Skip to Content
Version 3.6 by Helena K. on 2026/01/27 13:18
Hide last authors
Helena K. 1.1 1 {{box title="**Contents**"}}
2 {{toc/}}
3 {{/box}}
4
5 = Document History =
6
Helena K. 2.2 7 (% style="width:1039.96px" %)
8 |Version|(% style="width:110px" %)Date|(% style="width:856px" %)Comment
9 |1.0|(% style="width:110px" %)21/8/2015|(% style="width:856px" %)Initial version.
10 |2.0|(% style="width:110px" %)7/3/2018|(% style="width:856px" %)(((
Helena K. 1.1 11 Replaced the “Embargo: Privileged access” use case confidentiality status to use CONF_STATUS:E instead of CONF_STATUS:N. When this guideline is implemented, the CONF_STATUS:N can no longer be used for this use case (the embargo time is ignored if the CONF_STATUS is N).
12
13 Clarified the document text, removed superfluous text.
14
15 Added use of time zone is recommended.
16 )))
17
18 = Introduction =
19
Helena K. 2.2 20 This paper presents use case scenarios related to confidentiality and embargo in SDMX data exchanges, and provides recommendations on how to represent these elements in the SDMX model. The aim is to provide a consistent and practical way to represent these aspects in SDMX artefacts in order to promote cross-domain consistency, and harmonise methodology and processes.
Helena K. 1.1 21
22 Confidentiality aims at protecting data from unauthorised disclosure that could be prejudicial or harmful to the interest of the source or other relevant parties.
23
24 Embargo means that data may become public only after expiry of a pre-defined date and time.
25
26 Embargo establishes a relationship between a set of data (e.g. an observation), a date/time and a group of privileged data recipients.
27
28 Disclosure of data marked as confidential or under embargo is not permitted. Procedures should be in place to prevent such disclosure, including rules for staff, aggregation rules when disseminating data, provision of unit records, etc.
29
30 There needs to be a formal agreement between organisations involved in the exchange of confidential data in order to prepare systems and workflows.
31
32 Data exchange partners are advised to agree up front on the usage of the embargo mechanism(s) for specific data messages.
33
34 The embargo CONF_STATUS value “E” is not recommended for final dissemination to users but only for data exchange.
35
36 = Use Cases =
37
Helena K. 2.2 38 This section describes the confidentiality and embargo use cases that are addressed by these guidelines. The use cases and embargo SDMX representations are summarised in annex 1:
Helena K. 1.1 39
40 == Use case 1: Non-confidential data ==
41
42 Data is available to the public immediately, meaning that data is not confidential and there is no embargo.
43
44 The data’s CONF_STATUS attribute should be set to “Free (free for publication)”.
45
Helena K. 2.4 46 {{box}}
Helena K. 2.5 47 **SDMX representation**
Helena K. 1.1 48
Helena K. 2.4 49 * **CONF_STATUS**: F
50 {{/box}}
Helena K. 1.1 51
52 == Use case 2: Confidential data ==
53
54 === Exchange of confidential data without embargo nor forwarding to secondary recipients ===
55
Helena K. 2.2 56 One or more observations in the data message are confidential. Embargo does not play a role in this scenario. Depending on arrangements between data exchange partners, this data can be made available to privileged data users.
Helena K. 1.1 57
Helena K. 2.2 58 The observation’s CONF_STATUS attribute should use a specific code denoting the confidential character of the information. Below are some examples of such confidentiality statuses{{footnote}}For a full list of confidentiality statuses, see https://sdmx.org/wp-content/uploads/CL_CONF_STATUS_1_2_2018.docx{{/footnote}}:
Helena K. 1.1 59
Helena K. 2.2 60 * **N**: Not for publication, restricted for internal use only. Used to denote observations that are restricted for internal use only within organisations
61 * **C**: Confidential statistical information (primary confidentiality) due to identifiable respondents
62 * **D**: Secondary confidentiality set by the sender, not for publication
63 * **A**: Primary confidentiality due to small counts
Helena K. 1.1 64
65 === Forwarding confidential data to secondary recipients ===
66
67 A sender sends confidential data to certain primary recipients, and allows those to forward the confidential data to a restricted and pre-defined set of secondary recipients.
