Data Obfuscation Security Policy
Updated 11 June 2026
ճDWP Obfuscation Security Policyis part of a suite of policies designed to promote consistency across the Department for Work and Pensions (DWP) and supplier base with regards to the implementation and management of security controls. For the purposes of thispolicy, the term DWP and Department are used interchangeably.
Security policies consideredappropriate forpublic viewing are published on ǸԹ
Security policies cross-refer to each other where needed, so can be confidently used together. Theycontainboth mandatory and advisory elements, described in consistent language (see table below).
| Term | Intention |
|---|---|
| must | denotes a requirement: a mandatory element |
| should | denotes a recommendation: an advisory element |
| may | denotes approval |
| might | denotes a possibility |
| can | denotes both capability and possibility |
| is/are | denotes a description |
Overview
1. The DWP Data Obfuscation Security Policy outlines the enterprise level requirements for how data must be obfuscated or transformed to protect sensitive information across the Department.
Purpose
2. This policy is tomandate the high-level requirements for the type and degree of data transformationrequiredbased on data sensitivity, processing environment, and intended use, ensuring residual data riskremainswithin the Department’s acceptable tolerance.This policysupersedes the 2019 DWP Data and Analytics Data Obfuscation Policy.
Scope
1. This policy applies to:
(a) AllDWP personnel (including employees, contractors, and temporary staff)involved in the design, development, processing or management of DWP data transformation and obfuscation processes.
(b) All contracted suppliers whose systems or services store, handle, or process DWP information, or are involved in the provision and lifecycle management of hardware for the DWP; to ensure the appropriate levels of assurance for the confidentiality, integrity and availability of the DWP’s assets.
(c) All DWP data assetsincluding those managed by suppliers, across all environments (on-premise, hybrid, and cloud) and in all states (at-rest, in-motion, in-use).
(d) Personnel assigned to roles with privileged access to sensitive data assets, including those managed by suppliers or hosted offshore,musthold theappropriate levelof security clearance as defined by the DWP Vetting Policy for that specific assigned role.
2. This policy does not replace any legal or regulatory requirements.
Definitions
Acceptable Tolerance
The level of residual re-identification risk a Data Owner is willing to accept, as documented in a Data Protection Impact Assessment (DPIA) and approved by the Information Asset Owner (IAO).
Artificial Intelligence
A computer programme which “learns” from data and may perform tasks usually carried out by humans.
Anonymisation
Anonymisation is a process thatrendersindividuals not identifiable by any meansreasonably likelyto be used, therebyresidingoutside the scope of data protection law.
Data Minimisation
Theprinciple of collecting,processingand storing theminimumamount of personal datarequiredto fulfila defined purpose.
Data Masking
Replacing sensitive data with fictional or scrambled values while preserving the data’s format. Common examples include replacing names with pseudonyms or masking credit card numbers.
Encryption/Tokenisation
The process of converting information or data into a code, especially to prevent unauthorised access.
Infrastructure as a Service
A cloud model delivering virtualized computing resources – such as servers, storage, and networking – over the internet.
Irreversible Masking
A one-way substitution ofdata which can no longer bereinstated to its original form.
Mandatory Transformation Tier
Thestructured, mandatory processes ofmodifyingraw data to meet legal,securityor privacy requirements.
Motivated Intruder Test
Are-identificationrisk assessment methodidentifiedwithin theInformation Commissioner’s Office (ICO) Anonymisation Code of Practicetodetermineif a person without prior knowledge couldidentifyan individual from an anonymiseddata asset, considering all meansreasonably likelyto be used.
Obfuscation
A collective term for technical measures (for examplemasking, pseudonymisation, aggregation, anonymisation, tokenisation, encryption) that reduce the risk ofidentifyingindividuals from data. Obfuscation does not in itself remove data from the scope of data protection law unless the outcome meets the standard for anonymisation.
