Authorisation of institutions

The below environments located in the Danish Realm may be considered for authorisation, if these comply with the application criteria:

• The user group is defined under the framework agreement between Statistics Denmark and Danish e-infrastructure Cooperation (DeiC): Publicly funded research and analysis environments (i.e. university departments, government research institutes, ministries, government agencies etc.) as well as charitable foundations in Denmark.
• In the private sector, the following Danish organisations are eligible for authorisation:
• Interest organisations. In this case (and in the case of enterprises), it is relevant to look at the ownership, the staff (education) as well as the tasks solved for public customers in particular. It may be necessary to make inquiries with these customers to get an opinion.
• Consultancies. However, consultancies cannot get access to business data. The director general may grant an exemption to consultancies allowing them to gain access to business data when carrying out fact-finding or research on business data for a public authority or an interest organisation, provided that this happens with the authority or organisation as data controller.
• Other enterprises may be authorised but may not get access to data that includes business data.

According to the General Data Protection Regulation, the Faroe Islands and Greenland are third countries, which is significant in terms of obtaining authorisation:

• The Faeroe Islands has obtained an adequacy decision by the European Commission, which means they can be approved as a secure third country. Institutions and enterprises from the Faeroe Islands can thus obtain authorisation on an equal footing with those from Denmark.
• Greenland has not obtained an adequacy decision, which is why Greenlandic institutions must enter into transfer agreements to obtain authorisation. Until Greenland is approved as a safe third country, authorisation can only comprise public institutions.

For both the Faroe Islands and Greenland, the authorised institution must obtain approval from the Danish Data Protection Agency if it wants access to sensitive data according to the Danish Data Protection Act.

In order to be eligible for authorisation, your institution must have a high and sustained focus on data security. Statistics Denmark has determined four requirements that you must be able to meet:

1. In the research/analysis environment, there must be a personnel manager who accepts the responsibility for the authorisation and for overseeing that the rules in the authorisation agreement are kept. This includes continuously ensuring that all persons in need of access are familiar with the rules on access to data and the rules on transfer of results.
2. As a minimum, there must be at least three people in the environment with specific experience in handling large data volumes and solid knowledge of our data security rules. Experience may have been gained, for example, through previous access to pseudonymised data under Statistics Denmark’s microdata schemes, or experience otherwise gained with the handling of register data.
3. For private environments, the research/analysis environment must be at least one year old to be considered for authorisation.
4. The environment must appear from the institution website.

If you are a public institution, and your research/analysis environment does not meet the requirements, you can consider commissioning an already authorised private consultancy to solve the analytical task for you. For this, you need a client authorisation. Read more under ‘Requirements to application for client authorisation’.

If you have questions about the application for authorisation, please contact FSEautorisation@dst.dk. Please write ’Re. application for authorisation’ in the subject field.

To be considered for client authorisation, you must enter a cooperation agreement with a private consultancy that already holds an authorisation. In that case, the analytical task will be carried out at your/the client’s responsibility, but based on the specialised environment at the consultancy charged with the task.

Client authorisations are only offered to public institutions and require that the authorisation of the consultancy charged with the task grants them access to all the data that you need. Please inquire with the consultancy if this is the case before you apply for a client authorisation.

Note: If you need business data with limited access, and the consultancy charged with the task does not have access to it, you can apply for an exemption on behalf of the consultancy. Read about applying for an exemption under Access to business data.

You cannot apply for an exemption until you have been client authorised.

Guide to application for client authorisation

To apply for a client authorisation you must use the same form as for an application for authorisation (bottom of the page).

All fields in the form must be completed as specified, except for these six:

• Under ’Name of institution’ you must add ’- Client authorisation’ [Example: Agency for xxx - Client authorisation] 
  Under ‘Name of person responsible for authorisation (head of staff)’, you enter the name of the head of staff in your institution who is going to act as the person responsible for authorisation. For the person in question, this involves e.g. assigning roles in Denmark’s Data Portal and acting as data controller without any supervisory obligation. The supervisory obligation lies with the consultancy charged with the task. Read more about the division of roles under User roles.
• Under ’Brief description of your research/analysis environment’, you must state the name and authorisation number (1-3 digits) of the consultancy charged with the task [Example: Name of consultancy, 123]
• Under ’Number of researchers in your research/analysis environment’, you must enter ’0’
• Under ’Number of people in the environment who have specific experience in handling register data/large volumes of data, you must enter ’0’
• Under ’Link to the environment website’, you must enter your institution website.

If you have questions about the application for client authorisation, please contact FSEautorisation@dst.dk. Please write ’Re. application for client authorisation’ in the subject field.

Assessment of application for authorisation

To assess whether you can be authorised, we make a specific assessment based on your research/analysis environment. In doing so, we focus on your competences in data management and your knowledge of the data security rules that apply for access under Statistics Denmark’s microdata schemes.

All authorisations need approval from the director general of Statistics Denmark.

If you are approved for authorisation, you must enter into a data processor agreement with Statistics Denmark.

Assessment of application for client authorisation

To obtain a client authorisation, your research/analysis environment does not need to be assessed by Statistics Denmark. This is because your analytical tasks will be handled by an authorised consultancy.

In the assessment of your application for a client authorisation, Statistics Denmark focuses on whether you are a public institution and whether you have appointed a head of staff as responsible for authorisation.

If you are approved for a client authorisation, you must enter into a data processor agreement with Statistics Denmark.

Read about the rules on transfer of analysis results

Please refer to Statistics Denmark’s Data confidentiality policy and Information security policy