Will claimant refusal to share their sensitive personal data have an impact on their #UC claim?

Original post from blog of Disabled People Against Cuts (DPAC)

The full post

‘With many thanks to John Slater, for writing this article,

If you claim Universal Credit (“UC”) the DWP intends to share your most sensitive personal data with local authorities, citizens advice bureaux, credit unions, social landlords and relevant registered charities:

  •  Full name (including initials)
  • Contact details including: address, email, telephone.
  • Details of others in household, in relation to the relevant Benefit Unit.
  • Type of accommodation – private / social rented, owned, none etc.
  • Gender
  • Ethnicity *.
  • National Insurance Number.
  • Date of birth / age range.
  • Employment status / earning.
  • Debts / arrears/rent payable.
  • Benefits received including: level of payment, copy of documents (e.g. claimant commitment).
  • Health conditions / disabilities *
  • Caring responsibilities.
  • Qualifications / training status.
  • Transport situation e.g. able to drive /access to car or easy access or public transport.
  • Barriers to work.
  • Languages spoken.
  • Access to financial products such as bank / building / credit union / Post Office card account / credit card.
  • Level of personal budgeting.
  • Access to computer and internet.
  • Level of digital skills.

On the 10th December 2014 the DWP quietly published a consultation document (see link below). This does seem to be a strange time to launch a consultation exercise given the proximity of the Christmas and New Year holidays. People would be forgiven for wondering if the DWP was attempting to sneak this out without anyone finding out until it was too late.


Controlling and processing any personal data like that listed above is subject to the Data Protection Act 1998 (“DPA”). In the UK we have an organisation called the Information Commissioner (“ICO”) which has a statutory role in regulating the DPA. The DWP knows this as it has consulted with it on other matters. Did the DWP invite the ICO to take part in the consultation process? It probably won’t come as a surprise to many people to hear that the DWP didn’t invite the ICO to take part and as a result people would be forgiven for wondering how seriously the DWP takes its obligations under the DPA when dealing with sensitive personal data.

When I heard about the DWP proposals I sent a copy to the ICO as I wasn’t happy with the type of information being shared and the fact that the DWP included a threat against claimants if they weren’t willing to share their data. In section 4.4 of its consultation document the DWP states:

Objecting to information sharing may, of course, have the potential to undermine an individual’s claim – claimants will therefore need to be advised about the possible adverse consequences of objecting to information sharing.”

It seems that the DWP just can’t help itself. If it doesn’t get its own way it automatically wants to punish members of society who face the most barriers and disadvantages.

Despite having a huge workload, the ICO acted quickly and issued a response to the DWP consultation document (see link below):


It is obvious from its response that the ICO is very unhappy about the DWP proposals and the fact that it wasn’t invited to take part in the consultation. The following extracts give you a taste:

The Information Commissioner is surprised and disappointed not to have also received a copy of this consultation or his officials alerted to the proposals given his Office’s role in regulating the Data Protection Act and also having issued a statutory code of practice on data sharing – https://ico.org.uk/media/for-organisations/documents/1068/data_sharing_code_of_practice.pdf

 We have been consulted in the past on data sharing initiatives arising from the Welfare Reform Act such as the Troubled Families initiative and have worked closely with the Department and local support agencies in advising on data sharing and helping to overcome perceived barriers. Additionally the shortness of the consultation period, and falling over the holiday period, has meant that we have been unable to give as much consideration to the content of the consultation as we would have wished. We would welcome the opportunity to meet with the Department to discuss in further detail the data protection and privacy issues arising from the regulations which we note are intended to come into force on 13 February 2015 and be implemented the following month.”

The document further states that ‘objecting to the sharing may have the potential to undermine an individual’s claim and so claimants will need to be advised about the possible adverse consequences of objecting to information sharing’. The Information Commissioner’s view is that consent is not appropriate where it cannot be freely given and where the data sharing is to take place regardless of the wishes of an individual or where a sanction could be imposed if agreement is not forthcoming. In this context it is also important to clarify that there is no legal opt out under the DPA but any such arrangements should be as transparent as possible and that individuals affected should be aware that the processing will be taking place.”

With so much personal data being collected and used by large organisations these days, some people may be wondering if any of this really matters. I think it does matter and that as a society we are sleep walking into a data protection nightmare. It isn’t just companies trying to sell us goods that make use of data about us. There can be some very unpleasant consequences of allowing organisations access to our sensitive data and have free reign to do what they want with it. What about if:


  • The data being shared about you is wrong and it results in the wrong decisions being made about you? (e.g. you get refused credit, your insurance costs go up or landlords won’t rent to you).
  • It allows unscrupulous companies to target members of society who face the most barriers and disadvantages and steal from them?
  • The organisations lose your data and it enters the public domain. You could end up suffering verbal or physical abuse as this Government’s ongoing demonization of people claiming benefits makes this a sad and worrying possibility.
  • You simply don’t want these organisations to know so much about you? After all it’s your life and your data.
  • The data isn’t used solely for the purposes claimed? Sharing such sensitive information as part of your UC claim relies on you being able to trust the DWP and the organisations listed.