68
Helena K. 2.2 69 The observation’s CONF_STATUS attribute should be marked as “Not for publication, restricted for internal use only”. An additional observation-level attribute: CONF_REDIST, defines the secondary recipient(s) to whom the sender allows the primary recipient to forward confidential data{{footnote}}Example: National statistical institute XX reporting data to Eurostat indicates that Eurostat can forward those data to the ECB, IMF and OECD.  More complex use case: The reporting organization specifies that Eurostat can forward those data only to the ECB Statistics Department, thus excluding all other organisations as well as all other ECB departments.{{/footnote}}. See section **Use of the CONF_REDIST attribute** for the appropriate coding of this attribute.
Helena K. 1.1 70
71 The forwarding of confidential data is represented as follows in SDMX:
72
Helena K. 3.6 73 {{box}}
74 **SDMX representation**
Helena K. 1.1 75
76 * **CONF_STATUS**: N;
77 * **CONF_REDIST **(Observation, Conditional): [Organisation(s)];
Helena K. 3.6 78 {{/box}}
Helena K. 1.1 79
80 === Adding embargo information to a data message ===
81
82 Following the definition of embargo, the recipient must keep the data confidential until a pre-defined point in time (embargo) when it becomes public.
83
84 Two cases can be distinguished:
85
86 * Allowing privileged access to embargoed data
87 * Enabling the frontloading of data into systems
88
89 **//Allowing privileged access to embargoed data//**
90
91 If the goal is to allow the data recipient to have privileged access to embargoed observations in a data message (message), the embargoed observation’s CONF_STATUS attribute should be coded as “E: Not for publication until the embargo time expires; free for publication after the embargo time expires.” with an observation level attribute EMBARGO_TIME (date/time/time zone).
92
Helena K. 3.3 93 {{box}}
94 **SDMX representation**
Helena K. 1.1 95
96 * **CONF_STATUS**: E;
97 * **EMBARGO**_**TIME** (Observation, Conditional): [timestamp]
Helena K. 3.3 98 {{/box}}
Helena K. 1.1 99
Helena K. 2.2 100 Including a time zone is strongly recommended and the best case is to use the UTC (Coordinated Universal Time) time standard. However, if no time zone is provided then the time zone of the recipient is assumed.
Helena K. 1.1 101
102 These two examples represent the same time for a recipient established in the Central European time zone (e.g. Germany, Norway, Gibraltar):
103
104 * (Recommended) With UTC indicator: 2017-12-15T14:02:29Z
105 * With timezone indicator: 2017-12-15T15:02:29+01:00
106
Helena K. 3.6 107 === //Enabling the frontloading of data into systems// ===
Helena K. 1.1 108
Helena K. 2.2 109 If the goal is to allow frontloading of a whole data message into systems so that the data can be made visible to users at the expiry of the embargo date/time, the header section of the message should contain an embargo date/time attribute. This implies that all information in the data message is under the embargo date/time set in the header. The header attribute EmbargoDate with format date/time/time zone indicates until when the whole data message received cannot be shared with any recipient users.
Helena K. 1.1 110
111 Once the EmbargoDate in the header elapses, each observation’s confidentiality status becomes that which is marked in the CONF_STATUS attributes.
112
Helena K. 2.2 113 Note that this scenario presumes that all data in the message cannot be viewed before the header EmbargoDate, and that there is no privileged access before this time. However, observations may be marked with any other confidentiality status that is valid after the frontloading EmbargoDate elapses.
Helena K. 1.1 114
Helena K. 3.3 115 {{box}}
Helena K. 2.1 116 SDMX Representation
Helena K. 1.1 117
118 * **CONF_STATUS**: <Set to the required confidentiality status after the embargo time elapses>; <Header>\<EmbargoDate>: [timestamp]
Helena K. 3.3 119 {{/box}}
Helena K. 1.1 120
Helena K. 2.2 121 The two ways of representing embargoed data exist to provide efficiency in the exchange, allow for differentiating data intended to be frontloaded and data aimed to be provided in advance to a restricted audience, and provide flexibility when few observations need to be embargoed in a large data message. The trade-off is the complication of system implementation to support the two representations of embargo, which has to be done locally on a case-by-case basis.
Helena K. 1.1 122
123 = Additional recommendations and examples =
124
Helena K. 2.2 125 In data flows that feature confidential data, CONF_STATUS is highly recommended to be a mandatory attribute. However, if CONF_STATUS is optional in the DSD and missing from an observation, it is always implied to be “F” (free).
