DWP should "Refresh consent" concerning the ESA65B letter and informing Doctors of claimant 'fit-for-work' decisions

The request was partially successful.

Dear Department for Work and Pensions,

Please disclose the information you hold on what procedures, processes and actions the DWP undertake, who does them, when a Universal Credit or ESA claimant says they do not agree to the DWP informing their:

"doctor or any doctor treating me, being informed about the Secretary of State's determination on

– limited capability for work

– limited capability for work-related activity, or– both"
(This "I agree" statement is included in your ESA1, ESA50 and UC50 forms)

If a UC claimant uses a UC Journal to withdraw consent from the above "I agree" statement, what precise processes and actions does their work coach have to undertake to ensure the DWP do not send the ESA65B, UCD90 and UCD210 letters to claimants Doctors, including their GP.

If a UC claimant wants to withdraw consent to this "I agree" statement, by sending a letter to the DWP, please provide the street address and named individuals they should write to.

In a recent reply, you said the DWP:

“has no plans to seek retrospective consent”
FOI reply IR2019/33113: ‘Lack of claimant consent to process health information for ESA and Work Capability‘ – October 9th 2019

concerning claimants who have completed the multiple "I agree" statements in your ESA1, ESA50 and US50 forms, even though they currently do not comply with the GDPR and Data Protection Act 2018, as they do not give claimants opt-in consent to said "I agree" statement.

In your internal guidance on consent, it states:

****************start******************

[] Amend notifications and other documentation to reflect new basis for processing

Refer to the guidance on obtaining and managing consent to ensure you include
everything the data subject must be told about for consent to be fully informed. An example
consent statement is given to help you.

In addition to forms and leaflets, communications in operational instructions and processes,
telephony scripts, and online information and services must be reviewed and made compliant
with the new requirements where consent is being used as the lawful basis for processing
personal data.

[] Consider whether people already in the process should be informed

Where DWP changes the lawful basis for processing personal data, especially if it changes
people's rights, you must give consideration to notifying those affected.

[] Cease processing for all people who withhold or withdraw consent

Of course, in circumstances where we are relying on consent, we must be prep ared for
people to refuse to give or withdraw their consent, and to cease processing for those
individuals.
https://www.whatdotheyknow.com/request/5...
(disclosed 15 July 2019)

****************end******************

Please disclose a copy of the information the mentioned "risk register" or other information held on why the DWP is not seeking to "Refresh consent" for all the claimants that have completed your ESA1, ESA50 and UC50 forms, as you have already accepted that the "I agree" 'consent' statements contained in the claimant signed and dated Declaration are not "considered valid under the GDPR", in your FOI2019/25761 reply https://www.whatdotheyknow.com/request/l...

After the ICO wrote to you about:

“we have in fact contacted DWP about the issues you raised with us. We took the view that DWP has not complied with its data protection obligations, because its ESA1, ESA50 and UC50 forms do not provide a way for claimants opt in to the statement “I agree to my doctor or any doctor treating me, being informed* about the Secretary of State’s determination on limited capability for work, limited capability for work-related activity, or both…”
*[Doctors are “informed” by use of the DWP ESA65B ‘fit-notes’ letter]
https://mrfrankzola.files.wordpress.com/...
Information Commissioner letter 9 July 2019

[] Refresh consent for people already in the process

It is unlikely that consent obtained under the requirements of the 1998 Data Protection Act will be considered valid under the GDPR. When the consent forms and process have been
updated to comply with the GDPR, existing consent should be refreshed using the new
process in most circumstances. If consent is not refreshed the risks must be assessed,
accepted, and recorded on the appropriate risk register.
https://www.whatdotheyknow.com/request/5...

Please also disclose a copy of information held on why you have not informed claimants who completed the GDPR invalid ESA1, ESA50 and UC50 forms that they now have new Data Protection rights:

[] Consider whether people already in the process should be informed

Where DWP changes the lawful basis for processing personal data, especially if it changes
people's rights, you must give consideration to notifying those affected.
https://www.whatdotheyknow.com/request/5...

Yours faithfully,

Frank Zola

DWP freedom-of-information-requests, Department for Work and Pensions

This is an automated confirmation that your request for information has
been accepted by the DWP FoI mailbox.
 
By the next working day your request will be forwarded to the relevant
information owner within the Department who will respond to you direct. 
 
If your email is a Freedom of Information request you can normally
expect a response within 20 working days.
 
Email FOI responses will be issued from [1][email address]
We recommend that you add this address to your email contacts otherwise
the response may be treated as Spam or Junk mail.  
 
Should you have any further queries in connection with this request do
please contact us.
 
[2]http://www.gov.uk/dwp
 
 

show quoted sections

References

Visible links
1. mailto:[email address]
2. http://www.gov.uk/dwp

Dear DWP freedom-of-information-requests,

To assist you in finding the information I am seeking, below are the relevant extracts from the General Data Protection Regulation (GDPR), noting that the current ESA1, ESA50 and UC50 forms are not "in line with the conditions of this Regulation" (Recital (171) concerning Conditions for consent (Article 7) nor the GDPR definition of ‘consent’ (Article 4 (11), all of which leads to the understanding that the DWP is required to obtain consent again from the data subjects who have signed and dated the Declaration sections of said forms prior to them being revised.

"consent wording included in the declaration sections
on ESA forms is being revised and will be removed
from the declaration."
FOI2019/25761: ‘ ‘Lack of claimant consent to send their personal data to GPs, using the ESA65B letters‘ – 8 August 2019
https://www.whatdotheyknow.com/request/l...

Article 4 (11)
Definitions

(11) ‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;

Article 7
Conditions for consent

1. Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data.

2. If the data subject's consent is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language. Any part of such a declaration which constitutes an infringement of this Regulation shall not be binding.

3. The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed thereof. It shall be as easy to withdraw as to give consent.

4. When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.

(171) Directive 95/46/EC should be repealed by this Regulation. Processing already under way on the date of application of this Regulation should be brought into conformity with this Regulation within the period of two years after which this Regulation enters into force. Where processing is based on consent pursuant to Directive 95/46/EC, it is not necessary for the data subject to give his or her consent again if the manner in which the consent has been given is in line with the conditions of this Regulation, so as to allow the controller to continue such processing after the date of application of this Regulation. Commission decisions adopted and authorisations by supervisory authorities based on Directive 95/46/EC remain in force until amended, replaced or repealed.
https://eur-lex.europa.eu/legal-content/...

Resources:

Articles 4(11) and 7 and Recital (171) of the GDPR
https://eur-lex.europa.eu/legal-content/...

EDPB guidelines on Consent under Regulation 2016/679
https://ec.europa.eu/newsroom/article29/...

Yours sincerely,

Frank Zola

no-reply@dwp.ecase.co.uk on behalf of DWP Strategy Freedom of Information, Department for Work and Pensions

2 Attachments

Dear Frank Zola,

I am writing in response to your request for information, received 18th
October.

Yours sincerely,

DWP Central FoI Team

Frank Zola left an annotation ()

"we are now aiming to have the ESA1 and
ESA50 live from mid-August and can share copies with you once they have been published. "
https://www.whatdotheyknow.com/request/6...
21/7/20 update
https://mrfrankzola.wordpress.com/2020/0...