , The process takes place in the following steps:, Step: Presentation and demand for report and plan, When Denmark’s Data Portal receives a notification, or find out themselves that a user has not complied with Statistics Denmark’s rules, the user in question and the person responsible for authorisation in the institution will be notified by email., Denmark’s Data Portal informs about the date of the suspension of the project and of the user in question, and they will request an adequate report about the incident and the scope of the breach as well as an adequate plan for preventing similar breaches in future. Both the report and the plan must be completed in the standard template provided by Denmark’s Data Portal., The person responsible for authorisation in the institution is responsible for the report and the plan being prepared and sent to Denmark’s Data Portal., Presentation and plan – demand for “adequacy”, With the demand for adequacy, Denmark’s Data Portal asks for an adequate report about the incident and the scope of the breach. By an adequate plan is meant a report and any documentation for appropriate technical, organisational and/or staff-related measures the institution has implemented in the light of the breach. The plan can consist of e.g.:, A brief account of the current rules and practice in the institution that may be relevant for the case, A presentation of what the institution has done in connection with the breach, for example, which consequences it has had for the user, A plan for what the institution is going to do to prevent similar breaches in future, It is important that it is not statements of intent. This means that the institution must account for the initiatives that they have already implemented or will implement, and describe the process behind it. Examples could be:, Has the person responsible for authorisation held a meeting with relevant stakeholders in the institution about the breach? (Indicate: Who? When? Which proposals/decisions were made?). Attach any resolution minutes., Has the person responsible for authorisation made proposals or suggested solutions to a relevant committee, the executive board, the governing body or similar? (Indicate: Who? When? What is/was on the agenda? What was decided?). Attach the agenda and/or resolution minutes., Has a decision been made in the institution to enhance for example the communication, instructional materials, code of conduct or similar? (What? How? When? Who is the target group?)., Has the institution adopted or made any other efforts to prevent similar breaches in future? (What? How? When? Who is the target group?)., If Denmark’s Data Portal estimates that the report, plan or both are inadequate, Statistics Denmark will notify you about it and request a new one., Step: The case processing in Statistics Denmark, When Statistics Denmark estimates that the report and plan we have received are adequate, Denmark’s Data Portal will prepare the case for Statistics Denmark’s Supervisory Board and Director General. You can expect the case processing to take approximately 8 working days from we receive the adequate report until we send our decision., Step: Decision, When Statistics Denmark has made a decision of the case, we send a decision letter by email to the person responsible for authorisation. The letter contains the final decision from Statistics Denmark’s Director General, including the reason for the decision and information on whether the temporary suspension of the project and the user is lifted or whether further sanctions are imposed on the user or the institution., Guides, agreements and documents in relation to data security and responsibility, Statistics Denmark’s data security rules under the Microdata schemes, Rules for data safety under the microdata schemes (pdf), Statistics Denmark’s information security and data confidentiality policy , Information security and data confidentiality policy – Statistics Denmark, Agreements (in Danish), Autorisationsaftale (pdf), Databehandleraftale (pdf), Tilknytningsaftale (pdf), Brugeraftale (pdf)
https://www.dst.dk/en/TilSalg/data-til-forskning/regler-og-datasikkerhed/sanktionsregler
