× Search rightsnet
Search options

Where

Benefit

Jurisdiction

Jurisdiction

From

to

Forum Home  →  Discussion  →  Universal credit administration  →  Thread

Other people’s UC passwords

Elliot Kent
forum member

Shelter

Send message

Total Posts: 3117

Joined: 14 July 2014

Working in a full service area, I am finding clients who are getting UC are increasingly keen - without any prompting - to give their advisers their full login details for their online account.

Whilst obviously this is convenient if you need to go digging around the journal for whatever reason, it does really make me uneasy in a bunch of ways and my gut reaction is that I should refuse to keep these details.

I wondered what people think. Am I being excessively cautious?

alang
forum member

Paisley South HA

Send message

Total Posts: 54

Joined: 9 February 2015

I agree, it is their personal account and I would feel very uncomfortable being given log in details, would you accept someones log in details to their online bank account for the purposes of drawing up a financial statement? No.

In scenarios like this I would not accept someone telling me their log in details. I would allow them to sit at my computer to log in themselves and then log out with them in my presence and write it up in my notes that they were satisfied I had logged out.

I think to actually type them in or to keep a note of them leaves you open to allegations in the future if someone was to gain access to their account and do something nasty.

However, I am not in a full service area so I can take the moral high ground, I may change my mind later once I have had the pleasure.

Paul_Treloar_AgeUK
forum member

Information and advice resources - Age UK

Send message

Total Posts: 3196

Joined: 7 January 2016

I think there are two separate but interlinked issues potentially at play here.

The first are your responsibilities with regards to data protection in general, as regulated by the ICO. I don’t profess to know enough about the intracacies of this area but such personal data will have implications for how you store and use that information at the very least.

The second would be the legal disclaimer signed by the client when making the UC claim - this would, I imagine, have some clear statement about not sharing your personal details such as password although I’m uncertain as to what penalty may be imposed if they are willingly shared.

And I would imagine there may be some crossover between the two issues. It’s tricky.

ClairemHodgson
forum member

Solicitor, SC Law, Harrow

Send message

Total Posts: 1221

Joined: 13 April 2016

we’re all told never to give passwords to anything to anyone for any purpose (save as forced to by operation of law in particular situations, usually criminal). 

in principle, i should think it’s quite wrong for a client to do this even though s/he may have the best of intentions, and quite wrong for a rep to receive the information and use it.

This relates to the discussion on the other thread re people incapable, for whatever reason, of accessing their account

it comes back, doesn’t it, to the DWP’s position on actual/implied consent to give out info to reps and the like?

if they sorted themselves out on that, clients wouldn’t feel the need to do this and reps wouldn’t need to find themselves tempted.

it should be possible for a client to authorise a rep to have access, and for that rep to have their own password etc to access their client’s data.  the technology is there

Gareth Morgan
forum member

CEO, Ferret, Cardiff

Send message

Total Posts: 1995

Joined: 16 June 2010

If someone gave me their login details for UC then I would, effectively, become a de facto appointee.  I should not want to be in that position without some very serious consideration.

Dan_Manville
forum member

Mental health & welfare rights service - Wolverhampton City Council

Send message

Total Posts: 2262

Joined: 15 October 2012

I’m not in a full service area so don’t need to worry about this yet however I have found the ICO’s helpline to be very helpful in times passed… As regards allegations of tampering; I am quite sure the IP address of a machine that’s logged in to the system would be recorded so they’re easily disposed of. It would take a very technologically savvy claimant to spoof your IP address.

https://ico.org.uk/global/contact-us/

Benny Fitzpatrick
forum member

Welfare Rights Officer, Southway Housing Trust, Manchester

Send message

Total Posts: 627

Joined: 2 June 2015

Like so many things, the DWP don’t seem to have thought this through very well.  Or, alternatively, it is all part of a fiendish plan to obfuscate, frustrate and confuse.

Peter Turville
forum member

Welfare rights worker - Oxford Community Work Agency

Send message

Total Posts: 1659

Joined: 18 June 2010

see also http://www.rightsnet.org.uk/forums/viewthread/10478/P30

There appears to be no clarity about how alterntaives to implicit concent in UC Full Service areas will work - in terms of what they are, whether they actually work in practice,  how long it takes to establish that consent onto the DWP sysytems / claimants UC account etc.

Does anyone know if Advice UK, Citizens Advice, A N Others have developed guidance / policy advice on this issue including the Data Protection and Indemnity Insurance implications of retaining (or even seeing them when the claimant inputs it themselves in the presence of an adviser) a clients log in details? We will now contact Advice UK regaring this issue.

We have long seen this as a potential issue with UC and it now looks like agencies in full service areas should consider very seriously the implications both of retaining such information and how the alternatives too, or lack of, implicit consent will change / further hinder the way we can assist clients when they are not physically present to give consent.

1964
forum member

Deputy Manager, Reading Community Welfare Rights Unit

Send message

Total Posts: 1711

Joined: 16 June 2010

Will be interested in the response from Advice UK Peter.

