Advisers accessing applicants journals with their permission

Nooooooooo!!

I completely agree with mycatismo, but I also agree that this is a huge barrier to people getting the help they need quickly, and there needs to be a better solution in some circumstances.

We’ve had several ideas, including getting a very specific signed form of authority from the client, followed by signed written confirmation from us detailing exactly when the diary was accessed, what was viewed, what was done, confirmation that the password is not stored, and an instruction that the client needs to change the password. However much protection you attempt to give yourself or your service, the fact remains that you leave yourself open to problems by doing it.

An adviser has just let me know of a severely disabled client with an MR notice attached to their journal. A copy of the MR needs to be printed out and attached to the SSCS1, but the client has no way of doing so (and JCP are so far refusing to send a paper copy). The client has also been unable to attach a copy to an email.

It would save everyone a lot of trouble, and greatly benefit the client, if we were to get the password and log on, but it isn’t something that we do. We’re all stuck….

I wonder if anyone has a suggestion (apart from challenging the ridiculous rule that states an appeal is only made correctly if it has an MR notice stuck to it….). Actually, on that point, can a ‘copy of an MR notice’ include a photograph?

P.s. I guess you may leave the client open to problems, too- if JCP know that someone else can access the diary, who’s to say that the third party isn’t the one filling in the diary entries….

P.p.s Apparently local HMCTS have said they will accept an SSCS1 without MRN (we were going to chance it) if there’s good reason not to have attached one- this is sensible….

mycatismo - 23 January 2018 12:43 PM

Nooooooooo!!

Although I agree with your sentiment. It is so handy being able to access the online journals- so if there was a way round this without the confidentiality issues- I would be all ears.

in my experience the HMCTS will not accept the appeal w/o a coy of MR notice - best of luck with this.

some friends / ex colleagues I was walking with over Christmas were discussing accessing client’s journals - I understand they need to get a new one for each time they access their client account - it has to be signed by the claimant each time.

I am yet to experience the full roll out service - in dread!

Greeny - 23 January 2018 04:42 PM

in my experience the HMCTS will not accept the appeal w/o a coy of MR notice - best of luck with this.

some friends / ex colleagues I was walking with over Christmas were discussing accessing client’s journals - I understand they need to get a new one for each time they access their client account - it has to be signed by the claimant each time.

I am yet to experience the full roll out service - in dread!

I’ll let you know if it works…. (SSCS1 without a MRN)

A conference call is the best middle way, but not always convenient, and is depends on the organisation having the right technology.

I hope you’re very familiar with the Data Protection Act at the very least….

https://ico.org.uk/for-organisations/guide-to-data-protection/principle-7-security/

I agree that it’s super convenient, but its also a data protection breach which exposes your organisation to a fine of (from April) up to £20,000,000.

Lee Forrest - 23 January 2018 03:46 PM

I wonder if anyone has a suggestion (apart from challenging the ridiculous rule that states an appeal is only made correctly if it has an MR notice stuck to it….). Actually, on that point, can a ‘copy of an MR notice’ include a photograph?

...
P.p.s Apparently local HMCTS have said they will accept an SSCS1 without MRN (we were going to chance it) if there’s good reason not to have attached one- this is sensible….

HMCTS have a facility to simply ring up the DWP and ask if there has been an MR done. If there has been then the clerk should issue a “compliance waiver certificate” indicating that they have checked and the appeal is valid.

In some cases they might get a bit funny about it, but you can always insist on a judicial decision on the validity of the appeal (in particular pointing out that the Tribunal’s jurisdiction doesn’t depend on an MRN being attached to the appeal form - just there having been an MR conducted).

Elliot Kent - 23 January 2018 06:10 PM

I agree that it’s super convenient, but its also a data protection breach which exposes your organisation to a fine of (from April) up to £20,000,000.

Lee Forrest - 23 January 2018 03:46 PM

I wonder if anyone has a suggestion (apart from challenging the ridiculous rule that states an appeal is only made correctly if it has an MR notice stuck to it….). Actually, on that point, can a ‘copy of an MR notice’ include a photograph?

...
P.p.s Apparently local HMCTS have said they will accept an SSCS1 without MRN (we were going to chance it) if there’s good reason not to have attached one- this is sensible….