Platform as a Service
A cloud model where the provider manages the underlying infrastructure, allowing customers to build, deploy, and manage applications withoutmaintainingservers or operating systems.
Production DerivedDataAssets
Specialised data assets generated by applying transformations, aggregations, or calculations to raw, primary, or operational “source-of-truth” data within a production environment.
Pseudonymisation
The processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is subject to technical and organisational measures to keep it separate.
Record of Processing Activities (ROPA)
A formal record which documents how an organisation processespersonaldata,describingthe purpose of processing, categories of personal data and data subjects, lawfulbasisfor processing,datasharing arrangements, retentionperiodand the technical andorganisationalsecurity measures applied.
Software as a Service
A cloud service model where the provider runs an application shared between customers, who then configure and consume it, opposed to managing the underlying infrastructure.
Suppliers
Any external organisation or individual providing services, systems, or hardware to the Department under a formal agreement, including contractors and service providers.
User Acceptance Testing
A critical, final phase of assurance where end-usersvalidatethat a system or service meets their needs, functions as expected in real-world scenarios andoperateswithin defined risk appetites prior to going live.
Policy Statements
1. The principle of Data Minimisationmustbeapplied to alldata assets prior to transformation or usage.
2. All requests for access or migration of Production Derived Data Assets (PDDs) must specify the Mandatory Transformation Tier required to satisfy this policy, as mandated by the relevant Data Owner.
3. Theselectionof the Mandatory Transformation Tiermustbe documented by the Data Owner,identifyingwhich of the four protection levels (Encryption, Pseudonymisation, Irreversible Masking, or Anonymisation) isrequiredfor the specific use case.
4. Initiatives which involve transformation activities relating to personal datamustfollow the Data Protection Impact Assessment (DPIA) process and where transformation activities affect the identifiabilitycomply withthe Motivated Intruder Test. The required execution and evaluation criteria for this test will be proportionate to the identified risk and defined in DWP obfuscation procedures.
5. Data protection for operational systems, including Critical National Infrastructure (CNI) systems hosted in the Cloudmustbe primarily secured via strong access controls and encryption, in line with theDWPCryptographic Key Management PolicyandSS-007: Use of Cryptography.
6. For non-production cloud environments (Infrastructure as a Service (IaaS), Platform as a Service (PaaS), Software as a Service (SaaS)), encryption at rest (SS-007: Use of Cryptography) is a mandatory baseline butmust notbe used as a substitute for irreversible masking. Non-production environments arestrictly prohibitedfromcontainingunmasked sensitive production data.
7. Whereadocumented business requirement for individual identification exists (for examplefor social research sampling or fraud targeting),data assets may be exempt from the Irreversible Masking mandate if hosted within a Protected Analytical Environment. These environments must implement production-equivalent security controls, including granular Role-Based Access Control(RBAC) and comprehensive auditing.
8. Where a business requirement exists to perform individual identification or selection within a secondary environment (for examplefor cohort targeting), the datamustbe hosted in a Protected Analytical Environment. These environments are not subject to obfuscation mandates but must implement production-equivalent controls, including strict RBAC, full auditing, and adherence to the record indistinguishabilitymanual.
9. Policy implementationmustensure that data transformationmaintainssufficient utility for analytical modelling and social research (for examplepreserving event ordering and precision for business-critical variables), provided re-identification riskremainswithin tolerance.
10. Any display-level (dynamic)maskingused within operational user interfaces (for exampleto confirm bank details)mustbe implemented at the application tier and must not alter the underlying data at rest.
11. IrreversibleMaskingmustbe performedon allhighly sensitivepersonaldataprior tocopying, migration, orprovisioninginto any non-production, development, orUser Acceptance Test (UAT)environment.
12. Protectionmustbe applied toArtificial Intelligence(AI)andmachinelearning training pipelines to prevent accidental data exposure via membership inference or model outputs.
