§ Mr. Cohen To ask the Secretary of State for Employment to what investigations her Department has been subject by the Data Protection Registrar in relation to a suspected breach of a data protection principle; if she will summarise the nature of each complaint and state when the complaint was made; and what remedial action was taken by her Department to ensure future compliance with the principle subject to the investigation.
§ Mr. McLoughlin In the Employment Department Group 16 cases of suspected breach of a data protection principle have been investigated by the Data Protection Registrar since November 1987 when rules on "subject access" came into force. The following table consists of a summary of the 16 cases giving details of dates, nature of complaint and remedial action taken.
Summary of investigations by the Data Protection Registrar

| Date and Part of EDG | Nature of complaint | Remedial action taken |
|---|---|---|
| November 1987 (ED HQ) | Subject access request answer not received within the 40 days time (Principle 7) | New circular issued to staff placing more emphasis on time limit. Re-issue of instructions to staff to improve communications. |
| 9 February 1989 (ES) | A client was visited at home by ES staff. Later he was handed a printout found by a neighbour which had on it his benefit record and written information of a sensitive nature, ie, he had been in prison (Principle 8) | Case was upheld and an ex gratia payment was made to the client. Two internal investigations were carried out and the recommendations were accepted. (a) ES appointed a central DP co-ordinator with sole responsibility for DP issues; (b) A personal message on staff responsibilities under DP was sent to all staff by the Permanent Secretary; (c) Personal copies of a DP pamphlet were sent to all ES staff. |
| 6 April 1989 (ED HQ) | Caller supplied telephone number to office so that officer could return her call. The number is ex-directory, but she received a call from another Department. Concerned that the number was being held on computer by departments as personal data (Principle 8) | DE Data Protection Officer confirmed with offices concerned that no automated/paper means was used to keep information given. Written confirmation was sent to the Registrar's office to reply to the person making the complaint. |
| 1 February 1990 (ES) | A client complained that ES did not respond to a subject access request within 40 days (Principle 7) | Investigation showed that no request had been received. Arrangements were made to send details. No action required. |
| 3 May 1990 (ES) | A client complained that the inclusion of his NINO in the details shown in the window of his Giro envelope warranted an unauthorised disclosure of personal information (Principle 8) | The NINO information was removed from the windows of the envelopes. |
| 8 June 1990 (ES) | A client complained that he did not receive an answer to a subject access request (Principle 7) | Investigations showed that a reply had been sent within the required time. Further information was sent. No action required. |
| 23 November 1990 (HSE) | A request for personal data was not immediately identified as a subject access request, and a breakdown in the administrative procedures within the personnel section delayed a response within the time limits (Principle 7) | Apology and copy of personal data sent to complainant. System managers reminded of action and time scale for dealing with subject access requests. Personnel system instructed to make changes to their administrative procedures. |
| 24 January 1991 (ES) | A client claimed that: (a) He did not receive a response to a subject access request; (b) The printout received after a "second" request was not within the 40 days; (c) He was not given all his personal information; and (d) Said that the printout was not accompanied by an explanatory note. (Principle 7) | Investigations showed that ES had responded to his requests within required limits and given him all information that was needed. No action required. |
| 28 January 1991 (ES) | (Same client as 24 January 1991) After another complaint the Registrar asked: (a) Are ES holding information for a specific period for the client? (b) Was this data sent to the client on request? (c) Why was the client given the information shown on the attached printout? (Principle 7) | Further investigations showed that ES had complied with the Act. The Registrar was informed of details. No action required. |
| 5 June 1991 (ES) | A client complained that his benefit details had been disclosed to the tutor at his "Restart" course (Principle 8) | No action required. ES were authorised to make this type of disclosure. |
| 12 September 1991 (ES) | A client complained that an ES application form said that information would be given to "relevant organisations". This is vague. What is "relevant" and how do ES decide? (Principle 8) | No action required. "Relevant organisations" were listed in registrations. ES decided on "relevance" by giving info to companies who notified them of vacancies. |
| 27 November 1991 (ES) | A client complained that an ES employee had found his address through unauthorised use of the ES computer system (Principle 8) | Complaint upheld - ES staff member given three-year disciplinary penalty. No action required as investigation showed that this was an isolated incident and staff were aware of their responsibilities under the Act. |
| 18 December 1991 (ES) | That ES was asking on the subject access request form for the DP registration number. The Registrar thought that this could give the impression that ES were trying to "frustrate" rather than "facilitate" those making requests (Principle 7) | Although it was on the form we did not require the information to process a request. If the client could say where the contact was with ES that was sufficient. The form has now been amended. |
| 6 February 1992 (ES) | A client made a subject access request and then wrote to the Registrar claiming inaccuracies in the printout. The Registrar asked for details of the client so that the claims could be checked (Principle 7) | ES sent the Registrar the requested details. Client's claims were unfounded. No action required. |
| 5 June 1992 (ES) | A client alleged that the ES never replied to a subject access request although he was verbally told that it was being dealt with (Principle 7) | Investigations showed that no request had been received. The Registrar and ES followed up with the client, but he never responded to the letters. No action required. |
| 23 December 1992 (ES) | A client was dissatisfied with the information given on the data protection printout. He claimed that it was incorrect, ie, it showed he was paid benefit when he was not (Principle 7) | Printout was correct. The dates concerned showed periods of signing on and not payment. No action required. |