Skip to content
Search dst.dk

    Sanction rules

    It is important that you familiarise yourself with and comply with Statistics Denmark’s transfer and data security rules. If you do not comply with the rules, you risk suspension of you or your entire institution with Statistics Denmark. Read about our sanction rules and case processing in case of data breach.

    Users of Statistics Denmark’s researcher machines are responsible for complying with our transfer and data security rules. This means that you, as a user, are responsible for: 

    1. Your work on the researcher machines being compliant with Statistics Denmark’s data security rules. Read more under Rules for working with microdata 
    2. Transferring analysis results and materials in compliance with Statistics Denmark’s transfer rules. Read more under Rules on transfer of analysis results 
    3. Notifying Research Services immediately if you realise that you have failed to comply with Statistics Denmark’s data security or transfer rules.

    For more details, read Statistics Denmark’s guideline material:

    Rules for data safety under the microdata schemes (pdf)

    Breach of the rules? This is how you handle it

    If you have broken Statistics Denmark’s rules or suspect that you have, you have a duty of notification. Complying with the duty of notification in relation to breach will be considered a mitigating circumstance.

    Please notify both the person responsible for authorisation in your institution and Research Services; the latter by sending an email to FSEHjemtag@dst.dk with the following: 

    • Your ident and the authorisation number of the institution you are associated with
    • Project number, if any
    • A description of the breach or where you suspect a breach
    • Date and time of the breach 

    If the breach involves files, for example files you have transferred, image files on your computer, in your mail box or similar, you must delete them immediately from your PC, Denmark’s Data Portal, mail folders etc. and inform about this in your email to Research Services.

     

    Statistics Denmark’s sanction rules

    If there is a breach of Statistics Denmark’s transfer rules or data security rules, Statistics Denmark can sanction users and, worst-case-scenario, entire institutions. Statistics Denmark’s sanction rules will be deployed if: 

    1. A user breaks the rules for working with microdata on Statistics Denmark’s researcher machines, for example by taking a screendump or transcribing from the researcher machine, or
    2. A user has transferred data with microdata, for example transferred a file with pseudonymised key variables from BOPIKOM

    Note: An isolated breach of the rules of statistical disclosure control will not result in sanctions. In case of repeated non-compliance, however, it can result in sanctions for the institution.

    Sanctions in case of breach - Assessment of severity and scope

    Statistics Denmark makes decisions about sanctions. We distinguish between less severe and severe breaches: 

    • Less severe breaches: Thoughtless action or accident – for example identification in connection with troubleshooting
    • Severe breaches: Conscious action – for example conscious attempt to identify individuals or enterprises in data 

    Statistics Denmark decides whether a breach is categorised as less severe or severe. In the assessment of the severity of a breach, we take the following into account:

    1. Was it a thoughtless or conscious action?
    2. Has the user detected the breach himself, and if so, observed his duty of notification?
    3. In connection with transfer: How large a volume of microdata has the user transferred?
    4. In connection with transfer: Has the transfer tool in Denmark’s Data Portal been used for the transfer, and if so, has the user ignored the transfer module’s warning? 

    In case of isolated, less severe breaches, the sanction will target the user and the project where the breach has happened. This means that the project where the breach took place will be temporarily closed for everybody and the user’s access temporarily closed, so that he or she cannot access his or her projects. In case of severe or repeated breaches, i.e. where breaches have previously been registered on the institution number, the sanctions will be more rigorous. See the overview of sanctions below.

    Note: If Statistics Denmark has previously registered a breach for an institution, breaches dating back more than 2 years will not be taken into consideration. This means that any new breaches will be handled as first-time-breaches.

    Overview of sanctions 

    Sanction system for the researcher scheme

     

    Sanction against user and project
    Access is closed for user and access to the project is closed

    Sanction against institution
    Access is closed for all users and access to all projects is closed

    Occurrence First time Second time
    in 2 years    		 Third time
    in 2 years    		 Fourth time
    in 2 years

    Less severe
    breach

    Until report can be approved*

    1-month suspension*

    3-month suspension*

    Concrete
    assessment*
    Potential termination of the institution’s authorisation agreement

    Severe breach

    3-month suspension*

    3-month suspension*
    Potential termination of the institution’s authorisation agreement and/or specific user agreement

    6-month suspension*

    Concrete evaluation of the institution’s authorisation agreement and potential termination of the institution’s authorisation agreement*

    Sanction system for the authority scheme

     

    Sanction against user 
    Access is closed for user

    Sanction against scheme
    Access is closed for users of the scheme
    Occurrence First time Second time
    in 2 years    		 Third time
    in 2 years    		 Fourth time
    in 2 years

    Less severe
    breach

    Until report can be approved*

    1-month suspension

    1-month suspension

    Concrete assessment
    Potential termination of authorisation agreement

    Severe breach

    3-month suspension

    3-month suspension
    Potential termination of authorisation agreement and/or user agreement

    3-month suspension

    6-month suspension
    Potential termination of authorisation agreement

    * When Statistics Denmark detects a breach that comes under the sanction rules, the user and the project where the breach occurred will be temporarily suspended, until Statistics Denmark has processed the case and made a decision. This applies regardless if it is an isolated breach or repeated breaches within two years. 

