Advisers accessing applicants journals with their permission

SamW - 25 January 2018 03:50 PM

Andyp5 Citizens Advice Bridport & District - 25 January 2018 11:53 AM

Regarding relevance to this debate on the thread, aside from the DP issues already raised which can’t be swept under the carpet. Is it actually ethical for us to have that sort of access to people’s journals in their absence and have their passwords, usernames, and security questions etc?

By that i’m not questioning the integrity or motivations of anyone.

 

I think there is a big difference to storing peoples log in details and potentially logging in (with the best of intentions) without them being aware to check on progress of claim and a situation where client calls on the telephone, tells you that there is something wrong with their UC claim and either they don’t understand or cannot access the internet, and agrees for you to log into their account at your end to work out what is happening and potentially communicate with the Jobcentre on their behalf.

Even the latter situation isn’t great, for one thing it goes against all of the advice you would normally give a vulnerable person to never share their PINs/passwords etc. But I do agree with much of what pastcaring is saying and it does seem that the current situation is one where ‘needs must’.

It is going to make things very difficult at both ends of the spectrum though - obviously as discussed above there are the chaotic clients who won’t engage and/or tell you when something is going wrong but there are also the clients who disappear off the radar the moment everything is sorted out - at the moment you can call ESA/PIP who will usually confirm that positive decisions have been made/premiums added etc but under UC this will no longer be possible which will impact on any service who is needing to record income gains/successful outcomes in order to secure funding.

I don’t think there is a difference, in terms of the actual potential DP and safeguarding issues/pitfalls that have already been raised. There is still the issue that we would be using that client’s user name, password, and answering two security questions, and logging on as if we are them.

I don’t say that to be sanctimonious, i am just urging caution, because ‘needs must’ may not be an arguable defence if things got ugly etc etc. 

Peter Turville - 25 January 2018 05:04 PM

SamW - 25 January 2018 03:50 PM

.... it does seem that the current situation is one where ‘needs must’.

 

But its not just a question of ‘needs must’.

Data protection law is prescriptive. An orgnisations indemnity insurance will also be prescriptive (if perhaps not quite so clear). An organisation will have to comply with those requirements (or face the potential consequences).

I would suggest that is why UC and the lack of implicit consent is a challenge to the way many organisation / advisers work and why it is a signifiant change in the ‘advice landscape’.

It must almost certainly mean recording and using a claimants log in details is prohibited (full stop, no exceptions!). That possibly extends to the adviser being given those details face to face and the adviser (rather than the client) then imputing those details to access the account (even if the advser does not commit them to memory - they have still been disclosed & used)

What is perhaps more of a grey area is issues around making entries on to a claimants journal on their behalf (including, for example, to make an MRl) with their permission, how you might then record that information in case records (print off, cut & paste etc) and whether it is neccessary / advisable to require a claimant to sign a form of authority that specifically addresses this issue in addition to a general date protection authority that most organisation use when writing, emailling etc DWP etc.

I am surprised that organisation like Citizens Advice, Advice UK etc are not (apparently) providing much clearer training, guidance etc for member orrganisations / staff on these issues.

Regarding your last point so am i, i think its something we need to contact them for!

basically, don’t do it.  in, fact, i’ll shout DON’T DO IT.

eventually, someone will come a cropper doing so.

but also - write to frank field showing him the problems and get his committee to investigate the issue and beat some sense into the DWP.

ClairemHodgson - 25 January 2018 10:40 PM

but also - write to frank field showing him the problems and get his committee to investigate the issue and beat some sense into the DWP.

Also (worth repeating again & again) refer cases / issue to clients MPs.

As I’ve said before I think UC will be similar to CSA - once MP’s surgeries and postbags have been overwhelmed with UC issues for months on end things will start to change just as they did with CSA. As well as on the opposition benches there are MPs on the government sides sympathetic to problems with UC. It may not take to many more with concerted & repeated raising of the issues for govt/DWP to have to make reforms.

Given the views expressed, what exactly should we be asking our MPs to do about this?

Billy Durrant - 26 January 2018 09:57 AM

Given the views expressed, what exactly should we be asking our MPs to do about this?

make representations as to how useless the journal system is using examples, of which there are more than plenty on these forums.

and pointing out that it doesn’t actually save anything in costs/time/etc since it only results in people having to take up time on phone lines etc trying to sort things out when both the person at the DWP answering the phone, and the person making the call, would both be better employed doing other things but can’t be because the system is so dire…

and of course none of this is going to be assisted by the new regulations on data protection shortly to come in…

Billy Durrant - 26 January 2018 09:57 AM

Given the views expressed, what exactly should we be asking our MPs to do about this?