This is a right can (or lobster pot) of worms isn’t it? What an unholy mess this is becoming.

Tom H
forum member

Newcastle Welfare Rights Service

Send message

Total Posts: 783

Joined: 23 June 2010

It’s laughable isn’t it?  How the DWP completely muck up someone’s benefits putting them in severe hardship and exacerbating their health problems, only to then tell you when you phone up on the person’s behalf to sort it out that they cannot help because they have to look out for the customer’s interests and rights.  What about the right to have their benefit claim handled competently?  And whilst I’m not downplaying data protection, was there really a problem with implicit consent?  Even under that policy, you were never given any info like bank account details which could harm the client.  Most of the time it was clear that you were acting with the interests of the customer in mind and for their good.

I am in a full service area and am experiencing the same thing as Elliot with clients willingly offering you their online passwords.  I even had to help one client devise secure passwords for both the UC online claim and for the online provider who had to verify her id (as well as set up two factor authentication on her email and arrange for her to be sent a new email password as she’d forgotten her old one).  I’m not sure what the legalities are if someone consents in writing to you accessing their account.  There’d presumably be a data trail of anything you do whilst in the account as Dan says.

An urban myth that clients are moving postcodes to avoid full service?  I don’t think it’ll be long before the same thoughts occur to advisers, vacancies permitting.  Gateshead’s looking good in the UC distance, even Sunderland.

Edit: forgot to say that I’ve even had a couple of UC call centre staff actually ask me for the answers to the client’s security questions (first gig you attended, name of your first pet etc) as a condition of proceeding with the call.

[ Edited: 8 Dec 2016 at 02:18 pm by Tom H ]
Peter Turville
forum member

Welfare rights worker - Oxford Community Work Agency

Send message

Total Posts: 1659

Joined: 18 June 2010

1964 - 08 December 2016 01:38 PM

Will be interested in the response from Advice UK Peter.

This is a right can (or lobster pot) of worms isn’t it? What an unholy mess this is becoming.

Advice UK advise that Indemnity Insurance policy through AdviceUK will not cover cases where client log in details etc have been used / recorded by the adviser / organisation. I would assume many other insurance policies will contain similar restrictions.

Advice UK do not appear to have issued any general guidance etc on this issue yet (I stand to be corrected).

I understand that recording such details would also be covered by Data Protection and general guidance from the Information Commissioner.

So it looks like (unsurprisingly) using our clients logins etc on their behalf is a no no!

What are organisation out there in UC full service land doing in practice?

Mike Hughes
forum member

Senior welfare rights officer - Salford City Council Welfare Rights Service

Send message

Total Posts: 3138

Joined: 17 June 2010

Dan Manville - 08 December 2016 11:21 AM

I am quite sure the IP address of a machine that’s logged in to the system would be recorded so they’re easily disposed of. It would take a very technologically savvy claimant to spoof your IP address.

That seems unlikely to me. If one were, for example, to use a desktop PC belonging to my employer to do such a login, it would be quite an extraordinary vulnerability for someone outside of that network to be able to identify that specific IP address. The IP of the network? Yes. The IP of a subnet? Maybe. The IP of a specific machine I would think should never be available to be logged other than from within that network.

 

[ Edited: 13 Dec 2016 at 09:19 am by Mike Hughes ]
Dalibor Warburton
forum member

Development Team, AdviceUK

Send message

Total Posts: 5

Joined: 7 April 2011

Peter Turville - 12 December 2016 01:11 PM
1964 - 08 December 2016 01:38 PM

Will be interested in the response from Advice UK Peter.

This is a right can (or lobster pot) of worms isn’t it? What an unholy mess this is becoming.

Advice UK advise that Indemnity Insurance policy through AdviceUK will not cover cases where client log in details etc have been used / recorded by the adviser / organisation. I would assume many other insurance policies will contain similar restrictions.

Advice UK do not appear to have issued any general guidance etc on this issue yet (I stand to be corrected).

I understand that recording such details would also be covered by Data Protection and general guidance from the Information Commissioner.

So it looks like (unsurprisingly) using our clients logins etc on their behalf is a no no!

What are organisation out there in UC full service land doing in practice?

Peter, just to say that I’ve raised this with DWP - I would be interested in updates others have.

Paul_Treloar_AgeUK
forum member

Information and advice resources - Age UK

Send message

Total Posts: 3196

Joined: 7 January 2016

Dalibor Warburton - 13 December 2016 12:32 PM

Peter, just to say that I’ve raised this with DWP - I would be interested in updates others have.

When you say you’ve raised this Dal, do you mean you’ve raised the issue of how (or indeed whether) DWP are working to better faciltate third party access to client accounts and/or implicit consent issues, or do you mean the simple fact of advisers recording and using their client’s log-in details for follow-up work?

We need to push on the former, imo, because that circumvents the latter issue if it’s resolved in any meaningful way.

