Data Protection at Work Programme

[delsus]

Hello, I was just wondering if anyone knows what I should be doing about potential data protection breaches at work programme?

 

I have informed my provider's manager about the issue of people storing copies of CVs on the companies PCs, (this could be down to anything, saved after downloading it from an email attatchment or just forgetting they downloaded it, and I got told they have software that wipes the computers every night that must be malfunctioning. This was about one month ago and on Friday I checked a PC which had the copies of CVs in the My Documents folder.

 

The worst potential breach I saw on Friday however was a shared folder, stored on another PC which was accessible to everyone who used a PC, this shared folder was simply called "cv" and contains approximately 82 CVs, all of which will contain personal information including addresses, email addresses and phone numbers.

 

I was wondering if this is something I should contact my MP about or someone else.

 

Thanks for any help.

[Mr.P]

If you can view other peoples CVs, it is not a "possible breach", but a genuine, and serious breach - One that the DWP should take very seriously.

Write a formal complaint addressed to the provider's head office, cc it to the head of Third Party Contracts (DWP, Sheffield), the ICO, and your MP. Print a few random pages if you can and bundle them with the letter sent to the DWP - That should light a few fuses under a backside or two.

Once the provider fails to address your concerns, you can then involve the ICE at a cost of £5000 to the provider.

 

I've posted the address for the head third party manager before - If you can't find it, I'll dig through my posts.

[delsus]

If you can view other peoples CVs, it is not a "possible breach", but a genuine, and serious breach - One that the DWP should take very seriously.

Write a formal complaint addressed to the provider's head office, cc it to the head of Third Party Contracts (DWP, Sheffield), the ICO, and your MP. Print a few random pages if you can and bundle them with the letter sent to the DWP - That should light a few fuses under a backside or two.

Once the provider fails to address your concerns, you can then involve the ICE at a cost of £5000 to the provider.

 

I've posted the address for the head third party manager before - If you can't find it, I'll dig through my posts.

 

Thank you, I'll have a look for the address and I will start making writing up the letters, I have a screenshot of the folder in question, would that be enough to prove the breach, or would I need to get copies of a few documents?

[Mr.P]

Derek French/Clare Elliot

Head of Work Programmes

Department for Work and Pensions

Level 4

Steel City House

56 West Street

Sheffield

S1 2GQ

 

Copies of offending documents to send to the DWP (and the ICO) always helps to demonstrate breaches - It supports your complaint and prevents the provider from brushing it under the carpet.

 

I had a similar issue with A4e when "advisers" would openly discuss clients criminal records within earshot of any Tom, Dick, and Me - Wrote to the DWP and informed them that the discussions were loud enough to be picked by a simple tape recorder (implying I had evidence on tape). Someone got their backside well and truly kicked judging by the reception I had at the next appointment.

 

Yes, evidence supports your complaint, and sent to the right places, will get bums smacked.

Edited May 19, 2013 by Mr.P

[jasta11]

Heartily agree - get as much evidence of the data breach as you can and nail the sods! Remember - it could be your CV that strangers are looking at next time.

 

Having said that, it's also up to all of us to guard our own details too. I've sat down at a pc before and noticed people's cv's just left on the pc desktop as a shortcut, or stored in the 'My Documents' folder for all the world to see, as you found yourself. I know some folks aren't too hot at using computers, but the WP should also be keeping an eye on them to ensure no data is left unsecured.

 

Let us know how you get on with your complaint.

[delsus]

Heartily agree - get as much evidence of the data breach as you can and nail the sods! Remember - it could be your CV that strangers are looking at next time.

 

Having said that, it's also up to all of us to guard our own details too. I've sat down at a pc before and noticed people's cv's just left on the pc desktop as a shortcut, or stored in the 'My Documents' folder for all the world to see, as you found yourself. I know some folks aren't too hot at using computers, but the WP should also be keeping an eye on them to ensure no data is left unsecured.

 

Let us know how you get on with your complaint.

 

Here's what I am thinking, there are a lot of computer illiterate people around, who can put it down to ignorance, they are getting help with their CV, and have to save it to email it to themselves (even computer literate people could forget to delete the file) even under the assistance of staff, it takes (and I know because I have done this) less than one minute to write a script to wipe My Documents and apply it as a policy to run every log off, the whole office could be secured in less than one hour.

