Source · Select Committees · Work and Pensions Committee
Recommendation 33
33
Support organisations have expressed concern that DWP’s approach to data sharing and consent has had...
Recommendation
Support organisations have expressed concern that DWP’s approach to data sharing and consent has had a detrimental effect on their ability to support vulnerable claimants. The Department now says it is exploring options for improving its model Universal Credit: the wait for a first payment 83 of explicit consent. We urge the Department to publish more detail about how this exploration is being progressed, including when the Department expects progress to be visible to observers and experienced by claimants. We echo the Social Security Advisory Committee’s recommendation that DWP should consider applying the implicit consent model to Universal Credit, or at least consider what improvements it can make to the model of explicit consent. More broadly, DWP should review its approach to how it works with people and organisations that support claimants, including support workers, housing associations and local authorities. (Paragraph 145) Payment timeliness
Government Response
Not Addressed
HM Government
Not Addressed
The Department operates a policy of explicit consent to help reduce the risk of fraud by ensuring that our claimants’ data is kept safe. This is important because the UC system is structured around an online personal account which contains all the information relevant to the claim. This includes a claimant’s bank account details, savings, capital, medical history, family relationships and address, which means that we have a responsibility to ensure that a high level of security and protection is in place, and that we take all reasonable steps to protect the position of claimants and their data which includes ensuring that consent is explicitly given to share it. We recognise that a number of organisations have raised concerns as to whether the explicit consent rules are sufficiently flexible. The Department agreed to explore options for improving the process of explicit consent in conjunction with the Social Security Advisory Committee (SSAC) and stakeholders. SSAC have commented that they are pleased with the work that the Department has done to develop a prototype in a positive collaboration with end users. UC design follows the ‘data protection by design and default principle’ to ensure that appropriate technical and organisational measures have been, and continue to be developed and implemented to safeguard personal data and the rights of individuals. Like other government departments, we are obliged to demonstrate plans and actions in order to meet all legal and regulatory requirements, and the published minimum government security standards. These are drawn from international standards, combined with specific UK Government requirements and obligations. The Department does implement controls set against ISO27001 and other international standards; with the assistance and support of the Government’s National Technical Authorities. We have an independent second line assurance function that assures against all relevant security standards – which are in place, amongst other reasons, in order to protect personal data and comply with data protection legislation, principally the GDPR. Further assurance is provided by the Government’s independent Internal Audit Agency operating as a third line of defence. We are confident that we have the right engagement strategy and mechanisms in place to enable stakeholders to provide feedback, develop a shared understanding of areas for improvement and have input to how UC operates and the support that is provided to our claimants.