Your browser isn't supported
It looks like you're using an old web browser. To get the most out of the site and to ensure guides display correctly, we suggest upgrading your browser now. Download the latest:

Welcome to the MSE Forums

We're home to a fantastic community of MoneySavers but anyone can post. Please exercise caution & report spam, illegal, offensive or libellous posts/messages: click "report" or email forumteam@.

Search
  • FIRST POST
    • Ladidi
    • By Ladidi 21st Jul 18, 1:29 PM
    • 32Posts
    • 7Thanks
    Ladidi
    Dwp data breach
    • #1
    • 21st Jul 18, 1:29 PM
    Dwp data breach 21st Jul 18 at 1:29 PM
    Im in need of advice and you thoughts to the following please

    Long story short. DWP sent confidential medical information to someone who it was not even relevant or related to. It was pure fluke the information picked up showed it to be someone known (not related or otherwise - purely friend capacity) It was all bought to the attention of the person it all related to, the person receiving all this info about them but under their name, address and NINO allowed them to scan each page relating to them for evidence of the breach. Contacted Information Commissioner's office and DWP to high light the breach. DWP requested all documents back (refused this and allowed copies only) also contacted MP. Is there anything else should be done or is everything right so far?

    DWP REPSONSE

    Update on above post. Integrity team contacted to say 3 members of staff facing disciplinary 1 manager 1 Discision maker and 1 contact centre employee.

    Soloution offered - reinstatement of benefit back to how it was with monies owed going back to 15th april and put back into support group. £50 compensation.

    Question is this acceptable? In my view its not because they shared and gave out detrimental information that shouldn't have been shared. Its almost as if they are saying "it's ok, your on benefits so it wont have caused you that much harm"

    Whats your advice or take on it please, They are expecting a call back on Monday to say whether we deem this acceptable.
Page 1
    • FBaby
    • By FBaby 21st Jul 18, 1:41 PM
    • 17,186 Posts
    • 42,189 Thanks
    FBaby
    • #2
    • 21st Jul 18, 1:41 PM
    • #2
    • 21st Jul 18, 1:41 PM
    I think it is outrageous that without showing evidence of harm being done, they would try to make a deal in regards to a decision that should have nothing to do with the breach. People should claim what they are entitled to, not what they get reach a deal over.

    If damage can be evidenced, then a one off compensation amount should be agreed, but again, I suspect the person just couldn't believe their luck that such an error on their part meant getting the award they wanted.

    And just to add, my personal information was breached by my local hospital recently (along with other patients). Instead of thinking how I use it to my advantage, I just informed the Trust and reminded them of their duties. I didn't suffer any harm, so it didn't cross my mind for a second that I could get something out of it. Maybe I should have asked for free cosmetic surgery!
    • Ladidi
    • By Ladidi 21st Jul 18, 1:55 PM
    • 32 Posts
    • 7 Thanks
    Ladidi
    • #3
    • 21st Jul 18, 1:55 PM
    • #3
    • 21st Jul 18, 1:55 PM
    I think it is outrageous that without showing evidence of harm being done, they would try to make a deal in regards to a decision that should have nothing to do with the breach. People should claim what they are entitled to, not what they get reach a deal over.

    If damage can be evidenced, then a one off compensation amount should be agreed, but again, I suspect the person just couldn't believe their luck that such an error on their part meant getting the award they wanted.

    And just to add, my personal information was breached by my local hospital recently (along with other patients). Instead of thinking how I use it to my advantage, I just informed the Trust and reminded them of their duties. I didn't suffer any harm, so it didn't cross my mind for a second that I could get something out of it. Maybe I should have asked for free cosmetic surgery!
    Originally posted by FBaby

    I dont think you fully understand the breach involved. Its a VERY SERIOUS BREACH! The information they gave out to someone who it did not relate to and shared was confidential MEDICAL information who had no business having it. Its not as simple as having too much milk or sugar in your morning cuppa.

