15 August 2014
FEASIBILITY STUDY REGARDING RESEARCH ACCESS TO NORDIC MICRODATA


Content

Chapter 1. Summary and recommendations
Chapter 2. Background
Chapter 3. Legal aspects
Chapter 4. National practices for researchers' access to microdata in the Nordic countries
Chapter 5. Access to Nordic microdata for research purposes - a common model of Nordic cooperation
Chapter 6. Data security - how to handle security breaches in a Nordic model of cooperation
Chapter 7. Financing (price structures)
Chapter 8. Metadata
Chapter 9. International perspective
Chapter 10. Future work

Appendices

A. National documents on national legal framework
Appendix A1 - Denmark. Data protection laws and regulations
Appendix A2 - Finland. Data protection laws and regulations
Appendix A3 - Greenland. Data protection laws and regulations
Appendix A4 - Iceland. Data protection laws and regulations
Appendix A5 - Norway. Data protection laws and regulations
Appendix A6 - Finland. Data protection laws and regulations

B. Common documents for the model of Nordic cooperation
Appendix B1 - National approval requirements
Appendix B2 - Application Form
Appendix B3 - Security agreement between Researcher and NSIs
Appendix B4 - Transfer Agreement between NSIs

C. Technical specification of the three national IT systems
Appendix C1 - The Danish remote access system
Appendix C2 - The Finnish remote access system
Appendix C3 - The Swedish remote access system

D. Price structure for researchers' use of the current three remote access systems
Appendix D1 - Price structure in Denmark
Appendix D2 - Price structure in Finland
Appendix D3 - Price structure in Sweden

E. Detailed proposal for application for funding of common metadata

F. Glossary and definitions of terms


1 Summary and recommendations

1.1 Background

In the Nordic countries there has been a long tradition of collecting data for statistical purposes from administrative systems. This tradition has led to data covering the entire national population by means of long-term data series of high quality, which are stored and used as a basis for compiling statistics. All Nordic Statistical Institutions give national researchers access to de-identified microdata, and register-based research is prominent in most Nordic countries. However, cross-Nordic register research is still very rarely carried out. Within these premises the research community has expressed a demand for improved possibilities of joint access to Nordic microdata, which could ease the efforts necessary to carry out analyses involving register data from more than one country. The mechanism should aim to make access easier as regards administrative procedures, communication and information about procedures, as well as technical and economic conditions.

At their meeting in Rosendal in August 2013, the Nordic Chief Statisticians from Denmark, Finland, Greenland, Iceland, Norway and Sweden decided that their National Statistical Institutions (NSIs) should conduct a feasibility study regarding access to Nordic microdata for research. Subsequently, the NSIs from the Nordic countries appointed a Task Force to perform this feasibility study. In this report the Task Force presents the results from the feasibility study.

The Task Force decided from the beginning to concentrate on developing a common model of cooperation for access to Nordic social microdata[1] gathered by the NSIs themselves for statistical purposes. Thus, health data and data on enterprises are not considered in this first model of cooperation. They may, however, be included later, if desired.
[1] Data on demography, education, labour market, income, earnings and living conditions (welfare indicators, social benefits, housing).

1.2 The work of the Task Force

As part of its work the Task Force has made a review of the legal frameworks for researchers' access to microdata as well as a review of national practices for researchers' access to microdata in the Nordic countries. These reviews show that the Nordic countries have a similar legal basis for giving researchers access to microdata and that legislation in all Nordic countries does make it possible to give researchers access to microdata. It also allows the transfer of de-identified data from one NSI to another under certain conditions.

The Nordic countries also have fairly similar authority structures and high levels of security in the way researchers are given access to microdata. Thus, in all Nordic countries access for researchers is only given to de-identified data and always after conducting a case-by-case evaluation of which data are needed in the research projects (the so-called principle of "need to know") as well as the risks of damaging and harming the research objects. Likewise, the review shows that the four existing remote access systems used for research (Denmark, Finland, Sweden and Greenland) keep all microdata safely behind the firewalls of the NSI, researchers have to sign comprehensive security agreements to get access, and data can only be accessed through safe, encrypted lines. Furthermore, output is logged and controlled by the NSIs in all four countries. However, some countries still use on-site access and even hand out data to researchers, but the latter ways of giving data access will probably be phased out in the years to come, e.g. Norway is making plans to implement a remote access system (the RAIRD system).

However, the review also shows some differences between the Nordic systems of research services. A conspicuous national difference is seen with regard to the legal requirements for approval needed before researchers can get access to microdata (Appendix B1). In addition, the ownership of certain social data differs between the countries. Comparable data might be owned by the NSI in one country and by separate institutions in other countries (e.g. data on sick leave), with the implication that not all NSIs are able to permit research access to these data. Thus, other institutions have to be requested to give permission to access before these data can be included in a research project. Similarly, national differences are seen regarding what is considered sensitive data that calls for approvals from ethical committees.

Differences can also be seen in how the data access systems are organised in practice. For instance, some NSIs have centralised units on Research Services to handle both the requests of researchers and the extraction of the relevant data, while others have a more decentralised way of handling these tasks.
The differences in the access systems and the different data owners, etc. make it very difficult for researchers to get an appropriate overview of the existing data, what permissions/notifications should be provided in advance and how to apply for them. In addition, differences in relevant registers and variables are not systematically and comparably documented in the Nordic countries.

These are some of the reasons why the research society has made demands for a more user-friendly system. Via NordForsk[2], they have suggested gathering Nordic register data in a Nordic Centre from where data can be accessed directly by researchers, and reducing the number of approvals needed from data protection agencies, ethical commissions and data owners. Both suggestions require legal changes in most Nordic countries, and are therefore outside the mandate of this report. Furthermore, a simplified approval process, where one body (NSI) could give permission to the use of cross-Nordic microdata, requires that all NSIs give up their sovereignty to decide who can access their national data and under which conditions. The Task Force has assessed that there is no basis for doing so for the time being.

[2] NORDFORSK is an organization under the Nordic Council of Ministers that provides funding for Nordic research cooperation as well as advice and input on Nordic research policy.

Outcome

The main outcome from the present feasibility study is a model of cooperation where certain common administrative processes and security rules are described, but where the approvals for access to data are at a national level. Together with this report the Task Force has made the following deliveries:

- A review of the legal frameworks for researchers' access to microdata (Chapter 3)
- A review of the existing possibilities for access to microdata in the six Nordic countries (Chapter 4)
- A description of the proposed common model of cooperation for data access (Chapter 5)
- A draft for a common application form (Appendix B2)
- Drafts of two essential legal documents:
  - Common Nordic security agreement between researcher and NSIs (Appendix B3)
  - Data-transfer agreement between NSIs (Appendix B4)
- Description of some common rules for handling breaches in data security (Chapter 6)
- A draft proposal for funding from NORDFORSK for common Nordic metadata related to cross-Nordic research (Appendix E)

1.4 Future work

The Nordic Task Force recommends that the output from this feasibility study is handed over to the Nordic Network for Microdata and that this network tests the model for a period of 2-3 years or, if shorter, until experience has been gained with at least 5 cross-Nordic research projects with some geographical distribution of data-hosting NSI, origin of data and researcher. The test period should be divided into the following partially parallel phases:

- A developing phase, where a short introduction as well as guidelines to the Nordic model of cooperation is prepared, including a list of relevant contact persons. The Task Force recommends that the research society is informed properly about this new possibility of cross-Nordic research projects, e.g. by posting information at key websites and sending mails and newsletters to selected Nordic communities for register research. However, since the needs and resources are different in the Nordic NSIs, the effort, intensity and dissemination strategy may differ according to national priorities.

- A monitoring phase, where upcoming cross-Nordic projects are followed continually and carefully. The aim is to have an ongoing surveillance of all new cross-Nordic projects in order to monitor the strengths and weaknesses of the model, adapt it and make additional guidelines as necessary. This means that the model of cooperation should be continuously streamlined during the monitoring phase. It is also important that price structures are analyzed carefully.

If a new EU Data Protection Directive is adopted during this period of time, the changes needed in the model of cooperation and associated documents should be made accordingly. For the future development of the model for access to Nordic microdata, it is also important to continue monitoring work done internationally. In particular, the work on a technical solution for a remote access network that is being developed might bring new ways for simultaneous access to data at different statistical institutions.

- An evaluation phase, where the experience with the joint Nordic model of cooperation is compiled. Based on these compiled experiences a new recommendation to the Chief Statisticians should be made on whether the model should continue and, if so, with which content and under which conditions.

1.5 Detailed recommendations from the Task Force

In this section the specific recommendations of the Task Force are presented. In order to give a better overview of the recommendations they are grouped into the following sections: data access, security, information to the researcher, metadata and financing.

Recommendations on data access

1. The Task Force recommends that access to Nordic microdata is given through the existing remote access systems (at the moment in Denmark, Finland or Sweden), since remote access seems to be the best way to combine a high level of data security with high usability. In brief: data never leaves the Nordic NSI system, it can only be accessed through encrypted, safe connections, it is safeguarded by our firewalls, and the researchers' output is logged and its content controlled.

2. The Task Force recommends that when access has been approved according to national laws and regulations in each country, all relevant data are extracted and de-identified by each NSI separately. Subsequently, all data should be transferred via a secure connection to one of the NSIs with a remote access system, from where all relevant researchers will be able to access these specific project data. Thus, data will never leave the safe domains of the Nordic NSIs.

Today, the Nordic countries have different requirements on how researchers may apply for access to microdata. The NSIs have different procedures and different application forms too, if any. Therefore, it seems obvious to make the process of applying for access to data more harmonized and transparent to the researchers. However, the Task Force finds it crucial that the national sovereignty to decide how researchers can get access to their microdata, and for which purpose, is kept unchanged. So, all decision-making on national data still remains within each NSI. This is considered to be especially important in order to prevent data from one country from becoming easily accessible through another country's NSI. Thus, the following suggestion is made:

3. All NSIs still have to be asked for access to their national data, but the Task Force recommends that this is done by using a common application form containing the information needed from all Nordic countries. The Task Force has made a draft for this common application form. See Chapter 5 and Appendix B2.

Recommendations on data security

The Task Force regards it as a prerequisite for providing access to cross-Nordic microdata through one Nordic NSI that data security is given the highest priority. Thus, it is important that the most necessary underlying agreements concerning data security are put in place.

4. The Task Force recommends that a common Nordic security agreement is signed by all researchers as well as each relevant NSI, that is, all the NSIs that must give access to microdata for a project. The Task Force has prepared a draft for this (see Appendix B3), which the Task Force recommends to be used during the trial period and to be further developed to suit all different legal situations, making sure that the microdata access is properly secured.

5. The Task Force recommends an agreement between the relevant NSIs on the data transfer, to ensure that there is a common understanding of the regulatory environment, including elements on data security. The Task Force has prepared a draft for this (see Appendix B4), which the Task Force recommends to be used in the future.

6. The Task Force recommends that some structures for the communication between the NSIs about data security breaches are in place. This will make it possible to deal with data security breaches instantly, firmly and in consensus. Suggestions on this are made in Chapter 6, and a reference is made to the common handling of breaches in the agreement on data transfer (see Appendix B4).

7. The Task Force recommends that all output from researchers' work on the microdata is logged and controlled by the data-hosting country. In the test period the Task Force finds that randomly sampled output control is not sufficient, although it is what is normally done for output control in Denmark and Sweden.

Recommendations on improved information for researchers

One of the basic but also vital challenges that researchers meet when they consider carrying out cross-Nordic research projects is, first, to get trustworthy information on whether the relevant data exist in all the relevant countries. What do the data precisely contain, and are data comparable between the Nordic countries? Secondly, if relevant data exist, they need to know whether it is possible to get access to these data, and how the relevant approvals can be obtained: which authorities need to be asked for permission to access the specific data? Since this may vary a great deal between the Nordic countries, a simple but still rather important step is to make it easier for researchers to get comprehensive and clear information on available data and how to get access to it.

8. The Task Force has prepared a step-by-step description, which aims to make it easier to get an overview of all steps needed in the process from start to end for a cross-Nordic register-based research project. The Task Force advises that each country evaluates the possibility of preparing further guiding material during the test period on how to apply for and get access to data for a Nordic research project. The material could include information on: what national data might be accessed for research purposes, what national data are regarded as sensitive, contact information for relevant national authorities, etc.

Recommendations regarding metadata

9. The Task Force recommends that some action is taken to develop adequate common Nordic metadata, that is, metadata explaining the precise content of registers and variables, including changes over time series. Thus, the Task Force has prepared a proposal for funding of this metadata project. The Task Force recommends that the Nordic NSIs should apply for a grant from NordForsk, possibly within the future working program of the Norianet on registers, in order to successfully complete this project[3]. The application should be finalized in close cooperation with the Nordic metadata experts.

Recommendations on financing

In the proposed model, most of the work needed to start up a project, extract the relevant data, and give guidance and support on data and documentation will still be carried out in each of the NSIs. Today, there are significant differences in the cost for comparable services in the Nordic countries. This applies to the services as well as the researchers' use of the different remote access systems. The different prices reflect the different ways work is organized today as well as the different pricing structures in the Nordic countries. Therefore, the Task Force recommends that pricing continues to be handled in a decentralised way, i.e. all costs will be calculated by and settled with the NSI providing the actual services:

10. The Task Force recommends that researchers should pay for all costs regarding start-up, extraction of data, guidance in each NSI and the accompanying metadata available according to local procedures and prices.

11. The Task Force recommends that researchers should pay for their use of the remote access system according to procedures and prices in the data-hosting country.

[3] According to Maria Nilsson, PhD, Senior adviser in NordForsk, they will have a call for establishing Nordic Registers during the autumn of

2 Background

At their meeting in Rosendal in August 2013, the Nordic Chief Statisticians from Denmark, Finland, Greenland, Iceland, Norway and Sweden decided to ask the Nordic network for microdata access to carry out a feasibility study regarding access to Nordic microdata for research.

In the Nordic countries there has been a long tradition of collecting data for statistical purposes from administrative systems. This tradition has led to data covering the entire national population by means of long-term data series of high quality, which are stored and used as a basis for compiling statistics. All the Nordic National Statistical Institutions (NSIs) give national researchers or national research institutions access to de-identified microdata within the legal framework. This situation is in contrast with many other countries in Europe, where the data disseminated to researchers are sample survey data gathered first hand from respondents.

Nevertheless, even though register-based research is very prominent in all Nordic countries, cross-Nordic research projects are seldom carried out. The biggest challenges for cross-Nordic research seem to be the different legal and administrative requirements for notifications and approvals by national authorities, as well as the lack of mutual agreements between the NSIs and of harmonized metadata.

However, the NSIs have for many years been keen to enhance the possibilities for cross-Nordic register-based research. There has also been a demand from the research community for a mechanism for joint Nordic access, which could ease the efforts necessary to carry out research involving data from more than one country. Such research is in demand, especially because it would increase the populations under observation and thus strengthen the potential to investigate hypotheses and to study rare subpopulations.
The mechanism should aim to make access easier as regards administrative procedures, communication and information about procedures, as well as technical and economic conditions.

In the present report the results from the feasibility study are presented. The NSIs from the Nordic countries appointed a Nordic Task Force to perform the feasibility study in question. Since December 2013, the Task Force has held seven meetings, six in Copenhagen and one videoconference. The present report aims to summarize the outcome of these meetings, together with some associated bilateral discussions conducted over the past months.

The Task Force decided from the beginning to concentrate on developing a common model of cooperation for access to Nordic social data gathered by the NSIs for statistical purposes. Thus, since health data are not gathered by all NSIs, they are not considered in the model of cooperation.

The main output of the feasibility study is a recommendation for a common model of cooperation, presented in Chapter 5. The present report consists of the following major sections:

(A) Mapping and analyses of the current national legal framework and research services (Chapters 3-4)
(B) Recommended model of cooperation (Chapter 5)
(C) Comprehensive explanations and considerations on central areas of the model (Chapters 6-8)
(D) Perspectives and future work (Chapters 9-10)
(E) Outlines for mutual agreements (Appendixes)

3 Legal aspects

The legislation concerning confidentiality and protection of an individual's integrity is the foundation for how access to data for research is processed by the Nordic National Statistical Institutions (NSIs). The basic European legislation currently covering data protection within the EU is the Data Protection Directive 95/46/EC. In general, the laws and regulations of relevance for researchers' access to microdata in the Nordic countries are the implementation of this EU Directive. However, national differences exist as to how the EU Directive is implemented in national laws and practices. In addition, other national legislation, e.g. Statistical Acts and/or acts about public information and secrecy, has to be complied with.

The present chapter gives a brief overview of the most important points in both the EU Directive and national laws. For more detailed information on national legislation, please consult the appendixes A1 A

The Data Protection Directive (European Parliament and Council Directive 95/46/EC)

The Data Protection Directive (European Parliament and Council Directive 95/46/EC) constitutes the foundation of data protection rules in the EU and in the individual Member States. The aim of the Directive is to remove the obstacles to the free flow of personal data within the Community, cf. Article 1 paragraph 2. However, at the same time it is also essential to protect the fundamental rights and freedoms with regard to the processing of personal data, cf. Article 1 paragraph 1. Another important point in the Directive is that, according to Article 6, personal data can only be processed for specified, explicit and legitimate purposes and may not be processed further in a way incompatible with those purposes.
According to the European Parliament and Council Directive 95/46/EC, Member States shall prohibit the processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and the processing of data concerning health or sex life (sensitive data).

The Directive was subsequently extended to all countries in the European Economic Area (EEA countries), i.e. also including Norway and Iceland. However, Greenland is considered to be a third country since Greenland is not a member of the EEA, for which reason a contract holding standard contractual clauses for the transfer of personal data to third countries (Commission Decision C(2001) 1539) will have to be approved by national Data Protection Agencies for every case of data transfer.

According to the Directive each Member State must set up a supervisory authority, an independent body that will monitor the data protection level in the Member State, give advice to the government about administrative measures and regulations, and start legal proceedings when the Data Protection Regulation has been violated (art. 28). The data controller must notify the supervisory authority before processing of data is initiated.

The EU data protection legislation is currently under revision and might be changed in the near future. It is foreseen that the new legal act will be a regulation, which implies that its rules will be directly applied as laws in all member states. Once the EU Directive/Regulation has been approved, the Nordic countries will need to adapt their national laws accordingly. How this change will affect register-based research in the Nordic countries is unknown at present.

3.2 Implementation of the Data Protection Directive in the National Personal Data Acts

All EEA countries have national implementations of the Data Protection Directive, which follow the principles of the EU Directive. Consequently, all EEA countries have the same level of minimum security regarding protection of personal information.

The EU Directive 95/46/EC is nationally implemented in the Personal Data Regulations[4], which contain provisions on the processing of personal data. In summary, the National Personal Data Act defines, among others, the general principles on the processing of personal data in such a way that the legal rights of the individual citizen with regard to protection and integrity are not violated. Furthermore, general rules for processing of personal data for special purposes, e.g. research and statistics, are described, as well as how to handle sensitive personal data, the use of the personal identity number, and the rights of the data subject.

[4] In Denmark: Danish Act on Processing of Personal Data of 2000. In Finland: The Finnish Personal Data Act (523/1999). In Greenland: Danish Act on Public Registers (1978). In Iceland: Act on the Protection of Individuals with regard to the processing of Personal Data 77/2000. In Norway: The Personal Data Act - LOV nr 31: Lov om behandling av personopplysninger (Personopplysningsloven). In Sweden: The Personal Data Act (1998:204).

Greenland has, for natural reasons, not implemented the EU Directive in its legislation. Greenland is, as a matter of fact, still using the former Danish Act on Public Registers from However, it is currently being examined for modernization in the near future.

3.3 The Statistics Act

The national Statistics Act is a general law governing the national statistical service of central government authorities. It is applied to the official statistics of central government agencies, institutions and bodies.

In some countries, e.g. Iceland, the Statistics Act specifies detailed rules and guidelines on how microdata released for research purposes should be prepared in accordance with the corresponding legal acts. This covers, among others, detailed guidelines and specific requirements for research applications, how the research data should be stored and the destruction of data at the end of the research project. In other countries, e.g. Denmark, the Statistics Act is, however, of a more general character and does not explicitly specify rules for researchers' access to register data.

3.4 Other national laws and regulations of relevance for using register data for research

In all Nordic countries, other essential national laws and regulations of relevance for researchers' access to de-identified microdata are implemented in the Act on Public Administration (DK, NO), the Act on Public Information and Secrecy Act (SE), the Act on Openness (FI) and the Act on Personal Data Filing System (NO). These acts are all general laws containing the provisions of secrecy and the duty of confidentiality limiting the rights to publish and communicate information. They are applied to the official statistics of central government agencies, as well as other authorities. For more detailed information on national Acts, please consult appendices A1 A

The penal code and administrative sanctions

When microdata are handed over or access is granted to researchers, the obligations of all the above-mentioned Acts imposed on the recipient of the information apply. Breaches of the researchers' obligations may in all Nordic countries be punishable pursuant to the national Penal Code. Breaches of obligations must be followed up by the prosecuting authority in the ordinary legal system. Although severe breaches have never happened in any of the Nordic countries, any breaches will be reported to the police in order to prosecute the offender.

In addition, all National Statistical Institutions are able to sanction researchers or institutions for breaches of the laws concerning access to microdata. Relevant sanctions are withdrawal of data for the researcher(s) and/or the other projects that the institution and/or the researcher(s) are involved in, for a specific period of time or forever. In all countries, the level of the sanctions is proportional to the extent of the breach and the damage that occurred. Breach of trust without any concrete damage is also considered serious in all countries.

3.6 Administrative adaptation of laws and regulations

All Nordic countries have to adapt their administrative system in a way which ensures that their national laws and national Acts are fulfilled.
One measure to ensure that international and national laws are followed is having a national Data Protection Agency, an independent authority that monitors data protection, gives advice to the government about administrative measures and regulations, and initiates legal proceedings when the Data Protection Regulation has been violated. If the Data Protection Agency discovers punishable violations of national laws, the Agency is authorized to issue a ban or an enforcement notice or report the violation to the police.

Another measure common among the Nordic countries is the requirement of a solid and detailed project description that has to be approved by some of the NSIs, or is used by some other NSIs as an important document in considering damage and harm as part of approving access on a case-by-case basis. Furthermore, the project description is used in the assessment of the data needed for the project, since all countries have laws stating that data access can only be allowed according to the need-to-know principle, implying that researchers can only get access to the data needed in order to fulfill their research purpose.

Furthermore, all Nordic NSIs have acts (or practices following the need-to-know principle) demanding that all data used for research have to be de-identified before they are released to the researchers, except for a few national exemptions to this general rule.

A final common administrative practice associated with the legislation is that all NSIs give high priority to data security, e.g. by signing security agreements with researchers before data are released.

Although the National legislation in many aspects seems similar, national differences also exist as regards the adaptations of laws and regulations. Thus, a Norwegian research institution planning to process microdata on persons is responsible for fulfilling the demands in the Personal Data Filing System Act, including reporting to the Data Protection Official (Ombudsman) or the Norwegian Data Protection Authority and, where relevant, receiving a recommendation from the Ombudsman or a concession from the Data Protection Authority. Most Norwegian research institutions have appointed the Norwegian Social Science Data Services (NSD) as the Ombudsman for Privacy in Research. In contrast to the complex situation in Norway, local Finnish researchers only need an approval from Statistics Finland as long as the project only holds data owned by Statistics Finland.

In most Nordic countries data concerning social living conditions are collected - often from register keepers - and controlled by the NSI. However, in Norway and Sweden several data, such as social security data, are controlled by other statistical or register authorities. This means that the researcher must apply for an approval/an exemption from the duty of secrecy to each relevant register owner before the data application can be evaluated. Normally, it is the register owner's executive body that grants exemptions.

In relation to sensitive data, national differences also exist, and special national conditions may apply, since there is no complete consensus on what exactly is considered sensitive data. Thus, some countries regard, e.g., crime data and sick leave data as sensitive data whereas other countries do not. Nevertheless, processing of sensitive data for research purposes may need special notification and approvals from National bodies responsible for research ethics, such as the Regional Ethical Review Board in Sweden.
As mentioned earlier, Greenland is considered a third country (in relation to EU and national legislation) since Greenland is not a member of the EEA. However, Statistics Greenland is not planning to store Nordic data on a server in Greenland. A project with a principal Greenlandic researcher will use the remote access system at Statistics Denmark. The contract will need to be approved by the Danish Data Protection Agency and fulfill clauses set up by the Commission Decision C (2001) 1539 (standard contractual clauses for the transfer of personal data to third countries, under Directive 95/46/EC).

An obstacle that still has to be met is that, according to the Personal Data Protection Act in Iceland, access cannot be given to foreign researchers unless they have a local representative in Iceland who is responsible for the project. However, there is a high interest among researchers and within Statistics Iceland for a Nordic cooperation on register data for research.

Among the Nordic countries, there are mainly three components that seem to have significant impact on the complexity of how the laws are administered and handled for research. These are (i) approvals needed before access to microdata can be gained, (ii) the organization and ownership of register data, and (iii) special definition and notification procedures for sensitive data. A detailed summary of the national practices for handling of the laws in relation to the use of register data for research is presented in chapter 4.

3.7 Conclusion

Based on careful evaluations of the laws and regulations, there are some obstacles within the legal framework, but the laws also contain exceptions that can be used by the NSIs to grant access to de-identified microdata concerning social living conditions to researchers in other Nordic countries. National requirements for approvals vary significantly between countries and have to be fulfilled in accordance with the National legislation. In addition, it is a prerequisite that the country receiving the microdata can guarantee an adequate level of data protection and that data are treated in accordance with the laws and regulations stipulated by each country's National laws.


4 National practices for researchers' access to microdata in the Nordic countries

All Nordic national statistical institutions (NSIs) provide access to microdata for research purposes. However, there are both differences and similarities as to how the Nordic NSIs administer the researchers' access to microdata. One of the Task Force's first tasks was therefore to create an overview of these differences and similarities in the Nordic research arrangements, with the purpose of constructing a common base to explore the possibilities for access to Nordic microdata. The present chapter presents the results of this work, focusing on the four main points listed below that the Task Force considered to have an impact on the possibilities of giving simultaneous access to Nordic microdata.

- Type of access to microdata and administration of access
  - On-site/remote access, authorization process
- Data security
  - Security agreement, sanctions by security breach, output control
- Administrative practice
  - Project application and approval, financing and support
- Metadata

4.1 Type of access to microdata and administration of access

All the Nordic NSIs give researchers access to microdata for research purposes. Table 1 below gives an overview of the countries' research arrangements: the type of access, and how the different countries administer and grant research environments and researchers access to microdata.

Table 1: Researchers' access to microdata in the Nordic countries - type of access to microdata and administration of access

| | Denmark | Finland | Sweden | Norway | Greenland | Iceland |
|---|---|---|---|---|---|---|
| Provide microdata for research? | Yes | Yes | Yes | Yes | Yes | Yes |
| Type of access to microdata | | | | | | |
| Remote access | Yes | Yes | Yes | (No) | Yes | No |
| On-site access | No | Yes | No | No | No | (No) |
| Data handed over to researcher | No | Yes | (Yes) | Yes | No | Yes |
| Administration of access | | | | | | |
| Authorization needed | Yes | Yes | Yes | Yes | Yes | Yes |
| National public companies | Yes | Yes | Yes | Yes | Yes | Yes |
| National private companies | Yes | Yes | Yes | Yes | Yes | Yes |
| Foreign research environments | Yes, if affiliated to a Danish authorized environment | Yes, on site or anonymized datasets handed over to the researcher | Yes | Yes, if affiliated to a Norwegian authorized environment | No (Yes) | Yes, if affiliated to an Icelandic authorized environment |
| Individual researcher | Yes, if affiliated to an authorized environment | Yes, on site or anonymized datasets handed over to the researcher | (Yes) 5 | No, only research environments | No (Yes) | Yes, if affiliated to an authorized environment |

Type of access to microdata

Access to microdata in the Nordic countries is provided as remote access, on-site access or by handing out microdata. At present, Denmark, Finland, Sweden and Greenland offer a REMOTE ACCESS solution for the researchers. Norway is also making plans in the coming years to offer a different kind of remote access solution, giving researchers remote access to conduct research and analyses based on de-identified data, but only the possibility to produce and see anonymous output/results. Remote access is regarded as a very secure way of giving access to microdata, since the microdata do not leave the NSI and all output can be controlled, giving the NSI the possibility to check that the rules governing data security laid down by the NSIs and the national laws are, in general, complied with.

In the Nordic countries, only Finland and partly Iceland offer ON-SITE ACCESS.
Statistics Iceland only gives on-site access if Statistics Iceland is a direct member of a research project. Denmark offered on-site access until 2008, when it was closed down because very few researchers had used this arrangement since the introduction of remote access.

5 In principle, it is Yes for Sweden, but it has never happened.

Three countries hand over microdata directly to the researcher: Norway, Iceland and Finland. Sweden uses the remote access system as standard, but in some special cases microdata are handed over to the researcher.

Administration of access

All Nordic countries approve or authorize research environments as well as researchers before access to microdata can be granted. In all countries, both private and public research environments can be granted access to microdata. All NSIs are able to give access to foreign research environments/researchers subject to certain conditions, but the terms are different:

- In Denmark the researcher has to be affiliated to a Danish research environment that is willing to be responsible for the foreign researcher's compliance with the security agreement.
- Finland gives access on-site or hands out anonymized datasets.
- In Sweden the access is evaluated case by case, and foreign researchers can be given access to microdata if working in Sweden and affiliated to a Swedish research environment (so the Swedish laws about secrecy can apply) or subject to some very special conditions in the home country. The access is given through the Mona-system in both cases.
- In Norway access for a foreign researcher can be on-site at the research institute where data are handed out, or remote from the foreign research environment, but where the microdata stay in Norway at the research environment.
- In Iceland access to microdata depends on the accreditation of the researcher by Statistics Iceland and his affiliation to an Icelandic research environment.
- In Greenland access is decided on a case-by-case basis.

4.2 Data security

One important condition for giving access to national microdata in another Nordic NSI, and thereby handing over microdata to another Nordic NSI, is that the level of security in the recipient country fulfills the requirements in the donor country. This is a legislative requirement and therefore fundamental for the possibilities of establishing a common Nordic research arrangement. Against this background, an important finding in this study is that all Nordic countries have the same high level of data security. Table 2 gives an overview of how data security is implemented in the Nordic countries.

Table 2: Measures for data security and protection of personal information

| | Denmark | Finland | Sweden | Norway | Greenland | Iceland |
|---|---|---|---|---|---|---|
| Before access | | | | | | |
| Restrictions on data | Yes, need to know | Yes, need to know | Yes, need to know | Yes, need to know | Yes, need to know | Yes, need to know |
| Security agreement | Yes, researcher and research environment sign an agreement | Yes, researcher and research environment sign an agreement | Yes, researcher and research environment sign an agreement | Yes, research environment signs an agreement | Yes, researcher and research environment sign an agreement | Yes, researcher signs an agreement |
| De-identification of data | Yes | Yes | Yes | Yes | Yes | Yes |
| Disclosure control | No | Yes, for data that are handed out | Yes | Yes | No | Yes |
| After access | | | | | | |
| Output control | Yes, random | Yes | Yes, random or complete if logins from outside Sweden | Not relevant | Yes, on suspicion | Not relevant |
| Sanctions if security agreement is broken | Yes, possibilities for administrative and legal sanctions | Yes, possibilities for administrative and legal sanctions | Yes, possibilities for administrative and legal sanctions | Yes, environment can lose eligibility to seek access to microdata or legal sanctions | Yes, possibilities for administrative and legal sanctions | Yes, possibilities for administrative and legal sanctions |

An important aspect of data security, which is also covered by the law, is to provide researchers access to only the data they need in order to complete the study in question: the need-to-know principle. The need-to-know principle applies to the population, the registers and the variables alike. As shown in table 2, all Nordic countries follow this practice.

All researchers and/or environments have to sign a security agreement before access to microdata can be granted, making sure that the researchers/environments are fully aware of the possibilities and limitations in using microdata for research and aware of the consequences if the agreement is broken.
In Sweden the security agreement is different, depending on whether the research environment is public or private/foreign (depending on whether the act on public information and secrecy is to be applied by the research environment). If the research environment is private or foreign, the security agreement needs to be legally binding.

Furthermore, Finland, Sweden, Norway and Iceland apply disclosure control by rounding or grouping the data, and no Nordic country gives researchers access to microdata with original identifiers. In all countries they are either removed or replaced by project-specific random numbers before access to data is granted.

All countries with remote access apply output control on analyses performed by researchers. However, the procedures for output control differ among the NSIs. In Finland all output is controlled before it is handed over to the researcher, whereas Denmark and Sweden have random output control after handing over the output to the researcher.

If a security breach is discovered, all countries can impose sanctions, either administrative or legal, depending on the type and severity of the security breach. The Task Force found it very important to develop some common Nordic guidelines for how to handle security breaches as a part of a Nordic arrangement. These guidelines are discussed further in chapter

Administrative practice

The Nordic countries have implemented administrative practices for researchers' access to microdata that are quite similar in many aspects but also show some differences, as is the case for the administration of data access and data security. Table 3 gives an overview of the organization, administrative practices and documentation in the Nordic countries.

With the exception of Sweden, Greenland and Iceland, the Nordic countries have centralized their research services in one unit that handles all inquiries from the researchers. All countries except Sweden have a standardized application form that the researcher must fill out.

All NSIs have implemented a process of evaluation and approval of each data request. Other National authorities must also approve a project, e.g. the National Data Protection Agency and/or the Ethical Committee, but the requirement for approval differs from country to country. In the case of a joint Nordic project, the Danish National Data Protection Agency must approve the transfer before Danish and Greenlandic microdata can be transmitted to another Nordic country. But, as concluded in chapter 3, these differences do not prevent exchange of microdata between the Nordic countries.

In all countries, the costs of the NSIs to construct tailor-made datasets for research purposes are financially covered by the researchers. Finally, all NSIs, whether organized centrally or decentrally, offer support for the researchers, both advice on the use of research data and IT support, also financed by the researchers.

Table 3: Researchers' access to microdata in the Nordic countries - organization and administrative practice

| | Denmark | Finland | Sweden | Norway | Greenland | Iceland |
|---|---|---|---|---|---|---|
| Application for project data | | | | | | |
| One centralized Research Services (RS) | Yes | Yes | No | Yes | No | No |
| Standardized application form | Yes | Yes | No | Yes | Partly | Yes |
| Approval of microdata request | | | | | | |
| By National Statistical Institution | Yes | Yes | Yes | Yes | Yes | Yes |
| By National Data Protection Agencies | Only if the project contains data not included in registers placed at Statistics Denmark | No | Yes, but only notification and with exceptions | Yes | Yes | No |
| Financing | | | | | | |
| User cost | Yes | Yes | Yes | Yes | Yes | Yes |

Support and advice (rows: Advice on use of research data; Support on IT): Yes by RS Yes by RS and IT-department Yes by RS Yes by RS and IT-department Yes - decentralized Yes by RS Yes Yes decentralized Yes centralized Yes by RS Yes No

4.4 Metadata

Except for Greenland and Iceland, the Nordic countries have documentation dealing with registers and variables, but for the major part only in their national language. In Greenland and Iceland documentation is created ad hoc for each project. Denmark and Sweden have, to a greater extent, prepared special documentation for research, while only a couple of common data files for research have been more extensively documented in Finland; see table 4 below.

Table 4: Metadata

| Metadata | Denmark | Finland | Sweden | Norway | Greenland | Iceland |
|---|---|---|---|---|---|---|
| Documentation on registers | Yes | Yes | Yes | Yes, partly | No | No |
| Documentation on variables | Yes | Yes | Yes | Yes, partly | No | No |
| Special prepared documentation for research | Yes | (Yes) | Yes | No | No | No |

Today, there exist no comparable metadata for the Nordic countries. As part of this project, the Task Force recommends applying for grants in order to create harmonized cross-country metadata for researchers; see Chapter 8.

4.5 Conclusion

The findings of this chapter show that the research arrangements in the Nordic countries have many similarities, especially, and very importantly, with regard to the handling of data security. For example, all countries impose restrictions on access to microdata according to the need-to-know principle, conduct output control and impose sanctions if a security breach has been discovered.

There are, however, also important differences in the research arrangements of the Nordic countries. An important difference is that only four countries have a remote access system, which is regarded as the most secure way to give researchers access to microdata. Furthermore, the terms of remote access differ, e.g. a foreign researcher can have access to the Danish remote access system from abroad if affiliated to a Danish research environment, while a foreign researcher using the Finnish remote access system has to work on-site at Statistics Finland.

Approvals needed for access to microdata, besides approval from the NSIs, also differ among the Nordic countries. For example, it is not a requirement in all Nordic countries that the National Data Inspection Agency must approve access to microdata for a specific project.


5 Access to Nordic microdata for research purposes - a common model of Nordic cooperation

Based on the similarities and differences in the Nordic research arrangements, the Task Force has outlined a model of cooperation for the Nordic countries that is recommended to be tested as soon as possible. The model of cooperation is based on the already existing national research arrangements, where the national differences are taken into account, and to which common standardized procedures and agreements have been added, ensuring that the legal framework in all countries is fulfilled. The model is constructed to give researchers access to microdata for research projects requiring simultaneous access to data from multiple Nordic countries in order to fulfill the objectives of the project. Below, the core elements of the model are outlined.

Projects can only have access to microdata administered by the NSIs as well as the researchers' own data 6. The model includes social data, such as demographic data, labour market data and other data concerning social living conditions. At present, the model does not take health data and data concerning enterprises into consideration.

Remote access takes place through one NSI, the data hosting NSI, and data from the other Nordic NSIs are transferred to the data hosting NSI. Data will only be available for the researcher through a secure remote access administered by a data hosting NSI, which is, at present, offered by Statistics Denmark, Finland and Sweden.

The researcher who applies for remote access to Nordic microdata, the principal researcher, must initially apply for access from the NSI in the country where the institution of the principal researcher is located, the local NSI, and from the other participating NSIs. The data hosting NSI is then determined by the local NSI in cooperation with the other possible data hosting NSIs.
The choice of data hosting NSI depends on the composition of the research group and the data applied for. The main principle is that access should be given from the country where the principal researcher is situated, if possible.

6 Iceland has no experience in combining researchers' own data with microdata from Statistics Iceland.

All datasets should be prepared and de-identified in each NSI according to their National rules for confidentiality before data are transferred to the data hosting NSI, and all researchers' output is subject to output control by the data hosting NSI prior to data delivery.

5.1 Step by step procedure

In the model of cooperation, the progress of a Nordic research project includes some basic steps, which have to be fulfilled before access to data can be established. Due to slightly different administrative rules in the Nordic countries, the order of the steps may differ. The steps are listed below and the content of each step is described in the subsequent text.

Step no. Description
(1) Approval/Authorization of researcher and/or research environment
(2) A project application for access to microdata for a specific research project is received
(3) Security agreements between researchers and data hosting NSI
(4) Approvals from national authorities
(5) Evaluations and approvals from involved NSIs
(6) National costs are calculated and contracts between principal researcher and NSIs are signed
(7) Data exchange agreements are signed between NSIs
(8) Extraction of data
(9) Disclosure control
(10) Data transfer
(11) Access to data
(12) Output control
(13) Handling of security breaches
(14) Closing the project

STEP 1: APPROVAL/AUTHORIZATION OF RESEARCHER AND/OR RESEARCH ENVIRONMENT

Access can be granted to research environments and researchers approved by all the NSIs from which data are applied for, as well as by the country where the researcher/research environment is situated. If a research environment or researcher is not already approved in a country, an approval must be granted by the NSI in the relevant country. There are different procedures for granting data access.
Thus, Norway requires authorization of the research environment, Denmark and Finland require authorization of both the research environment and the researcher, whereas authorizations/approvals in the other countries are granted to individual researchers only, or, as in Sweden, the research environment is evaluated case by case as part of the approval process for a request for microdata for a research project. Therefore, since there is no common approval process in the Nordic countries, approvals must follow the procedures of each country. But all countries from which data are applied for must approve. Since the approval process differs in the Nordic countries, a description of the research environment must be included in the standard application for access to microdata, cf. (2). Public as well as private institutions are welcome to apply for data access.

STEP 2: STANDARD APPLICATION FOR ACCESS TO MICRODATA FOR A SPECIFIC RESEARCH PROJECT - CASE BY CASE EVALUATION

For each research project, the researcher must submit an application for data access to all the participating NSIs. At each NSI, there will be a case-by-case evaluation of the project in question. It is, therefore, possible for an NSI to refuse a joint application for access to the country's microdata. If approvals are needed from other authorities, these approvals must be granted before the NSIs accept to receive the application. A list of authorities that must accept data access in each country is shown in appendix B1.

In order to facilitate the approval process in a way that ensures all national requirements will be met, a standard application form has been outlined (Appendix B2). Thus, for each project an application must, as a minimum, contain the following information:

- Title of the Project
- Principal researcher - contact person
  - Contact information on the principal researcher of the project (Title, Name, Institution, Country, Phone number and address).
- Research Group
  - Contact information on all researchers who need access to data (Title, Name, Institution, Country, Phone number and addresses).
- Research Environment
  - Description of the research environment of the principal researcher and any research institution that will be affiliated with the project, as well as name and contact information for a responsible manager of all research institutions involved. In most cases the research institution appoints the Head of the Department as their responsible manager. The description of the institution must include information on ownership (Public, Private), educational standard among the staff, as well as research experience in working with National microdata.
- Purpose of the research proposal
  - Short description of the objectives of the research project. From the description it should be clearly explained why the purpose of the project cannot be fulfilled using data from each Nordic country separately.

- Population
  - A description of the population to be studied. If the complete population is needed, it must be argued why this will improve the value of the project in contrast to only a sample of the complete population.
- Dataset to be used
  - For each Nordic country for which data are applied for, a list of subject areas to be used has to be included (e.g. Population, Housing, Social conditions, Education, Labour market, Income, etc.)
- Selection of variables
  - Based on the chosen datasets, the researchers must select the specific variables needed for the project, including the study period.
- Design and expected outcome of the study
  - A short description of the design of the study has to be included, together with a short description of the expected outcome and dissemination of the results.
- Approvals
  - Approvals from relevant authorities must be included, e.g. National Data Protection Agencies and approvals from relevant data owners, Regional Ethical Committee and National Bioethics Committee, etc. The approvals needed vary from country to country. A detailed overview can be seen in appendix B1.
- Time period
  - Period of time in which access to data is needed before the project is completed.

The application should be signed and submitted by the principal researcher to the local NSI with cc to all other involved NSIs. The NSIs will, if needed, assist the researcher in completing the project application, including the selection of the specific variables, and provide relevant documentation for the data. This can be a time-consuming task. Consequently, each NSI will charge the researcher for this service as part of calculating the total costs for the project; see Chapter 7.

STEP 3: SECURITY AGREEMENT BETWEEN RESEARCHER AND STATISTICAL INSTITUTION - DATA HOSTING NSI

The principal purpose of the security agreement is that all researchers applying for access to microdata are made aware of the confidentiality rules and regulations governing the use of microdata. All researchers applying for access to microdata therefore have to sign a security agreement that includes a pledge of secrecy (see Appendix B3 - Security agreement between Researcher and NSIs). Since it is important for all participating NSIs (those NSIs whose data will be used) to know exactly which researchers are gaining access to microdata, each NSI must approve access, by signing the agreement, not only for local researchers but also for researchers who apply from other Nordic countries. In addition, the head of the researcher's institution must also sign an agreement with all the participating NSIs. Access can only be granted if all NSIs approve access. In some countries, the security agreement is signed after the approval of access to microdata (step 5).

The agreement must, for every researcher applying for remote access, be signed by:

- Each participating NSI
- The researcher
- The head of the research environment

A draft for a common security agreement can be seen in appendix B3 - Security agreement between Researcher and NSIs.

STEP 4: APPROVAL FROM NATIONAL DATA PROTECTION AGENCIES, ETHICAL COMMITTEES AND DATA OWNERS

The researchers need to obtain all relevant approvals from national authorities before final approval by the NSIs can be granted. The National requirements for approvals differ in regard to the number of authorities that need to approve the project, the required documents that have to be submitted with the application, and whether the researcher or the NSI has to submit the application. In appendix B1 the National requirements are listed.
STEP 5: EVALUATION AND APPROVALS FOR THE MICRODATA ACCESS FROM INVOLVED NSIS

All required national approvals as well as specific variable lists have to be submitted to all NSIs for the evaluations (including the consideration of the risk of damage and harm) and approvals. Approvals are made in accordance with national laws and regulations and have to be granted at the appropriate level and in the relevant sections in each NSI. All approvals by the NSIs have to be forwarded to the data hosting NSI, where approvals will be archived. This rather complex approval procedure should also prevent access to data from one country being more easily obtained through another NSI.

STEP 6: NATIONAL COSTS ARE CALCULATED AND CONTRACTS BETWEEN PRINCIPAL RESEARCHER AND NSIS ARE SIGNED

When all needed approvals are in place and detailed variable lists have been constructed by each NSI, a price is calculated by each NSI and a contract for establishing a research dataset is signed by the researcher with each NSI. A description of the principles of financing is presented in chapter 7.

STEP 7: DATA EXCHANGE AGREEMENTS ARE SIGNED BETWEEN NSIS

Before data can be transferred between the NSIs, an agreement between all participating NSIs and the data hosting NSI must be signed, cf. appendix B4.

STEP 8: EXTRACTION OF DATA

Data are extracted and de-identified according to the national practice of each NSI.

STEP 9: DISCLOSURE CONTROL

If data are controlled for disclosure before transfer, the disclosure control follows the procedures in each NSI; see Chapter 4 for an overview of the Nordic NSIs' procedures on disclosure control.

STEP 10: DATA TRANSFER

When transfer agreements are signed, encrypted data are sent to the data hosting NSI by a secure line, e.g. FTP.

STEP 11: ACCESS TO DATA

The data for the joint Nordic project are made available in the data hosting NSI by remote access. Access to data from a joint Nordic project can only be granted from a Nordic country, and access can only be granted from the researchers' local workplaces. This means that researchers are not allowed to use the remote access from a foreign country, as is otherwise possible in Denmark.

STEP 12: OUTPUT CONTROL

Output control is a paramount tool for the NSIs to check that the rules laid down in the security agreement are kept by the researchers. In Nordic projects, the Task Force recommends that all outputs should be controlled by the data hosting NSI during the trial period. After the trial period, the output control will be revised based on the experience of the output control in the test period.
Furthermore, it must be possible to forward all the researchers' output to other participating NSIs on request.

STEP 13: HANDLING OF SECURITY BREACHES

It is important that security breaches are handled immediately and that there are some common rules for handling breaches in the Nordic NSIs.

There are two types of security breaches:

- Breach of laws, e.g. where researchers deliberately try to use microdata to identify specific persons
- Violation of the security agreement, e.g. handing over a personal password to another researcher or accessing data from a country outside the Nordic countries

No matter what kind of security breach a researcher commits, it is important that all NSIs react immediately and in consensus. Chapter 6 describes in detail how to treat security breaches in a Nordic model of cooperation. Handling of breaches is also a part of the transfer agreement between the data hosting NSI and the NSI delivering data to a specific project; see Appendix B4: Transfer Agreement between Statistics [XX] and Statistics [YY].

STEP 14: CLOSING THE PROJECT

The data hosting NSI deletes or closes the access to all the microdata of the project and informs the other participating NSIs when the deadline stated in the security agreement is reached. In Sweden, the possibilities to delete data when a research project is completed depend on the rules of archiving and thinning applicable to statistics authorities, authorities and other providers of research.

5.2 Conclusion

The model outlined makes it easier to give researchers access, from one Nordic NSI, to microdata for research projects requiring data from multiple Nordic countries. The model is based on the present national research arrangements in the Nordic countries, with some new standard procedures for handling research requests for data from several Nordic countries.

An important element of the model is that it ensures a high level of data security. In the model, data can only be accessed from an NSI with a remote access system, and a common security agreement, an application form and an agreement for exchange of data between the NSIs have been drafted. Furthermore, common guidelines for handling security breaches have been agreed upon by the NSIs.
The model also ensures a high level of cooperation and communication between the Nordic NSI s when handling a cross Nordic research project. 33/102


6 Data security - how to handle security breaches in a Nordic model of cooperation

An important precondition for a safe exchange of data within a common Nordic model of cooperation is that the Nordic NSIs have the same level of data security when giving researchers access to microdata. The Nordic countries have fairly similar legal regulations on data protection and on the purposes for which, and the extent to which, microdata may be used to shed light on scientific questions.

Microdata used for research purposes is, as a minimum, de-identified and can only be accessed through a remote access system protected by a wide range of embedded security arrangements. These include:

- procedures for the approval of researchers' as well as research projects' access to microdata
- signing of security agreements
- assignment of personal IDs and passwords
- the use of firewalls (see the appendix on the technical solutions in the three relevant countries in Appendices C1-C3)
- logging of all output created by the researchers through the research process and subsequent control of this output

Besides this, the Task Force finds it very important that breaches of data security are handled in a reassuring and uniform way regardless of which Nordic country is hosting the data for a research project.

This chapter describes what is meant by security breaches, and discusses how breaches should be handled in the common Nordic model of cooperation in order to make the model trustworthy.

6.1 Breaches

Breaches of data security happen very rarely. However, they may occur. It is, therefore, crucial that the participating Nordic countries agree on how a breach is dealt with and that relevant interventions are made quickly and in a coordinated manner.

There are two different kinds of breaches: 1) breaches of law and 2) violations of security agreements in the country where the microdata is hosted.

Breaches of law

A BREACH OF LAW is perceived as any attempted or actual identification of individual persons or individual firms, directly or indirectly. This is prohibited by law in all Nordic countries.

Breaches of law might be extremely harmful, e.g. if a researcher deliberately tries to identify specific persons in the dataset in order to use this information against the person. This is the worst-case scenario for security breaches. In such cases, the offending researcher should be prosecuted (sued) according to the law by the country where the breached data comes from as well as the country hosting the data.

However, breaches of law may in other cases be of far less harm, calling for only administrative sanctions rather than a lawsuit. This could be the case if a researcher by accident sends microdata from the remote access system to his personal computer in a form that cannot identify any actual persons. The administrative sanctions in such cases might be to exclude the researcher in question from using microdata in any of the Nordic countries for a specified period of time.

Violations of security agreements

VIOLATIONS OF SECURITY AGREEMENTS in the country where the microdata is hosted refer to situations where microdata itself is not being displayed, but existing security rules are being neglected or bypassed. This could be a researcher using the personal passwords of another researcher, or accessing the data from a country outside the Nordic countries. In these cases, the offending researcher will not be prosecuted, but immediate administrative sanctions should be taken. This would call for sanctions, such as exclusion of the researcher, the whole group of researchers working on the project or even the whole research institution of the violating researcher from the use of microdata in all Nordic countries permanently or for a period of time.

6.2 How to handle breaches within the Nordic Model

It is not meaningful to try to agree in advance on detailed sanctions for different kinds of hypothetical data breaches. Breaches and the circumstances under which they might be committed are far too diverse for this. On the other hand, the Task Force finds it both important and useful that, before the model is implemented, we agree on some important common statements of intention and on some common procedures for how breaches should be dealt with within the frames of the national laws and regulations in our Nordic Model of cooperation.

Breaches should be dealt with instantly, firmly and in Nordic consensus.

The following actions should be taken if a breach occurs:

- Whenever a breach is discovered, the data-hosting NSI immediately informs all other Nordic NSIs about the breach together with information about the relevant researcher, research institution and the research project in question.
- If the breach is discovered by another NSI than the data-hosting NSI, the data-hosting NSI must immediately be informed, and will then take action as described.
- All NSIs will instantly stop all activity related to the researcher in question.
- The data-hosting NSI will promptly ask the researcher for an immediate written explanation of the breach. A copy of this will be sent to the principal researcher of the project and to the head of the research institution to which the researcher in question is affiliated.
- All NSIs will participate in a meeting where the breach will be discussed and a common decision will be made on which sanctions should be imposed on the researcher, the research team and possibly on the research institution of the researcher as well. All NSIs are committed to follow the common decision.
- The agreed sanctions should be considered as a minimum. If any country assesses that there is a need for more strict national sanctions, they are free to impose such sanctions.
- In the case of a serious breach of law (e.g. if a researcher deliberately tries to identify specific persons in the dataset in order to use this information against the person), the offending researcher should be prosecuted (sued) according to the relevant laws. Thus, the data-hosting NSI and the NSI whose data has been offended will notify the police. The National Data Inspection Agency must also be informed of the breach.
- All NSIs implement the decided sanctions or, if there is no real content of the suspicion, the researcher's access to data is opened again.
- The data-hosting NSI informs the researcher, etc. about the common decision.

The above are the collected procedures regarding breaches that the Task Force finds important to agree on before the model is implemented. Based on these procedures, the Task Force finds it essential that the participating countries use the trial period to discuss and develop these procedures as we gain more experience with common research projects. And if a breach should happen during this period, it will of course be crucial that the breach is evaluated as described.


7 Financing (price structures)

The overall payment principle in the proposed model for researchers' access to microdata is that data are free of charge, but the researchers must cover the costs of the National Statistical Institutes (NSIs), directly or indirectly, for all the services they receive from each NSI associated with the research project in question, e.g. the time used by an NSI to extract microdata for a project.

In the proposed model, we recommend that calculations of costs for a project are handled in a decentralized manner, i.e. all costs will be calculated by and settled at the NSI providing the service.

There are national differences in the researchers' costs of using the research arrangement. This reflects the different ways work is organized today, as well as the different pricing structures in the Nordic countries. The significant price differences make it difficult to harmonize prices across the Nordic countries in the short run.

7.1 Core elements

The costs the researchers have to pay to complete a Nordic register-based research project consist of four core elements:

- Costs for the administrative work needed to start up a project in each relevant country, including relevant advice relating to this process
- Costs for data extraction in each relevant country
- Costs for advice and support on data and documentation in each relevant country
- Costs linked to the use of the remote access system in the data-hosting country, including output control

The first three core costs are all related to the process of getting data from each of the desired NSIs:

First, the payment must include the costs for the administrative work needed to start up a project, getting the relevant approvals, receiving information and guidance, etc. (Note: in some countries this work is partly subsidized by the government).

Secondly, the payment must include the costs related to the data extraction from each of the NSIs which need to provide data for a project.

Thirdly, it must include the support and advice through the whole project period from each NSI on the national data and documentation that may be attached to the data. Since this might in some cases include support and advice to foreign researchers who are not familiar with national data and documentation, it must be possible to charge the researchers for the actual time used by the NSIs (Note: in some countries this work is also partly subsidized by the government).

These three types of costs will be calculated based on local procedures and local prices. Consequently, each NSI from which the researcher needs data is paid in accordance with the time needed to fulfill the task and according to the national price structure. These prices cannot necessarily be standardized within the single country but must often be based on a case-by-case estimation. The costs will be priced by each relevant NSI, which will also send invoices to the principal researcher.

Fourthly, the researchers have to pay for use of the IT system applied in their analyses, i.e. the "Research Servers" in the data-hosting NSI. If, for example, Statistics Sweden is the data-hosting NSI, the researchers will have to pay the prices that apply to the Swedish remote access system (Mona). We also recommend that the costs of using the IT system are calculated by and settled with the data-hosting NSI.

The prices for using the three remote access systems currently available for researchers differ significantly. While this service is partly subsidized in Sweden and Denmark, researchers using the Finnish remote access system have to pay the operating costs for the use of the system. See Appendix D for further details.

These costs are likely to have an impact on where researchers want their data to be located and also on the services provided by the systems (what analysis tools are available, i.e. SAS, STATA, ...). It will, therefore, be an important future challenge, if possible, to develop more comparable price structures. However, the Task Force recommends that these differences are accepted during the test period, though it might give researchers a biased economic incentive in the decision of where their data should be hosted.

But during this period, it should be examined whether a more equal price setting might be possible in the long run, e.g. based on more equally organized research services in the Nordic countries, if the national laws allow it.

7.2 Conclusions

We recommend that all prices are, as a starting point, based completely on local procedures and local prices. Today, these prices cannot necessarily be standardized within the single country but must be based on a case-by-case estimation. Additionally, the price differences between the countries reflect different ways to organize the work and different pricing structures. Consequently, prices for services that might look comparable may differ between the Nordic countries.

The Task Force recommends that the test period of the model is used to look further into the reasons behind the different prices for services to researchers in our countries. This will, among other things, be important because it will make differences in prices more transparent and explainable to the researchers.

8 Metadata

Metadata can be thought of as any form of data whose primary function is to describe numerical data. For National Statistical Institutions (NSIs), it is possible to distinguish between two forms of metadata:

(1) Metadata concerned with the official statistics disseminated by the NSIs, which can be called macro-metadata;
(2) Metadata dealing with microdata hosted by the NSIs, which can be called micro-metadata.

These two types of metadata have different scope and are (for the most part) intended for different audiences. While the former is first and foremost intended for users of published official statistics, the latter is intended for the users of microdata, i.e. the research community. As a consequence, micro-metadata are generally more detailed than macro-metadata, as their goal is to describe data at the level of individual variables, while macro-metadata are more of an overview of the data which is used to compile the official statistics in question.

The quality and availability of micro-metadata is an important issue for researchers to be able to use microdata effectively and in order to combine or compare data from different countries. It also facilitates the communication between researchers and NSIs, for example, with regards to the application process for microdata access.

8.1 Micro-metadata at the Nordic NSIs

There is a tradition of cooperation between the Nordic NSIs with regards to macro-metadata with the aim of providing support and backing harmonized efforts for registering metadata for official statistics in the Nordic NSIs, e.g. through Nordic metadata experts, who meet approximately once every year. Other macro-metadata initiatives, which have included the Nordic NSIs (along with other European NSIs), are linked to guidelines and standards laid down by Eurostat, which has put resources and effort into designing metadata standards and reporting systems for use in the European Statistical System.

With regards to micro-metadata in the Nordic NSIs the situation is different: There is no coordination or cooperation between the countries in the construction of metadata describing microdata for research purposes. This has resulted in an un-harmonized construction of metadata, with the resulting danger that metadata from different NSIs might not be comparable, reducing the usability of data from different NSIs in cross Nordic research.

In order to rectify this problem, three main elements of cross Nordic micro-metadata would need to be addressed:

(1) The availability of micro-metadata in the Nordic NSIs varies widely. One extreme example is Statistics Denmark, which has published micro-metadata for a number of individual variables on its website, in some cases for so-called high quality variables, referring to variables for which the NSI guarantees that high quality documentation is associated with the variables. The other extreme case is Statistics Iceland, which does not disseminate any micro-metadata. The only form of micro-metadata that is currently available at Statistics Iceland is produced on a post-hoc basis, i.e. when researchers have gained access to microdata for scientific purposes, the relevant expert who is responsible for the data at Statistics Iceland constructs metadata to accompany the microdata in question. The situation in the other Nordic NSIs can be characterized as lying somewhere on this continuum, from the no-micro-metadata end of Statistics Iceland to the disseminated-on-the-web micro-metadata of Statistics Denmark. For researchers, it is also instrumental to have information on the years for which specific data is available and on the changes that have happened to the variable over time (how the data has been collected, different laws, changes in classifications, etc.).

(2) The comparability of metadata from different NSIs is currently unknown. When metadata has been constructed for microdata in the Nordic NSIs, no cooperation has existed between them and no harmonized structure has been agreed upon for their construction. It is, therefore, possible that in cases where metadata for certain variables is available from more than one NSI, a researcher would not be able to assess the similarity of the variables because the descriptions of the variables are not comparable, putting the research project in question at risk.

This would not pose a problem if the variable definitions were harmonized for all countries. This is, however, not the case. For example, in a research project that used Danish and Swedish data on second generation immigrants (descendants), it was evident that the definition of a second generation immigrant differed between the two countries. In the Danish definition a descendant is defined as a person born in Denmark whose parents (or one of them if there is no available information on the other parent) are either immigrants or descendants with foreign citizenship. If there is no available information on either of the parents and the person in question is a foreign citizen, the person is also defined as a descendant. If an immigrant changes his/her citizenship to Danish later in his/her life, his/her children will change to Danish origin. In Sweden, a descendant is defined as a child born in Sweden but with at least one parent born abroad.

Another difference that can arise is for categorical variables where the numerical values can differ between countries, for example, in the population registers. An example of this can be seen in the population registers of Iceland and Denmark. From the documentation of Statistics Denmark it is possible to see that gender has two values: 1 is for men and 2 for women. In Iceland, however, the gender variable from the national registry has four values: 1=men who have reached 18 years of age; 2=women who have reached 18 years of age; 3=men, 17 years old and younger; 4=women, 17 years old and younger. In order for the researcher to understand this difference it is imperative to have access to comparable detailed information.

(3) Microdata access in the Nordic NSIs has traditionally been granted almost exclusively to local researchers. Accompanying metadata has consequently been constructed in the language of the NSI in question. This reduces the accessibility of cross Nordic microdata to foreign researchers, as they would have to understand all the Nordic languages in order to have full understanding of the metadata.

From these three points, it is clear that an increased accessibility of researchers to cross Nordic microdata from the Nordic NSIs would be attained by ensuring the availability of English micro-metadata in the Nordic NSIs, constructed by using a common metadata framework.

8.2 Conclusions

The availability, quality and comparability of micro-metadata are essential elements for efficient and effective access of researchers to microdata. The Task Force, therefore, recommends that the Nordic NSIs should increase the availability of micro-metadata constructed by using some form of a harmonized framework. The Task Force suggests a three-stage project (with the participation of all of the Nordic NSIs, except for Statistics Norway) to reach this goal:

1) Develop the framework and finalize it;
2) Implement the framework in the business processes of the NSIs;
3) Construct and register metadata in accordance with the framework.

The Task Force recommends that the Metadata experts will supervise and cooperate. Statistics Norway will follow the work closely. But due to lack of human resources (the relevant resources are prioritized to the ongoing RAIRD-project) they will not at the present time be able to take part directly in the project.

As this is resource-heavy work for the NSIs, every effort should be made to secure funding from the research community for this project. The Task Force recommends that the Nordic NSIs should apply for a grant from NordForsk, possibly within the future working program of the NORIA-net on registers, in order to successfully complete this project [7]. The Task Force, in close cooperation with the Nordic metadata experts, will work on a proposal for funding from NordForsk for this project (a preliminary draft of this application can be found in Appendix E). The Task Force aims to have a final proposal ready to be presented to the Chief Statisticians of the Nordic NSIs in the beginning of September.

[7] Maria Nilsson will discuss the possibility for funding with the Director of NordForsk. So far the response from Maria Nilsson is positive and she suggests that NordForsk might start funding the working group activities with a small amount and then later think of how it can be funded through the NF board.


9 International perspectives

The situation in the Nordic countries, with similar statistical systems based largely on register data, possibilities to link data to produce datasets for researchers, developed practices for disseminating microdata to researchers, and similar legal frameworks, creates good possibilities for cooperation between the Nordic Statistical Institutions (NSIs) when it comes to finding ways to make access to Nordic microdata easier for researchers. The fact that researchers can have access to register-based databases, gathered on the total population in the Nordic countries, offers great possibilities for researchers, but at the same time puts pressure on the NSIs for very good data protection procedures.

Although the Task Force acknowledges these special elements of Nordic cooperation, it is also important to monitor other international initiatives dealing with developing better cross-border access to microdata for researchers. This chapter gives an overview of some of the current initiatives for increasing researchers' accessibility to microdata in different countries. Within the international projects much emphasis has been put on developing the technical aspects of access to data but also on developing better metadata and ways to have it readily available for researchers.

9.1 Eurostat

In 2012 Statistics Finland participated in the work done by the European Statistical System Committee for the purpose of developing a Commission Regulation on access to confidential data for scientific purposes. The work aimed at implementing the Regulation (EC) No 223/2009 of the European Parliament and of the Council on European Statistics as regards access to Eurostat's confidential data for scientific purposes. The Regulation takes into account new technologies and states on-site or remote access as the only ways for researchers to gain access to microdata where only direct identifiers have been omitted.

Eurostat has also looked at different measures to sanction researchers from different countries violating statistical confidentiality in the European Statistical System.

The topic of remote access to EU microdata is covered by two projects. One is an internal Eurostat project called the Vision Infrastructure Project on Secure Infrastructure for Confidential Data Access (VIP-SICON project), which is going to deliver the access server provider. The other project is the ESS-net Decentralized and Remote Access to Confidential data in the ESS, which deals with the implementation of remote access from safe centers in the NSIs to Eurostat. The projects were started in 2011 and the pilot phase is about to start. No Nordic country has participated in the projects, but Statistics Finland is interested in taking part in the pilot phase.

Eurostat has in 2012 set up a working group on ESS Security and Secure Exchange of Data. Statistics Finland and Denmark are members of this working group. The objectives of the group are to improve the communication in the European Statistical System (ESS) and within the NSIs on information security and cross national exchange of information as well as to discuss and stimulate new developments and functionalities in view of security and communication aspects. The group should, e.g., agree on the security level of shared applications, services and processes as well as on common rules, guidelines and standards for data storage/exchange/transfer in order to build mutual trust.

9.2 Data without boundaries

The EU-funded project Data without Boundaries (DwB) aims to develop new and better ways for researchers from different countries within Europe to gain access to micro-level data stored at Data Archives and Statistical Offices and Agencies. The project has been divided into 12 work packages. Four of these work packages describe somewhat similar work which is being carried out in the Nordic Task Force for Joint Microdata Access. These work packages comprise:

- WP3 Enhancing legal, information security and researcher accreditation frameworks for access to data
- WP4 Improving Access to Official Statistics Microdata
- WP7 Standards development, regarding metadata
- WP12 Implementing Improved Resource Discovery for Official Statistics Data

The objective of the DwB project's work package 4 (WP4) is to examine how existing e-technology based remote access environments may be instrumental in widening and enhancing data access across the European Research Area. The project is looking into possibilities of building a network of the different remote access systems already developed in the separate countries and providing models for simultaneous use of data from different countries. The Netherlands, England and Germany are working on a pilot for this kind of use. As a separate initiative outside of DwB, the Netherlands and Sweden are also developing and testing a pilot project for remote access networks.

DwB looks not only into possible technical solutions, but also into legislative issues and the administration structure of such a network system. Plans are for the network to be expandable into a broader network, becoming in time a harmonized system for accessing transnational data, with a harmonized metadata system, and a well-established secure and certified information system between the remote access centers.

There are 29 institutions (11 Data Archives, 10 National Statistical Institutions and 8 Research organizations) taking part in the project. From the Nordic countries the Data Archives of Denmark, Finland and Sweden and the Swedish Statistical Institute are taking part in the project. The Norwegian Data Archive is, although not a member, very active in the work packages on metadata improvements.

9.3 OECD

The OECD has recognized the increasing need of researchers to use the microdata available at statistical and other governmental organizations. In 2009 the OECD Committee for Statistics set up an Expert Group for International Collaboration on Microdata Access. The aim of the group is to facilitate National Statistical Organizations working together on practical steps to advance cross-border access and analyses of microdata, taking into account the needs of researchers and policy makers, while complying with legislative requirements for confidentiality. The OECD group is also looking into a common metadata format for describing the available microdata. Statistics Sweden, Denmark and Norway are members of the group.

9.4 IPUMS

An international example of a research infrastructure providing good metadata and microdata for researchers is IPUMS-International. IPUMS-International is a project dedicated to collecting and distributing census data from around the world. Its goals are to:

- collect and preserve data and documentation
- harmonize data
- disseminate the data free of charge.

The IPUMS project is a collaboration of the Minnesota Population Center, National Statistical Offices, and international data archives. On its web pages it is described as an effort to inventory, preserve, harmonize, and disseminate census microdata from around the world. The database currently describes approximately 480 million persons recorded in 211 censuses taken from 1960 to the present. The database includes censuses from 68 countries. No Nordic country has, however, chosen to disseminate Census data through the IPUMS site.

The IPUMS metadata catalogue gives a good idea as to how diverse and dynamic metadata of longitudinal data can be made available for research purposes, and serves as a good example of a joint metadata catalogue. The data documentation goes to variable level and presents for each country and time point the variables and codes that are used, also stating clearly the different versions of the same variable (e.g. education).

9.5 NordForsk

NordForsk initiated the project NORIA-net on Registries with the aim to increase the use of the unique data registries and biobanks in and between the Nordic countries, thereby strengthening Nordic cooperation on registry-based research. Activities within the NORIA-net have had the aim to increase coordination and accessibility of registries to the different research communities, map national working plans, as well as to investigate potential limitations (legal, ethical, political, etc.) impeding cooperation and to propose ways of overcoming these. The aim has been to coordinate activities targeting statistical authorities, data inspection boards and ethical committees. NordForsk finances research on Nordic data through the Nordic Societal Security Programme and the Nordic Programme on Health and Welfare. The final report is expected to be published in the coming months.

9.6 Conclusions

For the future development of the Nordic model for access to Nordic microdata it is important to continue monitoring work done in the mentioned projects. Especially, the work on a technical solution for a remote access network that is being developed might bring new ways for simultaneous access to data at different statistical institutions that this model should adopt.

The work already carried out within the Data without Boundaries project on metadata and the IPUMS site should give a good starting point for the metadata work proposed in this project.

The role of NordForsk and NORIA-net as an instrument for increasing the cooperation between the NSIs has been crucial. Closer cooperation in the future with NordForsk on research projects using Nordic microdata from NSIs will be fruitful. NordForsk might be able to take a leading role in coordinating agencies to develop the proposed model to include health data.

49 10 Future work 10.1 Future work in the development of the model of cooperation The Nordic Task Force recommends that the output from this feasibility study is handed over to the Nordic Network for Microdata and that this network tests the model for a period of 2-3 years or if shorter until experiences have been gained with at least 5 cross Nordic research projects with some geographical distribution of data hosting NSI, origin of data and researcher included. During that time period the consequences of the model will be monitored closely and changes in the model will be made along the way if needed. Finally, the model will be evaluated based on the gained experiences. During the test period it is recommended that certain issues need to be developed further. These are: Guidelines aimed for the research society Standardized procedures for all processes included in the model, including descriptions of code of conducts, especially regarding disclosure and output control Common metadata for research Communication between the Nordic NSI s when handling a Nordic research project Inclusion of other data, e.g. business data Furthermore, the flowing issues should be monitored: Strengths and weaknesses of the proposed model Legal changes (e.g. change of the EU Directive) Developments in price structures International work on researchers access to microdata National needs for data from other organizations that are linked to data from the NSI s It is recommended that The Nordic Network for Microdata should both develop common practices further, as well as monitor the strengths and weaknesses of the proposed model. The network should follow all new Nordic projects during the test period and discuss all relevant issues. They should meet at least once a year in order to discuss relevant issues. 
Finally, this Network should also be able to react promptly in the case of breaches and also be in dialogue with researchers in order to incorporate their experiences and wishes into the model.

Phases included in the future work

The Nordic Task Force recommends that the test period is divided into the following partially parallel phases:

- A developing phase, where a short introduction as well as guidelines to the Nordic model of cooperation is prepared, including a list of relevant contact persons. The Task Force recommends that the research community is informed properly about this new possibility of cross Nordic research projects, e.g. by posting information at key websites and sending mails and newsletters to selected Nordic communities for register research. However, since the needs and resources differ among the Nordic NSIs, the effort, intensity and dissemination strategy may differ according to national priorities.
- A monitoring phase, where upcoming cross Nordic projects are followed continually and carefully. The aim is to have an ongoing surveillance of all new cross Nordic projects in order to monitor the strengths and weaknesses of the model, adapt it and make additional guidelines as necessary. This means that the model of cooperation should be continuously streamlined during the monitoring phase. It is also important that price structures are analyzed more carefully. If a new EU Data Protection Directive is approved during this period of time, the model of cooperation and associated documents should be changed accordingly. For the future development of the model for access to Nordic microdata, it is also important to continue monitoring work done internationally. In particular, the work on a technical solution for a remote access network that is being developed might bring new ways for simultaneous access to data at different statistical institutions.
- An evaluation phase, where the experience with the joint Nordic model of cooperation is compiled. Based on these experiences, a new recommendation should be made to the Chief Statisticians on whether the model should continue and, if so, with which content and under which conditions.

Future work in the development of common Metadata

The Task Force recommends that some action is taken to develop adequate common Nordic Metadata, that is, Metadata explaining the precise content of registers and variables, including changes over time series.
The Task Force recommends that the Nordic NSIs should apply for a grant from NordForsk, possibly within the future working program of the Norianet on registers, in order to successfully complete this project. The application should be finalized by the Nordic Network for Microdata in close cooperation with Nordic experts on metadata.

Appendices


Appendix A1 Denmark - Data protection laws and regulations

1. Summary of national legislation relevant to access to microdata for researchers

The Data Protection Directive (European Parliament and Council Directive 95/46/EC) is the foundation of data protection rules in the EU and in the individual Member States. It was adopted with the aim of protecting fundamental rights and freedoms with regard to the processing of personal data. Furthermore, the aim was to remove the obstacles to flows of personal data within the Community, cf. Article 1 paragraphs 1 and 2, and the recitals.

The Directive was subsequently extended to all countries in the European Economic Area (EEA countries), i.e. the EU plus Norway, Iceland and Liechtenstein. All EEA countries have national implementations of the Data Protection Directive, which follow the principles of the EU Directive. Consequently, all EEA countries have (formally) the same level of security, and transfer of data between them is, in the Nordic countries, not considered as disclosure to a third country. Equally, there are in general the same standards for treatment of microdata in the countries participating in the Nordic research arrangement. However, Greenland is considered as a third country since Greenland is not a member of the EEA.

The Directive has been implemented in Denmark with the Danish Act on Processing of Personal Data of The Danish Act on Processing of Personal Data makes it possible that the processing of personal information taking place in Denmark could also be allowed in other Member States, if they comply with the same rules and have the same level of security as in Denmark.

Provisions of the Danish Act on Processing of Personal Data which are relevant for a research arrangement are as follows:

- Information specified in the Danish Act on Processing of Personal Data § 7, para. 1, § 8 (ethnic, political, religious background, etc.) can be processed for statistical or scientific purposes of significant public importance, see the Danish Act on Processing of Personal Data § 10 paragraph 1. A very important consequence of this paragraph is that the processing of the data for statistical purposes can be carried out without the consent of the data subject.
- Information collected for statistical or scientific purposes must not be used or processed for other purposes, cf. the Danish Act on Processing of Personal Data § 10 paragraph 2 and the Public Administration Act § 30.
- A special provision of the Danish Act on Processing of Personal Data permits information collected for statistical purposes to be disclosed for use in other statistical or scientific contexts after obtaining permission from the Danish Data Protection Agency, cf. the Danish Act on Processing of Personal Data § 10 paragraph 3.
- The Public Administration Act § 27 states that individuals who have access to microdata for research purposes are bound by professional secrecy. It also ensures that individuals, typically researchers from private companies, who are not part of the public administration, are also bound by professional secrecy. A breach of professional secrecy may be punishable by fine or imprisonment for up to 6 months (2 years in particularly aggravating circumstances) in accordance with the Penal Code § 152.
- Statistics Denmark must, as a data controller, ensure that microdata handed over to a research project is treated in accordance with the law as stipulated in the Danish Act on Processing of Personal Data § 41 paragraph 3. More specific rules for these responsibilities are set out in Executive Order No. 528 of 15 June 2000 on security measures for the protection of personal data processed for the public sector management.

Statistics Denmark will make some additional demands on the processing of the personal data, which aim to ensure that the processing is done in accordance with the treatment of microdata in Denmark, see section 2 below. When providing microdata to other Nordic countries, Statistics Denmark must ensure that similar rules apply in the recipient country.

Thus, it is Statistics Denmark's assessment that there are no legal obstacles for Statistics Denmark to participate in a Nordic joint system for access to microdata for research purposes.

2. Current requirements for access to microdata for researchers from other Nordic countries

The legal requirements for disclosure of microdata specified in Section 1, including:

- The Danish Data Protection Agency must approve the transfer of microdata to the other Nordic countries
- After the transfer from Statistics Denmark, data must only be used in the specific research project and not passed on to other projects

Statistics Denmark is controller of data received from the other Nordic countries. Access to these data has been granted by the Danish Data Protection Agency through the general permission to use register data for research purposes through Statistics Denmark's research arrangement, provided that the data does not contain information on ethnic, political or religious background.

Conditions for joint access to microdata must be approved by the Danish Data Protection Agency and Statistics Denmark, and conditions will be determined when there is a proposal for a joint Nordic model for the exchange of microdata. The following requirements therefore represent the expected requirements from the Danish Data Protection Agency and the minimum requirements by Statistics Denmark to approve transfer of microdata for research projects in the other Nordic countries.
Expected requirements of the Danish Data Protection Agency

- It will be critical to the Danish Data Protection Agency that the recipient country follows the rules of the recipient country's Act on Processing of Personal Data and acts in accordance with the security measures for protection of personal data
- An application to the Danish Data Protection Agency regarding transfer of data from Statistics Denmark to researchers from another Nordic country must be accompanied by a copy of the recipient's permission for the research project in the recipient country or, alternatively, other evidence that the access to microdata will be treated in accordance with the law of the receiving country
- Data may only be used for the specific project and not used in other scientific contexts or passed on to third parties
- Published material must be aggregated to the extent that no risk of direct or indirect identification of individuals or companies is possible
- Provided data shall be deleted after completion of the project.

In case of serious breaches of the Danish Act on Processing of Personal Data, the Danish Data Protection Agency must be notified. The breach will be reported to the police by Statistics Denmark. This also includes breaches in relation to data from the other Nordic countries.
Expected requirements from Statistics Denmark

- The researchers' access should only take place on-site at premises of the statistical institution or by an approved remote access solution, and the access must be covered by the terms and conditions applicable for the Danish entry
- The data set does not include directly identifiable information, for example, original person identification numbers, names, addresses and CVR numbers (business identification number)
- Research data sets must not leave the statistical institution
- Output is logged and checked for a randomly selected sample of outputs
- A project description must be submitted to Statistics Denmark, which states the project objectives and renders it possible to select the data required for successful project execution
- A Security agreement between researcher and NSI, stating that the researcher will comply with the security rules laid down by the NSI, must be signed, see the agreement in Appendix B3.

Appendix A2 Finland - Data protection laws and regulations

1. Summary of national legislation relevant to access to microdata for researchers

Statistics Act

The Statistics Act is a general law governing the national statistical service of central government authorities. It is applied to the official statistics of central government agencies, institutions and organs. The Statistics Act defines:

- the procedures and principles to be followed in data collection
- the processing of data and the compilation of statistics
- the confidentiality and release of data
- the obligation to provide data to Statistics Finland

Basic statistical data are confidential. Permission to use data can be granted for scientific research and statistical surveys by means of the user license procedure. Permission to use data can be given so that data enabling direct identification of the statistical unit have been removed. Statistics Finland may release data, inclusive of identification data on age, gender, education, socio-economic group and occupation, provided that the recipient of the data is entitled to collect such data by virtue of the Personal Data Act. Exceptions to secrecy are public data in the Business Register and public data describing the activity of central and local government authorities.

Personal Data Act

The Personal Data Act is based on Directive 95/46/EC on the protection of personal data. It is applied alongside the Statistics Act whenever personal data are processed. It defines, inter alia, the general principles with regard to the processing of personal data, the processing of personal data for special purposes (e.g. research, statistics), sensitive personal data, the use of the personal identity number, and the rights of the data subject.

Act on Openness of the Government Activities

Under the Act on Openness everyone has the right to obtain information from official documents in the public domain. Official documents are in the public domain unless specifically otherwise provided for. The principle of openness thus prevails in Finland. According to the Act on Openness (Act on the Openness of Government Activities) a public authority, such as Statistics Finland, must prepare and allow public access to descriptions of the information systems that are maintained by Statistics Finland, indicating the purpose of the information systems and the data contained therein, as well as their confidentiality and the grounds of these. The Act on Openness of the Government Activities stipulates that the data collected for statistical purposes are confidential. It also stipulates the expiry of the secrecy period and defines further conditions for data release.

1. Current requirements for access to microdata for researchers from other Nordic countries

Statistical authorities may release confidential data collected for statistical purposes for scientific research and statistical surveys concerning social conditions. For data collected by Statistics Finland for statistical purposes, it is always Statistics Finland (and only Statistics Finland) that makes the decision to release data and grant permission.

Permission to use data can be given for data where information enabling direct identification of the statistical unit has been removed. If the data makes indirect identification possible, Statistics Finland requires that the data be used via remote access or in the safe center, where all outputs are checked for potential disclosure. Statistics Finland wants to put more emphasis on schooling researchers to produce output where there is no risk of disclosure and thus be able to carry out output control only occasionally. For remote access an agreement has to be signed between the institution where the researcher works and Statistics Finland. In the permit for data it is stated that the researcher is obliged to follow the rules and regulations of the Research services.

There are no constraints in the Statistics Act stating that data cannot be released abroad. The Personal Data Act states that personal data may be transferred outside the EU or the European Economic Area, if the country guarantees an adequate level of data protection. From this it can be derived that releasing personal data within the EU or EEA countries is possible without special guarantees.

Statistics Finland has not so far granted permission for use of data abroad through the remote access system. We have, however, had several foreign researchers working on-site at our research laboratory, and foreign researchers working in a Finnish research institute / university have been granted permission to use data via our remote access system. Only anonymized data (data where not even indirect identification is possible) has been released abroad. Statistics Finland may release data including identification data on a person's age, gender, education, socio-economic group and occupation, but we have the principle not to release data including identifiers abroad.

Expected requirements for use of de-identified Finnish data in another Nordic Country

- access is only granted through an approved remote access system or on-site
- the researcher must have a permit from Statistics Finland to use the data
- the researcher submits an application: a permit is only given for a certain data set, for a certain project, for a certain time period to certain researchers
- the researcher commits to data protection procedures stated in the rules and regulations or in the agreement, e.g. outputs must not enable the identification of individuals, and only those who have a permit to handle the research data set may access and view the data
- output is checked (not necessarily before the researcher receives the output himself/herself)
- access to data is terminated when the researcher's permit to use the data expires (maximum 5 years)
- the researcher commits in an agreement to pay for the data
- if using the Finnish remote access system, an agreement is made with the organization where the researcher works on upkeeping a remote access connection, stating the responsibilities of the organization as well as the price for the service
- the researcher commits in an agreement to pay a monthly fee for using the remote access service

Appendix A3 Greenland - Data protection laws and regulations

1. Summary of national legislation relevant to access to microdata for researchers

§ 13 of the Greenlandic Statistical Act prohibits all disclosure of microdata. The wording in Danish is:

"§ 13. Oplysninger om enkeltpersoner eller enkelte virksomheder, som Grønlands Statistik modtager i henhold til bestemmelserne i §§ 10 og 11 må ikke videregives til andre."

(In English: "§ 13. Information on individuals or individual enterprises that Statistics Greenland receives pursuant to the provisions of §§ 10 and 11 may not be passed on to others.")

There are no exceptions to this. If we were to pass on identifiable microdata, even for research purposes, we would need to change the Statistical Act.

Today, we allow research on de-identified microdata to be carried out via remote access to a private, sealed area on our server. Tailor-made datasets can be analyzed by a researcher with a signed contract between a research institution and Statistics Greenland. Some variables can only be accessed in categorized form; for instance, income is rounded to thousands. All communication between the server and its surroundings is under surveillance. Any attempt to pass on microdata from the server violates the contract, and if it occurs the research institution will be excluded from further access immediately. Up until now, there have been no violations. We have a similar closed set-up for our law model.

In a few cases, information has been extracted from our registers. For instance, personal identifiers have been randomly selected for surveys conducted by private companies. In those cases, permission from the Danish Data Protection Agency to pass on information is needed. The permission will state under which conditions data can be passed on and set rules for storage and deletion.

In Greenland the current act on data protection is a former Danish act from It is being examined for modernization in the near future.

2. Current requirements for access to microdata for researchers from other Nordic countries

No existing guidelines. Output from this Task Force is expected to help us establish guidelines of our own. They will, to a great extent, hinge on best practices in the Nordic countries.


Appendix A4 Iceland - Data protection laws and regulations

1. Summary of national legislation relevant to access to microdata for researchers

The Statistics Act (163/2007) states that Statistics Iceland should promote the use of its data for scientific research. In order to fulfill this, Statistics Iceland can provide accredited or credible researchers access to data or deliver micro-data along with general information on individuals or enterprises to the researchers in question. The delivery or usage of these data is subject to the condition that direct identifiers for individuals or enterprises have been deleted or concealed and that measures have been taken to decrease, to the greatest possible extent, the likelihood of indirect identification.

If Statistics Iceland accepts proposals for access to micro-data regarding sensitive personal data (according to definitions in the Data Protection Act), it should be in accordance with conditions in the Data Protection Act. When dealing with health-related data, the Icelandic Data Protection Agency shall be made aware of the project in question.

The Statistics Act specifies that detailed rules and guidelines on how micro-data are released for research purposes should be prepared by Statistics Iceland in accordance with the corresponding legal acts. This covers application forms for micro-data access, the purpose of the research, the research proposal, the relationship between the research questions and the amount of data requested, how the data are stored and the destruction of data at the end of the research project.

Data Protection Act

The Data Protection Act (77/2000; based on Directive 95/46/EC), with regard to Statistics Iceland, is applied whenever sensitive personal data are processed. The law defines sensitive personal data, the rights of the individuals on whom the information is based, the obligations of the processor, and when processing of personal data is permitted, along with other related subjects.

2. Current requirements for access to micro-data for researchers from other Nordic countries

If a foreign researcher applying for micro-data access is affiliated with an Icelandic researcher (who is responsible for the use of the micro-data), access to micro-data can be accepted. This is stated in the Icelandic Data Protection Act. Currently, the situation has not arisen where foreign researchers apply for access to micro-data from Statistics Iceland.

In accordance with the Data Protection Act, foreign researchers can only be given access to micro-data from Statistics Iceland if they have a local representative who can guarantee their application. Statistics Iceland has the obligation to approve each project and each application for micro-data access. The involvement of other authorities or institutions is not needed when the data in question is hosted by Statistics Iceland.


Appendix A5 Norway - Data protection laws and regulations

1. Summary of national legislation relevant to access to microdata for researchers

General provisions for gaining access to micro-data from Statistics Norway

To get an overview of the relevant legislation for access to micro-data from Statistics Norway, EU law implemented in the Personal Data Act must be supplemented by the Statistics Act and Statistics Norway's guidelines for micro-data access, safeguarding trust in Statistics Norway and the confidentiality of statistical data.

Pursuant to § 3-1 ("The duties of Statistics Norway") of the Statistics Act from 1989, Statistics Norway shall provide information for statistical use for research purposes and for public planning within the framework of § 2-5 of the Act, which states that Statistics Norway's use of the information for purposes other than official statistics shall be approved by the Data Protection Authority. The Authority has given a general permission to Statistics Norway to provide access to micro-data for research purposes and for public planning. Pursuant to § 2-5 (2), Statistics Norway may stipulate conditions concerning access, use, storage and return/destruction, etc. of borrowed data.

Data for research purposes can be lent exclusively to approved research institutions. Researchers without formal connection to an approved research institution will not get access to micro-data from Statistics Norway. Institutions established pursuant to the Act relating to universities, university colleges and research institutions covered by guidelines for state financing of research institutions are, due to their legal basis, automatically approved to apply for access to micro-data from Statistics Norway. Other institutions must apply to be approved as a research institution before they can apply for access to micro-data. Institutions can, however, apply for access to data for specific projects without having been approved as a research institution by Statistics Norway, in cases when the research projects are financed by the Research Council of Norway, by other national or international research programs or on commission from a public institution that uses the Government's standard contract for commissioned research.

Statistics Norway keeps a list of approved research institutions, which at the moment exclusively contains Norwegian institutions. No foreign institution has so far applied to be approved as a research institution to receive micro-data from Statistics Norway.

Every micro-data loan from Statistics Norway is regulated in a written agreement between Statistics Norway and the research institution. The agreement must be signed by the head of the researcher unit and not by the researcher. Every dataset is given a unique serial number and can only be used for the purpose of a definite research project and within the stipulated project period.

Security breaches

When micro-data are handed over to researchers, the obligation of secrecy pursuant to the Statistics Act § 2-4 applies also to the recipient of the information. All researchers given access to micro-data must, therefore, sign a declaration of secrecy that is to be returned to and stored by Statistics Norway. Breaches of the obligation of secrecy may be punishable pursuant to § 121 of the Penal Code, which is also applicable when the breach is committed abroad by a foreigner. Breaches of obligations of secrecy pursuant to the Statistics Act must be followed up by the prosecuting authority in the ordinary legal system.

Statistics Norway is able to sanction researchers or institutions in the case of breaches of the duty of secrecy or other breaches of agreements concerning micro-data access. Relevant sanctions are withdrawal of data and/or blacklisting of the institution and/or the researcher(s) involved from receiving data from Statistics Norway for a specific period of time or permanently. Reporting to the police in order for them to be able to prosecute would be considered. The level of the sanctions shall be proportional to the extent of the breach and the damage incurred. A breach of trust without any concrete damage would also be considered serious.

Approvals from other national authorities than Statistics Norway

A Norwegian research institution planning to process micro-data on persons is responsible for fulfilling the demands in the Personal Data Filing System Act, including reporting to the Data Protection Official (Ombudsman) or the Norwegian Data Protection Authority and, where relevant, receiving a recommendation from the Ombudsman or a concession from the Data Protection Authority. Most research institutions in Norway have appointed the Norwegian Social Science Data Services (NSD) as the Ombudsman for Privacy in Research.

Where data are subject to confidentiality, the researcher must also apply for an approval of, or an exemption from, the duty of secrecy to each relevant register owner before the data application can be evaluated. Normally, it is the register owner's executive body that grants exemptions.

Current conditions for micro data access from Statistics Norway for institutions established in other Nordic countries

Foreign researchers can get access to data from Statistics Norway if they are formally and legally connected to a Norwegian institution fulfilling the general conditions for receiving data as described above. The data can in those cases only be processed by equipment owned and controlled by the institution responsible or by secure remote access without any local loading function.

Under the Statistics Act, de-identified data normally cannot be supplied to researchers abroad. However, case by case, when special requirements are met, a foreign research institution can get access in accordance with special provisions where a foreign national statistical authority, following a written formalized co-operation with Statistics Norway, makes data available for researchers in their own country pursuant to their own legislation and national conditions, and where their confidentiality regulations correspond to those in Norway. This procedure has so far only been used in a few cases in collaboration with Statistics Sweden and Statistics Denmark, and after an overall evaluation of the application, the other country's national law, internal guidelines and data access system.

Statistics Norway is considered to have legal authority based on the Statistics Act to receive and send de-identified micro-data for research purposes to another Nordic statistical institution.

If the general requirements for the processing of personal data given in Directive 95/46/EC are complied with, the Norwegian Data Protection Authority will not be consulted prior to transmission of personal data from Statistics Norway to the national statistical authority of another Nordic country. Likewise, Statistics Norway would not need to consult the Norwegian Data Protection Authority prior to receiving personal data from the National Statistical Authority of another Nordic country.

The researcher/the research institution would, however, need to apply for and get exemptions from the duty of secrecy from relevant register owners. If the institution is established in Norway, the necessary notifications/approvals from the Data Protection Officials/the Data Protection Authority are also needed.

Appendix A6 Sweden - Data protection laws and regulations

1. Summary of national legislation relevant to access to microdata for researchers in Sweden and other Nordic countries

Data confidentiality is guided by two major aspects, which are necessary in order to meet access requests from researchers:

1. General rules (guidelines, screening procedures, contracts, regulations and laws, etc.)
2. Technical and practical measures.

The legislation concerning confidentiality and protection of the individual's integrity establishes the criteria for providing access to microdata: it sets the limits for release of data, for example, for research purposes, and provides the legal foundation for administrative and technical safeguards. Specific legislation of importance includes the Statistics Act, the Public Access to Information and Secrecy Act and the Personal Data Protection Act. In addition, the current EU legislation on statistical confidentiality is also relevant.

The protection measures applied to confidential data obtained for statistical purposes are based on several legal acts and directives. However, it should be noted that access to statistical microdata for research or other purposes is part of SCB's duty service and not an obligation established by legislation on the use of statistical information.

In Sweden, the Statistics Act regulates the use of statistical information. Data collected for statistical purposes, in accordance with any prescribed obligation to provide information, or which is given voluntarily, should in principle only be used for the production of statistics. There are exceptions enabling access to data for research purposes and public planning. However, one condition of the use for research is that there is no incompatibility between the purpose of such processing and the purpose for which the data were collected. The processing of data, which includes release of data, must also be in accordance with the regulation concerning protection of the individual's integrity.

Besides the Statistics Act, there is a specific Personal Data Act that applies to the production of statistics and the release of microdata. The Act is based on the Data Protection Directive and contains rules about the fundamental requirements concerning the processing of personal data. These demands include, inter alia, that personal data may only be processed for specific, explicitly stated and justified purposes.

Very stringent rules apply to the processing of sensitive personal data. They may be processed for research and statistics purposes, provided the processing is necessary and the public interest in the project manifestly exceeds the risks of violation of personal integrity. Furthermore, processing of sensitive data for research purposes needs approval. A scientific project involving processing of sensitive personal data is subject to notification to and approval by the Data Inspection Agency before such processing can commence. This applies to all surveys, whether conducted by a public administration, individuals or enterprises.

In Sweden, the approval of the National Data Inspection Agency is not necessary if a research committee has approved the processing. If the research committee approves the processing, personal data may be provided to be used in research projects, unless otherwise provided by the rules on confidentiality. This implies that SCB may take other issues into consideration even if the research committee has approved the processing of data.

Data obtained for statistical purposes are declared confidential when they allow statistical units to be identified, directly or indirectly, thereby disclosing individual data. Anonymous data can also be considered confidential. Statistical data are confidential irrespective of their source. Moreover, data taken from public administrative sources are confidential while they are in the possession of SCB. The confidentiality rules are the same irrespective of whether data concerns individuals or enterprises.

In accordance with the main rules, access may be granted in forms which do not allow direct or indirect identification of people or other data subjects such as enterprises. Confidential data may be released to a third party for the purpose of statistical surveys and scientific research. According to the legislation in Sweden, statistical data may even be released with identification data for these purposes. One condition is that access to confidential data for statistical or research purposes must not cause any damage or be detrimental to the data subjects. In practice, this means that SCB only provides access to anonymous data or de-identified data. When data have been collected through a voluntary survey, respondents must give consent to the release of the data.

It is entirely SCB that decides whether data may be released for research purposes. In Sweden, it is not possible to impose restrictions when data are released to another agency. Therefore, it is important for SCB to take into consideration whether the data will be treated as confidential, according to the Public Access to Information and Secrecy Act, also by the agency receiving data. If not, anyone who so desires could have access to the data because of the agency's obligation under Chapter 2 of the Freedom of the Press Act to provide personal data that are not confidential. For that reason, there are rules providing that confidentiality accompanies data to another agency in special situations; for instance, if an agency, for research purposes, receives information from another agency where the data are confidential, the confidentiality will apply also within the receiving agency.

Appendix B1 National approval requirements

This appendix contains a list of approvals needed before the NSI's can accept an application for data access.

Denmark

1) Data are hosted by another NSI
   a. All data are owned by Statistics Denmark
      - Approval from the Danish Data Protection Agency (has to be submitted by Statistics Denmark and needs to include a project description and security agreements)
      - Approvals from all NSI's involved
   b. Both data from researcher and Statistics Denmark
      - Approval for the use of external data: the Danish Data Protection Agency (has to be submitted by the researcher before own data are transferred to Statistics Denmark and needs to include a project description)
      - Approval for use of data owned by Statistics Denmark: approval from the Danish Data Protection Agency (has to be submitted by Statistics Denmark and needs to include a project description and security agreements)
      - Approvals from all NSI's involved
2) Data are hosted by Statistics Denmark
   a. All data are owned by Statistics Denmark
      - Approvals from all NSI's involved
   b. Both data from researcher and Statistics Denmark
      - Approval for the use of external data: the Danish Data Protection Agency (has to be submitted by the researcher before own data are transferred to Statistics Denmark and needs to include a project description)
      - Approvals from all NSI's involved

Finland

1) Data are hosted by another NSI
   a. All data are owned by Statistics Finland
      - A notification of the research data set should be sent to the Data Protection Agency
   b. Both data from researcher and Statistics Finland
      - Before issuing the approval, Statistics Finland makes sure that the subjects who have given their information to the researcher know that the information will be linked to register data (informed consent)
   c. Other special conditions
      - None
2) Data are hosted by Statistics Finland
   a. All data are owned by Statistics Finland
      - A notification of the research data set should be sent to the Data Protection Agency.

   b. Both data from researcher and Statistics Finland
      - Before issuing the approval, Statistics Finland makes sure that the subjects who have given their information to the researcher know that the information will be linked to register data (informed consent).
   c. Other special conditions
      - None

Greenland

2) Data are hosted by another NSI
   a. All data are owned by Statistics Greenland
      - Approval from the Danish Data Protection Agency (has to be submitted by Statistics Greenland and needs to include a project description and security agreements)
      - Approvals from all NSI's involved
   b. Both data from researcher and Statistics Greenland
      - Approval for the use of external data: the Danish Data Protection Agency (has to be submitted by the researcher before own data are transferred to Statistics Greenland and needs to include a project description)
      - Approval for use of data owned by Statistics Greenland: approval from the Danish Data Protection Agency (has to be submitted by Statistics Greenland and needs to include a project description and security agreements)
      - Approvals from all NSI's involved
   c. Other special conditions
      - As Greenland is considered a third country with respect to EU directive 95/46/EC, a contract following the Commission decision C(2001) 1539 has to be agreed upon and approved by the Danish Data Protection Agency

Iceland

2) Data are hosted by another NSI
   a. All data are owned by Statistics Iceland
      - Approval from Statistics Iceland is needed
   b. Both data from researcher and Statistics Iceland
      - Until now, data from Statistics Iceland have not been used for linking with data collected by the researcher. This has not been tested, but using a remote access system should be sufficient for a permission to link the researcher's own data with data from Statistics Iceland
   c. Other special conditions
      - In the case of sensitive data, the Icelandic Data Protection Agency will be notified of the research project
      - Health data are also a special condition which would require an approval from the Icelandic Directorate of Health

Norway

1) Data are hosted by another NSI
   a. All data are owned by Statistics Norway
      - Where data are subject to confidentiality due to a Norwegian legal provision, the researcher must attach the request for data and the approval (exemption from the duty of secrecy) from the administrative authority having the legal ownership of the relevant data ("the register owner")
      - Approvals from all NSI's involved
      - The host NSI must ensure that the data access is in compliance with national rules implementing the EU directive 95/46/EC. Statistics Norway requires from the research institution a copy of the notification/approval from its country's relevant authority according to national law implementing the Data Protection Directive. As an example: in the event that a Finnish institution wants access to Norwegian data through Statistics Denmark, an approval from the Finnish data protection authorities will be needed
   b. Both data from researcher and Statistics Norway
      - Where data are subject to confidentiality due to a Norwegian legal provision, the researcher must attach the request for data and the approval (exemption from the duty of secrecy) from the administrative authority having the legal ownership of the relevant data ("the register owner")
      - If data from the researcher are to be merged with data from Statistics Norway, a copy of the information provided to the respondent on how the researcher's data are to be used must be provided (informed consent)
      - Approvals from all NSI's involved
      - The host NSI must ensure that the data access is in compliance with national rules implementing the EU directive 95/46/EC. Statistics Norway requires from the research institution a copy of the notification/approval from its country's relevant authority according to national law implementing the Data Protection Directive. As an example: in the event that a Finnish institution wants access to Norwegian data through Statistics Denmark, an approval from the Finnish data protection authorities will be needed
   c. Sensitive data are included
      - Where data are subject to confidentiality due to a Norwegian legal provision, the researcher must attach the request for data and the approval (exemption from the duty of secrecy) from the administrative authority having the legal ownership of the relevant data ("the register owner")
      - Approvals from all NSI's involved
      - The host NSI must ensure that the data access is in compliance with national rules implementing the EU directive 95/46/EC. Statistics Norway requires from the research institution a copy of the notification/approval from its country's relevant authority according to national law implementing the Data Protection Directive. As an example: in the event that a Finnish institution wants access to Norwegian data through Statistics Denmark, an approval from the Finnish data protection authorities will be needed.

   d. Other special conditions
      - Statistics Norway requires adequate documentation to assess the applicant's mandate and the organization of the institution's research activity

Sweden

1) Data are hosted by another NSI
   a. All data are owned by Statistics Sweden
      - Only approval from Statistics Sweden
   b. Both data from researcher and Statistics Sweden
      - Information on how the study persons have been informed about how the researcher's data are to be used, including the use of register data (informed consent)
   c. Sensitive data are included
      - Approval of the research project from an ethical perspective; in Sweden this approval is given by the Regional Ethical Review Board
   d. Other special conditions
      - If register data from another authority: approval to give access to micro data from that authority
2) Data are hosted by Statistics Sweden
   a. All data are owned by Statistics Sweden
      - Approval from Statistics Sweden
      - Approvals from all NSI's involved
   b. Both data from researcher and Statistics Sweden
      - Information on how the study persons have been informed about how the researcher's data are to be used, including the use of register data (informed consent)
   c. Sensitive data are included
      - Approval of the research project from an ethical perspective; in Sweden this approval is given by the Regional Ethical Review Board
   d. Other special conditions
      - If register data from another authority: approval to give access to micro data from that authority

Appendix B2 Application form for Nordic Research projects

Reference number:
Date:

TITLE OF THE PROJECT
Please specify project title.

PRINCIPAL RESEARCHER CONTACT PERSON
Contact information on the principal researcher of the project (Title, Name, Institution, Country, Phone number and address).

RESEARCH GROUP
Contact information on all researchers who need access to data (Title, Name, Institution, Country, Phone number and addresses).

RESEARCH ENVIRONMENT
Description of the research environment of the principal researcher and any research institution that is to be affiliated with the project, as well as name and contact information for a responsible manager of all research institutions involved. In most cases, the research institution appoints the Head of the Department as their responsible manager. In the description of the institution, information on ownership (Public, Private), educational standard among the staff as well as research experiences in working with National microdata must be included.

PURPOSE OF THE RESEARCH PROPOSAL
Short description of the objectives of the research project. The description should clearly explain why the purpose of the project is improved using data from each Nordic country separately.

POPULATION
A description of the population to be studied. If the full population is needed, it must be argued why this will improve the value of the project in contrast to only a sub-sample of the full population.

DATASET TO BE USED
For each Nordic country for which data are applied, a list of subject-areas to be used has to be included (e.g. Population, Housing, Social conditions, Education, Labour market, Income, etc.), including time series for the data.

VARIABLES
Please include a list of specific variables needed for the project. National Statistical Institutions will assist in the selection of their National variables.

DESIGN OF THE STUDY
A short description of the design of the study has to be included, together with a short description of the expected outcome of the study.

DISSEMINATION OF THE RESULTS
Please specify the planned dissemination of the results (Names of Scientific Journals, etc.).

APPROVALS
Approvals from relevant authorities must be included, e.g. National Data protection agencies and approvals from relevant data owner, Regional Ethical Committee and National Bioethics Committee, etc. The approvals needed vary from country to country. A detailed overview can be seen in Appendix B1. Please list and attach all approvals/notifications.

REGISTER YEAR(S)
Please specify register years needed for the project.

ACCESS POINT
As a general rule data will always be hosted in the country of the principal research institution, except for Icelandic, Greenlandic and Norwegian research projects, where data will be hosted by Finland, Sweden or Denmark.

ACCESS TIME
Period of time for which access to data is needed.

RESEARCH PLAN
A detailed research plan needs to be appended. Please specify the name of the document.

SIGNATURES AND DATE: The principal researchers

SIGNATURES AND DATE: The head of the research environment

Appendix B3 Security agreement between Researcher and NSI's

[Text in red placed in square brackets has to be filled in with relevant information for the specific project].

AGREEMENT between Statistics [Insert name of NSI] and [Insert name of the researcher] has been concluded on access to selected de-identified datasets for research purposes in relation to the project [Insert reference number and title of the specific project].

Access will be given for the following time period: [Insert start and end date]

The agreement is subject to the following terms:

1. The data sets to which access is given shall be treated as confidential information in accordance with [Insert relevant laws].
2. Data may only be used for the specific project and not used in other scientific contexts or passed on to third parties.
3. Access to data will be granted through a secure on-line remote access to [NSI].
4. Access to data can only take place from the researcher's workplace. It is not allowed to access data from a foreign country.
5. Processing of the data may only be conducted from [Insert the research environment for which the authorisation has been granted] to a computer [linked up to NSI via a secure remote on-line access to NSI-line].
6. Connection shall be completely turned off or disconnected when the computer is not used, i.e. protected against unauthorized use.
7. Passwords, which are supplied by [NSI] for the project, are strictly personal and shall not be passed on to any third party.
8. Access is only granted to data with de-identified variables. The data set does not include directly identifiable information, for example, original person identification numbers, names, addresses and CVR numbers (business identification number).
9. Basic data as well as derived data sets shall not, either directly or indirectly, be downloaded or printed.
10. All transfers of output (tables, analytical results), etc. for printing or for further statistical processing shall only take place in accordance with the guidelines and methods determined by [NSI].
11. A logging of these transfers is conducted by [NSI] and all outputs are controlled by [NSI] on a regular basis.
12. Confidential data shall not be printed, including data at the level of individuals or firms, and all outputs shall be aggregated in such a manner that identification of individual persons or individual firms directly or indirectly is impossible. Attempts at identifying individual persons or firms are not permissible.
13. If the project is completed before deadline, it is the duty of the researcher to inform the [NSI].
14. No information from the project in which it is possible to identify an individual person or individual firm may be published.
15. Published information from the project shall be submitted to [all NSI's that have provided data for the project for scrutiny].

A breach of the provisions of this agreement will imply that access to the data is immediately denied. Furthermore, the person who has signed this agreement will in future be excluded from using any of the research schemes of National Statistical Institutions in the Nordic countries [or at least all NSI's that have provided data]. In the case of minor breaches, the person will be excluded from services provided by Statistical Institutions in the Nordic countries temporarily.

This agreement may be terminated by either party at 3 months' notice.

Signatures and date:

The researchers
The head of the research environment
Participating NSI

Appendix B4 Transfer Agreement between Statistics [XX] and Statistics [YY]

AGREEMENT

Text in red placed in square brackets has to be filled in with relevant information for the specific project.

1. Parties to the agreement

Statistics [XXX] and Statistics [YYY]

2. Definition of the duties

Statistics [XXX] will provide de-identified datasets for [Insert reference number and title of the specific project] to be kept and made available to the researchers in the project through a secure on-line remote access [at Statistics YYY]. Statistics [XXX] will provide information on the terms governing the use of the dataset (accredited users, termination date of project).

3. Conditions

The delivered datasets may not be used for any other purpose than the above mentioned. The datasets can only be handled at Statistics [YYY] by [named persons involved in the technical maintenance of data files on the remote access system]. The researcher's access to the data files will be terminated in accordance with the information submitted by Statistics [XXX]. Statistics [YYY] will destroy the dataset (and all safety copies made of it) within one year after the permit to use the data has expired.

4. Terms of delivery

The datasets will be sent via [Specify] secure file transfer.

5. Special conditions for remote access

Access will only be allowed from the researcher's work computer. Statistics [YYY] will monitor that the security agreement for the use of remote access is followed. Statistics [YYY] is obliged to inform Statistics [XXX] of any changes concerning data security measures of the remote access system. All outputs will be logged by Statistics [YYY].

6. Output control

Statistics [YYY] performs output control on all outputs sent home by the researcher. Outputs made by the researcher will be sent to Statistics [XXX] for disclosure control on demand.

7. Handling in the case of breaches

If a breach is discovered, Statistics [YYY] (the data-hosting NSI) will immediately inform all other participating NSI's about the breach, together with information about the relevant researcher, research institution and the research project in question. If the breach is discovered by a secondary NSI, Statistics [YYY] must immediately be informed, and will then take action as described.

In the case of a breach by a researcher the following actions will be taken:

- Statistics [YYY] will instantly stop all activity related to the researcher in question.
- Statistics [YYY] will promptly ask the researcher for an immediate written explanation of the breach. A copy of this will be sent to the principal researcher of the project and to the head of the research institution to which the researcher in question is affiliated.
- All NSI's will participate in a meeting where the breach will be discussed and a common decision will be made on which sanctions should be imposed on the researcher, the research team and possibly on the research institution of the researcher as well. All NSI's commit to follow the common decision. The agreed sanctions should be considered as a minimum. If any country assesses that there is a need for stricter national sanctions, it is free to impose such sanctions.
- In the case of a serious breach of the law (e.g. if a researcher deliberately tries to identify specific persons in the dataset in order to use this information against the person), the offending researcher should be prosecuted (sued) according to the relevant laws. Thus, Statistics [YYY] and the NSI whose data were involved in the breach will notify the police. The National Data Inspection Agencies must also be informed of the breach.
- All NSI's implement the decided sanctions or, if the suspicion proves to be without real content, the researcher's access to data is opened again.
- Statistics [YYY] informs the researcher, etc. about the common decision.

This agreement is subject to Statistics [XXX] general delivery terms concerning information service agreements.

Contact person of Statistics [YYY]
Contact person of Statistics [XXX]

This agreement is made out in two (2) copies, one for each party.

STATISTICS [YYY]                     STATISTICS [XXX]
Place xx.xx.20xx                     Place xx.xx.20xx
Name clarification, Position         Name clarification, Position
Name clarification, Position         Name clarification, Position

Appendix C1 Description of the Danish remote access system

The Danish remote access system was implemented in [year missing in source]. The underlying principle of the remote access system is that researchers can handle confidential data for which they have obtained a permit through a secure connection to a server at Statistics Denmark. The researcher can access the de-identified micro data on the remote desktop and perform analyses with the help of the programs available, but cannot copy the data from the system.

1. Location for remote access

Remote access can take place from anywhere in Denmark. See figure below:

Statistics Denmark opens its firewall to connections from all Danish-owned IP-addresses. Direct connections from outside Denmark are not allowed. Users outside Denmark will then have to log on via a server belonging to the (Danish) Institution that has signed the security agreement (see figure below):

Statistics Denmark requires that the remote use workstation's data security updates, as well as the virus and firewall protection, must be up-to-date.

2. Network connections and encryption

The remote access system is based on a number of Microsoft Windows servers. The servers are placed within Statistics Denmark's environment. The remote access system is running on Windows Server 2008 Standard (64 bit). The servers make up a separate network isolated from the Statistics Denmark network area. The clientless remote access F5 FirePass SSL VPN Solution, based on tokens, is responsible for connection to the system from the Internet. The system's data communication passes along the normal Internet connections of Statistics Denmark and the traffic is encrypted between the user and the system with the HTTPS protocol. The users connect to the system by means of Microsoft Remote Desktop.

3. User authentication and user rights

Access to micro data can be granted to researchers and analysts from research environments approved in advance by Statistics Denmark. Authorizations can be granted to public research and analysis environments (e.g. in universities, sector research institutes, ministries, etc.) and to research organizations as part of a non-profit foundation. Within the private sector, the following user groups can be granted authorization if they have a stable research or analysis environment (with a responsible manager and with a group of researchers/analysts):

1. Non-governmental organizations
2. Consultancy firms
3. Enterprises. However, single enterprises cannot have access to micro data with enterprise data.

In order to grant an authorization, Statistics Denmark will evaluate the proposed organization carefully and, especially when it is an organization or firm within the private sector, Statistics Denmark takes the credibility of the applicant into consideration (among others, ownership, educational standard among the staff).

Statistics Denmark will not grant authorization to single persons. The authorized environment must submit an application for data access for each research project, and Statistics Denmark decides, on a case-by-case evaluation, whether the data access can be approved. Access to data is given according to a so-called need-to-know principle, implying that researchers can only get access to the data needed to fulfill their research purposes and that the data must only be used for the purpose accepted in the decision.

The user is e-mailed a user id and a password. The user logs on to the remote access system from the user's own workstation, using the Remote Desktop Connection. The user needs to log in to Internet Explorer, from which he is transferred to the TS Web Access service. The user enters his username and password, after which the system prompts the user for a code, which he receives by text message to a pre-agreed mobile phone. The code can only be used once, and it is received as a flash message and will not be saved on the phone. Alternatively, the researcher can read a user code from a personal Entrust token provided by Statistics Denmark; the code is changed every other minute. All log-ons to the research server are monitored and logged.

4. Managing access to data

The Application servers share a common File server. Each research project has its own area on the File server, to which the members of the project are included. After the user has logged on to F5 FirePass with a user-specific Username, the user opens a Remote Desktop and logs on to a Frontend server with a user- and project-specific Username. From the Frontend server the user logs on to one of the Application servers. After this, the virtual desktop access opens up for the user and the stripped-down desktop view of the Windows 2008 Server operating system is displayed. All the necessary programs and folders have been stored as icons on the user's desktop. The user cannot manually edit this view and does not have access to other applications than those displayed on the desktop. File transfers between the user's different projects are blocked.

Each research project has a working directory into which the researchers who have a permit to handle the project's data are allowed to write. In the directory, users can set up their own work folders as well as share files with other users within the same project. For outputs meant to be mailed home by the system, there is a separate output folder. The system automatically sends mails out every five minutes. All output is logged. In addition, metadata are incorporated in their own folder.

All data transfers into the remote access system are handled by personnel at the research services or the IT-support at Statistics Denmark.

When the researcher stops working he can either disconnect from the system or log out of the session. When disconnected, the applications that were open still remain open. Thus, the user can leave long-lasting runs running in the system without having to keep the connection open. In addition, the connection is automatically terminated if the user is not active within a particular time period. When logging off, in turn, the applications that have been opened will close.

5. Storing files

The update and backup services are part of Statistics Denmark's normal maintenance routines. Backups of the contents of the file server are copied weekly.

6. Output control

According to the obligation to maintain secrecy, the researcher must ensure that the research results contain no unit-level data or possibility of their disclosure. Researcher services apply a random screening process of all files mailed out by the researcher, which ensures the implementation of data protection in the print-outs produced by the researcher from the data.

7. Data and software

Research data are usually delivered in SAS 7 format (.sas7bdat). The data can be transferred into the desired format using the Stat/Transfer software. The following software is available in the system:

Statistical programs:
- SAS 9.3
  SAS 9.3, TS1M2 64-bit
  o Base SAS software
  o SAS/STAT 12.1
  o SAS/GRAPH
  o SAS Workspace Server for Local Access
- Stata/MP 13.1 for Windows 64-bit x86-64 (limited number of users)
- IBM SPSS Statistics Version 19 for Windows, Release (limited number of users)
- Gauss for Windows (graphical), Kernel Rev , GUI Rev bit
- Gauss (command-based), Rev bit
- Gaussx for Windows bit
- Gauss 9
- WPS Workbench, version
- WPS 3
- aml, version 2.09
- GAMS Integrated Development Environment, version
- LatentGOLD version
- Mplus Version 6.12 Demo
- SCD/DIGRAM, Version
- SPSSToDigram
- R, version (64-bit)
- R, version (64-bit)
- R, version (64-bit)
- Rstudio Version
- SPAD

File converting programs:
- Stat/Transfer (graphical), Version
- Stat/Transfer (command-based), Version

Programs for file compression:
- WinZip, version 11.0 (7313)

Microsoft:
- Microsoft Calculator, Version 6.1 (7601)
- Microsoft Wordpad, Version 6.1 (7601)
- Microsoft Paint, Version 6.1 (7601)

Word processors:
- GNU Emacs, version
- gvim - VIM - Vi IMproved, version 7.1
- Tinn-R, version
- MiKTeX TeXworks, version r.857 (MiKTeX 2.9)
- MiKTeX Previewer, Yap - Yet Another Previewer

Statistics Denmark does not offer support for the applications in use.

8. Hosted servers

If the research environments wish to have their own server, Statistics Denmark allows the environment to host their server for an annual fee.


81 Appendix C2 Description of the Finnish remote access system The Finnish remote access system was implemented in The underlying principle of the remote access system is that researchers can handle confidential data for which they have obtained a permit through a secure connection to a server at Statistics Finland. The researcher can see the micro data on the remote desktop and performs analyses with the help of the programs available, but cannot copy the data from the system. 1 Location for remote access Remote access use must take place from the premises of the customer who has signed the user license. Remote access can only be made from the IP address specified by the customer. The organization fills out a form stating the data protection procedures of the organization and describing the physical work environment of the researchers who obtain remote access. Statistics Finland checks that they are in compliance with the terms of use. Statistics Finland requires that the remote use workstation's data security updates, as well as the virus and firewall protection must be up-to-date. 2. Network connections and encryption The remote access system is built on a Microsoft Windows Terminal Services (TS) platform. The servers are virtualized within the Statistics Finland VMware environment. The remote access system has a total of eight virtual servers running on Windows Server 2008 Standard (64 bit). The servers make up a separate network isolated from the Statistics Finland network area. The TS Gateway server is responsible for the system s connection to the Internet. The server has a TS Web Access service through which users log on to the system. The system s data communication passes along the normal Internet connections of Statistics Finland and the traffic is encrypted between the user and the system with the HTTPS protocol. Data protection is composed of settings made and maintained by means of GPO technology. 
The base for the settings is built on the Security Configuration Wizard tool that is part of the operating system. Statistics Finland opens its firewall to connections from IP addresses provided by the users in the contract. Connections cannot be made from other IP addresses.

3. User authentication and user rights

The use of unit-level data is subject to a user license. Only the person who has been granted a user license is permitted to use the data and the data can only be used for the purpose accepted in the decision. The user is sent by encrypted a user id and by text message a password. The user logs on to the remote access system from the user's own workstation, using the Remote Desktop Connection. The user needs to log on to Internet Explorer, from which the user is transferred to the TS Web Access service. The user enters his/her username and password, after which the system prompts the user for a code, which he/she receives by text message to a mobile phone number agreed in advance. The code can only be used once, and it is received as a flash message and will not be saved on the phone. The system thus uses so-called strong authentication, where in addition to the ID and password pair used to log in, there is a requirement for something available to the user (e.g. key card, certificate or the phone's SIM card).

Both TS servers include the Terminal Services Log (TSL) software that allows flexible collection of information on the resources used by the user. TSL uses a SQL database for storing settings. The database stores the log data of the applications used by the users as well as used processor time and memory. For this database the system has a Microsoft SQL Server. The Active Directory Server (AD) provides the name and directory services needed by the TS environment.

4. Managing access to data

The system's file servers include the data to be used over remote access and the user's disk space. The rights to the files are defined with the help of AD groups. Each research project has its own group in which the members of the project are included. After the user has logged into the system, the user selects, if he/she has several research projects ongoing, from the TS Web Access service the research project on which the user wishes to work. After this, the virtual desktop access opens up for the user and the stripped-down desktop view of the Windows 2008 Server operating system is displayed. All the necessary programs and folders have been stored as icons on the user's virtual desktop. The user cannot manually edit this view and does not have access to other applications than those displayed on the desktop. File transfers from the user's different projects are blocked.

Each research project has a working directory into which the researchers, who have a permit to handle the project's data, are allowed to write. In the directory, users can set up their own work folders as well as share files with other users. If the project has a license to some of the basic material (so-called ready-made files), they are available to the user from their own directory of SAS files. Otherwise, the project data is stored in the working folder. For outputs meant to be checked, there is a separate output folder. In addition, metadata, operating guides for the system and rules are incorporated in their own folder.

All data transfers into or out from the remote access system are handled by personnel at the research services or the IT support at Statistics Finland.
The data or outputs are transferred by using WinSCP for secure file transfer between the local and remote computers.

When the researcher stops working he/she can either disconnect from the system or log out of the session. When disconnected, the applications that were open still remain open. Thus, the user can leave long-lasting runs running in the system without having to keep the connection open. In addition, the connection is automatically terminated if the user is not active within a particular time period. When logging off, in turn, the applications that have been opened will close.

5. Storing files

The researcher can access the research project's files for the duration of the permit. Files containing only data from Statistics Finland are stored after the permit has expired for possible reuse by the project (needing a new permit). Data from other register providers are sent back or destroyed when the permit expires.

The update and backup services are part of Statistics Finland's normal maintenance routines. Backups of the contents of the file server are copied on tape nightly. Research projects can also be filed on tape. The backup of the operating system is performed by means of VMware's own work equipment. Copies are made after software updates and configuration changes.

6. Security checks

6.1. IP-addresses

The IT support follows up from which IP addresses access has been obtained and cross-checks the addresses against the IP addresses for the organizations.
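The cross-check described in 6.1 can be sketched as follows. This is an added example, not part of the report and not Statistics Finland's tooling; the log layout, user ids, organization names and addresses are all constructed assumptions (addresses come from the documentation ranges).

```python
"""Cross-check remote-access logins against contracted IP addresses.

Added illustration. Every register entry and log line below is constructed.
"""
import csv
import io
import ipaddress
from collections import namedtuple

# Constructed contract register: organization -> addresses named in its contract.
# Assumption: a contract may list single hosts or CIDR blocks, IPv4 or IPv6.
CONTRACT_ADDRESSES = {
    "univ-a": ["192.0.2.10", "192.0.2.64/28"],
    "institute-b": ["198.51.100.0/29", "2001:db8:10::/64"],
}

# Constructed license register: user id -> organization holding the license.
USER_ORG = {"u1001": "univ-a", "u1002": "univ-a", "u2001": "institute-b"}

# Constructed gateway log export: timestamp, user id, source address.
SAMPLE_LOG = """\
2014-05-12T08:01:44,u1001,192.0.2.10
2014-05-12T08:15:02,u1002,192.0.2.70
2014-05-12T09:30:11,u2001,2001:db8:10::25
2014-05-12T21:47:58,u1001,203.0.113.45
2014-05-13T07:58:20,u2001,192.0.2.10
2014-05-13T08:02:09,u9999,198.51.100.3
2014-05-13T08:05:30,u1002,not-an-address
"""

Finding = namedtuple("Finding", "timestamp user source reason")


def build_register(contracts):
    """Parse contract entries into ip_network objects (a host becomes /32 or /128)."""
    return {
        org: [ipaddress.ip_network(entry, strict=False) for entry in entries]
        for org, entries in contracts.items()
    }


def owner_of(addr, register):
    """Return the organization whose contract covers addr, or None."""
    for org, networks in register.items():
        if any(addr.version == net.version and addr in net for net in networks):
            return org
    return None


def audit_logins(log_text, contracts=CONTRACT_ADDRESSES, users=USER_ORG):
    """Return a Finding for every login that does not match the user's contract."""
    register = build_register(contracts)
    findings = []
    for row in csv.reader(io.StringIO(log_text)):
        if not row:
            continue  # tolerate blank lines in the export
        if len(row) != 3:
            findings.append(Finding("?", "?", ",".join(row), "malformed log line"))
            continue
        timestamp, user, source = (field.strip() for field in row)
        try:
            addr = ipaddress.ip_address(source)
        except ValueError:
            findings.append(Finding(timestamp, user, source, "unparseable source address"))
            continue
        org = users.get(user)
        if org is None:
            findings.append(Finding(timestamp, user, source, "user has no license on record"))
            continue
        owner = owner_of(addr, register)
        if owner == org:
            continue  # login came from the user's own contracted address
        if owner is None:
            # The firewall should already block this; seeing it means rule drift.
            reason = "address not in any contract"
        else:
            reason = f"address belongs to {owner}, user licensed via {org}"
        findings.append(Finding(timestamp, user, source, reason))
    return findings


if __name__ == "__main__":
    for finding in audit_logins(SAMPLE_LOG):
        print(f"{finding.timestamp} {finding.user} {finding.source}: {finding.reason}")
```

Matching against the user's own organization, rather than against the union of all contracted addresses, also catches a login with one organization's credentials from another organization's premises, which the firewall rule alone would let through.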

6.2. Output control

According to the obligation to maintain secrecy, the researcher must ensure that the research results contain no unit-level data or possibility of their disclosure. Researcher services apply a screening process to research results, which ensures the implementation of data protection in the print-outs produced by the researcher from the data. All outputs are screened and after screening sent to the researcher by

6.3 Auditing

The system was audited by an outside company before the production phase.

7. Guiding and education on data protection for users

All users of the remote access system are required to follow the Guidelines of the research services. The document is published on the internet (in Finnish, English version will be published soon). Seminars and separate courses on legal issues as well as data protection practices are held at Statistics Finland 2-3 times a year. In particular, the contact persons from the organizations are expected to participate in these events.

8. Data and software

Research data are in SAS 7 format (.sas7bdat). The data can be transferred into the desired format using the Stat/Transfer software. The following software is available in the system:

- Stata 12 SE (64-bit) and 13 MP (limited number of users)
- SPSS Statistics 22 (limited number of users)
- R (R 2.15 and R 3.01)
- SAS 9.3
- Stat/Transfer 12
- Open Office (word processing and spreadsheet program)
- RStudio
- Notepad++

Statistics Finland does not offer support for the applications in use.

Appendix C3 Description of the Swedish remote access system Mona

The Swedish remote access system was implemented in The underlying principle of the remote access system is that researchers can handle confidential data for which they have obtained a permit, through a secure connection to a server at Statistics Sweden. The researcher can see the micro data on the remote desktop and performs analyses with the help of the software available, but cannot copy the data from the system.

1. Location for remote access

The use of the remote access system must take place in Sweden or in the country where the disclosure has been permitted.

2. Network connections and encryption

In MONA external users can access micro data via the Internet. MONA Security Gateway ensures a secure connection without requiring users to install any software; it only assumes that Java is installed on the user's computer and that a remote desktop can be used. The platform consists (May 2014) of 17 operational servers that are used for different purposes. The user works interactively on terminal servers, where the common software is available. Most statistical software programs are also available on batch servers for users who want to perform more extensive operations.

The micro data are usually accessed in SQL format from an SQL server. Statistics Sweden uses SQL because the data from the SQL server can be downloaded from the most used statistical software programs, such as STATA, SAS and SPSS. But micro data can also be delivered in other formats on a file server.

3. User authentication and user rights

Any person who is permitted to have access to the data in MONA must first sign a user certificate. With the signing of the certificate the user commits to:

- not copy micro data from the MONA system to their own computer
- not use MONA from a third country, i.e. a country outside the EU that lacks the level of protection equivalent to that required within the EU, or in other ways use MONA from another place than was specified at the time for the decision of access
- not reveal their username or password (login information) to anyone else
- immediately report any misuse of login credentials to MONA support at Statistics Sweden
- not record or store login credentials in such a way that another person can access login information.

The user is also informed that he is responsible for his authentication solution. One user certificate must be signed per user. When signing the certificate the user gets access to the credentials needed.

Logging in is divided into two steps. Initially a VPN tunnel is created, which requires the user to enter a username and a one-time password, either from an app in a smartphone or from a special security card that the MONA support provides. The second step requires a login using the username and password (always the same). All log-ons to the research server are monitored and logged.

4. Managing access to data

MONA is a closed system where the user has no access to the Internet and cannot himself insert his own data. The user can only add code, statistics or other material to the MONA platform by asking Statistics Sweden to add them, which Statistics Sweden can do after scrutiny. For security reasons, users cannot copy information between their own computer and MONA. Instead, each user has his own storage space for result files, code libraries and other user-created files.

Each research project has a working directory into which the researchers, who have a permit to handle the project's data, are allowed to write. In the directory, users can set up their own work folders as well as share files with other users within the same project.

In order to download these files from MONA, the Outbox folder is used, from where files are automatically sent to a user's designated mail account. The system zips the files, protects them with the user's password and sends the zipped files as attachments in an e-mail, every three minutes, to the address provided by the user.

5. Storing files

The researcher can access the research project's files for the duration of the permit. Research projects are normally active during several years.


More information

DISCLOSURE ON THE PROCESSING OF PERSONAL DATA LAST REVISION DATE: 25 MAY 2018

DISCLOSURE ON THE PROCESSING OF PERSONAL DATA LAST REVISION DATE: 25 MAY 2018 DISCLOSURE ON THE PROCESSING OF PERSONAL DATA LAST REVISION DATE: 25 MAY 2018 Introduction This disclosure on the processing of personal data (hereinafter, the "Disclosure") is provided pursuant to Art.

More information

Privacy Policy CARGOWAYS Logistik & Transport GmbH

Privacy Policy CARGOWAYS Logistik & Transport GmbH Privacy Policy CARGOWAYS Logistik & Transport GmbH We are very delighted that you have shown interest in our enterprise. Data protection is of a particularly high priority for the management of the CARGOWAYS

More information

General Data Protection Regulation (GDPR)

General Data Protection Regulation (GDPR) BCD Travel s Response to the EU General Data Protection Regulation (GDPR) November 2017 Page 1 Response to the EU GDPR Copyright 2017 by BCD Travel N.V. All rights reserved. November 2017 Copyright 2017

More information

Adkin s Privacy Information Notice for Clients, Contractors, Suppliers and Business Contacts

Adkin s Privacy Information Notice for Clients, Contractors, Suppliers and Business Contacts Adkin s Privacy Information Notice for Clients, Contractors, Suppliers and Business Contacts POLICY STATEMENT Adkin is committed to protecting and respecting the privacy of all of our clients. This Policy

More information

Q&A for Citco Fund Services clients The General Data Protection Regulation ( GDPR )

Q&A for Citco Fund Services clients The General Data Protection Regulation ( GDPR ) Q&A for Citco Fund Services clients The General Data Protection Regulation ( GDPR ) May 2018 Document Classification Public Q&A for Citco Fund Services clients in relation to The General Data Protection

More information

GDPR AMC SAAS AND HOSTED MODULES. UK version. AMC Consult A/S June 26, 2018 Version 1.10

GDPR AMC SAAS AND HOSTED MODULES. UK version. AMC Consult A/S June 26, 2018 Version 1.10 GDPR AMC SAAS AND HOSTED MODULES UK version AMC Consult A/S June 26, 2018 Version 1.10 INDEX 1 Signatures...3 2 General...4 3 Definitions...5 4 Scoping...6 4.1 In scope...6 5 Responsibilities of the data

More information

NOTIFICATION FOR PRIOR CHECKING INFORMATION TO BE GIVEN(2)

NOTIFICATION FOR PRIOR CHECKING INFORMATION TO BE GIVEN(2) To be filled out in the EDPS' office REGISTER NUMBER: 0507 NOTIFICATION FOR PRIOR CHECKING Date of submission: 25/05/2009 Case number: 2009-377 Institution: Commission Legal basis: article 27-5 of the

More information

PRIVACY NOTICE EFFECTIVE FROM 25 MAY 2018

PRIVACY NOTICE EFFECTIVE FROM 25 MAY 2018 PRIVACY NOTICE EFFECTIVE FROM 25 MAY 2018 BACKGROUND: Girlings Personal Injury Claims Ltd understands that your privacy is important to you and that you care about how your Personal Data is used and shared.

More information

Talenom Plc. Description of Data Protection and Descriptions of Registers

Talenom Plc. Description of Data Protection and Descriptions of Registers Talenom Plc. Description of Data Protection and Descriptions of Registers TALENOM DESCRIPTION OF DATA PROTECTION Last updated 14 March 2018 Scope Limitations Data protection principles Personal data Registers

More information

DATA PROCESSING TERMS

DATA PROCESSING TERMS DATA PROCESSING TERMS Safetica Technologies s.r.o. These Data Processing Terms (hereinafter the Terms ) govern the rights and obligations between the Software User (hereinafter the User ) and Safetica

More information

Site Builder Privacy and Data Protection Policy

Site Builder Privacy and Data Protection Policy Site Builder Privacy and Data Protection Policy This policy applies to the work of the Third Age Trust s Site Builder Team. The policy sets out the approach of the Team in managing personal information

More information

POMONA EUROPE ADVISORS LIMITED

POMONA EUROPE ADVISORS LIMITED POMONA EUROPE ADVISORS LIMITED Personal Information Notice Pomona Europe Advisors Limited (Pomona, we/us/our) wants you to be familiar with how we collect, use and disclose personal information. This Personal

More information

INNOVENT LEASING LIMITED. Privacy Notice

INNOVENT LEASING LIMITED. Privacy Notice INNOVENT LEASING LIMITED Privacy Notice Table of Contents Topic Page number KEY SUMMARY 2 ABOUT US AND THIS NOTICE 3 USEFUL WORDS AND PHRASES 4 WHAT INFORMATION DO WE COLLECT? 4 WHY DO WE PROCESS YOUR

More information

1 Privacy Statement INDEX

1 Privacy Statement INDEX INDEX 1 Privacy Statement Mphasis is committed to protecting the personal information of its customers, employees, suppliers, contractors and business associates. Personal information includes data related

More information

Blue Alligator Company Privacy Notice (Last updated 21 May 2018)

Blue Alligator Company Privacy Notice (Last updated 21 May 2018) Blue Alligator Company Privacy Notice (Last updated 21 May 2018) Who are we? Blue Alligator Company Limited (hereafter referred to as BAC ) is a company incorporated in England with company registration

More information

You will see lots of references in the Checklist to the GDPR Pack if you would like to purchase this, go to

You will see lots of references in the Checklist to the GDPR Pack if you would like to purchase this, go to Suzanne Dibble 2018. Copyright in this document belongs to Suzanne Dibble. You may not copy or use it for any purpose unless you have purchased this template document from Suzanne Dibble. You may not allow

More information

Data Protection Policy

Data Protection Policy Introduction In order to; provide education, training, assessment and qualifications to its customers and clients, promote its services, maintain its own accounts and records and support and manage its

More information

CNH Industrial Privacy Policy. This Privacy Policy relates to our use of any personal information you provide to us.

CNH Industrial Privacy Policy. This Privacy Policy relates to our use of any personal information you provide to us. CNH Industrial Privacy Policy General Terms The CNH Industrial Group appreciates your interest in its products and your visit to this website. The protection of your privacy in the processing of your personal

More information

This article will explain how your club can lawfully process personal data and show steps you can take to ensure that your club is GDPR compliant.

This article will explain how your club can lawfully process personal data and show steps you can take to ensure that your club is GDPR compliant. GDPR and BMC Clubs Lawful basis for Processing Personal Data This article will explain how your club can lawfully process personal data and show steps you can take to ensure that your club is GDPR compliant.

More information

Policy Objectives (the Association) Privacy Act APPs Policy Application ACTU The Police Association Website

Policy Objectives (the Association) Privacy Act APPs Policy Application ACTU The Police Association Website Privacy Policy 1. Policy Objectives 1.1 The Police Association Victoria (the Association) is the organisation representing sworn police officers at all ranks, protective services officers, police reservists

More information

Cisco Spark and GDPR. Thomas Flambeaux. Collaboration Consulting Solution Engineer, Security and Compliance. Cisco Connect 2018 Copenhagen April 12th

Cisco Spark and GDPR. Thomas Flambeaux. Collaboration Consulting Solution Engineer, Security and Compliance. Cisco Connect 2018 Copenhagen April 12th Cisco Spark and GDPR Thomas Flambeaux Collaboration Consulting Solution Engineer, Security and Compliance Cisco Connect 2018 Copenhagen April 12th 2015 Cisco and/or its affiliates. All rights reserved.

More information

Xpress Super may collect and hold the following personal information about you: contact details including addresses and phone numbers;

Xpress Super may collect and hold the following personal information about you: contact details including addresses and phone numbers; 65 Gilbert Street, Adelaide SA 5000 Tel: 1300 216 890 Fax: 08 8221 6552 Australian Financial Services Licence: 430962 Privacy Policy This Privacy Policy was last updated on 27 February 2017. Our Commitment

More information

How WhereScape Data Automation Ensures You Are GDPR Compliant

How WhereScape Data Automation Ensures You Are GDPR Compliant How WhereScape Data Automation Ensures You Are GDPR Compliant This white paper summarizes how WhereScape automation software can help your organization deliver key requirements of the General Data Protection

More information

Fritztile is a brand of The Stonhard Group THE STONHARD GROUP Privacy Notice The Stonhard Group" Notice Whose Personal Data do we collect?

Fritztile is a brand of The Stonhard Group THE STONHARD GROUP Privacy Notice The Stonhard Group Notice Whose Personal Data do we collect? Fritztile is a brand of The Stonhard Group THE STONHARD GROUP Privacy Notice For the purposes of applicable data protection and privacy laws, The Stonhard Group, a division of Stoncor Group, Inc. ( The

More information

Cardiff University Security & Portering Services (SECTY) CCTV Code of Practice

Cardiff University Security & Portering Services (SECTY) CCTV Code of Practice Cardiff University Security & Portering Services (SECTY) CCTV Code of Practice Document history Author(s) Date S Gamlin 23/05/2018 Revision / Number Date Amendment Name Approved by BI annual revision Date

More information

About the information we collect We collect and process personal data including but not limited to:-

About the information we collect We collect and process personal data including but not limited to:- Privacy Policy About us TP Supported Accommodation is responsible for collecting, processing, storing and safe keeping of personal information as part of our business activities. We manage information

More information