Peter Turville
forum member

Welfare rights worker - Oxford Community Work Agency

Send message

Total Posts: 1659

Joined: 18 June 2010

Dalibor Warburton - 13 December 2016 12:32 PM
Peter Turville - 12 December 2016 01:11 PM
1964 - 08 December 2016 01:38 PM

Will be interested in the response from Advice UK Peter.

This is a right can (or lobster pot) of worms isn’t it? What an unholy mess this is becoming.

Advice UK advise that Indemnity Insurance policy through AdviceUK will not cover cases where client log in details etc have been used / recorded by the adviser / organisation. I would assume many other insurance policies will contain similar restrictions.

Advice UK do not appear to have issued any general guidance etc on this issue yet (I stand to be corrected).

I understand that recording such details would also be covered by Data Protection and general guidance from the Information Commissioner.

So it looks like (unsurprisingly) using our clients logins etc on their behalf is a no no!

What are organisation out there in UC full service land doing in practice?

Peter, just to say that I’ve raised this with DWP - I would be interested in updates others have.

Dal - see also http://www.rightsnet.org.uk/forums/viewthread/10478/P30
I also note Paul’s comments above.

What would be helpful to clarify with DWP is what alternatives to implicit consent in UC full service areas will DWP provide? How can the claimant provide third party authorisation (for example, through their account). How can the adviser provide written consent (only through snailmail, an email address etc?). How long will it take for that consent to be recorded on the UC system? Once that consent is recorded what method of access will be available to the representative (phone only?). What information will DWP then be able to disclose (the same range as under implicit consent?).

Others may think of further practical questions that require a DWP respone too.

I am posting my reply here, rather than to your email, so others can add further questions about alternatives to implicit consent under UC full service.

stevenmcavoy
forum member

Welfare rights officer - Enable Scotland

Send message

Total Posts: 869

Joined: 22 August 2013

how easy is it for clients to change their password?  could we log in and then advise them to change their password and add that to our notes.  is that a way around it?

i know in practice most wouldnt bother mind you…

Peter Turville
forum member

Welfare rights worker - Oxford Community Work Agency

Send message

Total Posts: 1659

Joined: 18 June 2010

stevenmcavoy - 14 December 2016 06:07 PM

how easy is it for clients to change their password?  could we log in and then advise them to change their password and add that to our notes.  is that a way around it?

i know in practice most wouldnt bother mind you…

I think the issue is more fundemental. Yes, clients & advisers may find ways around the process in paractice such as your example.

BUT

Bad practice can have consequences. My concern would be that sooner or later an adviser / organisation is going to be accused by a claimant of accessing their account without permission and as a result there was a consequence for the claimant (i.e. a significant under or overpayment). If the adviser / organisation is found to have used the claimants log in & security details (even with the claimants authorisation) their insurance will not cover the legal costs etc of the case (fine print and all that). As they say ‘it could be you’.

Glenys
forum member

Housing Systems, Leeds

Send message

Total Posts: 206

Joined: 23 June 2010

Peter Turville

” What would be helpful to clarify with DWP is what alternatives to implicit consent in UC full service areas will DWP provide? How can the claimant provide third party authorisation (for example, through their account). How can the adviser provide written consent (only through snailmail, an email address etc?). How long will it take for that consent to be recorded on the UC system? Once that consent is recorded what method of access will be available to the representative (phone only?). What information will DWP then be able to disclose (the same range as under implicit consent?).”

Got some answers to some (but by no means all) of this through an FOI recently

https://www.whatdotheyknow.com/request/follow_up_to_vtr_3405_date_06_au#incoming-905397

Paul_Treloar_AgeUK
forum member

Information and advice resources - Age UK

Send message

Total Posts: 3196

Joined: 7 January 2016

i think you’re being generous to call their response to date “answers” to be honest.

They’ve sent a copy of a form that DWP use to access a claimant’s financial details. There’s nothing really about the substantive decision at hand that I can see.

Glenys
forum member

Housing Systems, Leeds

Send message

Total Posts: 206

Joined: 23 June 2010

Well at last they said that they would accept written authorisations…. but I agree it is only partly useful.

ClairemHodgson
forum member

Solicitor, SC Law, Harrow

Send message

Total Posts: 1221

Joined: 13 April 2016

and of course, in every workplace bar none it will be a serious disciplinary offence (probably warranting a final written warning if not instant dismissal, one would have thought) to have and use someone else’s log in details.  for very good reason.

Glenys
forum member

Housing Systems, Leeds

Send message

Total Posts: 206

Joined: 23 June 2010

Paul_Treloar_AgeUK - 21 December 2016 04:25 PM

i think you’re being generous to call their response to date “answers” to be honest.

They’ve sent a copy of a form that DWP use to access a claimant’s financial details. There’s nothing really about the substantive decision at hand that I can see.

Just received a reply to FOI acknowledging this was indeed the wrong form - and that a writen authority to disclose template doesn’t exist!
https://www.whatdotheyknow.com/request/follow_up_to_vtr_3405_date_06_au#incoming-915110

(Also note the guidance they quote is only the live area guidance as it still refers to implicit consent)