Data Protection - Principle 7
white.mark.a made this Freedom of Information request to Department for Work and Pensions
Response to this request is long overdue. By law, under all circumstances, Department for Work and Pensions should have responded by now (details). You can complain by requesting an internal review.
From: white.mark.a
7 December 2008
Dear Sir or Madam,
What policy documents do the DWP have to prevent Breaches of
Principle 7 Of The Data Protection Act 1998 and to address the need
to ensure and require that internal changes and reorganisation do
not cause failures that could or should be reasonably viewed as
breaches of Principle 7?
What reporting procedures and policies do the DWP have for breaches
of the Data Protection Act in any and all forms under all
principles, and where possible please provide these policy
documents and copies of employee guidance on how to make such
reports?
On how many occasions in the last five years have the DWP breached
or believe themselves to have breached the Data Protection Act in
any way under all principles, and where possible provide breakdown
of these incidents, by benefit being processed, area/office and the
number of claimants affected as well as principle breached?
Please provide information as to the number of benefit claimants
who have been adversely affected by these breaches, the time taken
to recognise that breach and resultant effect, and the time taken
to remedy the effect and restore the claimant to the position they
should have been in should the breach have not occurred, and where
this has required the intervention of either the Tribunal Service
or The ICO please indicate this.
How many employees of the DWP have been subject to investigation
and or disciplinary action and or dismissal for breaches of the
Data Protection Act in the last five years?
Yours faithfully,
white.mark.a
From: DWP Adelphi Freedom-of-Information-Request
Department for Work and Pensions
7 December 2008
This is an automated confirmation that your request for information has
been received at the DWP Central FoI Team.
We will forward your request to the relevant information owner within the
Department who will respond to you direct.
Should you also have any further queries in connection with this request
do please contact us.
For further information on the Freedom of Information Act within DWP
please click on the link below.
http://www.dwp.gov.uk/foi/
Communications via the GSi may be automatically logged, monitored and/or
recorded for legal purposes.
From: DWP Adelphi Freedom-of-Information-Request
Department for Work and Pensions
19 December 2008
Dear Mr White
Please see attached documents in response to your FoI request.
Kind regards
Central FoI Team
Department for Work & Pensions
Information and Devolution Policy - DP/FoI (part of Legal Group)
Freedom of Information Unit
From: white.mark.a
19 December 2008
Dear Sir or Madam,
Please pass this on to the person who conducts Freedom of
Information reviews.
I am writing to request an internal review of Department for Work
and Pensions's handling of my FOI request 'Data Protection -
Principle 7'.
A full history of my FOI request and all correspondence is
available on the Internet at this address:
http://www.whatdotheyknow.com/request/da...
I note that this section of the FOI Request has not been responded
to.
“What policy documents do the DWP have to prevent Breaches of
Principle 7 of The Data Protection Act 1998 and to address the need
to ensure and require that internal changes and reorganisation do
not cause failures that could or should be reasonably viewed as
breaches of Principle 7?”
Please have a response provided by the required date.
The rest of the response is less than satisfactory, indicating that
the DWP have a poor grasp of Data Protection and its application.
In particular the responses cited from Hansard seem to only address
Physical documents as Data and ignore the Definitions of Data as
set out in the DPA 1998. Also information requested as to breaches
of the DPA under each principle has not been addressed.
I request that The DWP revisit compliance with this FOI Request as
a whole and provide the requested information. The response does
not actually provide the requested information.
To assist in this - Principle 1 of The Data Protection Act (DPA)
addresses the question as to whether a Data Controller has the
right to process data, in any form whether that is paper records,
microfiche, sound recordings, video recordings and Electronic Data
– in fact any information in physical or virtual form which is
caught under the Definitions of Data within The Act.
Damage to data can and does occur when it is processed incorrectly
or in such a manner as to make it “Inaccurate, Misleading or
Incomplete”.
For Clarity, Principle 7 states;
“Appropriate technical and organisational measures shall be taken
against unauthorised or unlawful processing of personal data and
against accidental loss or destruction of, or damage to, personal
data.”
Schedule 1 clarifies;
“Having regard to the state of technological development and the
cost of implementing any measures, the measures must ensure a level
of security appropriate to—
(a) the harm that might result from such unauthorised or unlawful
processing or accidental loss, destruction or damage as are
mentioned in the seventh principle, and
(b) the nature of the data to be protected.
10 The data controller must take reasonable steps to ensure the
reliability of any employees of his who have access to the personal
data.”
Where data is “Automatically Processed” by computer systems
operated by the DWP, and the logic and programming of these systems
makes false assumptions as to what is accurate, this causes the
extant data to become damaged and for resultant data to be
inaccurate.
I note that in a parallel FOI request the DWP have made a nonsense
response and claimed that there is no such thing as Automated
Decision Making within the DWP. This is simply false and that FOI
request has still to be complied with.
http://www.whatdotheyknow.com/request/dw...
This FOI request specifically asked;
“What policy documents do the DWP have to prevent Breaches of
Principle 7 Of The Data Protection Act 1998 and to address the need
to ensure and require that internal changes and reorganisation do
not cause failures that could or should be reasonably viewed as
breaches of Principle 7?”
You State;
“I can, however, assure you that we always aim to ensure that no
internal change or reorganisation puts personal data at risk.
I am unsure from your question as to whether you had a specific
instance in mind that you might wish to bring to our attention, and
if so, you might wish to let me have full details, and I may be
able to offer further comments.”
I can give a real world example to assist you in clarifying which
policy documents I am seeking and to assist in further comment and
clarification being made.
The £295 million Computer System for the delivery of Employment And
Support Allowance (ESA) has not been delivered by EDS, the
Government contractor. In preparation for ESA coming in to force on
27 October 2008.
In August 2008, The DWP knowing that the system would not be
available, started to draw staff from existing work areas within
the DWP and started to have them trained in the paper
administration of ESA. This has resulted in staff cuts in a number
of areas of the DWP and increased work loads for the staff left
behind.
As a result The Computer Systems of the DWP, through their
programming and automated decision making, have routinely requested
that specific claimants be re-assessed to see if they still qualify
for benefits. The Computer systems have then requested action by
staff to facilitate this.
As the staff have had to increase work loads by up to 1000% they
have not been able to carry out these assessments within the time
limits that would apply under normal work practices with a full
complement of staff. This has caused months of delay.
Due to this delay, the Computer Systems, following their primary
programming and following the logic of this, with the logic built
around the assumption of a full complement of staff to meet
workloads, has concluded that a Claimant Has been Re-Assessed and
failed to meet entitlement. As A Result the Computer has
Automatically suspended entitlement. It is also noted that Claimants
have not been notified of any of this and no Statutory Notices have
been issued. Matters have only come to light when the claimants
have found themselves penniless because Benefits they had been
receiving were suddenly not being paid.
The Staff in the DWP offices concerned have been most distressed to
have to deal with Claimants who have suddenly found themselves
without money, being forced into debt and suffering hardship,
having no money to pay bills and even receiving bank charges as
monies that should have been available have not been delivered, and
all because the Computer has made a decision based upon wrong data
and operational parameters and the claimant has been in total
ignorance of this.