    Secondly its not about getting your benefits back and a little compensation as you put it! You clearly dont care who gets and receives information about you that are not entitled to it.

    They have a duty of care and attention to what they do with information they request and how they handle and share it. They seriously failed in this instance.

    As for evidence of what they have suffered, it has caused detrimental distress. The information was not widely known and only known between themselves and their GP and specialists.
    • Alice Holt
    • By Alice Holt 21st Jul 18, 2:00 PM
    • 3,390 Posts
    • 3,942 Thanks
    Alice Holt
    • #4
    • 21st Jul 18, 2:00 PM
    • #4
    • 21st Jul 18, 2:00 PM
    "Whats your advice or take on it please"

    Sounds like you are, in effect, being bribed by the DWP not to peruse the data breach.

    There are 2 issues here:
    1) whether your award is correct - this can be challenged and appealed.

    2) DWP poor practice leading to a data breach of highly confidential information.

    I believe under GDPR, the fines for such incompetence can be high.

    Only you can decide which option to take. I rather share your view that the DWP "offer" is not acceptable, and they are conflating separate issues.
    Last edited by Alice Holt; 21-07-2018 at 2:04 PM.
    Alice Holt Forest situated some 4 miles south of Farnham forms the most northerly gateway to the South Downs National Park.
    • tboo
    • By tboo 21st Jul 18, 2:02 PM
    • 999 Posts
    • 4,709 Thanks
    tboo
    • #5
    • 21st Jul 18, 2:02 PM
    • #5
    • 21st Jul 18, 2:02 PM
    Im in need of advice and you thoughts to the following please

    Long story short. DWP sent confidential medical information to someone who it was not even relevant or related to. It was pure fluke the information picked up showed it to be someone known (not related or otherwise - purely friend capacity) It was all bought to the attention of the person it all related to, the person receiving all this info about them but under their name, address and NINO allowed them to scan each page relating to them for evidence of the breach. Contacted Information Commissioner's office and DWP to high light the breach. DWP requested all documents back (refused this and allowed copies only) also contacted MP. Is there anything else should be done or is everything right so far?

    DWP REPSONSE

    Update on above post. Integrity team contacted to say 3 members of staff facing disciplinary 1 manager 1 Discision maker and 1 contact centre employee.

    Soloution offered - reinstatement of benefit back to how it was with monies owed going back to 15th april and put back into support group. £50 compensation.

    Question is this acceptable? In my view its not because they shared and gave out detrimental information that shouldn't have been shared. Its almost as if they are saying "it's ok, your on benefits so it wont have caused you that much harm"

    Whats your advice or take on it please, They are expecting a call back on Monday to say whether we deem this acceptable.
    Originally posted by Ladidi

    How was it that the DWP had your name and address then - did you ring up at one point for this friend?
    “You’re only here for a short visit.
    Don’t hurry, don't worry and be sure to smell the flowers along the way.”
    Walter Hagen


    • Ladidi
    • By Ladidi 21st Jul 18, 2:09 PM
    • 32 Posts
    • 7 Thanks
    Ladidi
    • #6
    • 21st Jul 18, 2:09 PM
    • #6
    • 21st Jul 18, 2:09 PM
    Sounds like you are, in effect, being bribed by the DWP not to peruse the data breach.

    There are 2 issues here:
    1) whether your award is correct - this can be challenged and appealed.

    2) DWP poor practice leading to a data breach of highly confidential information.

    I believe under GDPR, the fines for such incompetence can be high.

    Only you can decide which option to take. I rather share your view that the DWP "offer" is not acceptable, and they are conflating separate issues.
    Originally posted by Alice Holt
    Thats my view as well. I feel as if they are saying we can sweep this one away cheaply and not have too much repercussion. They acknowledge they have failed in their security process and that all 3 failed to do their jobs correctly to which they should have done.

    What sticks in my throat is the way they are saying be grateful for what your being offered with touch of contempt for complaining as if you have no right to do this and take up their time.