Exploring how third party access to UC journals can be authorised in siuch a way that doesn’t compromise data security for the claimant.

ClairemHodgson - 26 January 2018 10:11 AM

and of course none of this is going to be assisted by the new regulations on data protection shortly to come in…

Paul_Treloar_AgeUK - 26 January 2018 10:19 AM

Exploring how third party access to UC journals can be authorised in siuch a way that doesn’t compromise data security for the claimant.

Are these in any way compatible?

Dan Manville - 25 January 2018 11:14 AM

That won’t work with some of my more chaotic claimants; either they won’t answer the phone or (and I’m kinda looking forward to this bit) the adviser with be subject to a delusional stream of consciousness wholly unrelated to the issue at hand; I’ve got at least two clients where that is a distinct possibility.

I’ve seen a journal Dan with pages of quite random stuff with every so often a crucial bit of information in. So evidence the DWP have been informed - they just have to find it…

Abashed as I am from not remembering my Shakespeare from my Marlowe, I wonder if we should be thinking of a joint/NAWRA approach to gather and present evidence on this subject (as well as advisers making approaches to individual MPs)?

This topic links directly to the problems relating to consent, and also embraces along the way the continuing problems faced by corporate appointees.

DWP policy and practice seems to be working, however unintentionally, to exclude advisers and expose the most vulnerable to unnecessary difficulties.

I am finding, where difficulties are raised (e.g. vulnerable claimant who cannot make or maintain an online claim) that an ad-hoc approach is being taken by DWP, doing what it takes to get the claimant on to UC (such as getting a friend to offer use of their email address), without apparent planning for what happens in the future as the claimant (or their poor friend) continues to be unable to use IT and yet is bombarded with emails asking them to look at their UC account.

It seems to be not ‘test and learn’ but patch-and-mend, and the high-ups of DWP need to have this called to their attention as forcefully as possible.

One for Claire possibly.  Is this a situation where the relationship between legally qualified reps, their privileges and their clients might carry some more weight?

Billy Durrant - 26 January 2018 10:33 AM

ClairemHodgson - 26 January 2018 10:11 AM

and of course none of this is going to be assisted by the new regulations on data protection shortly to come in…

Paul_Treloar_AgeUK - 26 January 2018 10:19 AM

Exploring how third party access to UC journals can be authorised in siuch a way that doesn’t compromise data security for the claimant.

Are these in any way compatible?

I believe so yes. It would mean that advisers would need to secure precise authorisation from a client to that effect, rather than the previous “I authorise Paul Treloar to deal with my Income Support claim” knd of authoriity but I don’t see the two aspects as being fundamentally incompatible.

Gareth Morgan - 26 January 2018 10:56 AM

One for Claire possibly.  Is this a situation where the relationship between legally qualified reps, their privileges and their clients might carry some more weight?

in what context?

I’m not that up on data protection law - all i know is i can’t even tell people that i act for someone without permission, can’t discuss their case with anyone, and have to protect their data/files/etc from unauthorised users

I would never expect my client to allow me access to any of his/her social media or other password protected area, and wouldn’t do it if s/he did.  and if i did i’d expect to be hauled over the coals by the SRA, the ICO, and the press in no uncertain terms.

As an example, a colleague used another colleagues login to do something online (her own refused to work); we’ve been bollocked for that, and that was internal and no breach of any client’s confidentiality etc.  but it was, rightly, the suspicion that there might have been such a breach.

I don’t see myself that legal professional privilege (which only applies to lawyers/clients, not welfs/clients) is relevant to the issue at hand

the issue is the over reliance, to the exclusion of anything else, on electronic/online means of communication, and a wholesale refusal to listen to the problems thus caused.

Personally I love IT/corresponding email (NOT text/whatsapp)/etc - but not everyone can/does, and in those situations then of course i revert to post/phone, personal visit as required.

and i’ve similar concerns re the proposals for online courts/LiPs being able to deal wtih online portal for their PI claims/etc.  IT CAN’T WORK for reasons we are all familiar with.

entertaining thought for the day - the day the DWP try to send submissions to HMCTS by email, and find that HMCTS won’t accept anything greater than 10 pages and if they do they charge you for the printing costs….(ditto fax)

The attached ‘vulnerable Persons policy’ devised by Taunton CA (Rhoda Cooke) and Taunton JCP (Lucy Martin), doesn’t address the issue of 3rd parties access to client’s journals.