The DWP staff have blamed themselves when the reality is It is the
DWP that is responsible as Data Controller for ensuring that this
does not occur, and even that staff are not placed in this position
and left suffering stress and anxiety and believing themselves to
be failing in their employment. Queries as to Compliance with The
Health & Safety At Work Act are all too evident as well as the
welfare and care of DWP employees who are being placed in this
situation by the DWP.
This real world example shows how the DWP are affecting individuals
/ Data Subjects where DWP reorganisation and Principle 7 of the DPA
seem to be out of sync.
The Automated processing of Data, indicating that a claimant has
been re-assessed for entitlement and failed this re-assessment is
in fact Damage To Data as the resultant data being processed by the
DWP has become “Inaccurate, Misleading or Incomplete”.
This clearly indicates that The Reorganisation of the DWP with
staff moved to administer ESA should be addressed under Principle
7.
I understand that this problem is falling disproportionately
hard upon the long term sick and disabled as the departments within
the DWP which deal with benefits for these people have had the most
staff removed to administer ESA.
Again, I request copies of the DWP policies that are there to
ensure that when The DWP reorganise and change staff about that
there are no resultant breaches in the Data Protection Act under
Principle 7 and that - “Appropriate technical and organisational
measures shall be taken against unauthorised or unlawful processing
of personal data and against accidental loss or destruction of, or
damage to, personal data.”
An example of such a policy would address who is responsible, when
reorganisation removes staff from a department and increases work
loads for existing staff, for ensuring that The Programming of
systems and the Logic used in Automated Decision Making are rapidly
assessed and altered so that incidents like the one outlined above
do not occur. It would also involve the provision for ensuring that
Statutory Notices are Automatically Issued so that Claimants as
Data Subjects are aware that Processing of Data Is Occurring and
that they are not left in Ignorance of Monies being stopped and are
able to act so as to prevent damages to their financial position.
Perhaps the information I have requested is to be found within the
Policy Documents operated by the DWP on Internal change and or
Reorganisation?
Kindly provide the Requested Information by the specified Time
Limits under the FOI Request.
Your assurance that the DWP Aim to comply with the Data Protection
Act is not reassuring at all. I would also point out that “Taking
Aim” does not mean that the archer has the ability to hit the
target, never mind place the required action within the Bulls Eye.
I understand that the Data Protection places the obligation for
Hitting the Target every time upon the DWP and this is clear under
Principle 7 and even how this is interpreted within the Data
Protection Act itself.
Yours sincerely,
white.mark.a
From: DWP Adelphi Freedom-of-Information-Request
Department for Work and Pensions
19 December 2008
This is an automated confirmation that your request for information has
been received at the DWP Central FoI Team.
We will forward your request to the relevant information owner within the
Department who will respond to you direct.
Should you also have any further queries in connection with this request
do please contact us.
For further information on the Freedom of Information Act within DWP
please click on the link below.
http://www.dwp.gov.uk/foi/
From: DWP Adelphi Freedom-of-Information-Request
Department for Work and Pensions
19 January 2009
Dear Mr White
Please find attached response to your FoI Review request.
Kind regards
Central FoI Team
Department for Work & Pensions
Information and Devolution Policy - DP/FoI (part of Legal Group)
From: white.mark.a
20 January 2009
Martin Dillon
Head of the DWP Central FoI Team
Dear DWP Adelphi Freedom-of-Information-Request,
Dear Sir
I acknowledge your response and explicitly note that it is again
evasive and has not provided the requested information!
Your response is inadequate and also “False” as to fact and
reality!
I also note that your response meets the Definitions of
"Maladministration" operated by the DWP and which can be found at
http://www.dwp.gov.uk/publications/dwp/2...
I fear that the DWP have such a poor grasp of Data Protection and
The Data Protection Act of 1998, that the required information may
be poorly known within the DWP and therefore difficult for your
office to locate. I invite you again to locate it and provide it.
I have requested the identity of the officer of the DWP who can
provide a full and lawful response to “A Subject Access Request”
under Section 7 of the Data Protection Act 1998, referencing upon
section 7(1)d which states;
"(d) where the processing by automatic means of personal data of
which that individual is the data subject for the purpose of
evaluating matters relating to him such as, for example, his
performance at work, his creditworthiness, his reliability or his
conduct, has constituted or is likely to constitute the sole basis
for any decision significantly affecting him, to be informed by the
data controller of the logic involved in that decision-taking."
http://www.opsi.gov.uk/Acts/Acts1998/ukp...
You claim that the DWP has no such person.
You have also claimed that there is no such person required as the
DWP have No Automated Decision making.
Your assertions are false.
The Information Commissioner does provide the following information
- Automated decision-taking - any decisions affecting individuals
made solely on processing by automatic means.
The DWP do process Data concerning claimants and the computer
systems operated by the DWP do “STOP” payment of Benefits
“Automatically”, making “AUTOMATED DECISIONS” under the computer's
programming and associated logic. Where a Computer system,
Independent of human input, “Automatically” stops paying benefits
due to DWP staff failing to provide input... well that is by
definition “AUTOMATED DECISION MAKING”.
It may be that some employees of the Government are so unfamiliar
with such matters, as they are most unlikely to be affected by
them.
You make mention of triggers for staff to take action. It is noted
that where these employees fail to take action the DWP Computer
Systems take matters into their own hands and Decide to stop
Benefit Payments and even entitlement. This is by definition
“Automated Decision Making” and is fully caught under a Lawful
Subject Access Request under Section 7,(1)d.
You should also consider that it is relevant whether it is the
intent of the systems owner for “Automated Decision Making” to
occur. Where it does occur, even with the Data Controller claiming
ignorance, the matter is still caught under the provisions of
Section 7(1)d of the DPA. It should always be considered that
“Ignorance” is no excuse in sight of The Law!
Provide the identity and contact details of the DWP
Officer/Employee who is empowered to provide the required
Information as per section 7,(1)d of the Data Protection Act 1998.
Thank you for clarifying explicitly that the Data Controller for
the DWP is The Rt Hon James Purnell MP, Secretary of State for Work
and Pensions, Caxton House, Tothill Street, London, SW1H 9DA.
Are you indicating that I should ask The Rt Hon Gentleman to
provide the required information himself?
If that should be your intent, can you state so explicitly?
I also note that you have recommended that any dispute over your
response be referred to the Information Commissioner, and this may
well occur, but only after The DWP have been offered and failed to
avail themselves of any and all reasonable possibility of providing a
lawful and valid response to the original request.
Have your valid and correct response with me within 5 working days.
Yours sincerely,
white.mark.a
CC
Andrew George MP
Lord McKenzie Of Luton - Minister DWP - Parliamentary Under
Secretary of State (Lords)(Freedom Of Information & Data
Protection)
Mr Phil Weeks, DWP Area Manager, Devon and Cornwall
From: DWP Adelphi Freedom-of-Information-Request
Department for Work and Pensions
20 January 2009
This is an automated confirmation that your request for information has
been received at the DWP Central FoI Team.
We will forward your request to the relevant information owner within the
Department who will respond to you direct.
Should you also have any further queries in connection with this request
do please contact us.