    The award they are offering is basically to put you back into the position you was before you was refused and denied even though information/circumstances hadn't changed. This was going to appeal. they are now saying we will stop the appeal and put you back into the position you was before as if nothing had changed or happened. (Hence, the feeling of we are doing you a favour be gratful)
    • Ladidi
    • By Ladidi 21st Jul 18, 2:16 PM
    • 32 Posts
    • 7 Thanks
    Ladidi
    • #7
    • 21st Jul 18, 2:16 PM
    • #7
    • 21st Jul 18, 2:16 PM
    How was it that the DWP had your name and address then - did you ring up at one point for this friend?
    Originally posted by tboo
    A claim for benefits was made and awarded for claimant A. This was later reviewed and denied. All medical information etc was sent to appeal decision. Claimant B also in process of dealing with their claim. Neither knew about the other persons claims. (friends due brother of claimant A and claimant B son friendship)

    Claimant B was going through tribunal appeal. Received all paper work for tribunal. It was in this paper work that Claimant A private and confidential records were disclosed. Claimant B showed son who informed mate who in turn told brother. Claimant B brought all paper work round to Claimant A and showed them and parents. Agreed to scan paper work for evidence. Copies sent to DWP with evidence and strong worded letter notfiying severity of breach. Outcome as above.
    • Alice Holt
    • By Alice Holt 21st Jul 18, 2:40 PM
    • 3,390 Posts
    • 3,942 Thanks
    Alice Holt
    • #8
    • 21st Jul 18, 2:40 PM
    • #8
    • 21st Jul 18, 2:40 PM
    If the DWP are conceding the case, then that's usually because they have belatedly realised they don't have a leg to stand on re the appeal.

    If they are saying drop the compliant and we will then award you SG - that is completely unacceptable and highly unprofessional.

    You would need proof of any attempt to "bribe" you in this way. An SAR request:
    https://www.gov.uk/guidance/request-your-personal-information-from-the-department-for-work-and-pensions

    Although the DWP can be incompetent, I would be surprised at such a "bribe". It would seem to be very unwise for the DWP.
    When you speak on Monday I would clarify exactly what they are saying. A decision to reinstate the SG should be made solely on the appeal evidence.
    Alice Holt Forest situated some 4 miles south of Farnham forms the most northerly gateway to the South Downs National Park.
    • Ladidi
    • By Ladidi 21st Jul 18, 2:45 PM
    • 32 Posts
    • 7 Thanks
    Ladidi
    • #9
    • 21st Jul 18, 2:45 PM
    • #9
    • 21st Jul 18, 2:45 PM
    If the DWP are conceding the case, then that's usually because they have belatedly realised they don't have a leg to stand on re the appeal.

    If they are saying drop the compliant and we will then award you SG - that is completely unacceptable and highly unprofessional.

    You would need proof of any attempt to "bribe" you in this way. An SAR request:
    https://www.gov.uk/guidance/request-your-personal-information-from-the-department-for-work-and-pensions

    Although the DWP can be incompetent, I would be surprised at such a "bribe". It would seem to be very unwise for the DWP.
    When you speak on Monday I would clarify exactly what they are saying. A decision to reinstate the SG should be made solely on the appeal evidence.
    Originally posted by Alice Holt
    I shall request they put their offer in writing and the reasons for this outcome. As you say are they awarding SG based on them not winning appeal or to simply make complaint go away as cheaply as possible.
    • Ladidi
    • By Ladidi 21st Jul 18, 3:13 PM
    • 32 Posts
    • 7 Thanks
    Ladidi
    Dwp data breach
    I just want to add both Claimant A and B have been offered the same deal. DWP already had claimant B at tribunal stage which is how all this came about. Claimant A got their tribunal papers this morning.

    DWP denied both cases and at MR stage stood by their decision. All of this comes about and suddenly they want to stop tribunal and put things back to where they was before they were both denied.

