About Denmark’s Data Portal
Statistics Denmark has developed a new application aimed at providing easy, efficient, and secure access to Danish societal data for research, analysis, and management. We call it Denmark's Data Portal (Danmarks Datavindue).
Danish societal data plays a significant role in the development of the Danish society. Therefore, Statistics Denmark has established a Data Window designed to offer researchers, analysts, and Danish businesses a better overview of the Danish data foundation, streamlining the entire process from application to data access. In other words, the project seeks to establish One portal, one access point, one secure solution to serve all data needs for statistics, research, management, and analysis.
The Data Portal, in collaboration with other data owners, builds upon the services already available at Statistics Denmark, and we continuously strive to improve our services and Denmark's Data Portal.
Collaborative Solution
The Data Portal is envisioned as a cross-cutting, collaborative national solution benefiting research institutions, private companies, and public authorities – fully aligned with the objectives of Denmark's national public digitization strategy.
Users will have a clear overview of the data offerings, which will be well-documented and quality-assured. Users will also receive support in finding the most suitable data for their purposes. Processing and approval of project applications will be automated in a way that provides quick and user-driven access while meeting the requirements for data security and confidentiality – with the option for guidance and assistance along the way.
Data Security
In Denmark's Data Portal, there is a strong focus on data security and information security. Data within Denmark's Data Window is built in a special system based on processes with high security, secure management, and safe workflows.
At Statistics Denmark, we adhere to the requirements of the Administrative Procedure Act, which means that all rules and security requirements apply equally to all users and collaborators. In other words, no one receives preferential treatment or needs to meet lower security standards than others.
The workflows at Statistics Denmark comply with the current legislation, with particular regard to GDPR, which is verified through external auditing, as well as the ISO 27001 standard, which is the security standard for government agencies. Security is reviewed annually as a result of Statistics Denmark's ISO 27001 certification.
Statistics Denmark has developed a set of guidelines for the use of research machines, applicable to all research and analysis projects conducted within the framework of Denmark's Data Window and Research Service. In these guidelines, you will find requirements such as the need to work with pseudonymized data and the use of Statistics Denmark's methods for anonymization. Other examples include principles of data minimization and requirements for a clearly defined emergency organization and decision-making processes in handling data breaches and security incidents.
Statistics Denmark's Research Service Data Security Rules
Currently, collaboration is underway with Danish HPC centers, which are High-Performance Computing centers providing external IT capacity for research and analysis projects. This collaboration is carried out under the auspices of the Coordinating Body for Register Research (KOR) and Danish e-infrastructure Cooperation (DeiC), and efforts are being made to ensure that these guidelines apply to all stakeholders, partners, and HPC facilities.
In Denmark's Data Portal, a two-factor login is always used for both the application and the research machine, in addition to requirements for security in network traffic and the use of secure network protocols, as per the Center for Cybersecurity's requirements and recommendations.
The application undergoes continuous testing for external attack possibilities – see more details under "Certification and External Control."
There are agreements in place between all research and analysis institutions and Statistics Denmark, which focus on clarity of roles and responsibilities and ensure that the employees of research and analysis institutions manage their institution's administration in the most appropriate manner. Regular contact is maintained through user committees, the distribution of awareness campaigns, and user surveys. Researchers and analysts are certified through a special module that emphasizes compliance with data processing rules and data security. This means that every user must periodically answer a series of questions regarding data processing and GDPR to maintain their access to Denmark's Data Window and Research Service.
The workflows for both researchers and analysts, as well as the administrative staff at Statistics Denmark, are reviewed annually through internal oversight and assessed by architects, IT managers, and information security coordinators to ensure that there are no gaps or overlooked opportunities for fraud, unauthorized access, and misuse of user roles. The detailed authorization system in Denmark's Data Window is specifically reviewed to verify that a multi-person approval and update system is established to prevent individuals from exploiting or abusing the system.
Systematic system checks are performed to ensure that research results do not contain personally identifiable or individual data, and random sample checks and management-initiated samples are conducted based on risk assessments.
Security is continuously monitored both through Statistic’s Denmark internal supervision and external inspections and audits. Statistics Denmark maintains regular contact with independent external experts who assess, test, and pressure-test the security of the systems, source code, and workflows. The security of our pseudonymization algorithm has been verified through an external review by the cybersecurity department, and an executive summary of this can be provided upon request to relevant stakeholders. Likewise, the so-called home-sending control has been verified by external experts.
External Audit
Statistics Denmark Research Service annually obtains an external audit statement of the ISAE 3000 type, which can be provided to relevant stakeholders. The audit statement, which is accompanied by a corresponding ISAE 3000 statement for the general IT environment and IT processes, describes a range of security-related control areas, including technical security measures, storage, and processing of personal data, and more.
ISO 27001 Certification
Statistics Denmark undergoes an annual process to maintain the achieved certification following an ISO certification ISO/IEC 27001:2013. The audit process is conducted by the international and independent certification company DNV-GL.
The scope, i.e., the area controlled and certified under ISO 27001, is "IT and business processes in statistical production, including data collection, in accordance with the Statement of Applicability."
Penetration Tests
Statistics Denmark conducts a series of penetration tests each year, where external experts attempt to find vulnerabilities in the technical shell security of systems and access points. This leads to a continuous focus on updating to the latest versions of web-facing technologies and security in the firewall. Daily monitoring is in place for attempts at external attacks, and there is ongoing surveillance of network traffic in the firewall and associated systems.