For further information on the Freedom of Information Act within DWP
please click on the link below.
http://www.dwp.gov.uk/foi/
From: DWP Adelphi Freedom-of-Information-Request
Department for Work and Pensions
21 January 2009
Dear Mr White
Please find attached response to your request for review.
Yours sincerely,
Central FoI Team
Department for Work and Pensions
From: white.mark.a
21 January 2009
Rob Molan
DWP Information and Devolution policy
DWP Adelphi Freedom-of-Information-Request,
Dear Mr Molan
Thank you for your latest response which is most improper.
I again point out that your response meets the definitions of
“Maladministration” that are operated by the DWP and which can be
found here http://www.dwp.gov.uk/publications/dwp/2...
You appear to have made a great many assumptions which are wrong
and inaccurate.
I am presently formulating a full response, However I Note that
neither you nor your colleague Mr Martin Dillon have responded
correctly to this part of my FoI request.
“What reporting procedures and policies do the DWP have for
breaches of the Data Protection Act in any and all forms under all
principles, and where possible please provide these policy
documents and copies of employee guidance on how to make such
reports?”
Could you please provide copies of the employee guidance on how to
report an actual or suspected breach of Principle 7 of the Data
Protection Act 1998 – or any guidance on what employees should do
where any manifest breach of the DPA is suspected or known to be
occurring!
For clarity Principle 7 of the DPA states;
"Appropriate technical and organisational measures shall be taken
against unauthorised or unlawful processing of personal data and
against accidental loss or destruction of, or damage to, personal
data."
http://www.opsi.gov.uk/Acts/Acts1998/ukp...
A fuller correction of the erroneous response you have made will
follow so as to allow The DWP to provide a valid and lawful
response.
In the meantime I would appreciate an equally prompt response of
less than 24 hours as you have made to my correction of Mr Dillon's
response.
Yours Faithfully
White.Mark.A
CC
Andrew George MP
Lord McKenzie Of Luton - Minister DWP - Parliamentary Under
Secretary of State (Lords)(Freedom Of Information & Data
Protection)
Mr Phil Weeks, DWP Area Manager, Devon and Cornwall
From: DWP Adelphi Freedom-of-Information-Request
Department for Work and Pensions
21 January 2009
This is an automated confirmation that your request for information has
been received at the DWP Central FoI Team.
We will forward your request to the relevant information owner within the
Department who will respond to you direct.
Should you also have any further queries in connection with this request
do please contact us.
For further information on the Freedom of Information Act within DWP
please click on the link below.
http://www.dwp.gov.uk/foi/
From: white.mark.a
30 January 2009
Dear DWP Adelphi Freedom-of-Information-Request,
I would welcome your prompt attention and response on the matters
covered in my FoI Request which has still not been complied with!
Yours sincerely,
white.mark.a
CC
Andrew George MP
Lord McKenzie Of Luton - Minister DWP - Parliamentary Under
Secretary of State (Lords)(Freedom Of Information & Data
Protection)
Mr Phil Weeks, DWP Area Manager, Devon and Cornwall
From: DWP Adelphi Freedom-of-Information-Request
Department for Work and Pensions
30 January 2009
This is an automated confirmation that your request for information has
been received at the DWP Central FoI Team.
We will forward your request to the relevant information owner within the
Department who will respond to you direct.
Should you also have any further queries in connection with this request
do please contact us.
For further information on the Freedom of Information Act within DWP
please click on the link below.
http://www.dwp.gov.uk/foi/
From: DWP Adelphi Freedom-of-Information-Request
Department for Work and Pensions
2 February 2009
Dear Mr White
Ref: FoI 101
Thank you for your request for "copies of the employee guidance on how
to report an actual or suspected breach of Principle 7 of the Data
Protection Act 1998 - or any guidance on what employees should do where
any manifest breach of the DPA is suspected or known to be occurring."
Your request was received on 21 January 2009 and we are dealing with it
under the terms of the Freedom of Information Act 2000. You can expect a
reply therefore by 18 February 2009 unless we need to come back to you
to clarify your request or the balance of the public interest test needs
to be considered.
If you have any queries about this letter, please contact us. Please
remember to quote the reference number above in any future
communications.
Yours sincerely,
Central FoI Team
Department for Work and Pensions
From: white.mark.a
5 February 2009
Dear DWP Adelphi Freedom-of-Information-Request,
Sir
I will correct your errors.
The Information that has been requested and which has still to be
formally supplied or denied under the FoI request was not asked for
on 21 January 2009 but in fact on 07 December 2008 with a due
response of 20 Working days later!
Please do not misreport facts in official communications or induce
errors in responses! They are both tiresome and unprofessional!
I can see no reason as to why further clarification would be
required from myself as the request is quite clear and on point. I
await a rational and focused response that answers the question
asked 09 December 2008;
“What reporting procedures and policies do the DWP have for
breaches of the Data Protection Act in any and all forms under all
principles, and where possible please provide these policy
documents and copies of employee guidance on how to make such
reports?”
Should the DWP believe that the requested information requires a
careful balance between Public Interest and simple Publication that
will be up to the DWP to explain and justify to the ICO.
It seems odd that seeking clarification that the DWP do in fact
have Policies and guidance for staff as to how to report and to
whom to report Breaches of The Data protection Act when they occur
would require consideration of Public Interest.
Personally, I would think the DWP would be more interested in
assuring the Public that Such Policies do exist and are there to be
used so as to inspire Public Confidence in the DWP's compliance with
the Data protection Act 1998!
I await your prompt response at your earliest convenience.
Yours sincerely,
white.mark.a
CC Andrew George MP
Lord McKenzie of Luton - DWP Minister Data Protection
Mel Groves - Acting Chief Exec DWP
From: DWP Adelphi Freedom-of-Information-Request
Department for Work and Pensions
5 February 2009
This is an automated confirmation that your request for information has
been received at the DWP Central FoI Team.
We will forward your request to the relevant information owner within the
Department who will respond to you direct.
Should you also have any further queries in connection with this request
do please contact us.
For further information on the Freedom of Information Act within DWP
please click on the link below.
http://www.dwp.gov.uk/foi/
From: Smith Carol LEGAL GROUP INFORMATION AND DEVOLUTION POLICY
Department for Work and Pensions
10 February 2009
Mr White
Please find attached response to your question below.
Kind regards
Central FoI Team
Department for Work & Pensions
Information and Devolution Policy - DP/FoI (part of Legal Group)
Freedom of Information Unit
From: white.mark.a
11 February 2009
Dear Smith Carol LEGAL GROUP INFORMATION AND DEVOLUTION POLICY,
Thank you for belatedly supplying a response that answers some of
the original FOI request of 07 December 2008.
I have to state that both the delays and lack of clarity in getting
a lawful response are tedious and do not paint the DWP in a good
light.
I wonder if you would kindly clarify some points that remain
unclear, and others which have become unclear in light of your
latest response and the delivery of “Extracts from Security
Guidance on DWP Intranet as at[sic] January 2009”.
The DWP's previous responses appear to now be in conflict with each
other and other public resources!
The Guidance - Policy Document is most impressive, even if it
appears to have been hastily drafted and not to the normal standard
expected of the DWP. It appears to have been written with a focus
upon the Physical World and appears to have missed the full scope
of Data Protection as set out in The Act. Myopic could be applied
readily as a suitable description.
