Universal Job Match adverse processing of personal data

1. ----- Original message -----
2. From: [email protected]
3. To: [redacted]
4. Subject: Your DPA query about the DWP,MWS and UJM[Ref. RFA0580147]
5. Date: Fri, 15 May 2015 [redacted]
6.  
7. 15 May 2015
8.  
9. *Case Reference Number RFA0580147*
10.  
11. Dear [redacted],
12.  
13. Thank you for your enquiry in relation to the role of the DWP in
14. relation to information held by work programme (WP0 contractors,
15. www.myworksearch.co.uk[1] and the Universal Job Match (UJM) system.
16.  
17. We want to know how organisations are doing when they are handling
18. information rights issues. We also want to improve the way they deal
19. with the personal information they are responsible for. Reporting your
20. concerns to us will help us do that.
21.  
22. Our role is not to investigate or adjudicate on individual concerns but
23. we will consider whether there is an opportunity to improve the practice
24. of the organisations we regulate. We do this by taking an overview of
25. all concerns that are raised about an organisation with a view to
26. improving their compliance with the Data Protection Act 1998.
27.  
28. In broad terms, the DWP is data controller for the all the information
29. processed by all WP contractors dealing with work programme participants
30. (customers) on behalf of the DWP. This is because the WP contractors are
31. only processing the customers’ information while performing functions of
32. the DWP on the DWP’s instruction.
33.  
34. The most common occasion when information might be held by a WP
35. contractor about DWP customers that is not within the data
36. controllership of the DWP (and instead fall within the WP contractor’s
37. own data controllership) is when professional standards type complaints
38. are made by customers to the work programme contractor about the
39. contractor’s staff. In such circumstances it is the WP contractor who
40. would be data controller for the information processed in the course of
41. its handling of the complaint made by the DWP customer about the
42. contractor’s employee.
43.  
44. At this time we consider it reasonably clear that the DWP is data
45. controller for the personal data held, and processed, by its contractors
46. in the course of their normal functions – including MWS. Because it is
47. considered within the reasonable expectations of the customers that the
48. DWP is the data controller it is not essential for this to also be
49. explicitly stated in the terms and conditions.
50.  
51. We do however appreciate your concern about this matter. We have
52. therefore recorded your concern about this and will see if it is shared
53. by other people.
54.  
55. You then ask about the DWP’s data controllership over information kept
56. on UJM. I can advise you that the DWP is the data controller for the
57. customer information kept on UJM. The DWP cannot however arbitrarily
58. access and use the information that a customer keeps in their UJM
59. account for considering the customer’s entitlement to benefits.
60.  
61. To use the customer’s UJM data for considering a customer’s entitlement
62. to benefits the DWP needs the specific permission of the customer. This
63. is because of the fair processing requirement of the first data
64. protection principle.
65.  
66. While the DWP is already the data controller for the information, it
67. would be considered ‘unfair’ for the UJM information to be used to
68. consider the customer’s JSA (or similar benefit) claim without the prior
69. permission of the customer being obtained by the DWP.
70.  
71. I hope that this information is helpful to you.
72.  
73. Yours sincerely,
74. [redacted]
75.  
76.  
77.  
78. ____________________________________________________________________
79.  
80.  
81.  
82. The ICO's mission is to uphold information rights in the public
83. interest, promoting openness by public bodies and data privacy for
84. individuals.
85.  
86.  
87. If you are not the intended recipient of this email (and any
88. attachment), please inform the sender by return email and destroy all
89. copies. Unauthorised access, use, disclosure, storage or copying is not
90. permitted.
91.  
92. Communication by internet email is not secure as messages can be
93. intercepted and read by someone else. Therefore we strongly advise you
94. not to email any information, which if disclosed to unrelated third
95. parties would be likely to cause you distress. If you have an enquiry of
96. this nature please provide a postal address to allow us to communicate
97. with you in a more secure way. If you want us to respond by email you
98. must realise that there can be no guarantee of privacy.
99.  
100. Any email including its content may be monitored and used by the
101. Information Commissioner's Office for reasons of security and for
102. monitoring internal compliance with the office policy on staff use.
103. Email monitoring or blocking software may also be used. Please be aware
104. that you have a responsibility to ensure that any email you write or
105. forward is within the bounds of the law.
106.  
107. The Information Commissioner's Office cannot guarantee that this message
108. or any attachment is virus free or has not been intercepted and amended.
109. You should perform your own virus checks.
110.  
111. __________________________________________________________________
112.  
113.  
114. Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow,
115. Cheshire, SK9 5AF
116.  
117. Tel: 0303 123 1113 Fax: 01625 524 510 Web: www.ico.org.uk
118.  
119. Published with permission from ICO