 

In addition to the shared folders, use to the amount of CVs, in a logical place (a folder called CVs) I can only say that it's an advisor's PC, and they have shared the folder, in which case it is the advisor's fault, and by extension the fault of the company for allowing this to happen.

 

By the way, just so you know my sources for time scales and what can be done, I am currently looking for work in computer networking/support so I have to know it all

[jasta11]

Oh, they'll try and wriggle out of it, never fear - they'll blame the people for leaving their cv's around, and probably try and blame you for 'sticking your nose in', but it still doesn't hide the fact that a participant was able to openly view the cv's of other participants..and that's down to the WP to prevent.

 

I have no doubt at all that WP advisors have a good nose about through ALL the computers used by clients after they've left, to see what extra info they can pick up which might lead to job outcome payments or anything else they can claim for.

[Mr.P]

I am currently looking for work in computer networking/support so I have to know it all

 

There are many ways of securing documents from unauthorised access - Setting attributes so that only the owner can read/write. Encrypting files so that only the keyholder can read/write them.

Running a script that cleans out "My Documents" on logout or shutdown is fine until the user saves files in another directory - To get round this, one could mount a memory based virtual filesystem over the top of a read-only home directory. When the user logs out or powers down, the memory would be wiped. The "delete files from disk" strategy is a weak option as it is possible recover the data fairly easily on a Windows system and a little more involved on a *nix box. To effectively remove a file requires overwriting the entire file with $random data.

However, system security is an inverse function of the number of people with access - The more users, the greater the risk of a breach.

 

jasta11 is also correct - The WP provider will use the "You shouldn't look" excuse as the first line of their data protection policy. A totally inexcusable defence that should get a rapid and severe slapdown from both the DWP and the ICO.

[osdset]

A totally inexcusable defence that should get a rapid and severe slapdown from both the DWP and the ICO.

Sorry to pinch a quote from your post but the two abbreviations DWP and ICO caught my attention with regard to this.

 

A long running war of words has been waging between the DWP and the Information Commissioner’s Office (ICO) ever since a Freedom of Information request was submitted by Frank Zola asking for the names of organisations taking placements under the Government’s Mandatory Work Activity scheme. Three times the DWP have tried to dodge the ICO's demand for transparency which resulted in this week’s tribunal hearing.

 

In an astonishing legal defence the DWP claimed this week that if the public knew who was taking part in the workfare schemes then the entire racket might be in danger of collapse. Providing an unwitting but glowing testimony to the effectiveness of Boycott Workfare and other anti-workfare campaigners, the department claimed: “The activities of campaign groups and the results of negative publicity meant that… “a great many placement organisations” had ceased to offer placements. That in turn reduced the numbers of opportunities available across both programmes with a loss of many placements and prospective new placements being at risk.”

 

Full story here http://johnnyvoid.wordpress.com/2013/05/18/dwp-ordered-to-name-the-workfare-exploiters/

[Mr.P]

In an astonishing legal defence the DWP claimed this week that if the public knew who was taking part in the workfare schemes then the entire racket might be in danger of collapse.

 

I had read the Tribunal Judgement this afternoon - The DWP claim that disclosure would result in the collapse of "workfare" was slapped down as conjecture based on a very small number of responses to (mis)leading questions. Indeed, I await full disclosure of all companies and charities providing "placements" under these schemes.

[delsus]

I sent the letter in on Friday (earliest I could) and I got an email today saying they will launch an investigation. They will contact me when they have some more information, my appointment could be fun tomorrow.

[Mr.P]

If the s**t hits the fan before you get there, which it just might, expect a frosty reception bordering on open hostility. I'd strongly recommend recording all conversations (if you are not already doing so), and be prepared to be beaten around the head with the Data Protection Act - Worth reading that piece of legislation before you go in...

 

In my case, I had:

"If you record this conversation I will have to report you for breaking the law"

"Umm.... Which law would that be ?"

"The Data Protection Act"

""

"Are you recording this conversation ?"

" get on with it..."

[dyfed]

I am sure I read somewhere that you can record if you are party to the converasion or taking part in it and it involves you.

What you cant do is leave a recording device somewhere and record others and you are not party to or involved with the conversation.

 

This is my take on all the legal jargon used, I might be wrong but I am sure someone with legal knowledge can confirm this.

Edited May 29, 2013 by dyfed
typo

[delsus]

If the s**t hits the fan before you get there, which it just might, expect a frosty reception bordering on open hostility. I'd strongly recommend recording all conversations (if you are not already doing so), and be prepared to be beaten around the head with the Data Protection Act - Worth reading that piece of legislation before you go in...