Principle 7 of The Data Protection Act 1998 has a wider remit than
simple security as it also deals with the need to protect data from
damage in all forms and data may become damaged in ways that
require no physical action. Principle 7 states;
"Appropriate technical and organisational measures shall be taken
against unauthorised or unlawful processing of personal data and
against accidental loss or destruction of, or damage to, personal
data."
http://www.opsi.gov.uk/Acts/Acts1998/ukp...
However, one principle can not be read in isolation and there are
clear implications under Principle 7 that arise from Principle 4;
“Personal data shall be accurate and, where necessary, kept up to
date.”
The use of the word “shall” makes the matter a mandatory obligation
and not optional.
It is an obligation under principle 7 to ensure that appropriate
technical and organisational measures exist to ensure that the
processing of data does not cause data to become damaged or made
inaccurate by processing – or that data is not made inaccurate by
being handed to a third party at a time and in a manner that was
never designed for, and through that disclosure for inaccuracy to
be created.
Neither of these have anything to do with physical destruction, yet
they relate to the risk of damage to data as defined in the Act's
Principles. Both are security risks to the data, the reputation of
the DWP and the Public Purse, where such damage raises the risk of
Litigation and Damages, including Putative Damages.
Failure to recognise this and address it correctly as a Security
Issue is Myopic.
It is a matter of Public Record that others have been seeking
information from the government concerning compliance with the Data
Protection Act 1998.
Garlik, the on-line security company http://www.garlik.com, have
issued press releases citing their use of Freedom Of Information
requests in 2007 and 2008.
If you are unfamiliar with them they can be checked here,
http://www.garlik.com/press.php?id=368-G..., and also here,
http://www.garlik.com/press.php?id=156-G....
In particular, the last Garlik report in January 2009 specifically
reported that following FoI requests issued since September 2008,
the DWP had;
1) no written data correction policy or protocol in place;
2) no allocated funds to the effort to correct erroneous data;
3) no statistical data regarding erroneous data correction;
4) never having been subject to an independent audit in order to
prove compliance with the Data Protection Act.
I believe that the DWP were asked to verify the veracity of the
Garlik publication in January 2009, as is standard practice where
press and publicity is concerned and in line with best practice to
avoid accusations of Libel and Slander.
The parallels between the FoI requests made by Garlik, responses
published in Hansard and my own FoI requests lead to a need to
clarify a number of points that arise as a direct result of your
latest response and the content of “Extracts from Security Guidance
on DWP Intranet as at[sic] January 2009”.
In particular it is normal for a Data Controller such as The DWP in
complying with Principle 7 to have in place policies, procedures
and protocols for the correction of inaccurate data (complying with
Principle 4) so that Principle 7 obligations are also met.
I am therefore struck that when Garlik made their FoI requests
between September and November 2008 the “Extracts from Security
Guidance on DWP Intranet as at[sic] January 2009” were not provided
and cited as compliance with the Data Protection Act. The correct
reporting by the DWP would have ensured that the DWP did not find
themselves being reported as having no Policies on the Correction
of Inaccurate Data. It would seem that the failure to disclose
prior to 10 Feb 2009 was an own Goal and not in the best interests
of the DWP.
The document now provided also states;
“WHO SHOULD READ THIS GUIDE?
1.7 All staff should be made aware of and have the opportunity to
read this guide. In particular Unit Heads, Managers, Security
Advisors, Internal Fraud Service, Investigations Managers, HR
Business Partners and other relevant personnel should be aware of
these procedures.”
Given that “All Staff” are to be aware of it, I am surprised that
multiple FoI requests and Parliamentary Questions have failed to
reveal it, its contents or its consequences earlier than your
response of 10 February 2009.
My own FoI request 17 November 2008 also bears close scrutiny given
that the responses to it failed to cite or provide copies of
“Extracts from Security Guidance on DWP Intranet as at[sic] January
2009”
http://www.whatdotheyknow.com/request/dw...
which would have gone some way to providing lawful answers.
For clarification;
First.
Damage to Data can occur in many ways, not just fire, flood, theft
and other matters covered in this extract from “Security Guidance
on DWP Intranet as at[sic] January 2009”.
The Data Protection Act of 1998 makes no distinction between data
being destroyed due to (a) the physical destruction of or damage to
storage media, equipment or facilities and (b) damage to data as it
is processed due to faulty systems, programming and faulty
procedures. One may be highly visible and the other virtual – but
both are damage.
Please note that The Act defines processing to also mean
recalling, displaying and obtaining Data.
The Act under Principle 7 requires that;
“Appropriate technical and organisational measures shall be taken
against … damage to, personal data.”
http://www.opsi.gov.uk/Acts/Acts1998/ukp...
The Act itself does not define the term damage as the standard
common sense usage of the word applies.
A) May it be taken that when a DWP employee should discover that
the actual operation of DWP systems, following the systems
programming and logic, is causing data to become inaccurate and
therefore damaged, that this system failure is to be reported as a
“Security Incident” under this policy? If it is not caught and
reported under this policy how should it be reported and to who?
B) More specifically, should the discovery of data that is
Inaccurate and which by its processing is likely to damage more
data be reported as a Security Risk under this policy? If it is not
caught and reported under this policy how should it be reported and
to who?
Where accurate data is processed so as to make it inaccurate in any
way, the data has become damaged and can not be relied upon. I am
mindful of case law which holds that Evidence from a Data Printout
can not be taken as valid where it is contradicted by Oral
evidence! It would seem that this potential is already accepted in
relevant Judicial circles such as the Commissioners in hearing
appeals against the Secretary of State for the Department of Work
and Pensions. I have to wonder if the Commissioners have not in
fact been ahead of the DWP in dealing with Data Protection problems
and its implication on legislation. CF/13/92
Oral evidence prevails over computer print-out.
I am obliged to point out that where the very programming of
systems and their operation causes damage to data, by making it
inaccurate, that would be a Breach of Principle 7 as well as a
breach of Principle 4. Should the Inaccurate data then be further
processed the matter becomes far more serious and may lead to the
Data Subject suffering Damage and Distress as well as a prima
facie Breach of Principle 4.
C) Does this Policy Document Extract at[sic] January 2009 extend to
any such incident or incidents caused by faulty programming, errors
in programming and or errors in system operation which cause data
to become Inaccurate and therefore damaged and leading to potential
risks that can and would arise? If it is not caught and reported
under this policy how should it be reported and to who?
Second.
I am also mindful of repeated incidents of DWP computer systems
terminating long standing claimants' entitlement to benefit, without
review and or appeal, and the decision not being made known to the
claimant in any way, in spite of the obligation upon the DWP to
issue Statutory Notices which would have advised of these review
and appeal rights.
Such Automated Termination of Entitlement (Automated
Decision-Taking) has been traced to failures in the processing of
claims with the DWP computer systems, where staff have failed to
input correct data or ensure that the computer systems are notified
of delay due to staff shortages.
The Computer has progressed with its programming assuming that
lack of staff input means that no input is required from staff and
that these staff agree with the computer's intended action under
its programming.
