Data security
It is the CMI’s responsibility to keep data secure once it has been received, but it can only be the responsibility of the data contributor to take appropriate measures regarding the transmission of data to the CMI.
All the latest CMI coding guides include guidance regarding secure data transmission; in particular we encourage data contributors to encrypt or password-protect data and to submit the password by a different medium to the data itself. Some data contributors have gone further, and we access their data via a secure web portal set up by the data contributor.
Data submitted to the CMI, in any form, is received and held by the Secretariat, which is currently outsourced to Barnett Waddingham LLP. The legal agreement between the CMI and Barnett Waddingham LLP ensures that appropriate security measures must be taken to retain data securely, with regard both to data protection considerations and to the confidentiality of individual contributors’ data. In particular, “personal data” (in terms of data protection legislation) will not leave the offices of Barnett Waddingham LLP (other than in a secure form for back-up purposes) and will not be stored on laptops. The CMI would require similar commitments from any other organisation to which it chooses to outsource support in the future.
Outward transmission of “personal data” from the CMI will rarely occur. Given that the CMI will not publish or otherwise release “personal data” outside the Secretariat, even to our committees and working parties, the only circumstance in which “personal data” will be sent out from the Secretariat is if it is returned to the data contributor, perhaps in seeking to resolve queries. In such circumstances, the Secretariat seeks to de-personalise the data being returned or adopts security measures at least as strong as those used to submit the data.
It is also worth noting that even if the data submitted to the CMI is regarded as “personal data” in the context of the Data Protection Act, individuals are not easily identifiable, since we do not request names or addresses. Moreover, even if an individual can be identified from a combination of postcode and date of birth, data submitted to the CMI does not contain names and addresses or information of commercial value to fraudsters, such as bank account details or NI number.