HMCTS have a facility to simply ring up the DWP and ask if there has been an MR done. If there has been then the clerk should issue a “compliance waiver certificate” indicating that they have checked and the appeal is valid.

In some cases they might get a bit funny about it, but you can always insist on a judicial decision on the validity of the appeal (in particular pointing out that the Tribunal’s jurisdiction doesn’t depend on an MRN being attached to the appeal form - just there having been an MR conducted).

Thanks for the info about the compliance waiver certificate- thanks, Elliot. Yes, I was thinking the same in case they refused. Interestingly the Clerk the adviser spoke to had no idea that MRNs relating to UC aren’t sent in a paper format in a full service area. For everyone else having a problem/ worried about it, it should come under Rule 7:

https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/455197/health-education-social-care-chamber-tribunal-procedure-rules.pdf

Sasha1 - 22 January 2018 07:28 PM

Hi
What are your thoughts on an adviser being given a client’s UC log in details by a client over the telephone so they can access the client’s account to explain what is going on regarding his UC payments / account?

Absolutely not acceptable. It may be acceptable if the client is with you and can see the computer screen but I would expect them to at least type in their password if at all possible.

In most organisations using another person’s login details to access their account is considered gross misconduct. I don’t see why such a policy would not apply to this situation.

Jeremy Barker - 24 January 2018 11:47 AM

Sasha1 - 22 January 2018 07:28 PM

Hi
What are your thoughts on an adviser being given a client’s UC log in details by a client over the telephone so they can access the client’s account to explain what is going on regarding his UC payments / account?

Absolutely not acceptable. It may be acceptable if the client is with you and can see the computer screen but I would expect them to at least type in their password if at all possible.

In most organisations using another person’s login details to access their account is considered gross misconduct. I don’t see why such a policy would not apply to this situation.

I couldn’t disagree more.

Assuming that a) data protection requirements are met and b) that the client gives explicit consent for such access, I do not see a problem. And unlike some other contributors who have suggested access is ok so long as it is either time-limited or for one specific thing, I’d argue for a wider, ongoing access.

It needs to be remembered that;

1. Implicit consent is not working.

2. Explicit consent - either via a carefully worded journal entry or a signed form of authority sent in by post - isn’t working either.

3. I may need to spend an hour with a client to explain the law and to obtain sufficient facts to establish a decision is challengeable. And then a further 60-90 minutes drafting the MR itself - having the client with me during that time - or calling them back in when I’ve finished - is a waste of their time and frequently impracticable.

4. Lodging an MR by the Freepost address leaves you entirely a hostage to fortune - it cannot be sent by Special or Recorded Delivery as there is no postcode.

5. It is routine/standard for the DWP to carry out an MR at the request of a representative organisation but to then notify that decision solely via an upload of the decision to the claimant’s journal. No paper copy is ever put in the post. With clients who are on the ball and have no difficulty accessing their journal, this may not be an issue. But for those who do have issues (for whatever reason) this regularly results in appeal deadlines being missed, sometimes by months and with it then being difficult, if not impossible, to give any good reason for lateness.

Further, I can think of a couple of cases where, in order to obtain evidence necessary for an appeal, I have had to spend a couple of hours viewing a client’s journal, taking screenshots and saving these to my own computer. Though the client was with me, this was a) a waste of their time - they were receiving no advice or input from me and b) meant that I had to carry out this routine task during normal office hours when it would have made far more sense to do it at another time.

We should also bear in mind that it is not possible so far as I am aware, for the claimant (and hence their adviser/representative) to edit or amend existing journal entries. Which eliminates the risk of tampering. We ought to be able to be creative enough to devise a form of authority which gives the adviser limited permission to make necessary journal entries - e.g. to lodge an MR - but to then have ‘read only’ access to enable them to periodically check for any response. Or to see whether housing costs that have been promised to be included in the next assessment period in fact have been.

Under the mantra of ‘helping the claimant to take responsibility for their claim’, this government and the DWP have made it significantly more difficult for claimants to actually benefit from the assistance of professional advice when it is needed. It seems to me that our vulnerable clients who try to obtain our assistance are showing the same kind of ‘responsibility’ as the top civil servants and government ministers who come out with this guff do when they turn to an accountant to help them manage their tax affairs.