The payment of benefit has automatically been stopped without
notice to the claimant and caused claimants to be placed in debt
leading to the DWP facing claims of maladministration and
compensation being sought under the DWP “Guide to Financial Redress
for Maladministration”
http://www.dwp.gov.uk/publications/dwp/2... .
D) Would such an incident, which causes The DWP to have to pay
compensation due to incorrect processing of data, be listed and
reported as a Security Risk under this guidance at[sic] January
2009 – given the risk to the Public Purse? If it is not caught and
reported under this policy how should it be reported and to who?
Third.
E) Why has it not been possible for this “Policy Document”
(Extract) at[sic] January 2009” to be provided earlier and without
repeated prompting?
I note that the extract provided states that it “replaces all
previous guidance”, and this is made clear at Para 1.4.
This indicates that suitable guidance was extant and known to the
DWP prior to this extract being provided at[sic] January 2009 and
it therefore should have been provided far earlier in response to
this FoI Request and in December 2008.
F) The Policy Document Extract is identified by your response as
being from the DWP intranet at[sic] January 2009 – and yet it was
not supplied at the correct time under this FOI request. Could you
please explain why?
G) If this policy Document has been available via the DWP intranet
prior to at[sic] January 2009, why was it not provided in the
responses dated 19 December 2008 – 19 January 2009 – 21 January
2009 ?
F) May I take it that the Policy was unknown on the DWP intranet
until after 21 January 2009, and that is the cause of the earlier
failures to supply it earlier?
Fourth.
The Policy Document extract also states;
“1.3 Incidents are monitored to identify trends and to ensure that
remedial action, where appropriate, is taken.”
However, I have previously asked for this reported Monitoring
Information and been told that it does not exist. I have been
provided with copies of extracts from Hansard, 22 October 2008 –
Mark Williams MP Lib Dem - Ceredigion , where responses to
Parliamentary Question states;
“Because of the nature of a Department which handles data relating
to millions of individual customers on a daily basis, small
localised instances involving personal data loss—for example the
loss of an individual's papers—are not recorded centrally by the
Department or its agencies, and the details of such individual
instances could be provided only at disproportionate cost.”
The Policy extract says;
“1.1 Central Government requires that all Departments should have
processes in place to enable the types, volumes and costs of
security incidents and malfunctions to be recorded and monitored.
The information gathered is used to identify and analyse any
trends, to identify potential process weaknesses and identify where
there is a need for additional or enhanced controls.
1.2 The Department for Work and Pensions (DWP) therefore has a duty
to capture all relevant information involving security incidents.
Departmental Security Group acts as the focal point within the
Department.”
The Policy extract further states that “Loss of customer records or
supporting documents” would be a security breach that would have to
be recorded and yet this can not agree with the contents of the
Parliamentary record from October 2008 and the answer provided to
Mark Williams MP.
It is quite reassuring that the DWP have recognised that the Data
Protection Act 1998 does extend to physical documents, but it is of
some concern that loss of such data is apparently not monitored for
trends, so that lessons can be learned and where necessary shared
across all DWP departments and offices.
The Quoted response to James Brokenshire MP - Hornchurch & Rainham
– Con dated 2 Jun 2008 was equally off topic and less than
informative. It only addressed the number of DWP staff who had been
disciplined, regarding breaches of the Data Protection Act, and
revealed nothing as to the True Number of incidents including those
that had nothing to do with staff activity.
Whilst staff discipline is a required part of Principle 7, so is the
ability to know the nature of incidents, their origins, whether
caused by staff or not and for lessons to be learned and Breaches of
The Data Protection Act prevented.
Disciplining and firing staff will be of no value if the problem
lies with delinquent Computer Programs that can not be subject to
Disciplinary Action – though of course contractors who have
supplied the delinquent programs/systems can be subject to
contractual obligation and even removed from preferred contractor
status.
If the DWP state that they have a “duty to capture all relevant
information involving security incidents” it is astonishing that
this duty does not extend to knowing how many there actually are
and being able to promptly report them to MPs without claims of
disproportionate cost, never mind in response to a FoI request.
The Policy Extract states that Incidents are monitored to identify
trends and to ensure remedial action, yet this information is not
available in a suitable format even for senior management oversight
and for even the number of unrelated incidents to be identified. It
appears that a basic number of “Security Incidents” is not
available except “at disproportionate cost”. I have to wonder if
it costs so much, when can the DWP management at Executive Level
expect to see them so that they can do their job.
G) Could you clarify when this paragraph 1.3 came into effect, as
in the date in format "Day - Month - Year"?
There is a clear conflict between the policy stating that action is
taken and required and the absence of any form of coherent results
or evidence that this Policy is being used, as it is written and
published at[sic] January 2009.
H) Has there been an error in past responses under the Freedom of
Information Act to myself and or in Reporting to Parliament?
Fifth.
Section 1.7 gives a list of all staff who “In particular” should be
made aware of this Policy Document and be fully conversant with it.
There is a list of named officers which reads;
“..Unit Heads, Managers, Security Advisors, Internal Fraud Service,
Investigations Managers, HR Business Partners ..”.
It is noted that such Officers as “Customer Services Managers” and
“Data Protection Officers” have been omitted from the list.
I understand that all DWP offices have these employees in place.
This omission is most unusual as these are the DWP officers who
members of the public are most likely to be placed in contact with,
if they as “Data Subjects” of the DWP should find it necessary to
report to the DWP what would be a “Security Incident” under this
guidance or even under the Data Protection Act as a whole!
In fact, even if the member of the public was not a Data Subject
but should discover packages of DWP client papers on a roundabout,
as occurred twice in Exeter in 2008, and needed to alert the DWP to
this via Local DWP/Jobcentre Plus Office, the resident Customer
Services Manager and or Data Protection Officer is the most likely
member of staff to be tasked to deal with matters.
http://news.bbc.co.uk/1/hi/england/devon...
I) Can it be taken that the omission of “Customer Services Managers”
and “Data Protection Officers” is simply because these officers are
caught under the wide definitions of employees in the guidance and
that these front line staff are in fact specifically aware of this
guidance and know how, when and to who to report incidents that are
raised by members of the public for their attention?
Sixth.
I have been obliged, since August 2008, to repeatedly notify
employees of the DWP of breaches of The Data Protection Act 1998,
and have requested the identity of a DWP officer or employee who
could receive report of these concerns so that action could be
taken and matters recorded. I have never once been provided with a
valid answer or a suitable identity, contact address or details.
J) Would you also be kind enough to provide copies of any and all
Monthly DWP “Management Bulletin to all staff” which I understand
are issued centrally by the DWP, highlighting this resource (
Security Guidance on DWP Intranet as at[sic] January 2009 ) on the
DWP Intranet for all staff's attention?
Seventh.
K) Please provide a description of the data types and operands used
to collect data in compliance with paragraphs 1.1, 1.2, and 1.3 of
“Extracts from Security Guidance on DWP Intranet as at[sic] January
2009” and where possible provide the start date and end date of any
and all reporting periods within which these operands have been
used to collect, collate, analyse and report incidents caught under
the provisions of “Extracts from Security Guidance on DWP Intranet
as at[sic] January 2009” and or any and all previous guidance that
it replaces.