Only you know if you are happy to share your information so widely, which is why the DPA states that each of us must give our consent for our data to be shared. However, some of the data on the DWP is treated differently and is called sensitive personal data (“SPD”). For this to be shared the DWP needs your explicit consent. This means you have to freely agree (i.e. not subject to threat or other coercion) in unambiguous terms that you are happy for specific data to be shared for specific purposes.

The ICO data sharing code of practice defines consent as:

Consent (explicit consent for sensitive personal data) is one of the conditions the DPA provides to legitimise processing. The Data Protection Directive on which the UK’s DPA is based defines ‘the data subject’s consent’ as:

 ‘any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed’.

 “There must therefore be some form of active communication where the individual knowingly indicates consent. Whilst consent will provide a basis on which organisations can share personal data, the ICO recognises that it is not always achievable or even desirable. If you are going to rely on consent as your condition you must be sure that individuals know precisely what data sharing they are consenting to and understand its implications for them. They must also have genuine control over whether or not the data sharing takes place. It is bad practice to offer individuals a ‘choice’ if the data sharing is going to take place regardless of their wishes, for example where it is required by statute or is necessary for the provision of an essential service.

The DPA definition of what counts as SPD is shown below. The data items marked with an “*” in the list of data that the DWP intends to share is SPD. Other data (e.g. language spoken) could also be SPD if they also disclose information listed below:

  1.  the racial or ethnic origin of the data subject,
  2. his political opinions,
  3. his religious beliefs or other beliefs of a similar nature,
  4. whether he is a member of a trade union (within the meaning of the M1TradeUnion and Labour Relations (Consolidation) Act 1992),
  5. his physical or mental health or condition,
  6. his sexual life,
  7. the commission or alleged commission by him of any offence, or
  8. any proceedings for any offence committed or alleged to have been committed by him, the disposal of such proceedings or the sentence of any court in such proceedings.

I believe that allowing organisations to have access to SPD is as much a matter of trust as anything else. Do you trust the DWP to do what it says and only use the data for what states in the consultation document? Personally I don’t trust the DWP due to its historic behaviour and how it plans to share your data with these organisations using a new IT system.

A New IT System

In section 2.8 of its consultation document is states:

Further expansion of UC will provide the opportunity to build a secure platform for the introduction of Universal Support by mobilising local partnerships nationwide and putting in place a robust infrastructure ready for all claimant groups, in particular the more complex and vulnerable.”

If I translate this from management gobbledegook into English I think it says that the DWP plans to develop yet another UC IT system to share your data. Even if we set aside the abject failure of Governments in general to deliver IT systems, UC is a special case. It has been roundly criticised by the House of Commons Public Accounts Committee, the National Audit Office, the House of Commons Work and Pensions Committee, its own suppliers, its own staff (in a leaked employee survey) and reputable media (e.g. Dispatches and Panorama).

It has spent huge sums of public money on IT development and has little to show for it. In December 2014 HM Treasury finally admitted that £663 million of spending on UC IT is likely to have to be written off as it won’t be used in the final UC system. To put this into perspective this is almost twice the cost of the Independent Living Fund that the Government is closing. This means that whilst claiming that the country can’t afford the benefits bill Iain Duncan Smith has flushed almost a billion pounds of public money down the drain.

Complex IT systems are by their very nature difficult to produce and it’s not easy to ensure that the data they hold is secure. If you look at the DWP history of IT development and the diverse nature of the organisations that the DWP wants to share your data with then it would be a brave person to simply accept that everything will be kept safe.

The DWP Can Be Trusted, Can’t it?

Can you be sure that the DWP will keep its word in respect of your data, especially your SPD? My personal view is that the DWP cannot be trusted not to abuse the powers it is granted and it has demonstrated this consistently over recent years.

The most recent example is the despicable harassment of people in the ESA Support Group by calling them to attend work focused interviews. Despite this allegedly being voluntary there is compelling evidence that people have been threatened with sanctions if they didn’t attend. Is this just a matter of a few overzealous JCP employees or something more sinister? I would argue that something more sinister is happening and that the DWP was knowingly acting unlawfully.

It simply isn’t credible that most civil servants working in the DWP don’t know that they can’t just do whatever they want. Our system of law and Government means that IDS needs permission from Parliament to administer the benefits system. This takes the form of primary legislation (e.g. the Welfare Reform Act 2012) and if IDS acts outside this “permission” he is acting unlawfully. The Welfare reform Act states the following in relation to people allocated to the ESA Support Group:

The Secretary of State may not impose any work-related requirement on a person falling within this section.”

This proves that the targeting of people in the support group to pressure them to attend work-focused interviews (“WFI”) is clearly unlawful. There is no ambiguity here as Parliament specifically forbade IDS from doing this. It doesn’t matter if letters included the word voluntary or not, if, thanks to the actions of JCP employees, the person truly believed that they had no choice but to attend a WFI then the DWP is breaking the law.

The DWP has considerable ‘form’ for using other ‘dirty tricks’ as well. If you have claimed for ESA you may have come across the DWP edict that a WCA can only be deferred for a maximum of 4 weeks. This is nothing more than an internal DWP policy but it would have you believe otherwise.