Helena K. 1.1 126
Helena K. 3.5 127 == Use of the CONF_REDIST attribute ==
Helena K. 1.1 128
Helena K. 2.2 129 The CONF_REDIST attribute defines the secondary recipient(s) to whom the sender allows the primary recipient to forward confidential data. It is recommended to be an optional attribute at observation level. Ideally it should reference a shared code list containing standard organisation codes. To allow several secondary recipients there are these possibilities:
Helena K. 1.1 130
Helena K. 2.1 131 Use a code that represents multiple organisations, or;
Helena K. 1.1 132
Helena K. 2.2 133 Use several CONF_REDIST attributes to portray the multiple recipients. Each attribute represents one recipient and references the same codelist. This implementation is cleaner than the above point 1, though this will require adding as many attributes to your DSD as there are potential recipients of the redistributed confidential data.
Helena K. 1.1 134
135 If the EMBARGO_TIME and CONF_REDIST attributes are both used:
136
137 1. Data is available only to the organisations in CONF_REDIST until EMBARGO_TIME
138 1. Data is available to the public after EMBARGO_TIME
139
140 |(% colspan="3" %)(((
Helena K. 2.1 141 (% class="wikigeneratedid" id="HPrivilegedAccess" %)
142 Privileged Access
Helena K. 1.1 143 )))
144 |**Use case**|**No forwarding**|**Forwarding**
145 |**Embargo**|(((
146 CONF_STATUS: E
147
148 EMBARGO_TIME
149 )))|(((
150 CONF_STATUS: E
151
152 EMBARGO_TIME
153
154 CONF_REDIST
155 )))
156 |**No embargo**|CONF_STATUS: N|(((
157 CONF_STATUS:N
158
159 CONF_REDIST
160 )))
161
162 === An example of sending data for privileged access with data forwarding information ===
163
164 This example describes a case where data needs to be embargoed until a certain date and time, and may be sent to certain other organisations in a single transmission without modification of the data or attributes.
165
166 This example is based on the exchange of sector accounts statistics within the European statistical system.
167
168 * The national statistical institutes send data to Eurostat, and allow the data to be shared with the ECB for statistical coproduction
169 * The data may only be shared with the public on the next day
170
171 **CONF_STATUS:**E**;**
172
173 **CONF_REDIST: **ECB**;**
174
175 **EMBARGO_TIME=<**T+1 day**, **e.g.** **2017-12-15T10:00:00Z>
176
Helena K. 2.2 177 The solutions suggested above aim at covering the most common confidentiality and embargo use cases within a single transmission from the primary reporter to the primary recipient. However, for some more complex scenarios it might still be required to make multiple transmissions.
Helena K. 1.1 178
179 It is strongly recommended that use cases are specified in an agreement between organisations involved in regular transmissions up-front in order to avoid unnecessary delay in data publication or – much worse – confidentiality breaches.
180
181 **Annex 1: SDMX Representation of the confidentiality use cases**
182
183 |(((
Helena K. 2.1 184 (% class="wikigeneratedid" id="HUsecase" %)
185 Use case
Helena K. 1.1 186 )))|(((
Helena K. 2.1 187 (% class="wikigeneratedid" id="HCONF_STATUS28Observation29" %)
188 CONF_STATUS (Observation)
Helena K. 1.1 189 )))|(((
Helena K. 2.1 190 (% class="wikigeneratedid" id="HAdditionalattributes" %)
191 Additional attributes
Helena K. 1.1 192 )))|(((
Helena K. 2.1 193 (% class="wikigeneratedid" id="HRemarks" %)
194 Remarks
Helena K. 1.1 195 )))
196 |(((
Helena K. 2.1 197 (% class="wikigeneratedid" id="HNon-confidentialdata" %)
198 Non-confidential data