    I cant help being a cynical person that I am that DWP are conceeding this based on the fact of the enormity of the breach involved but also treating them both with contempt as if to say you are benefits be greatful for the outcome your being offered and go away.
    • tomtom256
    • By tomtom256 21st Jul 18, 3:15 PM
    • 1,308 Posts
    • 2,059 Thanks
    tomtom256
    Im in need of advice and you thoughts to the following please

    Long story short. DWP sent confidential medical information to someone who it was not even relevant or related to. It was pure fluke the information picked up showed it to be someone known (not related or otherwise - purely friend capacity) It was all bought to the attention of the person it all related to, the person receiving all this info about them but under their name, address and NINO allowed them to scan each page relating to them for evidence of the breach. Contacted Information Commissioner's office and DWP to high light the breach. DWP requested all documents back (refused this and allowed copies only) also contacted MP. Is there anything else should be done or is everything right so far?

    DWP REPSONSE

    Update on above post. Integrity team contacted to say 3 members of staff facing disciplinary 1 manager 1 Discision maker and 1 contact centre employee.

    Soloution offered - reinstatement of benefit back to how it was with monies owed going back to 15th april and put back into support group. £50 compensation.

    Question is this acceptable? In my view its not because they shared and gave out detrimental information that shouldn't have been shared. Its almost as if they are saying "it's ok, your on benefits so it wont have caused you that much harm"

    Whats your advice or take on it please, They are expecting a call back on Monday to say whether we deem this acceptable.
    Originally posted by Ladidi

    So what is this breach worth to you then to make it go away?


    3 people will lose there jobs over this, that's potentially 3 families lives ruined and the staff involved who will not get any other similar job owing to a gross misconduct sacking.


    Money would/could not rectify the breach, as it has already been done.


    An apology and disciplinary action is the main way to treat it.


    They could give a pay out, but if it's over £16k then the person involved would lose all benefits until said payment is below £16k again.
    • Ladidi
    • By Ladidi 21st Jul 18, 3:49 PM
    • 32 Posts
    • 7 Thanks
    Ladidi
    So what is this breach worth to you then to make it go away?


    3 people will lose there jobs over this, that's potentially 3 families lives ruined and the staff involved who will not get any other similar job owing to a gross misconduct sacking.


    Money would/could not rectify the breach, as it has already been done.


    An apology and disciplinary action is the main way to treat it.


    They could give a pay out, but if it's over £16k then the person involved would lose all benefits until said payment is below £16k again.
    Originally posted by tomtom256
    As far as I'm aware from what they have told Claimant B. The staff will have it noted onto their records in relation to the breach and be given more staff training. So I think they and their families will sleep easy but hopefully learning how to be cautious and responsible with the data they are handling. They have also implemented new orders across the board as to how they deal with all data they receive and what they are and not allowed to do during their handling of data eg copy/cut/paste etc (assuming that bit) The claimants however more so the person who's private medical information what has been disclosed is more detrimental, information that was seen as between them and GP and specialists.

    What is worth? I could say a million, you would say greedy! I could say make me an offer and they do as cheaply as possible due to the fact its benefts!! its the detriment of what they have disclosed without permission. As someone stated, if they seriously thought they was right to deny benefits from ESA50 and assessment stage and again stand by that decision at MR stage telling them both to take it to tribunal.

    WHY suddendly change their stance? Are they saying you should have not been denied? or are they saying give them back the position they held before to make them go away?
    • bspm1
    • By bspm1 21st Jul 18, 6:13 PM
    • 267 Posts
    • 440 Thanks
    bspm1
    As far as I'm aware from what they have told Claimant B. The staff will have it noted onto their records in relation to the breach and be given more staff training. So I think they and their families will sleep easy but hopefully learning how to be cautious and responsible with the data they are handling. They have also implemented new orders across the board as to how they deal with all data they receive and what they are and not allowed to do during their handling of data eg copy/cut/paste etc (assuming that bit) The claimants however more so the person who's private medical information what has been disclosed is more detrimental, information that was seen as between them and GP and specialists.