Eighth.
L) Please provide a copy of the document or documents, including
publication dates and sources, identified by the statement, “It
replaces all previous guidance.”
Ninth.
Should failures by DWP staff to follow this “Extracts from Security
Guidance on DWP Intranet as at[sic] January 2009” be reported as a
failure in departmental procedure, and if so to whom should the
report be made?
Yours Faithfully
white.mark.a
From: white.mark.a
11 February 2009
Dear Smith Carol LEGAL GROUP INFORMATION AND DEVOLUTION POLICY,
Thank you for belatedly supplying a response that answers some of
the original FOI request of 07 December 2008.
I have to state that both the delays and lack of clarity in getting
a lawful response are tedious and do not paint the DWP in a good
light.
I wonder if you would kindly clarify some points that remain
unclear, and others which have become unclear in light of your
latest response and the delivery of “Extracts from Security
Guidance on DWP Intranet as at[sic] January 2009”.
The DWP's previous responses appear to now be in conflict with each
other and other public resources!
The Guidance - Policy Document is most impressive, even if it
appears to have been hastily drafted and not to the normal standard
expected of the DWP. It appears to have been written with a focus
upon the Physical World and appears to have missed the full scope
of Data Protection as set out in The Act. Myopic could be applied
readily as a suitable description.
Principle 7 of The Data Protection Act 1998 has a wider remit than
simple security as it also deals with the need to protect data from
damage in all forms and data may become damaged in ways that
require no physical action. Principle 7 states;
"Appropriate technical and organisational measures shall be taken
against unauthorised or unlawful processing of personal data and
against accidental loss or destruction of, or damage to, personal
data."
http://www.opsi.gov.uk/Acts/Acts1998/ukp...
However, one principle can not be read in isolation and there are
clear implications under Principle 7 that arise from Principle 4;
“Personal data shall be accurate and, where necessary, kept up to
date.”
The use of the word “shall” makes the matter a mandatory obligation
and not optional.
It is an obligation under principle 7 to ensure that appropriate
technical and organisational measures exist to ensure that the
processing of data does not cause data to become damaged or made
inaccurate by processing – or that data is not made inaccurate by
being handed to a third party at a time and in a manner that was
never designed for, and through that disclosure for inaccuracy to
be created.
Neither of these have anything to do with physical destruction, yet
they relate to the risk of damage to data as defined in the Act's
Principles. Both are security risks to the data, the reputation of
the DWP and the Public Purse, where such damage raises the risk of
Litigation and Damages, including Putative Damages.
Failure to recognise this and address it correctly as a Security
Issue is Myopic.
It is a matter of Public Record that others have been seeking
information from the government concerning compliance with the Data
Protection Act 1998.
Garlik, the on-line security company http://www.garlik.com, have
issued press releases citing their use of Freedom Of Information
requests in 2007 and 2008.
If you are unfamiliar with them they can be checked here,
http://www.garlik.com/press.php?id=368-G..., and also here,
http://www.garlik.com/press.php?id=156-G....
In particular, the last Garlik report in January 2009 specifically
reported that following FoI requests issued since September 2008,
the DWP had;
1) no written data correction policy or protocol in place;
2) no allocated funds to the effort to correct erroneous data;
3) no statistical data regarding erroneous data correction;
4) never having been subject to an independent audit in order to
prove compliance with the Data Protection Act.
I believe that the DWP were asked to verify the veracity of the
Garlik publication in January 2009, as is standard practice where
press and publicity is concerned and in line with best practice to
avoid accusations of Libel and Slander.
The parallels between the FoI requests made by Garlik, responses
published in Hansard and my own FoI requests lead to a need to
clarify a number of points that arise as a direct result of your
latest response and the content of “Extracts from Security Guidance
on DWP Intranet as at[sic] January 2009”.
In particular it is normal for a Data Controller such as The DWP in
complying with Principle 7 to have in place policies, procedures
and protocols for the correction of inaccurate data (complying with
Principle 4) so that Principle 7 obligations are also met.
I am therefore struck that when Garlik made their FoI requests
between September and November 2008 the “Extracts from Security
Guidance on DWP Intranet as at[sic] January 2009” were not provided
and cited as compliance with the Data Protection Act. The correct
reporting by the DWP would have ensured that the DWP did not find
themselves being reported as having no Policies on the Correction
of Inaccurate Data. It would seem that the failure to disclose
prior to 10 Feb 2009 was an own Goal and not in the best interests
of the DWP.
The document now provided also states;
“WHO SHOULD READ THIS GUIDE?
1.7 All staff should be made aware of and have the opportunity to
read this guide. In particular Unit Heads, Managers, Security
Advisors, Internal Fraud Service, Investigations Managers, HR
Business Partners and other relevant personnel should be aware of
these procedures.”
Given that “All Staff” are to be aware of it, I am surprised that
multiple FoI requests and Parliamentary Questions have failed to
reveal it, its contents or its consequences earlier than your
response of 10 February 2009.
My own FoI request 17 November 2008 also bears close scrutiny given
that the responses to it failed to cite or provide copies of
“Extracts from Security Guidance on DWP Intranet as at[sic] January
2009”
http://www.whatdotheyknow.com/request/dw...
which would have gone some way to providing lawful answers.
For clarification;
First.
Damage to Data can occur in many ways, not just fire, flood, theft
and other matters covered in this extract from “Security Guidance
on DWP Intranet as at[sic] January 2009”.
The Data Protection Act of 1998 makes no distinction between data
being destroyed due to (a) the physical destruction of or damage to
storage media, equipment or facilities and (b) damage to data as it
is processed due to faulty systems, programming and faulty
procedures. One may be highly visible and the other virtual – but
both are damage.
Please note that The Act defines processing to also mean
recalling, displaying and obtaining Data.
The Act under Principle 7 requires that;
“Appropriate technical and organisational measures shall be taken
against … damage to, personal data.”
http://www.opsi.gov.uk/Acts/Acts1998/ukp...
The Act itself does not define the term damage as the standard
common sense usage of the word applies.
A) May it be taken that when a DWP employee should discover that
the actual operation of DWP systems, following the systems
programming and logic, is causing data to become inaccurate and
therefore damaged, that this system failure is to be reported as a
“Security Incident” under this policy? If it is not caught and
reported under this policy how should it be reported and to who?
B) More specifically, should the discovery of data that is
Inaccurate and which by its processing is likely to damage more
data be reported as a Security Risk under this policy? If it is not
caught and reported under this policy how should it be reported and
to who?
Where accurate data is processed so as to make it inaccurate in any
way, the data has become damaged and can not be relied upon. I am
mindful of case law which holds that Evidence from a Data Printout
can not be taken as valid where it is contradicted by Oral
evidence! It would seem that this potential is already accepted in
relevant Judicial circles such as the Commissioners in hearing
appeals against the Secretary of State for the Department of Work
and Pensions. I have to wonder if the Commissioners have not in
fact been ahead of the DWP in dealing with Data Protection problems
and its implication on legislation. CF/13/92
Oral evidence prevails over computer print-out.
