What Do They Know

What Do They Know

DWP Central Freedom of Information Team

e-mail:

Our Ref: VTR 167

Dear Mr White

Freedom of Information Request

Thank you for your email of 30 January asking for the decision on the handling of your Freedom of Information request “ the Subject Access Request Guide “ dated 20 January 2009 to be reviewed.

I am the Senior Civil Servant head of Information and Devolution policy in DWP and I have considered your original request completely afresh in the light of your request for a review.

You wrote on the 30 January

"Please pass this on to the person who conducts Freedom of Information reviews.

I am writing to request an internal review of Department for Work and Pensions's handling of my FOI request 'DWP Policy to NOT Comply With The Subject Access Rights Under The Data Protection Act'.

A full history of my FOI request and all correspondence is available on the Internet at this address:

I specifically note that the response states;

"In practice, this is done by the Data Protection Officer sending the customer a “SANTA01” letter to clarify which information they are seeking when the request is not specific or clear. I enclosed a copy of the SANTA01."

This does not make sense. "I enclosed" indicates past action. There has been no past action that is evident!

if it is meant to read I enclose - the enclosure has been omitted!

Could you please clarify what you are saying and why!

I have however been able to locate a copy of the SANTA01 refereed to, using this Foi Request which obtained a Copy of the DWP Subject Access Response Guide ( SARG ). the FoI request can of course be found here -

Having Studies the SANTA01 form there is no mention of anyone having to have previous knowledge of which Data is being processed by the DWP! It is also noted that SARG has not been in the Public Domain or even available via the DWP website.

the SARG guide states;

"Audit Trail Information

154 If the customer specifically requests audit trail information it can be provided to the customer, subject to any exemptions. However, do not include audit trail information as part of a response to a routine subject access request. Only include it if they specifically ask."

It is noted that the DWP policy states that a SANTA01 Form whousl (sic) be sent to as person making a Subject Access Request where phrases such as “all the personal information you hold on me” are used in the original request. It is evident that where a Data Subject uses such a phrase the SANTA01 only has the function to obtain specific operands and not to reduce the scope of the Subject Access Request.

There is no exemption within The Data protection Act Subject Access provisions for Data such as Audit data and Audit Data Trails to be withheld when a Subject Access Request is made. Any and all Data caught under the definition of Data within the Act are to be supplied except where there is a lawful exemption. there is No Blanket Exemption for Audit Data - Audit trail Data and as such It is to be supplied automatically when a Subject Access Request is Received.

The SANTA01 Form mentions nothing of Audit Data and it's function is not to decide which Data Are to be provided but to seek relevant operands and identifiers which a Data can Controller can reasonably request as per Section 7(3) of the Data Protection Act which states;

"A data controller is not obliged to comply with a request under this section unless he is supplied with such information as he may reasonably require in order to satisfy himself as to the identity of the person making the request and to locate the information which that person seeks."

The SARG document acts to alter the intent and explicit application of the Data protection Act 1998 and to withhold data that is caught fully within the definitions of The Act.

Again you are requested

1.) When did the DWP adopt this policy of not fully complying with the Subject Access Provision of The Data Protection Act 1984/1998

and started to fail to comply fully with the Act? For clarity please provide date in the form "day - month - year"

2. Provide full copies of any and all policy documents, other than SARG, operated, used or held by the DWP as to this withholding of

Data in breach of a Lawful Subject Access Request.

Again these are DOCUMENTS and POLICY STATEMENTS in their own right and which will need to be provided in Acrobat Pdf Format.

3. Identify who is the person and their contact details who should be contacted to first object to such breaches of The Data Protection Act and also who is responsible for providing this Audit Data as it was on the date a Subject Access Request was lawfully made to the DWP.

That is name - Salutation - Christian name Surname, Job Title, Correspondence Address.

Please do not Obstruct the Obligations that the DWP have under the Freedom Of Information Act. Such conduct tends towards Maladministration as defined by the DWP and which can be found Here

-

Provide the required information within the time limits of the legislation, or earlier at your convenience."

My decision

I have considered the response sent to you on 20 January.

The sentence "I enclosed a ….." should have read "enclose". I hope you will accept this as a simple typing error.

The copy of the letter SANTA01 should have been enclosed with the reply and I hope you will accept our apology for this omission. I note that you have since obtained a copy of the SANTA01 letter.

You state that the Subject Access Request Guide (SARG) has not been in the Public Domain or even available via the DWP website. This is not the case. The SARG has always been available via the DWP Publication Scheme, as was its predecessor the Data Protection Manual (DPM). A link explaining how to access a current version of the SARG on the DWP website can be found atDWP - how to handle subject access requests

You ask when did the DWP adopt the policy of not fully complying with the Subject Access Provision of The Data Protection Act 1984/1998 and started to fail to comply fully with the Act? You also ask to be provided with full copies of any and all policy documents, other than the SARG, operated, used or held by the DWP as to this withholding of Data in breach of a Lawful Subject Access Request.

DWP policy is to comply fully with the Act and as such there are no documents used or held by DWP as to the withholding of data in breach of a subject access request. DWP do clarify with customers, when appropriate, exactly which information they require. This ensures customers are given only the information they require, an approach endorsed by the Information Commissioner.

The Department does not regard audit data trails as being covered by an exemption from the Data Protection Act. Rather, we do provide such data if requested by a customer in the same way that we would provide any other personal data so requested. The SANTA01 letter provides a means of identifying precisely what the customer’s requirements are.

You also ask DWP to identify who is the person and their contact details who should be contacted to first object to such breaches of The Data Protection Act and also who is responsible for providing this Audit Data as it was on the date a Subject Access Request was lawfully made to the DWP. The Department has a network of Data Protection Officers who handle subject access requests, which can include a request for audit data. Responsibility for complying with these requests rests with senior management in the part of the Department handling the request.

If you are not content with the outcome of my internal review you have the right to apply directly to the Information Commissioner to look into the way your request has been handled. The Commissioner can be contacted at:

Information Commissioner’s Office email: ”

Yours sincerely

Rob Molan

Top View