We need to think creatively about how we can deal with these changes and still best assist our clients.

NOTE: these are my views. I am open about them both on here and in my employment. And I continue to make the case with my employer as to why we need to devise a form of authority that will allow us to access a client’s UC journal with their permission. But I have never accessed a client’s journal without their being present.

I agree with past caring. I don’t think the analogy with sharing login details in employment is valid. An employer is entitled to make rules and to dismiss staff. Benefits claimants however have a right to access payment and the DWP are not entitled to obstruct this in the same way. They may not approve of doing this but it should be the client’s consent that matters. Interacting with a UC journal with consent is not fundamentally different to any other interactions with the DWP or appeals system on someone’s behalf and similar principles should be observed in my view. That does not in any way mean there are not potential problems.

“Interacting with a UC journal with consent is not fundamentally different to any other interactions with the DWP or appeals system on someone’s behalf”

I) The o/p isn’t just talking about “interacting” with the client’s journal, they’re asking about obtaining their log-in details including password, which is where the problems arise in the first place.

2) This is fundamentally different to other interactions as those other interactions either happen with the client sat there with you (and therefore giving consent to DWP to talk to you and logging themselves in) or writing to them with consent.

3) I’m really not sure about the legality of either a client revealing their password to me, nor the ethics unfortunately, and II would certainly be very worried about storing or saving that password anywhere, whether on a PC or written down. The potential for problems is huge.

“t is not possible so far as I am aware, for the claimant (and hence their adviser/representative) to edit or amend existing journal entries. Which eliminates the risk of tampering.”

But it is possible for whoever has access to a journal to make new entries. Client gives me their password, I log onto their journal to check some details, I do nothing more. Few week’s later client calls me, very upset, to say that their UC has stopped and they don’t know why. They say I must have made an entryin their journal to bring about this event. How do I prove that I didn’t?

Mr Finch - 24 January 2018 02:49 PM

I agree with past caring. I don’t think the analogy with sharing login details in employment is valid. An employer is entitled to make rules and to dismiss staff. Benefits claimants however have a right to access payment and the DWP are not entitled to obstruct this in the same way. They may not approve of doing this but it should be the client’s consent that matters. Interacting with a UC journal with consent is not fundamentally different to any other interactions with the DWP or appeals system on someone’s behalf and similar principles should be observed in my view. That does not in any way mean there are not potential problems.

What is Citizens Advice national policy on using / recording clients log in details, making of and case recording entries made by an adviser on their journal (even with their permission), data protection and indemnity insurance etc?

I assume CA have a policy / have issued guidance to bureaux?

Paul_Treloar_AgeUK - 24 January 2018 04:56 PM

“It is not possible so far as I am aware, for the claimant (and hence their adviser/representative) to edit or amend existing journal entries. Which eliminates the risk of tampering.”

But it is possible for whoever has access to a journal to make new entries. Client gives me their password, I log onto their journal to check some details, I do nothing more. Few week’s later client calls me, very upset, to say that their UC has stopped and they don’t know why. They say I must have made an entryin their journal to bring about this event. How do I prove that I didn’t?

I take your point in that it is difficult to prove a negative. However, we have trust and professionalism. If the client persists and wishes to make a formal complaint or a criminal allegation then computer logs would (eventually and, at some expense, I grant you) be able to establish the truth of things.

But such things have always been possible.

I see a client who wishes to claim DLA for her child. She is claiming IS and HB and reveals to me that she has £14,000 in undisclosed capital and is LTHAW with a partner who is employed. I advise her of the legal position. I explain that whilst I can assist her to disclose what needs to be disclosed to the DWP, thus hopefully minimising the impact on her entitlement and any overpayments and recoverability, I cannot provide any ongoing assistance unless she agrees to make disclosure, otherwise I will be open to charges of fraud myself. But I will not make disclosure without her permission. Her decision is that she will do without my advice.

A week later she gets called to an interview under caution. How do I prove it wasn’t me who grassed her up?

To be clear here.