But could be a starting point for potentially addressing the implicit consent angle and some sort of wider policy communicating with client’s consent with jobcentres etc .Following on from Claire’s point, i think Frank Field et al would find the attached helpful. 

Andyp5 Citizens Advice Bridport & District - 25 January 2018 10:56 AM

Had a look on CABlink and BMIS couldn’t find anything specific to advisers accessing UC journals. Found a dizzying array of other stuff regarding DP and indemnity insurance oh and policy on infectious diseases.

Regarding casebook the CITA case recording system all Bureaux use, we are not allowed to use someone else’s user name and password. So really can’t imagine CITA approving we access client’s journals in their absence logging on using their usernames and passwords etc.

There is reference on cablink to a UC resource called “Storing clients passwords”, but it doesn’t seem to be published yet as far as I can tell.

I’m a little surprised that there doesn’t seem to be a T+Cs from DWP for claimants, instructing them not to disclose their passwords to third parties. Is there any such policy claimants are asked to abide by? I guess a reason that there wouldn’t be, is that it’s not obvious how any contraventions could be dealt with. DWP can hardly withdraw its services, and they seem unlikely to set up offline processes as an alternative way to continue a UC claim.

I’m guessing most organisations will be going through a GDPR review/ training soon, so it will probably be a good time to raise this issue….!

Andyp5 Citizens Advice Bridport & District - 26 January 2018 12:48 PM

The attached ‘vulnerable Persons policy’ devised by Taunton CA (Rhoda Cooke) and Taunton JCP (Lucy Martin), doesn’t address the issue of 3rd parties access to client’s journals.

But could be a starting point for potentially addressing the implicit consent angle and some sort of wider policy communicating with client’s consent with jobcentres etc .Following on from Claire’s point, i think Frank Field et al would find the attached helpful. 

That policy is fine for one CAB.  What about all those advisers who are not in the CAB, people such as support workers, housing officers, social workers, solicitors, relatives, etc?  Why limit it to vulnerable people?

In my experience,  when one advice agency agree a protocol with DWP, it can end up being used by DWP to block access by others and a failure to recognise that CABs are just one part of the advice jigsaw.

neilbateman - 28 January 2018 08:32 PM

Andyp5 Citizens Advice Bridport & District - 26 January 2018 12:48 PM

The attached ‘vulnerable Persons policy’ devised by Taunton CA (Rhoda Cooke) and Taunton JCP (Lucy Martin), doesn’t address the issue of 3rd parties access to client’s journals.

But could be a starting point for potentially addressing the implicit consent angle and some sort of wider policy communicating with client’s consent with jobcentres etc .Following on from Claire’s point, i think Frank Field et al would find the attached helpful. 

That policy is fine for one CAB.  What about all those advisers who are not in the CAB, people such as support workers, housing officers, social workers, solicitors, relatives, etc?  Why limit it to vulnerable people?

In my experience,  when one advice agency agree a protocol with DWP, it can end up being used by DWP to block access by others and a failure to recognise that CABs are just one part of the advice jigsaw.

I was thinking beyond confining the above exclusively to CA’s, see paragraph 2 in the context of the wider topic.

Whilst I know that people have got the wind up regarding current and future Data Protection requirements, I am struggling to understand a few things;

1. Is it/will it be unlawful for an individual to decide that they wish to share their username and password with me so that I can assist them?

2. Having so decided, is it then unlawful for that individual to give written and express confirmation for me to store and use their username and password?

3. Or is it that none of that would be unlawful and that the only unlawfulness would occur at the point I decided to act on their instructions? If this is the case, can someone explain how it can be unlawful for me to act with the express permission on the direct instructions of my client if 1 and 2 above are not unlawful?

Lee Forrest - 23 January 2018 04:52 PM

Greeny - 23 January 2018 04:42 PM

in my experience the HMCTS will not accept the appeal w/o a coy of MR notice - best of luck with this.

some friends / ex colleagues I was walking with over Christmas were discussing accessing client’s journals - I understand they need to get a new one for each time they access their client account - it has to be signed by the claimant each time.

I am yet to experience the full roll out service - in dread!

I’ll let you know if it works…. (SSCS1 without a MRN)

A conference call is the best middle way, but not always convenient, and is depends on the organisation having the right technology.