    What is worth? I could say a million, you would say greedy! I could say make me an offer and they do as cheaply as possible due to the fact its benefts!! its the detriment of what they have disclosed without permission. As someone stated, if they seriously thought they was right to deny benefits from ESA50 and assessment stage and again stand by that decision at MR stage telling them both to take it to tribunal.

    WHY suddendly change their stance? Are they saying you should have not been denied? or are they saying give them back the position they held before to make them go away?
    Originally posted by Ladidi
    As a former DWP employee who has seen other employees fired for leaving their Peds (Pedestal Drawers) unlocked after finishing shift, we kept our passwords in them to the many systems that were used which contained sensitive information, even though we were told never to write passwords down , gross misconduct charges for losing or mislaying their Smart cards then I do not think the three members of staff involved in your error will get away with just more training.
    • Ladidi
    • By Ladidi 21st Jul 18, 7:27 PM
    • 32 Posts
    • 7 Thanks
    Ladidi
    Dwp data breach
    As a former DWP employee who has seen other employees fired for leaving their Peds (Pedestal Drawers) unlocked after finishing shift, we kept our passwords in them to the many systems that were used which contained sensitive information, even though we were told never to write passwords down , gross misconduct charges for losing or mislaying their Smart cards then I do not think the three members of staff involved in your error will get away with just more training.
    Originally posted by bspm1
    It is of the understanding that was stated by the complaint handler whose words were " they will face a disciplinary which will involve them to under take more training and noted in their work records"

    I take that to meam a written warning and given more training in data security procedures
    • FBaby
    • By FBaby 22nd Jul 18, 9:11 AM
    • 17,186 Posts
    • 42,189 Thanks
    FBaby
    If three staff are being disciplined, it is highly likely the breach will have been reported and indeed, a fine might be issued. All this is how it should happen. Saying that the staff will sleep well really shows a complete lack of empathy. You have no idea of the circumstances that led to the error and being disciplined is extremely stressful. It will be on their record which mean that they will be unlikely to apply to new jobs/promotions etc... for some time.

    I'm still not clear from what you've written what actual harm has actually been done. So someone, who doesn't know the person affected, only that they know someone who knows someone who knows someone has some medical information about them. Ok, not nice, but have they used this information to blackmail, threaten them? Have gone and told everyone about it? Is it medical information that is very sensitive that no-one else knew about?

    Both these claimants were considered not to meet the criteria for benefits, why should tax payers pay for them because of an error by the DWP? I still believe this is totally wrong. The case should have been investigated to consider harm done and compensation based on this. Why the person who received the information should received benefits when they were deemed not eligible is beyond belief.
    • Ladidi
    • By Ladidi 22nd Jul 18, 9:43 AM
    • 32 Posts
    • 7 Thanks
    Ladidi
    Its a bit like that old chestnut "lessons will be learned"
    If you are unhappy maybe a word with your MP before he or she disappears to the south of France for a month?
    Originally posted by venison
    I emailed her with all that has been said by the complaint handler. Im waiting on a reply.
    • TELLIT01
    • By TELLIT01 22nd Jul 18, 10:00 AM
    • 7,214 Posts
    • 7,830 Thanks
    TELLIT01
    Personal information being sent to the wrong person is taken extremely seriously by DWP. There will always be an investigation into how and why it happened and any disciplinary action will be based on the outcome of that investigation.
    The occurrences are actually pretty rare when the number of documents being handled is considered, although that doesn't make it any better for the people involved, both within and outside DWP.
    • Ladidi
    • By Ladidi 22nd Jul 18, 10:03 AM
    • 32 Posts
    • 7 Thanks
    Ladidi
    If three staff are being disciplined, it is highly likely the breach will have been reported and indeed, a fine might be issued. All this is how it should happen. Saying that the staff will sleep well really shows a complete lack of empathy. You have no idea of the circumstances that led to the error and being disciplined is extremely stressful. It will be on their record which mean that they will be unlikely to apply to new jobs/promotions etc... for some time.