13. Non-productionDatabase Management Systems (DBMS)mustimplementtechnical ingress controls(for examplepre-restoretriggers) toprohibit the restoration or importingof unmasked production data, in compliance withSS-005:Database Management System.
14. Data used for statistical publication or shared with external research bodies must achieve a verified level of anonymisation (for example K-Anonymity, Differential privacy) to prevent re-identification and reconstitution attacks. The Department must ensure that no form of differential data masking or obfuscation applied to data in operational services compromises the requirement for sensitive records to remain indistinguishable.
15. Wherepseudonymisation isrequiredtomaintaindata linkage in analytical platforms, the methodmustadhere to the cryptographic hashing, salting (“Pepper”), secure key management requirementsdefined in supporting DWP technical products, standards, and patterns.Additionalinformationmustbe logically and physically separated with accessstrictly limited.
16. Where privilege access isrequiredto administer, transform, migrate,restoreor manage sensitive data assets this mustcomply withDWP Privileged Users Security PolicyandSS-001-2: Privileged User Access.
Accountabilities and Responsibilities
(a) The DWP Chief Security Officer is the accountable owner of the DWPObfuscation Security Policyandis responsible forits maintenance and review, through the DWP Deputy Director for Security Policy andCentral Services.
(b) The Data Owner is accountable for the anonymised / pseudonymised outcome for each data asset, ensuring the lawful basis, purpose limitation and data minimisation principles are applied and documented, and accepts any residual re‑identification risk within the DPIA /Record of Processing Activities (ROPA)before authorising onward use or disclosure.
(c) The Information Asset Owner(or equivalent role as defined by the ChiefData Office)is accountable for the information asset’s management and protection, maintaining theInformation AssetInventory(also referred to in security standards as the Information Asset Register or IAR), setting and monitoring access, sharing, retention and disposal controls, and providing assurance that controls are appropriate and proportionate.
(d) Product / System Owneris responsible forimplementing and enforcing the approved outcomes by encryption and other controls for obfuscated data.
(e) Suppliers that cannotcomply withthe security policy must request a security policy exception. All exceptions, security gaps, or use of non-standard access (such as generic accounts) must be risk-assessed and ratified by theappropriate formalgovernance board (for example, the Digital Design Authority or Policy and Standards Review Group (PSRG)) prior to Senior Responsible Owner (SRO) acceptance.
Compliance
(a) All DWP employees, whether permanent or temporary (including DWP’s contractors) have security responsibilities and must be aware of, andcomply with, DWP’s security policies and standards.
(b) Many of DWP’s employees and contractors handle sensitive information dailyand so need to be enactingminimumbaseline behavioursappropriate tothe sensitivity of the information.Most security incidents and breaches relate to information security.
(c) Failure to report a security incident, potential or otherwise, could result in disciplinary action and, in the most severe circumstances, result in dismissal. A security incident is the attempted or actual unauthorised access, use, disclosure, modification,lossor destruction of a DWP asset (or a supplier asset that provides a service to the Authority) in violation of security policy. The circumstances may include actions that were actual, suspected, accidental, deliberate, or attempted. Security incidents must be reported as soon as possible. Suppliers must follow the DWP Security Incident Management Standard (SS-014).
(d) DWP’s Security and Data Protection Team will regularly assess for compliance with this policy and may need to inspect physical locations, technology systems,designand processes and speak to people tofacilitatethis. All DWP employees, agents, contractors, consultants, businesspartnersand service providers willbe requiredtofacilitate, support, and when necessary,participatein any such inspection. DWP Collaboration and Communication Services will use software filters to block access to some online websites and services.
(e) Any exemption to this policymustbe formally risk-assessed and approved by theappropriate governanceboard (for example the Digital Design Authority (DDA) or PSRG), rather than solely by the project Senior Responsible Owner (SRO). If an individual is aware of an activity that falls into this category, they should notify the Security Policy and Standards Teamimmediately.