This isn’t a case where some people are right and some people are wrong. Data protection, client consent and confidentiality and organisational indemnity are all legitimate areas of concern. And any policy that would allow advisers to access client journals will need to properly address these.

But it remains the case that organisations’ existing policies were developed to meet the needs of another country (and besides….......) - I do not think that complaints and policy papers to MPs and government ministers along the lines of the UC system being one which prevents us from intervening on behalf of our clients are going to fall on anything but deaf ears. That is, after all, precisely what they want - it may have been an unforeseen benefit of UC, but it is a benefit nevertheless.

It may be, after proper consideration, we have to say that we cannot draft policies/office manuals and forms of authority that will fit the bill - the other considerations are just too important or too risky or cannot be adequately addressed. In which case we simply admit defeat and ever diminishing relevance.

I couldn’t agree more that this conversation needs to happen and that we need to be creative in thinking about how to respond and especially, how to work with Ministers, MP’s and DWP in order to look to improve how we can effectively work to support our clients. UC is such a game changer and it’s acceptted, at least n principle, by government that many people do require significant and in many cases on-going support.

However, I also think we should be very cautious about undertaking activity that, however well meaning, could have serious legal implications for advisers and the agencies we work for. Let alone what that means from an indemnity perspective, good practice, etc etc.

‘It may be, after proper consideration, we have to say that we cannot draft policies/office manuals and forms of authority that will fit the bill - the other considerations are just too important or too risky or cannot be adequately addressed. In which case we simply admit defeat and ever diminishing relevance.’

This touches in the heart of the matter. Knowingly or unknowingly (and I have a very clear personal view on the matter) the government has introduced rules and policies which disadvantage the vulnerable and exclude advisers, even when the new ‘simple’ system grows ever more convoluted. remember how they claimed that the appeals system was now so simple that advisers would not be needed?

But I don’t think that gov’t can forever turn a deaf ear (perhaps that’s partly as I just got hearing aids…) - I think determination and persistence will pay off and we need to continue to point out as firmly as possible that, whatever the policy intention, gov’t is further isolating vulnerable people and this will come back to bite them eventually. They have retreated on the PIP changes, there are surely more wins for common sense out there.

Paul_Treloar_AgeUK - 25 January 2018 09:13 AM

I couldn’t agree more that this conversation needs to happen and that we need to be creative in thinking about how to respond and especially, how to work with Ministers, MP’s and DWP in order to look to improve how we can effectively work to support our clients. UC is such a game changer and it’s acceptted, at least n principle, by government that many people do require significant and in many cases on-going support.

However, I also think we should be very cautious about undertaking activity that, however well meaning, could have serious legal implications for advisers and the agencies we work for. Let alone what that means from an indemnity perspective, good practice, etc etc.

Absolutely.

I think what bothered me is that some contributions (at least as it seemed to me) appeared to refuse to countenance any change - solely on the basis of ‘‘this is how we’ve always done it/what does our organisation’s policy say?”

........the wench is dead.

It’s really fascinating to hear everyone’s thoughts on this. 

A few months ago I received a letter from Barclays which included a section indicating that they would use passwords provided by the client to access the client’s bank account, to withdraw consent clients would have to change their password.  I’ve attached a picture of the relevant section of the letter.

What relevance (if any) does everyone feel this has to the debate on this thread?

‘another country….....the wench is dead.’

Allusion to Shylock, Inspector Morse, or both? :)

Peter Turville - 24 January 2018 05:04 PM

Mr Finch - 24 January 2018 02:49 PM

I agree with past caring. I don’t think the analogy with sharing login details in employment is valid. An employer is entitled to make rules and to dismiss staff. Benefits claimants however have a right to access payment and the DWP are not entitled to obstruct this in the same way. They may not approve of doing this but it should be the client’s consent that matters. Interacting with a UC journal with consent is not fundamentally different to any other interactions with the DWP or appeals system on someone’s behalf and similar principles should be observed in my view. That does not in any way mean there are not potential problems.

What is Citizens Advice national policy on using / recording clients log in details, making of and case recording entries made by an adviser on their journal (even with their permission), data protection and indemnity insurance etc?

I assume CA have a policy / have issued guidance to bureaux?

