DWP Central Freedom of Information Team

Our Ref: VTR1267

19 December 2008

Dear White

Freedom of Information Request - VTR 1267

I am responding to your letter of 7 December in which you requested certain information in accordance with the Freedom of Information Act.

In the following, I have reproduced each of your questions as highlighted below, together with our replies.

What policy documents do the DWP have to prevent Breaches of Principle 7 of The Data Protection Act 1998 and to address the need to ensure and require that internal changes and reorganisation do not cause failures that could or should be reasonably viewed as breaches of Principle 7?

As a registered data controller, the Department is required to comply with all the Principles set out in Schedule 1 to the Data Protection Act, and we take those responsibilities very seriously. The Seventh Principle requires appropriate technical and organisational measures to be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data. The many ways in which we secure compliance with that principle are not captured in a single policy document that I can usefully send you. I can, however, assure you that we always aim to ensure that no internal change or reorganisation puts personal data at risk.

I am unsure from your question as to whether you had a specific instance in mind that you might wish to bring to our attention, and if so, you might wish to let me have full details, and I may be able to offer further comments.

What reporting procedures and policies do the DWP have for breaches of the Data Protection Act in any and all forms under all principles, and where possible please provide these policy documents and copies of employee guidance on how to make such reports?

The Department follows the guidance published by the Information Commissioner on 27 March 2008, which is available by following the attached link:

http://www.ico.gov.uk/upload/documents/library/data_protection/practical_application/breach_reporting.pdf

On how many occasions in the last five years have the DWP breached or believe themselves to have breached the Data Protection Act in any way under all principles, and where possible provide breakdown of these incidents, by benefit being processed, area/office and the number of claimants affected as well as principle breached?

Please provide information as to the number of benefit claimants who have been adversely affected by these breaches, the time taken to recognise that breach and resultant effect, and the time taken to remedy the effect and restore the claimant to the position they should have been in should the breach have not occurred, and where this has required the intervention of either the Tribunal Service or The ICO please indicate this.

How many employees of the DWP have been subject to investigation and or disciplinary action and or dismissal for breaches of the Data Protection Act in the last five years?

I attach a copy of each reply given to two Parliamentary Questions which address your questions.

I hope that my replies addressed the issues about which you were concerned.

If you are not satisfied with my reply to your request, please tell me why within two calendar months of the date of this letter. I will then arrange for someone to conduct an internal review of your request and my decision. The review will be conducted by another officer, usually of a more senior grade to myself. This person will have taken no part in my original decision. The reviewing officer will advise you of their decision in writing.

If you are not content with the outcome of the internal review you have the right to apply directly to the Information Commissioner to look into the way your request has been handled.

The Commissioner can be contacted at:

FoI Complaints Resolution

Information Commissioner's Office

Wycliffe House

Water Lane

Wilmslow

Cheshire

SK9 5AF

Fax: 01625 524 510

email: [email address]

Yours sincerely,

Sent by e-mail

DWP Central FoI Team