DWP Central Freedom of Information Team

e-mail:

Our Ref: VTR57

20 January 2009

Dear Mr White,

Freedom of Information Request – VTR57

I am writing in response to your request for information about the Subject Access Request Guide which you requested on 15 January 2009.

You state: Having had the opportunity to study the DWP Subject Access Response Guide (SARG) obtained under the FOI request made here, I am shocked to discover that the document instructs employees of the DWP to not provide Data that should automatically be provided.

The SARG Guide States at section 154;

"If the customer specifically requests audit trail information it can be provided to the customer, subject to any exemptions. However, do not include audit trail information as part of a response to a routine subject access request. Only include it if they specifically ask."

It is noted that nowhere within the published and previously available information on making a Subject Access Request does it advise applicants that they will have to ask for this Audit Data explicitly to obtain it, even though such data is caught fully under the Subject Access Provisions of The Data Protection Act.

1.) When did the DWP adopt this policy of not fully complying with the Subject Access Provision of The Data Protection Act 1984/1998 and started to fail to comply fully with the Act?

2. Provide full copies of any and all policy documents, other than SARG, operated, used or held by the DWP as to this withholding of Data in breach of a Lawful Subject Access Request.

3. Identify who is the person and their contact details who should be contacted to first object to such breaches of The Data Protection Act and also who is responsible for providing this Audit Data as it was on the date a Subject Access Request was lawfully made to the DWP.

DWP policy is to comply fully with legislation including the Data Protection Act 1998.

The Data Protection Act 1998 allows data controllers, in this case DWP, to confirm with its customers (data subjects) exactly which parts of their personal information they are seeking when they make a subject access request. This is to ensure that we provide the customer with only the information they require. This approach has been endorsed by the Information Commissioner's Office.

In practice, this is done by the Data Protection Officer sending the customer a “SANTA01” letter to clarify which information they are seeking when the request is not specific or clear. I enclosed a copy of the SANTA01. You will note that the letter contains a range of specific options and has a space for the customer to specify any other personal information they require.

Once the customer has returned the completed SANTA01 letter to the Data Protection Officer, the requested information is gathered and sent to the customer, subject to allowable legal exemptions.

The Department handle Subject Access Requests against a background of varying definitions of personal data, ranging from legal case law to guidance issued by the Information Commissioner. In the case of the Commissioner, the guidance issued in August 2007 (Determining What is Personal Data) sets out his latest thinking. A link to this guidance is provided below for information.

The Department applies its best judgement of what should be classified as personal data in responding to subject access requests. In the past, we took the view that audit trail information did not constitute personal data as it did not contain any biographical content about the customer, and offering such data on a non statutory basis would carry disproportionate IT costs.

However, given the continuing uncertainty over the definition of personal data, we have since modified our policy (as evidenced in the current SAR guide) to provide such information to customers if they request it, subject to any exemptions. This is consistent with our general handling policy for subject access requests of giving customers only the information they want.

If you are not satisfied with the handling of your request please tell me why within two calendar months of the date of this letter. I will then arrange for someone to conduct an internal review of your request and my decision. The review will be conducted by another officer, usually of a more senior grade to myself. This person will have taken no part in my original decision. You will be advised of their decision in writing.

If you are still not content with the outcome of the internal review you have the right to apply directly to the Information Commissioner to look into the way your request has been handled. Please note that generally the Commissioner cannot make a decision unless you have first exhausted DWP’s own complaints procedure. The Commissioner can be contacted at:

FoI Complaints Resolution

Information Commissioner’s Office

Wycliffe House

Water Lane

Wilmslow

Cheshire

SK9 5AF

Fax: 01625 545 510

email:

If you have any queries about this letter, please contact me. Please remember to quote the reference number above in any future communications.

Yours sincerely

DWP Central FoI Team