    I'm still not clear from what you've written what actual harm has actually been done. So someone, who doesn't know the person affected, only that they know someone who knows someone who knows someone has some medical information about them. Ok, not nice, but have they used this information to blackmail, threaten them? Have gone and told everyone about it? Is it medical information that is very sensitive that no-one else knew about?

    Both these claimants were considered not to meet the criteria for benefits, why should tax payers pay for them because of an error by the DWP? I still believe this is totally wrong. The case should have been investigated to consider harm done and compensation based on this. Why the person who received the information should received benefits when they were deemed not eligible is beyond belief.
    Originally posted by FBaby
    Im sorry you feel I'm lacking empathy for the staff concerned. I feel the department are lacking in their empathy and concern at the information which was given to them as highly sensitive and not to be shared by anyone other than those who needed to see this within the department and what it has done to the person concerned.

    The information shared has caused considerable distress, purely due to the fact that they hadn't discussed the issues with anyone but GP and specialist. Because of this breach and what was revealed they had to sit down with their parent and go into detail with what was revealed causing considerable distress. Should the department pay for that? Yes they should! It was their error and their fault. As for the party the information it was given to, they showed her son. Her son is best mates with the injured partys brother..so yes information was revealed. Do you have any idea how hard somethings can be to talk about to other people and trust them with the issues because they going to help you? The distress caused by this breach has been detrimental.

    I cant comment on why the party receiving the information was given the same "payoff" To be fair, we have asked the same question. Hang on one minute your standing by your decision to deny benefits and saying take to tribunal etc. This kicks off, they investigate. Cant apologize enough for their breach and say to put things right we are going to have 3 staff facing disciplinary( means written into their work info and more training) and for you we will reinstate benefits and award £50 compensation. Does that seem justifiable? Another to thing to think about is, are awarding benefits because they should have in the first place or are they awarding because they screwed up revealing info? If awarding because they should have, all well and good. If they are awarding because they screwed up, then that is wrong in its entirety as the way i see it, they are awarding benefits as a way of compensation.
    Last edited by Ladidi; 22-07-2018 at 10:12 AM. Reason: error
    • pmlindyloo
    • By pmlindyloo 22nd Jul 18, 10:09 AM
    • 12,449 Posts
    • 14,235 Thanks
    pmlindyloo
    Have you written to the DWP Data Protection Officer?

    DWP has appointed a Data Protection Officer. The role of the Data Protection Officer is to make sure DWP is compliant with data protection laws and to act as a point of contact for data subjects.
    The DWPs Data Protection Officer is Dominic Hartley. You can contact the Data Protection Officer by post at:
    DWP Data Protection Team
    Benton Park View 5
    Mail Handling Site A
    Wolverhampton
    WV98 1ZX
    Or by email at: data.protectionofficer@dwp.gsi.gov.uk.
    • Ladidi
    • By Ladidi 22nd Jul 18, 10:17 AM
    • 32 Posts
    • 7 Thanks
    Ladidi
    Have you written to the DWP Data Protection Officer?

    DWP has appointed a Data Protection Officer. The role of the Data Protection Officer is to make sure DWP is compliant with data protection laws and to act as a point of contact for data subjects.
    The DWPs Data Protection Officer is Dominic Hartley. You can contact the Data Protection Officer by post at:
    DWP Data Protection Team
    Benton Park View 5
    Mail Handling Site A
    Wolverhampton
    WV98 1ZX
    Or by email at: data.protectionofficer@dwp.gsi.gov.uk.
    Originally posted by pmlindyloo
    We handed it over to DWP and it was in turn handed over to DWP complaints. Im going to assume its the same place/people dealing with the issues.

    Our MP has forwarded our complaint onto Mr Andrew Rhodes DWP director General. When I advised them of this, the reply was all that will happen there is, they ask us if we have investigated and what out decision outcome was which is what I am discussing with you now.

    Should I email them?
Welcome to our new Forum!

Our aim is to save you money quickly and easily. We hope you like it!

Forum Team Contact us

Live Stats

3,169Posts Today

7,297Users online

Martin's Twitter