    Statistics Denmark makes a decision based on a report and a plan that must be presented to Statistics Denmark by the institution with which the user is associated. Statistics Denmark will not commence the processing of the case, until we have received an adequate report and plan. Statistics Denmark estimates whether the report and plan of an institution is adequate or should be rewritten.  

    You can read more about Statistics Denmark’s case processing and the requirements to the report and the plan under ”Statistics Denmark’s case processing in connection with breach of rules - guide”.

     

    Statistics Denmark’s case processing in connection with breach of rules - guide

    When Statistics Denmark receives a notification, or we find out ourselves that a user has not complied with Statistics Denmark’s data security and transfer rules, the user in question and the project where the breach has taken place will be temporarily suspended. The suspension lasts until Statistics Denmark has received an adequate report about the incident and a plan for prevention of similar breaches in future, and Statistics Denmark has processed and decided the case.

    The case processing step-by-step 

    The process takes place in the following steps:

    1. Step: Presentation and demand for report and plan

      When Research Services receives a notification, or find out themselves that a user has not complied with Statistics Denmark’s rules, the user in question and the person responsible for authorisation in the institution will be notified by email.

      Research Services informs about the date of the suspension of the project and of the user in question, and they will request an adequate report about the incident and the scope of the breach as well as an adequate plan for preventing similar breaches in future. Both the report and the plan must be completed in the standard template provided by Research Services.

      The person responsible for authorisation in the institution is responsible for the report and the plan being prepared and sent to Research Services.

      Presentation and plan – demand for “adequacy”

      With the demand for adequacy, Research Services asks for an adequate report about the incident and the scope of the breach. By an adequate plan is meant a report and any documentation for appropriate technical, organisational and/or staff-related measures the institution has implemented in the light of the breach. The plan can consist of e.g.:

      • A brief account of the current rules and practice in the institution that may be relevant for the case
      • A presentation of what the institution has done in connection with the breach, for example, which consequences it has had for the user
      • A plan for what the institution is going to do to prevent similar breaches in future

      It is important that it is not statements of intent. This means that the institution must account for the initiatives that they have already implemented or will implement, and describe the process behind it. Examples could be:

      • Has the person responsible for authorisation held a meeting with relevant stakeholders in the institution about the breach? (Indicate: Who? When? Which proposals/decisions were made?). Attach any resolution minutes.
      • Has the person responsible for authorisation made proposals or suggested solutions to a relevant committee, the executive board, the governing body or similar? (Indicate: Who? When? What is/was on the agenda? What was decided?). Attach the agenda and/or resolution minutes.
      • Has a decision been made in the institution to enhance for example the communication, instructional materials, code of conduct or similar? (What? How? When? Who is the target group?).
      • Has the institution adopted or made any other efforts to prevent similar breaches in future? (What? How? When? Who is the target group?).

      If Research Services estimates that the report, plan or both are inadequate, Statistics Denmark will notify you about it and request a new one.

    2. Step: The case processing in Statistics Denmark

      When Statistics Denmark estimates that the report and plan we have received are adequate, Research Services will prepare the case for Statistics Denmark’s Supervisory Board and Director General. You can expect the case processing to take approximately 8 working days from we receive the adequate report until we send our decision.

    3. Step: Decision

      When Statistics Denmark has made a decision of the case, we send a decision letter by email to the person responsible for authorisation. The letter contains the final decision from Statistics Denmark’s Director General, including the reason for the decision and information on whether the temporary suspension of the project and the user is lifted or whether further sanctions are imposed on the user or the institution.

    Guides, agreements and documents in relation to data security and responsibility

    Statistics Denmark’s data security rules under the Microdata schemes

    Rules for data safety under the microdata schemes (pdf)

    Statistics Denmark’s information security and data confidentiality policy 

    Information security and data confidentiality policy – Statistics Denmark

    Agreements (in Danish)

    Autorisationsaftale (pdf)
    Databehandleraftale (pdf)
    Tilknytningsaftale (pdf)
    Brugeraftale (pdf)

    Contact

    Forskningsservice
    Phone: +45 39 17 31 30