Hello,

If you include a letter from yourself explaining the issue, the client’s health problems and limitations as a result, I find that HMCTS do accept SSCS1 forms without a MRN.  Also within the letter explain that one will be sent as soon as you are able.

It is worth ringing them explaining the problem so they already have it on record too.

Best of luck!

past caring - 30 January 2018 04:05 PM

Whilst I know that people have got the wind up regarding current and future Data Protection requirements, I am struggling to understand a few things;

1. Is it/will it be unlawful for an individual to decide that they wish to share their username and password with me so that I can assist them?

2. Having so decided, is it then unlawful for that individual to give written and express confirmation for me to store and use their username and password?

3. Or is it that none of that would be unlawful and that the only unlawfulness would occur at the point I decided to act on their instructions? If this is the case, can someone explain how it can be unlawful for me to act with the express permission on the direct instructions of my client if 1 and 2 above are not unlawful?

If an adviser uses someones log in details they could go into their account and not only check or make an entry in their journal but could change their personal details etc. That is different to disclosing information by letter/phone/email etc to DWP - you disclose on behalf of the client (with their permission) DWP action/decide/change.

But if you change details then you (not the DWP) have taken that action / made that change. So even if you don’t in fact change anything and only check information like the claimants payment history or make an entry in the journal (inc making an MR) you leave yourself and your organistaion open to the client (or DWP) accusing you of having taken unauthorised other action / made a change to the clients account / details.

If a client gave you their on line bank or utility log in details. You might only use them to to check info. on their account - but you would be open to an accusation that you had also conducted a transaction.

That is why storing and using a clients log in details (or even making entries / changes to their account if the client themselves have accessed their account for you) is such an important issue.

I repeat that I am surprised that organisations like CA and AdviceUK don’t appear to have issued clear guidance to member organisations about this issue.

Sounds like a silly question but if you log into a UC account, can you see details of the bank account that payments are made to?

Paul_Treloar_AgeUK - 01 February 2018 10:29 AM

Sounds like a silly question but if you log into a UC account, can you see details of the bank account that payments are made to?

No.

Peter -

There are a whole load of ‘ifs’ there…...‘if you have this data you could do something dodgy’.

But this has always been the case - via the ‘report once’ facility I have, with implicit consent, reported that one member of a Pension Credit couple has died, that a partner has gone to reside permanently in a care home so that the single person rate of benefit should be paid without a carer premium, that a cared for partner has died so that DLA for the claimant and CA for carer should cease. And I’ve done so numerous times. Plenty of opportunity for wrongdoing there.

I have also advised countless clients of their duty to disclose facts or changes of circumstance to the DWP that will affect their benefit entitlement and where they have already been overpaid as a consequence of not having disclosed (recoverability for periods prior to obtaining my advice might be an issue, but following this it is not). I have always made it clear that it is the client’s decision as to whether or not to disclose, that my organisation offers a confidential service and will not disclose without their permission, that, however, we cannot assist or be complicit in fraud and that therefore any ongoing assistance will only be provided if the client decides to disclose. And a fair number of clients have then decided they no longer wish me to assist as a result - I have always assumed they have done so because their choice was not to make disclosure. Nothing to prevent me from making an anonymous tip-off in those circumstances should I have chosen to.

I and every other adviser and advice agency hold personal data on clients (name, place of birth, date of birth, NINo, address, telephone number) that would be an absolute gold mine for scammers and fraudsters - and we could easily pass such data on. In many cases we hold data which would be even more useful to fraudsters - passport and ID card numbers, bank account details and so on. We have been doing all this for time immemorial.

Yes, storing a claimant’s user name and password and using these to view their journal does open us up allegations of abuse or wrongdoing - this is not new.

But you haven’t addressed the questions I actually asked;

1. Is it/will it be unlawful for an individual to decide that they wish to share their username and password with me so that I can assist them?

2. Having so decided, is it then unlawful for that individual to give written and express confirmation for me to store and use their username and password?

3. Or is it that none of that would be unlawful and that the only unlawfulness would occur at the point I decided to act on their instructions? If this is the case, can someone explain how it can be unlawful for me to act with the express permission on the direct instructions of my client if 1 and 2 above are not unlawful?

Peter Turville - 01 February 2018 10:00 AM

past caring - 30 January 2018 04:05 PM

Whilst I know that people have got the wind up regarding current and future Data Protection requirements, I am struggling to understand a few things;

1. Is it/will it be unlawful for an individual to decide that they wish to share their username and password with me so that I can assist them?

