Advisers accessing applicants journals with their permission

ClairemHodgson
forum member

Solicitor, SC Law, Harrow

Total Posts: 1221

Joined: 13 April 2016

generally speaking, i think you will find that most IT terms of service - and I anticipate UC/DWP is no different - have terms of service that, inter alia, the user will not let anyone else have their log on details (user name and password).

so whilst it is probably not unlawful per se for someone to give their log on details to someone else to use, it would be a breach of the terms & conditions of service

the reasons for such terms are not only to protect the individual user’s information, but also to protect the systems as a whole from hackers/criminals/whatever

clearly, any individual can give any other individual the right to access their data, and usually for good reason.  but that doesn’t give anyone the right to break their terms of service, which is a different thing from accessing their data (data, after all, usually being obtainable by provision of a duly signed form of authority specifying the data to be sent.)

this entire issue would, of course, as we all know be solved if the DWP (particularly in relation to UC) would sort out their issues re people who need such help.

Jon (CANY)
forum member

Welfare benefits - Craven CAB, North Yorkshire

Total Posts: 1362

Joined: 16 June 2010

Guidance is now available from Cit A, here (basically: don’t do it).

Martin Williams
forum member

Welfare rights advisor - CPAG, London

Total Posts: 769

Joined: 16 June 2010

You can’t access client bank account details without the 16 digit pin so the Cit A guidance is a bit misleading on that point.

Martin Williams
forum member

Welfare rights advisor - CPAG, London

Total Posts: 769

Joined: 16 June 2010

ClairemHodgson - 01 February 2018 07:49 PM

generally speaking, i think you will find that most IT terms of service - and I anticipate UC/DWP is no different - have terms of service that, inter alia, the user will not let anyone else have their log on details (user name and password).

so whilst it is probably not unlawful per se for someone to give their log on details to someone else to use, it would be a breach of the terms & conditions of service

the reasons for such terms are not only to protect the individual user’s information, but also to protect the systems as a whole from hackers/criminals/whatever

clearly, any individual can give any other individual the right to access their data, and usually for good reason.  but that doesn’t give anyone the right to break their terms of service, which is a different thing from accessing their data (data, after all, usually being obtainable by provision of a duly signed form of authority specifying the data to be sent.)

this entire issue would, of course, as we all know be solved if the DWP (particularly in relation to UC) would sort out their issues re people who need such help.

I’ve not seen any terms of service. But I can’t really see what the DWP could do if a claimant was to decide to breach any such terms of service- the claimant’s entitlement to UC would not be affected and the DWP have no other way of providing UC than digital by default so that is that…..

Martin Williams
forum member

Welfare rights advisor - CPAG, London

Total Posts: 769

Joined: 16 June 2010

Couple of other points on this thread in general:

1. Can someone point me to any guidance etc. from the ICO or legislation that makes it wrong to hold a client password etc. for the purpose of providing them with advice or assistance- there are a lot of references in thread about this being problematic from a DP point of view but not as far as I can tell any citation.

2. Perhaps worth considering for example tax advisers and accountants who seem to have no problem holding client login details to assist people with their tax returns etc (at least in cases I have seen).

Martin

ClairemHodgson
forum member

Solicitor, SC Law, Harrow

Total Posts: 1221

Joined: 13 April 2016

Martin Williams - 09 February 2018 12:04 PM

2. Perhaps worth considering for example tax advisers and accountants who seem to have no problem holding client login details to assist people with their tax returns etc (at least in cases I have seen).

Martin

mmm this is true, had forgotten that ..... to the extent that the taxpayer can’t then do their own thing, i think.

Paul_Treloar_AgeUK
forum member

Information and advice resources - Age UK

Total Posts: 3196

Joined: 7 January 2016

Martin Williams - 09 February 2018 12:04 PM

Couple of other points on this thread in general:

1. Can someone point me to any guidance etc. from the ICO or legislation that makes it wrong to hold a client password etc. for the purpose of providing them with advice or assistance- there are a lot of references in thread about this being problematic from a DP point of view but not as far as I can tell any citation.

2. Perhaps worth considering for example tax advisers and accountants who seem to have no problem holding client login details to assist people with their tax returns etc (at least in cases I have seen).

Martin

Well there’s this for a kick-off at an adviser level (my emphasis):

Staff

It is vital that your staff understand the importance of protecting personal data; that they are familiar with your organisation’s security policy; and that they put its security procedures into practice. So you must provide appropriate initial and refresher training, and this should cover:

* your organisation’s duties under the Data Protection Act and restrictions on the use of personal data;
* the responsibilities of individual staff members for protecting personal data, including the possibility that they may commit criminal offences if they deliberately try to access, or to disclose, information without authority;
* the proper procedures to use to identify callers;
* the dangers of people trying to obtain personal data by deception (for example, by pretending to be the person whom the information is about or by making “phishing” attacks) or by persuading you to alter information when you should not do so; and
* any restrictions your organisation places on the personal use of its computers by staff (to avoid, for example, virus infection or spam).

The effectiveness of staff training is dependent on the individuals concerned being reliable in the first place. The Data Protection Act requires you to take reasonable steps to ensure the reliability of any staff who have access to personal data.

https://ico.org.uk/for-organisations/guide-to-data-protection/principle-7-security/

Given the forthcoming GDPR changes, whereby authorisation will need to be extremely specific, I’m not entirely confident how many advice agencies are geared up on appropriate authority. If your client gives you permission to access their journal and store their password, and you’re off sick and they call up and I know where you keep those details and access their journal, where does that stand for example? It’s a really tricky area imo.

ClairemHodgson
forum member

Solicitor, SC Law, Harrow

Total Posts: 1221

Joined: 13 April 2016

i should have thought a question to the ICO would produce some useful guidance (especially if said question gives examples of what is going wrong with DWP’s current position etc….).  They might even, then, talk to the DWP to get them to sort themselves out…...

ClairemHodgson
forum member

Solicitor, SC Law, Harrow

Total Posts: 1221

Joined: 13 April 2016

reviewing the various guidance notes, the only analogy is with data sharing - but the guidance is about organisations sharing data about individuals, as opposed to this, which is about the individual sharing data with another individual/organisation.

the rest of it doesn’t seem to begin to address the points in issue.

Jeremy Barker
forum member

Citizens Advice North Lincolnshire

Total Posts: 102

Joined: 7 September 2010

Martin Williams - 09 February 2018 12:04 PM

2. Perhaps worth considering for example tax advisers and accountants who seem to have no problem holding client login details to assist people with their tax returns etc (at least in cases I have seen).

Martin

HMRC has a whole load of procedures and arrangements for accountants and so forth to deal with a client’s tax affairs. They have been dealing with third parties for years and long before they even knew what a computer is.

The only comparable procedure with the DWP is having an appointee to deal with a claimant’s claim.

Andyp5 Citizens Advice Bridport & District
forum member

Citizens Advice Bridport & District

Total Posts: 1004

Joined: 9 January 2017

CITA response to us re CITA policy on the above - see extracts

Extract from us posing question

‘What is Citizens Advice national policy on using / recording clients log in details, making of and case recording entries made by an adviser on their journal (even with their permission), safeguarding, data protection and indemnity insurance etc’

This relates to Universal Credit and managing online claims. There has been a discussion on ‘Rightsnet’ about whether advisers could/should ask the client’s permission, to be given their password to be able to access the client’s online UC journal to post relevant information for the client without the client having to be present.

Note, we haven’t been doing this but wonder if there is any CA policy on this’?

CITA response extract

‘Our information Governance Team has come back to me (I thought they might reply to you direct!).

What they have said is, we don’t have an existing policy that covers this. Their view is that on this basis, from a data protection point of view, we can only recommend that it is not done (as appropriate technical and organisational measures around the security of handling this personal data would not be in place).

They also questioned whether, even when we have agency to act on behalf of a client in a matter, a client would be breaching the terms of the UC system by sharing their details with us and if it may potentially create a new exposure to legal claims we may not be covered for ie if a client suffers some detriment from changes we make on the system or they alleged we made?

On top of this there are issues about how we could securely store these login details, which Casebook isn’t designed for.

Obviously we want to support clients who are likely to be vulnerable, but given the risks, this is a long winded way of saying the advice at the moment is to not do it!’ 

 

Peter Turville
forum member

Welfare rights worker - Oxford Community Work Agency

Total Posts: 1659

Joined: 18 June 2010

Andyp5 Citizens Advice Bridport & District - 16 February 2018 02:41 PM

Obviously we want to support clients who are likely to be vulnerable, but given the risks, this is a long winded way of saying the advice at the moment is to not do it!’ 

Did they provide a reply on your more specific point about entering info on clients journal, case recording that and similar actions?

It could be argued that making an entry on a journal is no different to sending a letter or email to DWP on behalf of a client with their permission. Except a letter or email is specific to what it contains. Whilst accessing a clients account to make an entry on a journal an adviser could access and amend other parts of the account without permission (leave themselves open to such accusation).

So how should advisers case record entries made on the journal etc. (aside from the practicalities of ‘cut & paste’ or printing it out)? Do we need to record the clients permission for the specific action each time? What about, for example, storing a copy of the specific entry or whole / significant extracts of the journal (which may include entries not relevant to the issue / advice), or the payment history - by what ever case recording / paper file method preferred by an organisation)?

Or does ‘don’t do it’ cover those issues too?

We are still discussing / considering this type of issue from both the DPA and consistency of our case recording practice angles etc. so any further thoughts or note of what other organisations do in practice is of interest.

past caring
forum member

Welfare Rights Adviser - Southwark Law Centre, Peckham

Total Posts: 1116

Joined: 25 February 2014

If the advice is a blanket “don’t do it” we may as well admit that we no longer serve any useful purpose. By which I mean that if the advice is we should not even cut and paste a request for mandatory reconsideration into the journal with the client present and without ever storing their details. As I’ve mentioned previously, the UC Freepost address will permit neither Special Delivery post or simple proof of postage from the Post Office counter - so it’s important to have some evidence that the MR request was made.

What I do is this;

- write the paper letter
- write an entry into the journal along these lines;

I wish to request a mandatory reconsideration of the decision of X date that I am not entitled to Universal Credit because I do not have a right to reside sufficient for this benefit. I authorise Mr ******* ******** of Southwark Law Centre to act for me in this request and in any subsequent appeal. My representative has submitted the mandatory reconsideration request by post - that request is copied in full below.

“Copy and paste the MR request here”

- take a screenshot of the MR request sitting in the client’s journal
- save to client’s case record
- print and insert in client’s file (I am fortunate to have returned to work in an organisation that sees the sense in still using paper files)

I am also pleased to report that my discussions with the senior solicitor here (fresh from her GDPR training!) have achieved agreement in principle that we can and should store user names and passwords where clients ask this of us. Obviously, the detail of how we do that needs to be worked out and it’s not a done deal yet, but progress is being made…. :)

 

 

 

Andyp5 Citizens Advice Bridport & District
forum member

Citizens Advice Bridport & District

Total Posts: 1004

Joined: 9 January 2017

Peter Turville - 16 February 2018 04:53 PM
Andyp5 Citizens Advice Bridport & District - 16 February 2018 02:41 PM

Obviously we want to support clients who are likely to be vulnerable, but given the risks, this is a long winded way of saying the advice at the moment is to not do it!’ 

Did they provide a reply on your more specific point about entering info on clients journal, case recording that and similar actions?

It could be argued that making an entry on a journal is no different to sending a letter or email to DWP on behalf of a client with their permission. Except a letter or email is specific to what it contains. Whilst accessing a clients account to make an entry on a journal an adviser could access and amend other parts of the account without permission (leave themselves open to such accusation).

So how should advisers case record entries made on the journal etc. (aside from the practicalities of ‘cut & paste’ or printing it out)? Do we need to record the clients permission for the specific action each time? What about, for example, storing a copy of the specific entry or whole / significant extracts of the journal (which may include entries not relevant to the issue / advice), or the payment history - by what ever case recording / paper file method preferred by an organisation)?

Or does ‘don’t do it’ cover those issues too?

We are still discussing / considering this type of issue from both the DPA and consistency of our case recording practice angles etc. so any further thoughts or note of what other organisations do in practice is of interest.

‘Did they provide a reply on your more specific point about entering info on clients journal, case recording that and similar actions’?

No, i copied and pasted everything in the post bar pleasantries etc etc.

 

 

Jon (CANY)
forum member

Welfare benefits - Craven CAB, North Yorkshire

Total Posts: 1362

Joined: 16 June 2010

It could be argued that making an entry on a journal is no different to sending a letter or email to DWP on behalf of a client with their permission. Except a letter or email is specific to what it contains.

I think it depends how it’s done. I don’t see the problem with past caring drafting a journal entry for a client who is present, has logged in to their journal, and who can then read it and decide whether to submit it or not in their name. But me making a journal entry by logging in as the claimant would be me purporting to the DWP system that I am someone I am not. Now, I could add a note on the journal, saying “this note is actually written by Jon of the CAB on claimant’s behalf, who is too incapacitated to attend to this himself”, but DWP have not set up the UC journal to allow that sort of third party access. Purely from an IT security standpoint, DWP could say their standard response to that sort of message would be to freeze the account because it has clearly been compromised, and ask the claimant to re-set their password.  I know this may seem like an artificial distinction, but using someone else’s log-in credentials seems to me more like ringing the helpline and pretending to be them, than it is like sending a letter on their behalf.

In terms of retaining records of what’s in the journal, as all access we have is with the claimant’s direct control, I don’t see the problem in asking if we can print certain sections from the screen we are both looking at, and us keeping them on file. It’s only when you start accessing the journal without the immediate knowledge of the claimant that this gets iffy.

If the advice is a blanket “don’t do it” we may as well admit that we no longer serve any useful purpose. By which I mean that if the advice is we should not even cut and paste a request for mandatory reconsideration into the journal with the client present and without ever storing their details.

I haven’t seen anyone giving that advice. I thought the concern is more about (a) storing and (b) using, log-in credentials.

Andyp5 Citizens Advice Bridport & District
forum member

Citizens Advice Bridport & District

Total Posts: 1004

Joined: 9 January 2017

past caring - 16 February 2018 05:26 PM

If the advice is a blanket “don’t do it” we may as well admit that we no longer serve any useful purpose. By which I mean that if the advice is we should not even cut and paste a request for mandatory reconsideration into the journal with the client present and without ever storing their details. As I’ve mentioned previously, the UC Freepost address will permit neither Special Delivery post or simple proof of postage from the Post Office counter - so it’s important to have some evidence that the MR request was made.

What I do is this;

- write the paper letter
- write an entry into the journal along these lines;

I wish to request a mandatory reconsideration of the decision of X date that I am not entitled to Universal Credit because I do not have a right to reside sufficient for this benefit. I authorise Mr ******* ******** of Southwark Law Centre to act for me in this request and in any subsequent appeal. My representative has submitted the mandatory reconsideration request by post - that request is copied in full below.

“Copy and paste the MR request here”

- take a screenshot of the MR request sitting in the client’s journal
- save to client’s case record
- print and insert in client’s file (I am fortunate to have returned to work in an organisation that sees the sense in still using paper files)

I am also pleased to report that my discussions with the senior solicitor here (fresh from her GDPR training!) have achieved agreement in principle that we can and should store user names and passwords where clients ask this of us. Obviously, the detail of how we do that needs to be worked out and it’s not a done deal yet, but progress is being made…. :)

 

 

 

Simon regarding your last point, i have hazy recollection of a presentation by the manager of Croydon WRU at a NAWRA conference (think it was June 2016 in Greenwich), and she mentioned stuff around vulnerable clients i.e. storing their user names and passwords and safeguarding etc agreed within the LA and i think social Services were involved.

I think it extended beyond clients who weren’t necessarily under LB Croydon corporate appointeeship but can’t remember much more. May be worth contacting them.

past caring
forum member

Welfare Rights Adviser - Southwark Law Centre, Peckham

Total Posts: 1116

Joined: 25 February 2014

Thanks Andy - I’ll try to see if they have anything useful. I do know that there have been some discussions between advisers (some of whom have contributed to this thread) and NAWRA about the latter drafting a policy/procedure but I don’t think there’s anything concrete in place yet.

But the practical policy and procedure templates that corporate appointees have in place would be a good place to start - no point reinventing the wheel (which is why I imagine you may have heard the talk at NAWRA and why advisers have approached that organisation, given that many corporate appointees will be LAs and the high percentage of LA welfare rights advisers in NAWRA).

Andyp5 Citizens Advice Bridport & District
forum member

Citizens Advice Bridport & District

Total Posts: 1004

Joined: 9 January 2017

past caring - 16 February 2018 06:08 PM

Thanks Andy - I’ll try to see if they have anything useful. I do know that there have been some discussions between advisers (some of whom have contributed to this thread) and NAWRA about the latter drafting a policy/procedure but I don’t think there’s anything concrete in place yet.

But the practical policy and procedure templates that corporate appointees have in place would be a good place to start - no point reinventing the wheel (which is why I imagine you may have heard the talk at NAWRA and why advisers have approached that organisation, given that many corporate appointees will be LAs and the high percentage of LA welfare rights advisers in NAWRA).

I think it came out of questions from the floor at the conference re passwords etc. The actual workshop was about what was then known as Digital UC. Anyway, I remember from working for an NHS trust, if i ever had contact with Croydon’s corporate appointee wing, they were very keen to tell me every time, they had the most clients under appointeeship than any other etc etc etc.

Regarding yours, Peter’s and Jon’s points regarding helping clients make entries in journals etc etc, we have asked CITA for a response on that.

 

Sally63
forum member

Generalist Adviser, Southwark Citizens Advice Bureau

Total Posts: 177

Joined: 21 January 2016

Well, it is certainly true that the CAB doesn’t seem to see a problem.

Neither does our local JCP which, when it helps people make UC applications, helpfully writes down all the security details so that clients can show them to other people and get further help.

And the DWP doesn’t seem to care much about people’s rights to access their own on-line digital data because they alter it and hide it according to their own whims. The call centre can explain to the clients what is held about them but that is because the call centre can access/see what the client cannot. And once the record is changed (to fit what should have happened but didn’t) then no one can see the original.

Me looking at a client’s journal after they have given me the details which the JCP gave them and me explaining to them what is being written about them etc while they sit beside me seems pretty innocuous in the face of all this.

[ Edited: 18 Feb 2018 at 12:27 pm by Sally63 ]

Dan_Manville
forum member

Mental health & welfare rights service - Wolverhampton City Council

Total Posts: 2262

Joined: 15 October 2012

Sally63 - 17 February 2018 09:27 AM

Well, it is certainly true that the CAB doesn’t seem to see a problem.

Que?

Jon (CHDCA) - 07 February 2018 05:06 PM

Guidance is now available from Cit A, here (basically: don’t do it).

Jane O-P
forum member

Parkinson's UK

Total Posts: 55

Joined: 31 July 2017

Does anyone have a copy of the terms & conditions re access and passwords etc that claimants agree to when they sign up to the UC online system? Or have any idea what it is called so I can do a FOI? (or is anyone already waiting on an FOI?)

Also do people think that Schedule 2 of the UC C&P regs http://www.legislation.gov.uk/uksi/2013/380/pdfs/uksi_20130380_300916_en.pdf sheds any light on this - my reading is that it doesn’t support either the pro or con argument but would like to hear your thoughts.

Thanks

Jane

Debbie Witton
forum member

Senior welfare rights officer - Salford City Council Welfare Rights Service

Total Posts: 15

Joined: 17 June 2010

Do any of you have a policy on advisers access to applicants journals? Am late to the UCFS party as Salford only went digital on 26 September. When with the client and with the clients permission….
1) do you only see a client’s journal on their own device? or
2) For clients without a device/data - do you allow a client to log on to their account on your computer/device? If so are there any data protection issues that can arise such as the device remembering the log on details?
3) Does the client need to explicitly state on the journal that they agree to logging on to the advisers device?
4) If the client has literacy problems for example and asks the adviser to write in the journal on their behalf or upload a document whilst the adviser is present - do you do that?
3) For telephone advice when the client is not with you have you had any success with conference calling with the client and Service Centre?
4) Is it correct that when phoning the service centre it is best for the client to use their phone so that the call can be routed directly to their case team?
5) What mobile technology do you have as an adviser or wish you had if your organisation could afford it?
I’m sure there is more but I’ll stop there.

Dan_Manville
forum member

Mental health & welfare rights service - Wolverhampton City Council

Total Posts: 2262

Joined: 15 October 2012

Debbie Witton - 15 October 2018 03:46 PM

Do any of you have a policy on advisers access to applicants journals? Am late to the UCFS party as Salford only went digital on 26 September. When with the client and with the clients permission….
1) do you only see a client’s journal on their own device? or
2) For clients without a device/data - do you allow a client to log on to their account on your computer/device? If so are there any data protection issues that can arise such as the device remembering the log on details?
3) Does the client need to explicitly state on the journal that they agree to logging on to the advisers device?
4) If the client has literacy problems for example and asks the adviser to write in the journal on their behalf or upload a document whilst the adviser is present - do you do that?
3) For telephone advice when the client is not with you have you had any success with conference calling with the client and Service Centre?
4) Is it correct that when phoning the service centre it is best for the client to use their phone so that the call can be routed directly to their case team?
5) What mobile technology do you have as an adviser or wish you had if your organisation could afford it?
I’m sure there is more but I’ll stop there.

1) no; it doesn’t matter to my mind as the IP address of the machine is logged each time someone logs in
2) I’ve clients who are totally excluded and it’s much easier to log on to my device. I’m careful not to allow it to save log in details.
3) no
4) yes and I’m shy of making entries on the client’s journal without them next to me.
3) yes; it’s my preferred manner of contacting them; especially in the afternoon. Be careful to make sure a consent entry is put in the Journal though
4) Yes, however we were advised that if we’re calling from our phones rather than the clients then avoid entering the phone number and just provide postcode and date of birth instead; I’m usually getting through to our service centre using that method.

ar-chik1
forum member

Salford Welfare Rights

Total Posts: 11

Joined: 3 April 2017

Hi all, it seems it’s been a while since anything was last posted on this thread so i’m just seeking an update really as to where people feel they stand currently with this issue? How did advisers manage through the pandemic? Has there been any updated guidance with regards to advisers accessing claimants’ journals on their behalf? I note Peter’s last comment about the CAB and other orgs having not done more about issuing guidance, etc, has this now changed? Has UC issued any specific guidance? I cannot find anything; what i can find is related to consent but not specifically to this issue. Thanks in advance.

Va1der
forum member

Welfare Rights Officer with SWAMP Glasgow

Total Posts: 706

Joined: 7 May 2019

I think from a practical standpoint: If a client doesn’t have the IT skills/access to manage a digital claim, then the claim either has to go through the admin maze of being moved to a phone claim, or find some way to enable them to (reliably) access their account - for instance open access computers, IT training etc.
Otherwise they’d be forever dependent on your help.

In the rare cases where that isn’t appropriate/feasible I think you’ve overcome any policy etc. issues, as the benefits of your intervention outweigh the cost of inability to manage their claim.

I’d say don’t store their password, but if you’re in regular contact you’ll likely memorize it anyway (since most people have (bad) simple, easy to remember passwords).
Ideally, you’d get time-limited access. I.e. they should change their password after sharing it. But, that’s not feasible due to the IT skills required.

If you are going to store passwords you need to encrypt them. No question. Ensure that a data breach from your normal database doesn’t give access to the passwords. Bad enough if passwords go missing - extremely bad if they are tied to personal data. 

I’d also use specific mandates, ex: “Agree to store passwords for x weeks, in order to resolve issue Y. ++”.


As advisers we should encourage people to maintain good IT safety - that means not sharing passwords. Need to impress upon them the care needed when breaking that rule.
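
The storage approach suggested in the last post above (encrypt stored passwords, make sure a breach of the normal database does not expose them, and tie them to a specific time-limited mandate), sketched as an added example; it is not code from the thread or from any organisation mentioned in it. The `Vault` type, the `Record` layout, the in-memory map standing in for the case database, and the choice of AES-256-GCM with the mandate bound in as associated data are all assumptions made for the illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"time"
)

// Record is the row kept in the ordinary case database (hypothetical layout); no plaintext.
type Record struct {
	ClientRef string
	Purpose   string    // the specific issue the client agreed to
	Expires   time.Time // end of the agreed mandate
	Nonce     []byte
	Sealed    []byte // AES-GCM ciphertext plus tag
}

var (
	ErrMandateExpired = errors.New("mandate expired; stored credential destroyed")
	ErrNoCredential   = errors.New("no credential stored for this client")
)

// Vault pairs the database rows with a key that lives outside that database.
type Vault struct {
	aead cipher.AEAD
	rows map[string]Record // stand-in for the case database table
}

// NewVault takes a 32-byte AES key. Assumption: in practice the key comes from
// a separate secret store, never from the database that holds the rows.
func NewVault(key []byte) (*Vault, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Vault{aead: aead, rows: map[string]Record{}}, nil
}

// mandateAAD binds client, purpose and expiry to the ciphertext, so editing
// any of them in the database makes decryption fail.
func mandateAAD(r Record) []byte {
	return []byte(fmt.Sprintf("%q|%q|%d", r.ClientRef, r.Purpose, r.Expires.Unix()))
}

// Store encrypts the password under a mandate lasting the given number of weeks.
func (v *Vault) Store(clientRef, purpose, password string, weeks int, now time.Time) error {
	if weeks < 1 || purpose == "" {
		return errors.New("a mandate needs a purpose and at least one week")
	}
	r := Record{ClientRef: clientRef, Purpose: purpose,
		Expires: now.Add(time.Duration(weeks) * 7 * 24 * time.Hour),
		Nonce:   make([]byte, v.aead.NonceSize())}
	if _, err := rand.Read(r.Nonce); err != nil {
		return err
	}
	r.Sealed = v.aead.Seal(nil, r.Nonce, []byte(password), mandateAAD(r))
	v.rows[clientRef] = r
	return nil
}

// Fetch returns the password only while the mandate is live; an expired record is deleted.
func (v *Vault) Fetch(clientRef string, now time.Time) (string, error) {
	r, ok := v.rows[clientRef]
	if !ok {
		return "", ErrNoCredential
	}
	if !now.Before(r.Expires) {
		delete(v.rows, clientRef)
		return "", ErrMandateExpired
	}
	plain, err := v.aead.Open(nil, r.Nonce, r.Sealed, mandateAAD(r))
	if err != nil {
		return "", errors.New("record altered or wrong key")
	}
	return string(plain), nil
}

func main() {
	key := make([]byte, 32) // constructed demo key, see NewVault
	_, _ = rand.Read(key)
	v, _ := NewVault(key)
	now := time.Date(2018, 2, 19, 9, 0, 0, 0, time.UTC) // constructed date
	_ = v.Store("case-0001", "MR request", "constructed-password", 4, now)
	fmt.Println(v.Fetch("case-0001", now.AddDate(0, 0, 7)))  // inside the mandate
	fmt.Println(v.Fetch("case-0001", now.AddDate(0, 0, 28))) // mandate over
}
```

Because the expiry is part of the authenticated data, lengthening a mandate by editing the database row does not extend access; a new mandate means storing the credential again.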