I think there is a real risk that the DWP will pressure people into ‘consenting’ to share their sensitive personal data under threat of sanctions because it seems to rely on people being too scared to fight back and not knowing what the DWP can and cannot impose

What Happens Now?

The DWP consultation is now closed and we have to wait and see what happens next. Will the DWP discuss its proposals with the ICO? Will the DWP take any notice of what the organisations that responded to the consultation say? Will it publish the responses?

When I first heard about the DWP proposals I thought I’d submit a Freedom of Information request to see what the DWP would tell me. The request and the DWP response can be found here:


I respect of claimants refusing to share data the DWP appears to have had a change of mind as it said in its response:

In respect of data sharing for Universal Support provision, the legislation allows for data to be shared, this will happen following a conversation with a claimant during which they will have the opportunity to decline to share some or all of the information. If someone prefers not to share information, there is categorically no impact on their claim for Universal Credit. Giving consent will enable Universal Support partnerships to offer tailored and more holistic support more quickly this will help to ensure that people get the level of support they need. 

 We will be taking steps to ensure that data sharing complies with data protection principles; that claimant confidentiality is not compromised; and that no claimant is inadvertently put at risk. We are developing procedures and guidance that will clarify this.

This response does suggest that for some of the data the DWP accepts that the claimant can refuse to share it without any threat to their UC claim. However, the response also stated that the DWP believes it doesn’t need the claimant’s consent to share some of the data.

I had a look at the Welfare Reform Act 2012 (“WFA”) and it has amended the Social Security Administration Act 1992 to allow IDS to make regulations to gather information that may be relevant to a benefit claim:

“(1A) Regulations may make provision for requiring a person of a prescribed description to supply any information or evidence which is, or could be, relevant to—

  1. a claim or award relating to a benefit to which this section applies, or
  2. potential claims or awards relating to such a benefit.”

This isn’t a surprise as it’s reasonable to allow the DWP to gather information it needs to administer benefits. The WFA also allows IDS to make regulations to specify who this information can be shared with. This explains the “draft Social Security (Information-Sharing in Relation to Welfare Services Etc.) Amendment Regulations 2015” included in the consultation document.

However, I’m still unsettled by the DWP wish to share SPD and if it still plans to do so without the explicit consent. I’m have submitted another FOIA request to see if I can find out why the DWP believes it can share some data without any consent and if it plans to share any SPD without explicit consent from UC claimants (link below).


What could you do if:

  • the DWP tells you that you must sign something agreeing to share your data and/or your SPD? or
  • you are claiming UC and the DWP wants to share your SPD with other organisations and you don’t want to?

If you are being pressured to sign something that suggests the DWP needs your consent to share your data. If your consent if required then it must be given freely and without coercion, i.e. the DWP shouldn’t be threatening you with sanctions if you don’t sign. Consent isn’t just a matter of signing a piece of paper, as you have to understand what you are agreeing to. It’s reasonable to explain that you don’t understand what is going on and that you need to get some advice about what you are being asked to sign. Explain that you want to take the document you are being asked to sign away with you and respond within a reasonable period of time (perhaps a week).

You might want to consider politely asking the following questions and if possible get answers in writing. If the person refuses to put their answers in writing then there is nothing stopping you from doing so and sending a letter to the person thanking them for their time and outlining what you asked and what they said. If they don’t challenge what you said then it would be hard for the DWP to convince anyone that your record isn’t accurate.


  1. Ask what are you agreeing to and what the DWP will do if you refuse?
  2. Ask them to explain why the DWP thinks your information needs to be shared (i.e. what’s in it for you) and why you should give your consent.
  3. Ask how sharing the data helps with the administration of your UC claim (i.e. can’t your UC claim be administered if this data isn’t shared?).
  4. Explain that it is your understanding that your explicit consent is required to share your SPD and that this cannot be coerced. If they believe otherwise ask them to explain on what basis they believe they have to power to share your SPD without your explicit consent.Show the person you are dealing with the DWP response to my FOIA request explaining that your claim shouldn’t be threatened if you decline to share your SPD.

If, despite being polite and asking reasonable questions the DWP threatens you with sanctions or your claim being refused if you don’t agree to share your SPD you need to consider what is best way forward for you personally.

You might be in a position where you are able challenge the DWP and fight the sanction/refusal through the DWP complaints process. However, you might reasonably feel that having your UC sanctioned / claim refused is not something you can risk. If this is the case then you can protect yourself by including the phrase “vi coactus” or the initials (V.C.) after your signature. This indicates that your consent has been granted under duress. You could then seek help through organisations such as the Citizen’s Advice Bureau (http://www.citizensadvice.org.uk/) or complain directly to the DWP or the ICO:

Web site:                               https://ico.org.uk/

Telephone:                           0303 123 1113 (local rate) or 01625 545 745 if you prefer to use a

national rate number.

Email:                                      casework@ico.org.uk (please include your telephone number)’

One thought on “Will claimant refusal to share their sensitive personal data have an impact on their #UC claim?

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.