Had a look on CABlink and BMIS couldn’t find anything specific to advisers accessing UC journals. Found a dizzying array of other stuff regarding DP and indemnity insurance oh and policy on infectious diseases.

Regarding casebook the CITA case recording system all Bureaux use, we are not allowed to use someone else’s user name and password. So really can’t imagine CITA approving we access client’s journals in their absence logging on using their usernames and passwords etc.

I am just dealing with my first two UCFS claimants. I have called UC then got the claimant up on a conference call and all has been sorted. I know

That won’t work with some of my more chaotic claimants; either they won’t answer the phone or (and I’m kinda looking forward to this bit) the adviser with be subject to a delusional stream of consciousness wholly unrelated to the issue at hand; I’ve got at least two clients where that is a distinct possibility.

Hopefully Mr Couling will read this and realise what a silly policy Explicit consent is. In fact I might just tweet this at him unless anyone objects.

Andrew Dutton - 25 January 2018 10:10 AM

‘another country….....the wench is dead.’

Allusion to Shylock, Inspector Morse, or both? :)

Christopher Marlowe’s The Jew of Malta

Ah - wrong writer!!!!

Owen Stevens - 25 January 2018 10:10 AM

It’s really fascinating to hear everyone’s thoughts on this. 

A few months ago I received a letter from Barclays which included a section indicating that they would use passwords provided by the client to access the client’s bank account, to withdraw consent clients would have to change their password.  I’ve attached a picture of the relevant section of the letter.

What relevance (if any) does everyone feel this has to the debate on this thread?

Regarding relevance to this debate on the thread, aside from the DP issues already raised which can’t be swept under the carpet. Is it actually ethical for us to have that sort of access to people’s journals in their absence and have their passwords, usernames, and security questions etc?

By that i’m not questioning the integrity or motivations of anyone.

Gareth Morgan - 25 January 2018 11:19 AM

Andrew Dutton - 25 January 2018 10:10 AM

‘another country….....the wench is dead.’

Allusion to Shylock, Inspector Morse, or both? :)

Christopher Marlowe’s The Jew of Malta

Indeed.

Andyp5 Citizens Advice Bridport & District - 25 January 2018 11:53 AM

Regarding relevance to this debate on the thread, aside from the DP issues already raised which can’t be swept under the carpet. Is it actually ethical for us to have that sort of access to people’s journals in their absence and have their passwords, usernames, and security questions etc?

By that i’m not questioning the integrity or motivations of anyone.

Which begs the prior question of the ethics of the government creating a situation where professionals might feel the need for this.

- due to the Freepost issue, I cannot send MR requests or other correspondence by Special or Recorded PO delivery - which makes evidencing the fact they were sent much more difficult.

- due to the fact that MR decisions are notified solely by an upload to the client’s journal - even where the MR has been carried out at my behest - I have no way of knowing whether it has been done unless the client tells me. Many of clients are not capable of this.

- if I call the helpline, I have no prospect of obtaining any information unless the client is with me. Even if the client is with me, the odds are no better than even that what I am told will be accurate.

The truth is that I do not want the ability to access client’s journals - for all of the reasons others have given and more besides. I want a system where I can do my job properly and can effectively assist my clients without intruding into their privacy and opening myself up to allegations of impropriety. We have had such a system within living memory - it may not have been perfect, but generally it worked.

I now attend DWP meetings with policy wonks from Caxton House who look utterly bemused when I explain the difficulties presented by notifying an MR decision only by upload to the client’s journal. When I explain that I am the claimant’s legal representative, that the MR has been carried out my request and that there is a resulting obligation to notify me, they simply do not get it. This, together with the rubbish coming from government and likes of Couling, makes me very pessimistic about the prospects of our being able to successfully lobby for meaningful change.

I hope I’m proved wrong….

Andyp5 Citizens Advice Bridport & District - 25 January 2018 11:53 AM

Regarding relevance to this debate on the thread, aside from the DP issues already raised which can’t be swept under the carpet. Is it actually ethical for us to have that sort of access to people’s journals in their absence and have their passwords, usernames, and security questions etc?

By that i’m not questioning the integrity or motivations of anyone.

