Thank You for Your Letter of 19 December 2008, Requesting an Internal Review Into This

Whatdotheyknow.com21 January 2009

FoI 1335/08

Dear Mr White,

Thank you for your letter of 19 December 2008, requesting an internal review into this Department’s handling of your request for information of 7 December 2008. That request related to aspects of the Department’s policies and procedures associated with its obligations under the Data Protection Act to which we responded on 19 December.

I am a senior civil servant and deputy director of the Department’s Information and Devolution policy division. In accordance with the Department’s policy on conducting internal reviews of FoI requests I was not connected with the initial decision on your request and have considered it afresh.

In your request for a review you specifically mention that you consider one element of your request has not been dealt with. Specifically:-

“What policy documents do the DWP have to prevent breaches of Principle 7 of the Data Protection Act 1998 and to address the need to ensure and require that internal changes and reorganisation do not cause failures that could or should be reasonably viewed as breaches of Principle 7”

In the Department’s earlier response to you of 19 December on this aspect you were asked to supply specific details of any instance of reorganisation that you had in mind. You have now clarified this and point to the introduction of Employment and Support Allowance (ESA). As background, a detailed explanation of the delivery of ESA is available on the Department’s website at

I also attach additional background information on ESA at Annex A which you may find helpful.

You suggest that the way the Department is administering the ESA

is contrary to Principle 7 of the Data Protection Act which relates to the security of personal information. In particular you contend that the “Automated processing of data, indicating that a claimant has been re-assessed for entitlement and failed this re-assessment is in fact Damage to Data as the resultant data being processed by the DWP has become ‘Inaccurate, Misleading or Incomplete’”

As you know the Department does not carry out any automated data processing. In any event ESA is a new benefit affecting new claimants only so any reassessments that you refer to are not relevant here.

I am satisfied that ESA procedures and the processing of ESA claims is DPA compliant. This was confirmed at the High Level Business Design stage and the business requirements signed off by the Jobcentre Plus Chief Executive. The Departmental Security Team has accredited the Customer Account Manager system used to administer ESA claims which confirms that schedule 7 of DPA is adhered to.

You go on to request copies of DWP policies that specifically ensure that when the DWP reorganises there are no security breaches in relation to customer data. Large scale delivery of policy changes are normally delivered by projects which routinely take into account the Data Protection Act aspects of any changes that may affect the handling of customer information. I can only reiterate that a Data Protection Act policy document focusing solely on the implications of organisational change is not held in that format. The implications of the Data Protection Act are instead embedded in project management and staff procedures.

In your review request you yourself suggest that the information you seek here may be found within the policy documents operated by the DWP on internal change and or reorganisation.

The Data Protection Act is routinely taken into account at all stages of the DWP lifecycle which is used to implement all change. At the initial design stage for any change theHigh Level Business Requirement formalises the business requirement, in order for the solution providers to have a clear understanding of the requirements which must be delivered. This document is be used to inform high-level estimations, high level solution design and initial testing plans. I have attached a word file copy of the document,which include reference to the Data Protection Act, for information.

Turning to the other elements of your request.

What reporting procedures and policies do the DWP have for breaches of the Data Protection Act in any and all forms under all principles, and where possible please provide these policy documents and copies of employee guidance on how to make such reports?

You were pointed to the Information Commissioner’s website for the guidance that the Department follows in relation to policies and procedures for dealing with breaches of the Data Protection Act. I confirm that this guidance represents the Department’s approach when dealing with any such breaches.

You also asked:-

On how many occasions in the last five years have the DWP breached or believe themselves to have breached the Data Protection Act in any way under all principles, and where possible provide breakdown of these incidents, by benefit being processed, area/office and the number of claimants affected as well as principle breached?

Please provide information as to the number of benefit claimants who have been adversely affected by these breaches, the time taken to recognise that breach and resultant effect, and the time taken to remedy the effect and restore the claimant to the position they should have been in should the breach have not occurred, and where this has required the intervention of either the Tribunal Service or The ICO please indicate this.

How many employees of the DWP have been subject to investigation and or disciplinary action and or dismissal for breaches of the Data Protection Act in the last five years?

The definition of what is a “breach”of the Data Protection Act can be very broaddepending on the circumstances involved. Breaches by Government Departments of the Data Protection Act 1998 can be dealt with formally by the Information Commissioner or the Courts; or by Departments at an informal local level. The information you seek in the format requested here is not held centrally and could only be provided at disproportionate cost.

We estimate that the cost of complying with this part of your request would exceed the appropriate limit of £600. The appropriate limit has been specified in regulations and for central Government it is set at £600. This represents the estimated cost of one person spending 3½ working days in determining whether the Department holds the information, and locating, retrieving and extracting the information. Under section 12 of the Freedom of Information Act the Department is not obliged to comply with your request and we will not be processing it further.

I note that we have already provided you with the information in this area that is readily available and which consists of earlier replies to two related Parliamentary Questions.

If you are not content with the outcome of my internal review you have the right to apply directly to the Information Commissioner to look into the way your request has been handled.

FoI Complaints Resolution

Information Commissioner’s Office

Wycliffe House

Water Lane

Wilmslow

Cheshire

SK9 5AF

Fax: 01625 545 510

email:

However, if you wish to continue corresponding about aspects of ESA delivery because you need better to understand details of the operational aspects of its introduction please let me know and I will forward your correspondence on to the relevant ESA officials here in DWP.

Rob Molan

DWP Information and Devolution policy

Annex A

Background information on Employment and Support Allowance

ESA is a new allowance which includes a clear framework of rights and responsibilities delivered using an enhanced regime of work-focused interviews, with a firmer conditionality regime. ESA was introduced on the 28 October 2008. From this date any new customer wishing to make a claim on the grounds of ill health or disability is able to contact Jobcentre Plus to make a claim for ESA and the new business and IT systems are in place to support this.

With ESA Jobcentre Plus has introduced an end-to-end ESA customer service supported by an initial business operating model and supporting IT. All ESA claims will be taken in one of the six Contact Centres that will handle ESA customers’ claims. The full integrated IT system will be tested through the trailblazer in TeesValley, in its Benefit Delivery Centre and associated Jobcentres. The rest of the Benefit Delivery Centre and Jobcentre network will operate an interim process to provide an opportunity for DWP to learn from initial deployment to ensure a fully optimised system rolls out nationally.

ESA and the supporting IT was delivered on time and to budget. The full delivery approach was discussed at the Work and Pension select committee in July 2008 and the full record of the evidence given can be found at:

An additional 2,000 staff were recruited to support the introduction of ESA.In addition, as is normal with any significant change to the benefit system, existing staff were trained, where appropriate, to handle ESA claims. Overall Jobcentre Plus is resourced to deliver its full range of services.