Work and Pensions CommitteeWritten evidence submitted by the Information Commissioner’s Office

The Information Commissioner has responsibility in the UK for promoting and enforcing the Data Protection Act 1998 (DPA) and the Freedom of Information Act 2000 (FOIA), the Environmental Information Regulations (EIR) and the Privacy and Electronic Communications Regulations. The Information Commissioner’s Office (ICO) is the UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals. The Commissioner does this by providing guidance to individuals and organisations, solving problems where he can, and taking appropriate action where the law is broken.

The Information Commissioner’s Office and the Department for Work and Pensions have a long standing and positive relationship. The ICO considers the Department to be a key stakeholder in our role to develop information rights policy and practice. We meet with the DWP officials, both on a regular basis and also where appropriate on specific matters, which raise data protection, privacy and general information access issues.

The Work and Pensions Committee has invited responses on a number of issues relating to the services provided by Jobcentre Plus (JCP); amongst these and of particular interest to the ICO is the “digital by default” approach to the delivery of JCP services.

The ICO recognises the benefits of a “digital by default” approach to the provision and delivery of services by the public sector. There are however, a number of important considerations that should not be overlooked in the development and roll out of services by this means.

It is very important that, where appropriate, “digital by default” takes account of the provisions of the DPA in relation to data protection and privacy. The Information Commissioner advises a “Privacy by Design” approach whereby privacy and data protection compliance is designed into systems processing personal information right from the start, rather than being bolted on afterwards or ignored.

Adopting a “Privacy by Design” approach to the digitalisation of services and their delivery, will ensure that data protection and privacy considerations will be identified earlier by JCP and built into initiatives such as Universal Jobmatch at the earliest stage.

It is important that a “digital by design” approach meets the specific needs of users. As with all online transactions identities must be properly attributed and securely issued. Arrangements should seek to minimise the amount of personally identifiable data collected and retained. Users should fully understand why certain personal information may be required, the uses to which it will be put and also what security measures are in place to protect their personal data. It is also important that as far as possible users should easily be able to access their own personal data.

We strongly advise that when processing personal information online, JCP should pay particular attention to the provision of clear and informative “Privacy Notices” explaining why personal information is to be collected, by whom and for what purpose. The primary purpose of a privacy notice is to make sure that information is collected and used fairly.

There should also be clear and consistent messages about whether use of an online service is compulsory or not, something that was not always apparent during the introduction of Universal Jobmatch. Queries and complaints to our office also suggest that JCP need to ensure that privacy notices are drafted in a way that is appropriate to the level of understanding of their clients, some of whom are not familiar with online transactions. The ICO has published a Code of Practice on Privacy Notices:1

We would expect that JCP staff have an important role in providing help and guidance to users in accessing Departmental services online. We have had some contact with the Department for Work and Pensions in relation to the Universal Jobmatch initiative and it is clear that JCP staff have an important role in providing clear, consistent and informed advice and guidance to users on the operation of the service. This is particularly important in the case of more vulnerable clients accessing JCP services.

24 May 2013

1 http://www.ico.org.uk/for_organisations/data_protection/topic_guides/~/media/documents/library/Data_Protection/Detailed_specialist_guides/PRIVACY_NOTICES_COP_FINAL.ashx

Prepared 27th January 2014