I am obliged to point out that where the very programming of
systems and their operation causes damage to data, by making it
inaccurate, that would be a Breach of Principle 7 as well as a
breach of Principle 4. Should the Inaccurate data then be further
processed the matter becomes far more serious and may lead to the
Data Subject suffering Damage and Distress as well as a prima
facie Breach of Principle 4.
C) Does this Policy Document Extract at[sic] January 2009 extend to
any such incident or incidents caused by faulty programming, errors
in programming and or errors in system operation which cause data
to become Inaccurate and therefore damaged and leading to potential
risks that can and would arise? If it is not caught and reported
under this policy how should it be reported and to who?
Second.
I am also mindful of repeated incidents of DWP computer systems
terminating long standing claimants' entitlement to benefit, without
review and or appeal, and the decision not being made known to the
claimant in any way, in spite of the obligation upon the DWP to
issue Statutory Notices which would have advised of these review
and appeal rights.
Such Automated Termination of Entitlement (Automated
Decision-Taking) has been traced to failures in the processing of
claims with the DWP computer systems, where staff have failed to
input correct data or ensure that the computer systems are notified
of delay due to staff shortages.
The Computer has progressed with its programming assuming that
lack of staff input means that no input is required from staff and
that these staff agree with the computer's intended action under
its programming.
The payment of benefit has automatically been stopped without
notice to the claimant and caused claimants to be placed in debt
leading to the DWP facing claims of maladministration and
compensation being sought under the DWP “Guide to Financial Redress
for Maladministration”
http://www.dwp.gov.uk/publications/dwp/2... .
D) Would such an incident, which causes The DWP to have to pay
compensation due to incorrect processing of data, be listed and
reported as a Security Risk under this guidance at[sic] January
2009 – given the risk to the Public Purse? If it is not caught and
reported under this policy how should it be reported and to who?
Third.
E) Why has it not been possible for this “Policy Document”
(Extract) at[sic] January 2009” to be provided earlier and without
repeated prompting?
I note that the extract provided states that it “replaces all
previous guidance”, and this is made clear at Para 1.4.
This indicates that suitable guidance was extant and known to the
DWP prior to this extract being provided at[sic] January 2009 and
it therefore should have been provided far earlier in response to
this FoI Request and in December 2008.
F) The Policy Document Extract is identified by your response as
being from the DWP intranet at[sic] January 2009 – and yet it was
not supplied at the correct time under this FOI request. Could you
please explain why?
G) If this policy Document has been available via the DWP intranet
prior to at[sic] January 2009, why was it not provided in the
responses dated 19 December 2008 – 19 January 2009 – 21 January
2009 ?
F) May I take it that the Policy was unknown on the DWP intranet
until after 21 January 2009, and that is the cause of the earlier
failures to supply it earlier?
Fourth.
The Policy Document extract also states;
“1.3 Incidents are monitored to identify trends and to ensure that
remedial action, where appropriate, is taken.”
However, I have previously asked for this reported Monitoring
Information and been told that it does not exist. I have been
provided with copies of extracts from Hansard, 22 October 2008 –
Mark Williams MP Lib Dem - Ceredigion , where responses to
Parliamentary Question states;
“Because of the nature of a Department which handles data relating
to millions of individual customers on a daily basis, small
localised instances involving personal data loss—for example the
loss of an individual's papers—are not recorded centrally by the
Department or its agencies, and the details of such individual
instances could be provided only at disproportionate cost.”
The Policy extract says;
“1.1 Central Government requires that all Departments should have
processes in place to enable the types, volumes and costs of
security incidents and malfunctions to be recorded and monitored.
The information gathered is used to identify and analyse any
trends, to identify potential process weaknesses and identify where
there is a need for additional or enhanced controls.
1.2 The Department for Work and Pensions (DWP) therefore has a duty
to capture all relevant information involving security incidents.
Departmental Security Group acts as the focal point within the
Department.”
The Policy extract further states that “Loss of customer records or
supporting documents” would be a security breach that would have to
be recorded and yet this can not agree with the contents of the
Parliamentary record from October 2008 and the answer provided to
Mark Williams MP.
It is quite reassuring that the DWP have recognised that the Data
Protection Act 1998 does extend to physical documents, but it is of
some concern that loss of such data is apparently not monitored for
trends, so that lessons can be learned and where necessary shared
across all DWP departments and offices.
The Quoted response to James Brokenshire MP - Hornchurch & Rainham
– Con dated 2 Jun 2008 was equally off topic and less than
informative. It only addressed the number of DWP staff who had been
disciplined, regarding breaches of the Data Protection Act, and
revealed nothing as to the True Number of incidents including those
that had nothing to do with staff activity.
Whilst staff discipline is a required part of Principle 7, so is the
ability to know the nature of incidents, their origins, whether
caused by staff or not and for lessons to be learned and Breaches of
The Data Protection Act prevented.
Disciplining and firing staff will be of no value if the problem
lies with delinquent Computer Programs that can not be subject to
Disciplinary Action – though of course contractors who have
supplied the delinquent programs/systems can be subject to
contractual obligation and even removed from preferred contractor
status.
If the DWP state that they have a “duty to capture all relevant
information involving security incidents” it is astonishing that
this duty does not extend to knowing how many there actually are
and being able to promptly report them to MPs without claims of
disproportionate cost, never mind in response to a FoI request.
The Policy Extract states that Incidents are monitored to identify
trends and to ensure remedial action, yet this information is not
available in a suitable format even for senior management oversight
and for even the number of unrelated incidents to be identified. It
appears that a basic number of “Security Incidents” is not
available except “at disproportionate cost”. I have to wonder if
it costs so much, when can the DWP management at Executive Level
expect to see them so that they can do their job.
G) Could you clarify when this paragraph 1.3 came into effect, as
in the date in format "Day - Month - Year"?
There is a clear conflict between the policy stating that action is
taken and required and the absence of any form of coherent results
or evidence that this Policy is being used, as it is written and
published at[sic] January 2009.
H) Has there been an error in past responses under the Freedom of
Information Act to myself and or in Reporting to Parliament?
Fifth.
Section 1.7 gives a list of all staff who “In particular” should be
made aware of this Policy Document and be fully conversant with it.
There is a list of named officers which reads;
“..Unit Heads, Managers, Security Advisors, Internal Fraud Service,
Investigations Managers, HR Business Partners ..”.
It is noted that such Officers as “Customer Services Managers” and
“Data Protection Officers” have been omitted from the list.
I understand that all DWP offices have these employees in place.
This omission is most unusual as these are the DWP officers who
members of the public are most likely to be placed in contact with,
if they as “Data Subjects” of the DWP should find it necessary to
report to the DWP what would be a “Security Incident” under this
guidance or even under the Data Protection Act as a whole!
In fact, even if the member of the public was not a Data Subject
but should discover packages of DWP client papers on a roundabout,
as occurred twice in Exeter in 2008, and needed to alert the DWP to
this via Local DWP/Jobcentre Plus Office, the resident Customer
Services Manager and or Data Protection Officer is the most likely
member of staff to be tasked to deal with matters.
http://news.bbc.co.uk/1/hi/england/devon...
I) Can it be taken that the omission of “Customer Services Managers”
and “Data Protection Officers” is simply because these officers are
caught under the wide definitions of employees in the guidance and
that these front line staff are in fact specifically aware of this
guidance and know how, when and to who to report incidents that are
raised by members of the public for their attention?
