DWP repeatedly failed to provide data requested by DNS and others, says regulator

The Department for Work and Pensions (DWP) has repeatedly breached data protection regulations by failing to provide benefit claimants and others – including Disability News Service (DNS) – with the information it holds about them.

The huge backlog dates back months before the start of the COVID-19 pandemic, and DWP has repeatedly been informed by the Information Commissioner’s Office (ICO) that its failure to provide this information is a clear breach of the General Data Protection Regulation (GDPR).

The existence of the backlog has emerged while DNS has been trying for more than 16 months to obtain copies of emails and letters exchanged among DWP communications staff about DNS editor John Pring, through what is known as a subject access request (SAR).

Despite DNS twice narrowing its SAR to make it easier and less time-consuming for DWP to respond to, the department is still refusing to provide the information.

The latest request was submitted on 23 January – well before the onset of the pandemic caused a significant increase in the department’s workload – and it now relates solely to emails sent or received by staff on the disability desk* in DWP’s press office through 2019.

Data protection regulations state that DWP should provide the information requested through a SAR within just one calendar month in most cases.

But DWP has so far refused to communicate with DNS by email, or even acknowledge the 23 January request.

The last letter – sent by post to Pring’s previous home address – was sent by DWP’s “right of access manager” more than six months ago.

ICO has told DNS it is sending fresh batches of overdue SARs to DWP every month.

The DNS request was included in the batch sent by ICO to DWP on 27 March, a few days after the country began its first national lockdown.

In that batch of SARs, DWP was told by ICO that it appeared to have used the excuse that DNS’s request was “excessive” when the ICO said it “doesn’t appear to be”.

It also pointed out that DWP had “incorrectly” used the Freedom of Information Act to justify refusing to provide information requested by DNS, when the relevant legislation was the Data Protection Act and GDPR.

An ICO case officer told DNS in March: “I have considered the information available in relation to this complaint and I am of the view that DWP has not complied with its data protection obligations.

“This is because it did not provide you with an appropriate response to your SAR within one calendar month.

“Also DWP have incorrectly quoted extracts of the Freedom of Information Act (FOI), when in fact your request was for a SAR, which comes under the Data Protection Act (DPA)/and General Data Protection Regulation (GDPR).

“I also consider that you have been willing to limit and reduce your SAR and that DWP have not made any attempt to work with you and provide at least some readily available data, but instead applied a seemingly blanket response.”

He said in March that ICO would be “contacting DWP about your complaint, and asking it to deal with your SAR as a matter of urgency”, and then said again in early October that he had asked DWP to look at the DNS complaint, and promised to do so yet again earlier this month.

He also said: “By sending details of your complaint we have informed DWP of a breach in late SAR response, as they are receiving complaints in batches each month from us.

“We are of course monitoring their overall performance and retain details of all complaints on our system, to help with any potential future action we may take.”

An ICO spokesperson refused this week to provide an approximate figure for the size of the DWP SAR backlog, despite ICO’s role as the UK’s “independent body set up to uphold information rights”, because she said it “requires a certain amount of work which can’t be dealt with as a media enquiry”.

She suggested that DNS should submit a freedom of information request for that information.

But she confirmed that the backlog pre-dated the pandemic, although its “efforts to clear this have been impacted by it”.

She said ICO was continuing to work with DWP to ensure it responded to outstanding SARs “as soon as possible”, despite the “unprecedented demand for its services”.

She said: “The ICO takes all matters relating to people’s right to access their personal information under GDPR very seriously and works closely with organisations to help them meet their obligations.”

DWP refused to comment, or to say how large the backlog was, or why it was allowed to build up, and refused to explain the lack of communication with DNS over its SAR.

*There is no suggestion or evidence that any members of DWP’s disability desk have behaved unprofessionally in discussing the work of DNS or its editor. DNS is hoping instead to uncover a clearer picture of the department’s views of key issues around disability equality, benefit reform and how it views DNS’s coverage of those issues

A note from the editor:

Please consider making a voluntary financial contribution to support the work of DNS and allow it to continue producing independent, carefully-researched news stories that focus on the lives and rights of disabled people and their user-led organisations.

Please do not contribute if you cannot afford to do so, and please note that DNS is not a charity. It is run and owned by disabled journalist John Pring and has been from its launch in April 2009.

Thank you for anything you can do to support the work of DNS…