2. Having so decided, is it then unlawful for that individual to give written and express confirmation for me to store and use their username and password?

3. Or is it that none of that would be unlawful and that the only unlawfulness would occur at the point I decided to act on their instructions? If this is the case, can someone explain how it can be unlawful for me to act with the express permission on the direct instructions of my client if 1 and 2 above are not unlawful?

If an adviser uses someones log in details they could go into their account and not only check or make an entry in their journal but could change their personal details etc. That is different to disclosing information by letter/phone/email etc to DWP - you disclose on behalf of the client (with their permission) DWP action/decide/change.

But if you change details then you (not the DWP) have taken that action / made that change. So even if you don’t in fact change anything and only check information like the claimants payment history or make an entry in the journal (inc making an MR) you leave yourself and your organistaion open to the client (or DWP) accusing you of having taken unauthorised other action / made a change to the clients account / details.

If a client gave you their on line bank or utility log in details. You might only use them to to check info. on their account - but you would be open to an accusation that you had also conducted a transaction.

That is why storing and using a clients log in details (or even making entries / changes to their account if the client themselves have accessed their account for you) is such an important issue.

I repeat that I am surprised that organisations like CA and AdviceUK don’t appear to have issued clear guidance to member organisations about this issue.

We have contacted CITA, and we are waiting for a response, as soon as we get something, we will post it.

past caring - 01 February 2018 10:34 AM

Yes, storing a claimant’s user name and password and using these to view their journal does open us up allegations of abuse or wrongdoing - this is not new.

This is what i s covered by the DPA, this is what you’d need to be extremely cautious about storing confidential informaiton of this nature and the forthcoming data protection changes will make this even more stringent.

I think the issue of accessing a UC journal is also a fundamentally different matter than advising someone about a potential overpayment and disclosure etc. The issue at hand is data protection for an individual and is a different kettle of fish. What instructions are given by DWP to UC claimants about their journals and passwords? What legal warnings are there?

Paul_Treloar_AgeUK - 01 February 2018 10:52 AM

The issue at hand is data protection for an individual and is a different kettle of fish. What instructions are given by DWP to UC claimants about their journals and passwords? What legal warnings are there?

Also, another question - if there are legal warnings, do these actually carry any weight in law?

past caring - 01 February 2018 10:34 AM

But you haven’t addressed the questions I actually asked;

I don’t have an answer I’m just engaging in the debate.

You work in a law centre, so I assume that if not yourself, you have legally qualified colleagues. What is their advice on this issue? What is the policy of your organisation?

I think it’s the storing of details that’s the big problem for me.

Subject to any policy by my employer, if I ever accessed a journal for someone it would be exceptional because they couldn’t do so without that assistance. In that event I would just memorize their login. Building a database of logins would be a different concern.

Also, another question - if there are legal warnings, do these actually carry any weight in law?

Not as far as I can see. In fact such warnings would be a bit freeman-on-the-land.

Peter Turville - 01 February 2018 11:31 AM

I don’t have an answer I’m just engaging in the debate.

You work in a law centre, so I assume that if not yourself, you have legally qualified colleagues. What is their advice on this issue? What is the policy of your organisation?

Nobody I have spoken to thinks it can be in any way unlawful. Of course, there are existing requirements under the DPA about how clients’ data is stored and it is quite possible these will become more stringent and will need to be complied with.

It is not currently our policy to store and use clients’ UC usernames and passwords and we do not do it. But everyone knows my views and there is agreement that we will need to review our policy and work out whether this is something we can accommodate. It is just a question of finding the time to do this.

As an aside, but to further demonstrate the problems, the kind of the thing that eats into one’s time because of UC was amply illustrated yesterday - client’s UC journal closed following negative RtR decision, so I cannot copy and paste the MR request into the journal and I cannot send it by Special or Recorded delivery because the address is a Freepost address. But you can get proof of postage for Freepost items by taking the letter in to the Post office counter - so off I trot. After 20 minutes of queuing in the local PO I am told that I cannot get proof of postage in this instance because the DWP’s Freepost address contains no Freepost reference code and no post code. So that’s it - and time entirely wasted.

Perhaps as a parallel, some of our housing solicitors do store and use clients’ usernames and passwords for their ‘homesearch’ accounts - i.e. the local authority system that allows homeless or overcrowded individuals to ‘bid’ for LA accommodation. Of course, what is happening here is that the solicitor is doing this to either alert a client with no internet access to properties on which they could potentially bid or to check progress on the client’s existing bids.

.