Sixth.
I have been obliged, since August 2008, to repeatedly notify
employees of the DWP of breaches of The Data Protection Act 1998,
and have requested the identity of a DWP officer or employee who
could receive report of these concerns so that action could be
taken and matters recorded. I have never once been provided with a
valid answer or a suitable identity, contact address or details.
J) Would you also be kind enough to provide copies of any and all
Monthly DWP “Management Bulletin to all staff” which I understand
are issued centrally by the DWP, highlighting this resource
(Security Guidance on DWP Intranet as at[sic] January 2009) on the
DWP Intranet for all staff's attention?
Seventh.
K) Please provide a description of the data types and operands used
to collect data in compliance with paragraphs 1.1, 1.2, and 1.3 of
“Extracts from Security Guidance on DWP Intranet as at[sic] January
2009” and where possible provide the start date and end date of any
and all reporting periods within which these operands have been
used to collect, collate, analyse and report incidents caught under
the provisions of “Extracts from Security Guidance on DWP Intranet
as at[sic] January 2009” and or any and all previous guidance that
it replaces.
Eighth.
L) Please provide a copy of the document or documents, including
publication dates and sources, identified by the statement, “It
replaces all previous guidance.”
Ninth.
Should failures by DWP staff to follow this “Extracts from Security
Guidance on DWP Intranet as at[sic] January 2009” be reported as a
failure in departmental procedure, and if so to whom should the
report be made?
Yours Faithfully
white.mark.a
From: DWP Adelphi Freedom-of-Information-Request
Department for Work and Pensions
2 March 2009
Dear Mr White
Please find attached response to your query.
Yours sincerely,
Central FoI Team
Department for Work and Pensions
From: white.mark.a
17 March 2009
Dear Mr Dillion Adelphi Freedom-of-Information-Request,
I have reviewed your response and have to point out to you that it
is nonsensical and somewhat indicative of confusion on your part.
Perhaps this is caused by you having responded to this FOI request
with an answer to a different FOI request. A bit of an error and
even an own Goal. I do hope that this error is not indicative of
work stress.
For propriety and to ensure that error is minimised both under the
Freedom Of Information Act and The Data Protection Act, could you
please respond to questions correctly and in a manner that respects
both Acts.
Please re-post your response in the correct place so that any and
all readers are not led astray or led into confusion by your "nōn
sequitur".
I am obliged to point out that your response is de facto a
non-response to my questions of 11 February 2009, where I state;
"Dear Smith Carol LEGAL GROUP INFORMATION AND DEVOLUTION POLICY,
Thank you for belatedly supplying a response that answers some of
the original FOI request of 07 December 2008.
I have to state that both the delays and lack of clarity in getting
a lawful response are tedious and do not paint the DWP in a good
light."
Forgive me for stating the obvious, but if the DWP FOI team is not
able to keep data concerning FOI requests in order, it is in fact
proof of the concerns I have expressed through FOI requests as to
the DWP's compliance with the Data Protection Act. It Aint Rocket
Science as I am becoming obliged to remind many within the DWP.
Please keep matters in order and respond to FOI requests correctly
and in the correct place - It Aint Rocket Science as I have made
clear to Both Mel Groves, Acting Chief Executive Jobcentre Plus and
Sir Leigh Lewis KCB Permanent Secretary Department for Work and
Pensions, as well as a few others, including Lord McKenzie of
Luton, Parliamentary Under Secretary of State - Data Protection and
FOI .
I take your response as an error and request that you correct your
error and I also request that you please remind "Smith Carol LEGAL
GROUP INFORMATION AND DEVOLUTION POLICY" that a response is awaited
in the correct place and in a timely manner.
Should you not accept this may I point you to the DWP's guidance on
Official Error and Maladministration which can be found at
http://www.dwp.gov.uk/publications/dwp/2...
I have to make clear that presently the Inaccuracy being displayed
by the DWP in FOI responses is analogous to the level of Error and
failure to comply with the Data Protection Act.
Please either do better or produce more of the same. If the DWP Do
better under The Freedom Of Information Act and the Data Protection
Act that can only be welcomed. However, should the DWP wish to
provide evidence of incompetence under either Act that is also to
be welcomed for diametrically opposed reasons which are equally
valid.
Again thank you for your response, but could you please post it in
the right place for propriety and even with a view to keeping the
facts straight.
Yours sincerely,
white.mark.a
From: DWP Adelphi Freedom-of-Information-Request
Department for Work and Pensions
17 March 2009
This is an automated confirmation that your request for information has
been received at the DWP Central FoI Team.
We will forward your request to the relevant information owner within the
Department who will respond to you direct.
Should you also have any further queries in connection with this request
do please contact us.
For further information on the Freedom of Information Act within DWP
please click on the link below.
[1]http://www.dwp.gov.uk/foi/
Communications via the GSi may be automatically logged, monitored and/or
recorded for legal purposes.
References
Visible links
1. http://www.dwp.gov.uk/foi/
MFairall left an annotation (28 November 2010)
I think it looks like you've broken them. . .
?
white.mark.a left an annotation (21 January 2009)
The repeated insistence that this FoI request concerns ESA is wrong. ESA is not the only Benefit being processed by the DWP and not the only issue that the DWP is legally obliged to consider when it comes to compliance with The Data Protection Act.
Perhaps the FoI team are fixated upon ESA due to the problems being caused by the failure of contractors to deliver a £295 Million computer system to administer ESA and the resultant chaos within the DWP!
The DWP may be fixated upon the issues around the missing £295 Million Computer system and ignoring the Big Picture called “The Data Protection Act 1998”. That covers all Data Processing by the DWP and not just ESA.
Are the repeated references to ESA in FoI Responses caused by Ignorance or Pre-occupation with the problems within the DWP?
The Information Commissioner Defines Automated Decision making as “..decisions made by a computer where there is no human involvement in the decision.”.
DWP systems are designed to work with an optimal level of staff. Since August 2008 Tranches of DWP employees have been moved from existing work to manually administer ESA, given that the £295 Million computer system has not been delivered.
Staff reductions in existing areas are resulting in the Computer Running away with itself and making decisions. The computer is designed to do this, assuming that the optimal level of staff are there to meet work loads and input data to stop it from making the wrong decision based upon inaccurate data. No Staff - No Input and the Computer makes sure that folks end up with no money!
As a result many people, mostly the disabled, chronically ill and others in similar positions are having benefit entitlements stopped by the computer because the reduced staff levels can't keep up with work loads.
The repeated claims that “Automated Decision Making” are not occurring are false and the repeated references to ESA ( Employment and Support Allowance ) Just Red Herrings. These false claims are Public Maladministration.
Is it possible that the DWP faces meltdown?
Unemployment is soaring, ESA is their only option and the DWP know that the System is not working? Official figures put Unemployment at 1.95 Million, and the reality is that it is over 2 Million and growing faster than was ever believed possible when ESA was first considered.
No wonder the DWP can't respond correctly to FoI Requests that go to the Heart Of the Issue – that the DWP and Data Protection are Anathema to each other!