This is an HTML version of an attachment to the Freedom of Information request 'Re; data Protection Act'.


Annex A


Dear Ms Griffiths,

Thank you for your Freedom of Information request received on 05 March 2010. I apologise for the delay in replying. You asked:

Please provide the following information regarding your responsibilities under the Data Protection Act (DPA):

1. How many requests do you get under the DPA each year?

2. How do you verify the authenticity of DPA requests?

3. Do you conduct regular DPA audits / have an auditing policy?

4. Do you maintain data on errors in information covered by the DPA? a. If so, please provide data for the past 5 years.

I will respond to each of your questions in turn.

1. How many requests do you get under the DPA each year?

The Department for Work and Pensions (DWP) does not collate the number of requests received under the DPA each year.

We estimate that the cost of complying with this part of your request would exceed the appropriate limit of £600. The appropriate limit has been specified in regulations and for central Government it is set at £600. This represents the estimated cost of one person spending 3½ working days in determining whether the Department holds the information, and locating, retrieving and extracting the information. Under section 12 of the Freedom of Information Act the Department is not obliged to comply with your request. If you were to make a new request for a narrower category of information, it may be that we could comply with that request within the appropriate limit, although I cannot guarantee that this will be the case.

Please let us know if there is any particular area of DWP in which you are interested, e.g. a Jobcentre Plus region (such as Central London, or Greater Manchester).

2. How do you verify the authenticity of DPA requests?

DWP's Subject Access Request Guide (SARG) provides advice to DWP staff on what must be considered when verifying the authenticity of requests under the DPA (subject access requests). The verification process is the same for any correspondence received within DWP. I have attached a copy of the guidance at Annex A.

3. Do you conduct regular DPA audits / have an auditing policy?

The DPA does not require any formal audits of compliance with the legislation, nor do we have an auditing policy relating to the DPA per se. In line with Government Standards, Internal Audit supports the Department through evaluating and improving the adequacy and effectiveness of the organisation's governance, risk management and control. The provision of this independent assurance is based on a systematic, disciplined approach to evaluate and improve the policies, procedures, processes, capabilities and capacity in place, including those to support compliance with established policies, procedures, laws and regulations and to safeguard the organisation's assets and interests from losses of all kinds.

4. Do you maintain data on errors in information covered by the DPA? a. If so, please provide data for the past 5 years

No statistical data are held regarding erroneous data corrections.

However, work is undertaken to identify and correct error. For example, scans are run of DWP systems in order to create sets of data for in-house data matching/accuracy work. But the sole purpose of this work is to identify and correct error.

Data are updated or corrected as an inherent part of the Department's business. DWP uses a range of tools and techniques in order to identify and deal with error, such as automated data matching of DWP data against HMRC tax data and data from other Government departments.

The Department also provides its customers with this overview of how - among other things - data might be used for error checking purposes: www.dwp.gov.uk/privacy.asp and goes into more detail about what this might mean here: http://www.dwp.gov.uk/DWP-your-personal-information.pdf.

If you have any queries about this letter please contact me quoting the reference number above.

Yours sincerely,

DWP Central FoI Team

------------------------------------------------------------------------------------------------------

Your right to complain under the Freedom of Information Act

If you are not happy with this response you may request an internal review by e-mailing [DWP request email] or by writing to DWP, Central FoI Team, 2nd Floor The Adelphi, 1-11, John Adam Street, London WC2N 6HT. Any review request should be submitted within two months of the date of this letter.

If you are not content with the outcome of the internal review you may apply directly to the Information Commissioner's Office for a decision. Generally the Commissioner cannot make a decision unless you have exhausted our own complaints procedure. The Information Commissioner can be contacted at: The Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow Cheshire SK9 5AF www.ico.gov.uk

Annex A

Confirming identity

The security requirements of the DPA impose a clear responsibility on DWP to ensure that personal information is not disclosed unlawfully. Also, the Social Security Administration Act 1992 makes it a criminal offence to disclose personal information without lawful authority. It is vital therefore to ensure that we confirm the identity of the person making the request.

When confirming identity, maximum use should be made of:

• personal identifiers such as
  • first name and surname
  • previous surname if necessary
  • date of birth
  • current/previous address

• Departmental identifiers such as
  • national insurance number
  • staff/pay numbers

Pension, Disability and Carers Service guidance on validating identity can be found here.

Jobcentre Plus guidance on verification of identity can be found in Business Delivery Guidance by Business Area, for example, here.

There may be other guidance about verification of identity that we have not provided links to, such as Multi Benefit Bulletins. For example, see Multi-Benefit Bulletin 2009/01 - Verification of Identity here. You will need to look at your own business specific guidance for further procedures to verify identity.

If a DWP customer says their identity has been hijacked, guidance on suspect identity - hijacked or fictitious - can be found here.

If the person making the request does not provide sufficient information to enable the customer's identity to be confirmed, the DPO should notify the requester that we will not supply the data until sufficient information has been provided. You can send a SANTA01 to obtain additional identity details.

DWP Central Freedom of Information Team

e-mail: [DWP request email]

Our Ref: VTR641

28 April 2010