 

I think there is a big difference to storing peoples log in details and potentially logging in (with the best of intentions) without them being aware to check on progress of claim and a situation where client calls on the telephone, tells you that there is something wrong with their UC claim and either they don’t understand or cannot access the internet, and agrees for you to log into their account at your end to work out what is happening and potentially communicate with the Jobcentre on their behalf.

Even the latter situation isn’t great, for one thing it goes against all of the advice you would normally give a vulnerable person to never share their PINs/passwords etc. But I do agree with much of what pastcaring is saying and it does seem that the current situation is one where ‘needs must’.

It is going to make things very difficult at both ends of the spectrum though - obviously as discussed above there are the chaotic clients who won’t engage and/or tell you when something is going wrong but there are also the clients who disappear off the radar the moment everything is sorted out - at the moment you can call ESA/PIP who will usually confirm that positive decisions have been made/premiums added etc but under UC this will no longer be possible which will impact on any service who is needing to record income gains/successful outcomes in order to secure funding.

past caring - 25 January 2018 03:12 PM

Andyp5 Citizens Advice Bridport & District - 25 January 2018 11:53 AM

Regarding relevance to this debate on the thread, aside from the DP issues already raised which can’t be swept under the carpet. Is it actually ethical for us to have that sort of access to people’s journals in their absence and have their passwords, usernames, and security questions etc?

By that i’m not questioning the integrity or motivations of anyone.

Which begs the prior question of the ethics of the government creating a situation where professionals might feel the need for this.

- due to the Freepost issue, I cannot send MR requests or other correspondence by Special or Recorded PO delivery - which makes evidencing the fact they were sent much more difficult.

- due to the fact that MR decisions are notified solely by an upload to the client’s journal - even where the MR has been carried out at my behest - I have no way of knowing whether it has been done unless the client tells me. Many of clients are not capable of this.

- if I call the helpline, I have no prospect of obtaining any information unless the client is with me. Even if the client is with me, the odds are no better than even that what I am told will be accurate.

The truth is that I do not want the ability to access client’s journals - for all of the reasons others have given and more besides. I want a system where I can do my job properly and can effectively assist my clients without intruding into their privacy and opening myself up to allegations of impropriety. We have had such a system within living memory - it may not have been perfect, but generally it worked.

I now attend DWP meetings with policy wonks from Caxton House who look utterly bemused when I explain the difficulties presented by notifying an MR decision only by upload to the client’s journal. When I explain that I am the claimant’s legal representative, that the MR has been carried out my request and that there is a resulting obligation to notify me, they simply do not get it. This, together with the rubbish coming from government and likes of Couling, makes me very pessimistic about the prospects of our being able to successfully lobby for meaningful change.

I hope I’m proved wrong….

Couldn’t agree more with you Simon!

Whether its your points regarding ethics in connection with those concerned in the DWP past and present or what those same people term as ‘operational difficulties’.

 

SamW - 25 January 2018 03:50 PM

.... it does seem that the current situation is one where ‘needs must’.

 

But its not just a question of ‘needs must’.

Data protection law is prescriptive. An orgnisations indemnity insurance will also be prescriptive (if perhaps not quite so clear). An organisation will have to comply with those requirements (or face the potential consequences).

I would suggest that is why UC and the lack of implicit consent is a challenge to the way many organisation / advisers work and why it is a signifiant change in the ‘advice landscape’.

It must almost certainly mean recording and using a claimants log in details is prohibited (full stop, no exceptions!). That possibly extends to the adviser being given those details face to face and the adviser (rather than the client) then imputing those details to access the account (even if the advser does not commit them to memory - they have still been disclosed & used)

What is perhaps more of a grey area is issues around making entries on to a claimants journal on their behalf (including, for example, to make an MRl) with their permission, how you might then record that information in case records (print off, cut & paste etc) and whether it is neccessary / advisable to require a claimant to sign a form of authority that specifically addresses this issue in addition to a general date protection authority that most organisation use when writing, emailling etc DWP etc.

I am surprised that organisation like Citizens Advice, Advice UK etc are not (apparently) providing much clearer training, guidance etc for member orrganisations / staff on these issues.