Data Protection , sensitive personal data is shared with companies that did not exist when original consent was given

deutschlad made this Freedom of Information request to Department for Work and Pensions

This request has been closed to new correspondence. Contact us if you think it should be reopened.

The request was successful.

Dear Department for Work and Pensions,

I have recently been asked to attend a PIP medical. When I arrived at the centre, 2 Queen Caroline Street, London, W6, Regus House I found that ATOS (or any of it's sub companies) was not known there. Since this address can be rented by the day, the receptionist called a few offices and found a renter called PHYSIO WORLD LTD, who claims to be acting on the DWP's behalf, would be carrying out the PIP assessment . Can you please confirm or deny whether or not this company is acting as a sub contractor to ATOS IT (trading as ATOS Healthcare) because on the invitation letter it clearly said ATOS HEALTHCARE on behalf of the DWP, or if the DWP has a contract with PHYSIO WORLD LTD directly to carry out these assessments?

Can you please clarify why and exactly which of my personal sensitive medical data (I have an illness that automatically qualifies me as disabled under the Equality Act 2000) is being shared with PHYSIO WORLD Ltd, Company number 09805028, a private ltd company that has been incorporated on the 1 October 2015, and has yet to declare their 'nature of business' and has not yet filed accounts ?

Can you tell me whether or not the DWP has a contract with this private Ltd company 'Physio world' newcomer, who has a limited liability of £1? How much is 'Physio World' paid per PIP consultation.

How is a claimant assumed to have given 'explicit' consent to have his personal, sensitive medical data shared with companies incorporated after the claimant signed the declaration, when the Data Protection Act makes it clear that one can only give consent to circumstances that have been known at the time? In the PHYSIO WORLD example, the PIP application was signed, say 1 April 2015, yet the Data is being shared with a company that wasn't in existence at the time?

Another newcomer is company number 09072343 The Centre For Disability Assessments LTD, another company with a maximum liability of £1, reported turnover : £67,774,723 they made a loss of £50,309 and which was pretty much dormant but 'just sitting' in case the ultimate owner MAXIMUS HEALTH AND HUMAN SERVICES LTD and MAXIMUS COMPANIES LTD needed it and its involvement in ESA assessments. I would like to know where the £67million Pound of tax payers money has evaporated to and how a company, that is insolvent is able to carry on trading with upcoming liabilities of over £21million due within 1 year, is still able to carry on with the DWP's blessing?

Can you please confirm to me whether or not ATOS IT is still the IT service provider for ESA and PIP assessments and how much the DWP is paying for leasing the system ATOS IT provides and, if you have it, how much MAXIMUS (and it's variants) pay ATOS IT for use of the existing system that ATOS IT (trading as ATOS HEALTHCARE) just 'abandoned' last year?

Is ATOS IT, as the system provider, therefore able to access all confidential health records that are being passed by the DWP to MAXIMUS for ESA assessments?

Please explain how the data is passed from the DWP to Physioworld and/or to ATOS IT. Does the data, at any stage, leave the originator system that the DWP has full and exclusive control of?

Who maintains this third party system?

My condition requires explicit consent to be shared with a third party, how come the DWP does not seek my consent and shares this data with companies I do not wish to share my data with?

ATOS says the DWP is the Data Controller, the DWP says ATOS is the Data Controller, can you please clarify who the ultimate Data Controller is and when and how a Data Controller (DWP) makes a third party interloper and private company (ATOS IT / MAXIMUS UK) a Data Controller?

I can opt out of ATOS having an electronic record of my day-to-day medical data, for example data held by my GP or the Hospital, called ''. Is there an option for me to withdraw consent for similar data being given to MAXIMUS or ATOS IT or any newly formed company like PHYSIO WORLD LTD who isn't even sure what business they are in, who have been fined in many countries for their data protection infringements because they each have a parent company that specifically sells that information to Insurance providers or to Pharmaceutical Companies or ( / Dame Fiona Caldicott in April 2014 admitted the scheme to be 'mishandled') anybody who wants to pay them for an anonymised version, which, if you have a bit of extra data will still make the data subject easily identifiable?

Please tell me the names of all the companies that have an active involvement in the electronic processing / transfer /maintenance program used by the DWP.

Yours faithfully,

DWP freedom-of-information-requests, Department for Work and Pensions

This is an automated confirmation that your request for information has
been accepted by the DWP FoI mailbox.
By the next working day your request will be forwarded to the relevant
information owner within the Department who will respond to you direct. 
If your email is a Freedom of Information request you can normally
expect a response within 20 working days.
Should you have any further queries in connection with this request do
please contact us.
For further information on the Freedom of Information Act within DWP
please click on the link below.

show quoted sections


Visible links

DWP Health Services Correspondence, Department for Work and Pensions

1 Attachment

Dear Mr Kruger,
Please see our response to your recent Freedom of Information request.
Yours sincerely
Correspondence Team |Business Management Team | Health Services
Directorate | Finance Group | Department for Work and Pensions | Green
Zone 2nd Floor, West Wing, Phase 2 | Peel Park | Brunel Way | Blackpool |
FY4 5ES |

show quoted sections