Monday, February 23, 2015

Will refusing to share sensitive personal data impact your #UC claim?

If you claim Universal Credit (“UC”) the DWP intends to share your most sensitive personal data with local authorities, citizens advice bureaux, credit unions, social landlords and relevant registered charities:

  • Full name (including initials)
  • Contact details including: address, email, telephone.
  • Details of others in household, in relation to the relevant Benefit Unit.
  • Type of accommodation – private / social rented, owned, none etc.
  • Gender
  • Ethnicity *.
  • National Insurance Number.
  • Date of birth / age range.
  • Employment status / earning.
  • Debts / arrears/rent payable.
  • Benefits received including: level of payment, copy of documents (e.g. claimant commitment).
  • Health conditions / disabilities *
  • Caring responsibilities.
  • Qualifications / training status.
  • Transport situation e.g. able to drive /access to car or easy access or public transport.
  • Barriers to work.
  • Languages spoken.
  • Access to financial products such as bank / building / credit union / Post Office card account / credit card.
  • Level of personal budgeting.
  • Access to computer and internet.
  • Level of digital skills.

On the 10th December 2014 the DWP quietly published a consultation document (see link below). This does seem to be a strange time to launch a consultation exercise given the proximity of the Christmas and New Year holidays. People would be forgiven for wondering if the DWP was attempting to sneak this out without anyone finding out until it was too late.

Controlling and processing any personal data like that listed above is subject to the Data Protection Act 1998 (“DPA”). In the UK we have an organisation called the Information Commissioner (“ICO”) which has a statutory role in regulating the DPA. The DWP knows this as it has consulted with it on other matters. Did the DWP invite the ICO to take part in the consultation process? It probably won’t come as a surprise to many people to hear that the DWP didn’t invite the ICO to take part and as a result people would be forgiven for wondering how seriously the DWP takes its obligations under the DPA when dealing with sensitive personal data.

When I heard about the DWP proposals I sent a copy to the ICO as I wasn’t happy with the type of information being shared and the fact that the DWP included a threat against claimants if they weren’t willing to share their data. In section 4.4 of its consultation document the DWP states:

Objecting to information sharing may, of course, have the potential to undermine an individual’s claim – claimants will therefore need to be advised about the possible adverse consequences of objecting to information sharing.”

It seems that the DWP just can’t help itself. If it doesn’t get its own way it automatically wants to punish members of society who face the most barriers and disadvantages.

Despite having a huge workload, the ICO acted quickly and issued a response to the DWP consultation document (see link below):

It is obvious from its response that the ICO is very unhappy about the DWP proposals and the fact that it wasn’t invited to take part in the consultation. The following extracts give you a taste:

The Information Commissioner is surprised and disappointed not to have also received a copy of this consultation or his officials alerted to the proposals given his Office’s role in regulating the Data Protection Act and also having issued a statutory code of practice on data sharing – We have been consulted in the past on data sharing initiatives arising from the Welfare Reform Act such as the Troubled Families initiative and have worked closely with the Department and local support agencies in advising on data sharing and helping to overcome perceived barriers. Additionally the shortness of the consultation period, and falling over the holiday period, has meant that we have been unable to give as much consideration to the content of the consultation as we would have wished. We would welcome the opportunity to meet with the Department to discuss in further detail the data protection and privacy issues arising from the regulations which we note are intended to come into force on 13 February 2015 and be implemented the following month.”

The document further states that ‘objecting to the sharing may have the potential to undermine an individual’s claim and so claimants will need to be advised about the possible adverse consequences of objecting to information sharing’. The Information Commissioner’s view is that consent is not appropriate where it cannot be freely given and where the data sharing is to take place regardless of the wishes of an individual or where a sanction could be imposed if agreement is not forthcoming. In this context it is also important to clarify that there is no legal opt out under the DPA but any such arrangements should be as transparent as possible and that individuals affected should be aware that the processing will be taking place.”

With so much personal data being collected and used by large organisations these days, some people may be wondering if any of this really matters. I think it does matter and that as a society we are sleep walking into a data protection nightmare. It isn’t just companies trying to sell us goods that make use of data about us. There can be some very unpleasant consequences of allowing organisations access to our sensitive data and have free reign to do what they want with it. What about if:

  • The data being shared about you is wrong and it results in the wrong decisions being made about you? (e.g. you get refused credit, your insurance costs go up or landlords won’t rent to you).
  • It allows unscrupulous companies to target members of society who face the most barriers and disadvantages and steal from them?
  • The organisations lose your data and it enters the public domain. You could end up suffering verbal or physical abuse as this Government’s ongoing demonization of people claiming benefits makes this a sad and worrying possibility.
  • You simply don’t want these organisations to know so much about you? After all it’s your life and your data.
  • The data isn’t used solely for the purposes claimed? Sharing such sensitive information as part of your UC claim relies on you being able to trust the DWP and the organisations listed.

Only you know if you are happy to share your information so widely, which is why the DPA states that each of us must give our consent for our data to be shared. However, some of the data on the DWP is treated differently and is called sensitive personal data (“SPD”). For this to be shared the DWP needs your explicit consent. This means you have to freely agree (i.e. not subject to threat or other coercion) in unambiguous terms that you are happy for specific data to be shared for specific purposes.

The ICO data sharing code of practice defines consent as:

Consent (explicit consent for sensitive personal data) is one of the conditions the DPA provides to legitimise processing. The Data Protection Directive on which the UK’s DPA is based defines ‘the data subject’s consent’ as: ‘any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed’. “There must therefore be some form of active communication where the individual knowingly indicates consent. Whilst consent will provide a basis on which organisations can share personal data, the ICO recognises that it is not always achievable or even desirable. If you are going to rely on consent as your condition you must be sure that individuals know precisely what data sharing they are consenting to and understand its implications for them. They must also have genuine control over whether or not the data sharing takes place. It is bad practice to offer individuals a ‘choice’ if the data sharing is going to take place regardless of their wishes, for example where it is required by statute or is necessary for the provision of an essential service.

The DPA definition of what counts as SPD is shown below. The data items marked with an “*” in the list of data that the DWP intends to share is SPD. Other data (e.g. language spoken) could also be SPD if they also disclose information listed below:

  1. the racial or ethnic origin of the data subject,
  2. his political opinions,
  3. his religious beliefs or other beliefs of a similar nature,
  4. whether he is a member of a trade union (within the meaning of the M1TradeUnion and Labour Relations (Consolidation) Act 1992),
  5. his physical or mental health or condition,
  6. his sexual life,
  7. the commission or alleged commission by him of any offence, or
  8. any proceedings for any offence committed or alleged to have been committed by him, the disposal of such proceedings or the sentence of any court in such proceedings.

I believe that allowing organisations to have access to SPD is as much a matter of trust as anything else. Do you trust the DWP to do what it says and only use the data for what states in the consultation document? Personally I don’t trust the DWP due to its historic behaviour and how it plans to share your data with these organisations using a new IT system...