Who has access to the data I gave to the NSO?
When you provide data to the National Statistics Office, access to your personal information is strictly regulated by law and limited to authorised personnel for clearly defined purposes.
Here’s who can access your data and under what conditions:
Authorised NSO Staff Only
Only trained and authorised NSO employees have access to your identifiable data. These staff members are bound by confidentiality agreements and legal obligations under the Malta Statistics Authority Act (Cap. 422). All NSO employees are required to take an oath of secrecy when they join the NSO. Access is given only to those who need it to perform their duties, e.g., for data processing, quality checks, or analysis. Data is not shared with any other Government Entity or Private Body.
Your personal data is never shared with:
- Tax authorities (e.g. Commissioner for Revenue),
- Law enforcement,
- Other government departments,
- Private companies,
- Marketing or advertising agencies.
The Malta Statistics Authority Act expressly prohibits this kind of data sharing.
Once anonymised and aggregated, your data may be included in published statistical reports, open data portals, or shared with the public.
For example: “15% of households in Gozo have three or more children.” — This is statistical data, not personal data.
Anonymised and aggregated data may be shared with Researchers (Under Strict Conditions). In some cases, external researchers (such as academics or institutions) may be granted access to anonymised microdata. This access:
- Requires strict data protection safeguards
- Is granted only under data sharing agreements
- Is often supervised and can occur only on secure platforms.
Data is anonymised and is not identifiable.
Emphasising on IT Governance and Security Framework
Our IT operations are governed by a robust IT framework designed to ensure transparency, data protection, and compliance with all relevant legal and ethical obligations. Our practices are rooted in the core principles of confidentiality, integrity, and availability ensuring that information security is embedded in our infrastructure, processes, and culture.
Core IT security controls:
- Encrypted hardware: All endpoints and storage devices are encrypted using industry-standard encryption protocols to safeguard data at rest.
- End-to-End encryption: All data in transit (internal or external) is secured through end-to-end encryption to maintain confidentiality and data integrity.
- Network security (firewall): Our systems are protected by enterprise-grade firewalls and intrusion prevention systems to monitor and mitigate unauthorized access and potential threats.
- Role-based access control: Information access is strictly enforced on a need-to-know basis, supported by policies and periodic access reviews.
- 24/7 Security Operations Centre: We are affiliated with Malta Information Technology Agency (MITA) which provides support and also continuously monitor our systems by a dedicated team of people, enabling real-time threat detection, analysis, and response around the clock.
Governance, Compliance and Culture
- ISO 27001 certification: NSO maintains ISO 27001 certification, demonstrating our compliance with international best practices for information security management. This includes rigorous annual internal and external IT audits to validate the effectiveness of our Information Security Management System.
- ESS IT security framework alignment: In parallel, we adhere to the ESS (European Statistical System) IT Security Framework, which enhances our governance posture and complements the ISO standard.
- Continuous security awareness training: We believe in continuous improvement by fostering a culture of security awareness across all staff levels within the entity. Regular training, simulated threat scenarios, and ongoing education initiatives are implemented to ensure all employees understand their role in maintaining a secure environment.