 

In my case, I had:

"If you record this conversation I will have to report you for breaking the law"

"Umm.... Which law would that be ?"

"The Data Protection Act"

""

"Are you recording this conversation ?"

" get on with it..."

 

I am sure I read somewhere that you can record if you are party to the converasion or taking part in it and it involves you.

What you cant do is leave a recording device somewhere and record others and you are not party to or involved with the conversation.

 

This is my take on all the legal jargon used, I might be wrong but I am sure someone with legal knowledge can confirm this.

 

I haven't been recording conversations, but I have been tempted, I aren't sure if the DWP have contacted them just yet, I noticed people looking at me whilst I was waiting, and the manager wanted to see some advisors, but no one mentioned anything, I'll see in two weeks when I have another appointment with them.

 

Oh and it seems my advisor is leaving soon, she says it's because she has to travel a long way to get there, so she is doing the same job somewhere else, 3 advisors in just over one year, yeah... really trying to help me, I guess I'll be back to square one now.

[jasta11]

Might be worth recording future conversations, if only to let the WP dig themselves in deeper if they try to use intimidation and bullying.

 

As far as I understand it, you're allowed to record anyone - either with their blessing or secretly, but it must be 'for your own domestic use'. ie don't broadcast it or stick it on Youtube. Also, you must not accidently record other people and infringe their privacy.

 

Everybody who gets recorded always comes out with the old 'that's against the law' patter - they have no idea what the law is really.

 

Keep us informed of developments.

[delsus]

Might be worth recording future conversations, if only to let the WP dig themselves in deeper if they try to use intimidation and bullying.

 

As far as I understand it, you're allowed to record anyone - either with their blessing or secretly, but it must be 'for your own domestic use'. ie don't broadcast it or stick it on Youtube. Also, you must not accidently record other people and infringe their privacy.

 

Everybody who gets recorded always comes out with the old 'that's against the law' patter - they have no idea what the law is really.

 

Keep us informed of developments.

 

I might try that from now on, and I will keep you informed

[Mr.P]

As far as I understand it, you're allowed to record anyone - either with their blessing or secretly, but it must be 'for your own domestic use'. ie don't broadcast it or stick it on Youtube. Also, you must not accidently record other people and infringe their privacy.

 

Regulation of Investigatory Powers Act 2000 covers the recording of conversations, either openly, or covertly.

Data Protection Act 1998 covers the storing and processing of the recordings. Section 36: Personal data processed by an individual only for the purposes of that individual’s personal, family or household affairs (including recreational purposes) are exempt from the data protection principles and the provisions of Parts II and III.

European Convention on Human Rights (ECHR), Article 8 guarantees a "right to respect for privacy and family life" from state parties. However, in a public area (this includes open plan offices), there is no expectation to privacy - A point I would hammer home given opportunity with A4e..

 

Should anyone attempt to invoke any of the above instruments in an attempt to dissuade you from recording conversations, remind them that you are a private individual requiring accurate information for your personal records. Point out that if they continue, then they should seek opinion from a qualified and registered legal council - If nothing else, it will tie their hands for a few days and incur a substantial fee.

[delsus]

Just another update, I recieved an email yesterday with a letter attatched saying

 

Thank you very much for your letter and bringing your concerns to our attention.

 

DWP takes Data Protection and the security of personal information very seriously, please be assured that we have started a thorough investigation on the matters you have raised.

 

Once we have completed this work we will provide you with an update.

 

I'll let you all know what comes of it.

[Mr.P]

Did you send the letter to the Head of Work Programmes or lower down the food chain ?

 

Would love to be a fly on the wall just to see who gets a face full when the $**t hits the fan

[delsus]

I sent it to the head of work programmes, my next appointment could get really interesting. Seems like the DWP is doing more than my provider, they just say "It's the customers own fault, good bye" I didn't even get one letter from them because "we are too busy" I'm just sick of the excuses so I decided to take it as high as I could

[Mr.P]

Well done for taking it to the top. It may take a few days for the proverbial to filter down, but I suspect you will notice a change in attitude when it hits.

[delsus]

Well done for taking it to the top. It may take a few days for the proverbial to filter down, but I suspect you will notice a change in attitude when it hits.

 

The higher up I take it, in theory, the higher the chance of something happening.