Guidance

Data Ethics Framework: legislation and codes of practice for use of data

Updated 16 September 2020

You must be aware of legislation and codes of practice that apply to your use of data. This includes knowing about:

  • legislation that applies to your proposed data use
  • how to produce statistics
  • data protection by design
  • data minimisation
  • information governance

Other important pieces of central government guidance that are helpful for using data and designing projects in the public sector include:

What the law says

Here are some important pieces of legislation that typically apply to using data. If you are unsure how relevant laws might affect your work, speak to a legal adviser within your organisation.

Personal data

If you are using personal data, you must comply with the principles of the and which implements aspects of the GDPR and transposes the into UK law. It also provides separate processing regimes for activities which fall outside the scope of EU law.

Personal data is defined in (a wider explanation is detailed in ).

Equality and discrimination

Analysis or automated decision making must not result in outcomes that lead to discrimination as defined in the .

Sharing and re-use of data

When accessing or sharing personal data, you must follow the which should be read alongside the . This code of practice is due to be updated to align with the new Data Protection Act 2018.

When accessing and sharing data under powers in Part 5 of the , you must follow the relevant codes of practice.

When re-using published and unpublished information relating to public tasks, you must follow the .

Copyright and intellectual property are often governed by combinations of statutes.

When using data, respect copyright laws and database rights, covered in part by the .

When procuring software, consider potential intellectual property constraints covered in the .

Freedom of information

Your use of data may be subject to the . You should also consider the wider publishing of datasets released following a Freedom of Information request, in accordance with the .

Sector specific legislation

Specific sectors like finance and health have further data use legislation and frameworks, including those relating to the use of non-personal data. Health research has its own drafted by the . The NHS HRA also provides specific guidance for health researchers on the new data protection principles being introduced by the .

Statistics

When using or producing statistics, you must follow the .

The provides independent and transparent ethical assurance that the access, use and sharing of public data for research and statistical purposes is ethical and for the public good. The can work with statisticians and researchers to identify potential ethical issues in their research and guide them through the .

Information governance

Organisations have a responsibility to keep both and non-personal data secure.

How personal data should be collected, stored, shared, processed and deleted is covered by the and the .

Government departments, services and public bodies set out how they use, store and share personal data - including how data subjects can exercise their rights - in their personal information charters or service privacy notices. Personal information charters contain guidance on how people can access their data, as prescribed in . See:

The Security Policy Framework requires that risk assessments are carried out to 'identify potential threats, vulnerabilities and appropriate controls to reduce the risks to people, information and infrastructure to an acceptable level'.

Information assurance (IA) helps do this by:

  • assessing the information risks
  • helping to define the appropriate measures required to reduce those risks to levels acceptable to your organisation's risk appetite
  • ensuring that contracts provide the required measures

You should engage as early as possible with your IA specialists so they can provide effective support through all stages of your work.

In many organisations information risk is overseen by a Senior Information Risk Owner (SIRO). Usually your organisation will have a risk appetite statement that sets out how information risk is managed. You should consult with your information assurance team when you need to delete data.