Helena K. 1.1 199 )))|(((
Helena K. 2.1 200 (% class="wikigeneratedid" id="HF" %)
201 F
Helena K. 1.1 202 )))|(((
203 == ==
204 )))|(((
205 == ==
206 )))
207 |(((
Helena K. 2.1 208 (% class="wikigeneratedid" id="HConfidentialdatawithnoembargo" %)
209 Confidential data with no embargo
Helena K. 1.1 210 )))|(((
Helena K. 2.1 211 (% class="wikigeneratedid" id="HC3BD3BS3BA3BO3BT3BG3BM3BN" %)
212 C;D;S;A;O;T;G;M;N
Helena K. 1.1 213 )))|(((
Helena K. 2.1 214 (% class="wikigeneratedid" id="H-2" %)
215
Helena K. 1.1 216 )))|(((
Helena K. 2.1 217 (% class="wikigeneratedid" id="HCONF_STATUSwillusuallybeCbutmayalsobeD3BS3BA3BO3BT3BG3BM3BNdependingontherequiredstatusandconfidentialityreason.A0SeetheCL_CONF_STATUScodelistfordetails5B35D" %)
Helena K. 2.2 218 CONF_STATUS will usually be C but may also be D;S;A;O;T;G;M;N depending on the required status and confidentiality reason. See the CL_CONF_STATUS code list for details{{footnote}}https://sdmx.org/wp-content/uploads/CL_CONF_STATUS_1_2_2018.docx{{/footnote}}
Helena K. 1.1 219 )))
Helena K. 2.1 220 |(((
221 **Forwarding of confidential data**
222 )))|(((
223 N
224 )))|(((
Helena K. 1.1 225 CONF_REDIST: (Observation, Conditional)
226
227
228 )))|CONF_REDIST may represent multiple organisations
229 |(((
Helena K. 2.1 230 (% class="wikigeneratedid" id="HEmbargo:Privilegedaccess" %)
231 Embargo: Privileged access
Helena K. 1.1 232 )))|(((
Helena K. 2.1 233 (% class="wikigeneratedid" id="HE" %)
234 E
Helena K. 1.1 235 )))|(((
Helena K. 2.1 236 (% class="wikigeneratedid" id="HEMBARGO_TIME28Observation2CConditional29" %)
237 EMBARGO_TIME (Observation, Conditional)
Helena K. 1.1 238
239
240 )))|Only the observations with an EMBARGO_TIME attribute are embargoed. After the embargo time elapses, the data are free for publication (equivalent to F status).
241 |(((
Helena K. 2.1 242 (% class="wikigeneratedid" id="HEmbargo:Privilegedaccesswithforwarding" %)
243 Embargo: Privileged access with forwarding
Helena K. 1.1 244 )))|(((
Helena K. 2.1 245 (% class="wikigeneratedid" id="HE-1" %)
246 E
Helena K. 1.1 247 )))|(((
248 EMBARGO_TIME (Observation, Conditional)
249
Helena K. 2.1 250 (% class="wikigeneratedid" id="HCONF_REDIST:28Observation2CConditional29" %)
251 CONF_REDIST: (Observation, Conditional)
Helena K. 1.1 252 )))|(((
Helena K. 2.1 253 (% class="wikigeneratedid" id="HOnlytheobservationswithanEMBARGO_TIMEattributeareembargoed.Aftertheembargotimeelapses2Cthedataarefreeforpublication28equivalenttoFstatus29." %)
Helena K. 2.2 254 Only the observations with an EMBARGO_TIME attribute are embargoed. After the embargo time elapses, the data are free for publication (equivalent to F status).
Helena K. 1.1 255
Helena K. 2.1 256 (% class="wikigeneratedid" id="HCONF_REDISTmayrepresentmultipleorganisations" %)
257 CONF_REDIST may represent multiple organisations
Helena K. 1.1 258 )))
259 |(((
Helena K. 2.1 260 (% class="wikigeneratedid" id="HEmbargo:Frontloading" %)
261 Embargo: Frontloading
Helena K. 1.1 262 )))|(((
Helena K. 2.1 263 (% class="wikigeneratedid" id="HSettotherequiredconfidentialitystatusaftertheembargotimeelapses." %)
264 Set to the required confidentiality status after the embargo time elapses.
Helena K. 1.1 265 )))|(((
Helena K. 2.1 266 (% class="wikigeneratedid" id="H3CHeader5CEmbargoDate3E:5Btimestamp5D" %)
267 <Header\EmbargoDate>: [timestamp]
Helena K. 1.1 268
269
Helena K. 2.1 270 )))|(((
271 There is no EMBARGO_TIME attribute as the whole message is embargoed with no privileged access.
272 )))
Helena K. 1.1 273
274 ----
275
Helena K. 3.2 276
277 {{putFootnotes/}}
© Semantic R&D Group, 2026