About Denmark’s Data Portal
Statistics Denmark has developed a new application to provide easy, efficient and secure access to data about the Danish population for research, analysis and management. We call it Denmark’s Data Portal.
Danish social data is of great importance for the development of Danish society. Therefore, Statistics Denmark has established a data portal to provide researchers, analysts and Danish companies with a better overview of the Danish data base and thus make the overall process from application to data access easier. In other words, the project will establish one window, one access, one secure solution to service all needs for data for statistics, research, management and analysis.
The Data Portal, in cooperation with other data owners, builds on the services already available in Statistics Denmark, and we are constantly working on making our services and Denmark’s Data Portal even better.
The Data Portal is intended as a cross-cutting, collaborative national solution for the benefit of research institutions, private companies and public authorities — in line with the intentions of Denmark’s national public digitisation strategy.
Users get a clear overview of the supply of data, which will be documented and quality assured. Users are also given support in finding the most suitable data for their purpose. Case handling and approval of project applications is done automatically in a way that allows quick and user-managed access while fulfilling the requirements for data security and data confidentiality, with the possibility of advice and assistance along the way.
In Denmark’s Data Portal, there is a strong focus on data security and information security. Data in Denmark’s Data Portal is built in a special system, which is based on processes with high security, secure management and secure workflows.
In Statistics Denmark, we follow the Danish Public Administration Act’s requirements for equal treatment. This means that all rules and security requirements apply to all users and partners. In other words, no one gets lighter conditions or has to meet a lower level of security than others do.
Statistics Denmark’s workflows comply with current legislation, with special regard to the GDPR, which is verified via external audit, and with the ISO 27001 standard, which is the security standard for state authorities. Security is checked annually as a result of Statistics Denmark’s ISO 27001 certification.
Statistics Denmark has developed a set of guidelines for the use of research machines that apply to all research and analysis projects carried out within the framework of Denmark’s Data Portal and Research Service. The guidelines include, among other things, the requirement to work on pseudonymised data and that Statistics Denmark’s methods of discretion should be used. Other examples are the principles of data minimisation as well as the requirement for a clearly defined organisation of emergency response and decision pathways in relation to the handling of data breaches and security incidents.
Download Statistics Denmark’s Research Service Data Security Rules
The Danish HPC centres, i.e. the High Performance Computing Centres for external IT capacity, are currently collaborating to add external computational capacity to the research and analysis projects. The collaboration is conducted by the Coordinating Body for Register Research (KOR) and Danish e-infrastructure Cooperation (DeiC) and we are currently working on making guidelines that apply to all stakeholders, collaborators and HPC facilities.
In Denmark’s Data Portal, two-factor login is always required for the application and the research machine, and there are requirements for the security of network traffic and for secure network protocols, cf. the Centre for Cyber Security’s requirements and recommendations.
The application is continuously tested for attack possibilities from outside — see “Certification and external control”.
There are agreements between all research and analysis institutions and Statistics Denmark, which, among other things, focus on clarity of roles and responsibilities and ensure that the staff of research and analysis institutions handle their administration of each institution in the most appropriate way. There is regular contact via user committees, dissemination of awareness campaigns and user surveys. Researchers and analysts will be certified in a special module focusing on compliance with the rules for data processing and data security. This means that every user must periodically review a number of questions regarding data processing and GDPR in order to maintain their access to Denmark’s Data Portal and Research Service.
The workflows for both researchers and analysts, as well as the administrative staff in Statistics Denmark, are reviewed annually in the internal supervision and assessed by architects, IT managers and information security coordinators to ensure that there are no gaps or overlooked opportunities for cheating, accidental access and abuse of user roles. The detailed authorisation system in Denmark’s Data Portal has been specifically reviewed in order to verify that a multi-person authentication and update system has been established, which ensures that individuals cannot exploit or abuse the system.
Systematic system checks are carried out to ensure that the research results you transfer do not contain personally identifiable or individual data. In addition, randomised sample checks and management-initiated samples based on risk assessments are carried out.
Security is continuously monitored both by Statistics Denmark’s own internal supervision and by external supervision and audits. Statistics Denmark has ongoing contact with independent external experts who assess, test and pressure-test the security of the systems, both in the source code and in the workflows. The security of our pseudonymisation algorithm is checked through an external review by the Centre for Cyber Security, and an executive summary can be provided to relevant stakeholders on request. Similarly, external experts have verified the checks on file transfers.
An external statement of assurance of the type ISAE3000 is prepared annually by Statistics Denmark’s Research Service, which can be provided to relevant stakeholders. The Statement of Assurance, which is accompanied by a corresponding ISAE3000 statement for the general IT environment and IT workflows, describes, among other things, a number of control areas regarding security including technical security measures, storage and processing of personal data, etc.
ISO 27001 certification
Statistics Denmark annually undergoes a process to maintain its ISO/IEC 27001:2013 certification. The audit process is carried out by the international and independent certification company DNV-GL.
The scope, i.e. the area controlled and certified according to ISO 27001, is ‘IT and business processes in statistical production, including data collection, in accordance with the Statement of Applicability’.
Every year, Statistics Denmark undergoes a series of penetration tests, in which external experts try to find gaps in the technical perimeter protection of systems and access points. This leads to a continuous focus on updating to the latest versions of web-facing technologies and on firewall security. Attacks from outside are monitored daily, and network traffic in the firewall and associated systems is monitored continuously.
Certification of users in Denmark’s Data Portal
In order to support data security, the users who will be working with data from the specific projects must also be certified to ensure that they are familiar with the data security rules under Statistics Denmark’s micro-data schemes.
In practice, the users will have to pass a test with questions about the data security rules, as described in Research Service’s Data Security Rules under the micro-data schemes to become certified. Once the test is passed, access to data is granted.
To ensure a continued high focus on data security rules, users will be recertified annually.