HB Bulletin U1/2019: Urgent reminder about data security relating to the Housing Benefit Debt Service
Updated 23 August 2019
Contact
For queries about the:
- distribution of this bulletin, contact: housing.correspondenceandpqs@dwp.gsi.gov.uk
- content of this bulletin, contact: hbsdsecurity.team@dwp.gsi.gov.uk
Who should read
All Housing Benefit (HB) debt recovery staff
Action
For information and action, where required
Background
1. In the course of our ongoing work to support local authorities (LAs) operating the Housing Benefit Debt Service (HBDS), HM Revenue & Customs (HMRC) identified a data security breach.
2. Specifically, an individual LA debt recovery staff member shared the HBDS data about a claimant directly with that same claimant. This was done with good intentions but ultimately led to the temporary suspension of the data share from HMRC to the Department for Work and Pensions (DWP).
3. This bulletin sets out to remind all HB debt recovery staff about their responsibilities in relation to data security and any remedial action their managers may need to take.
General data security responsibilities
4. To access and receive data in relation to HB administration, including debt recovery, all LAs must sign up to a memorandum of understanding (MoU) with DWP which is renewed each year.
5. The MoU sets out the responsibilities of both LA staff members and authorities as a whole in relation to every aspect of the security of the data we share with them. DWP reserves the right to suspend or cancel access to shared data should LAs not meet the requirements set out in the MoU or, if a serious breach were to occur, without taking remedial action.
Specific data security principles in relation to the HBDS
6. For the HBDS, the data DWP shares with LAs is actually an onward share of HMRC data, which HMRC has shared with DWP. This data share is covered by DWP’s MoU with LAs, and DWP has also signed a separate MoU with HMRC.
7. Both MoUs are explicit about the requirement on LAs (and individual LA staff members) not to onward share any data with any other individual or organisation without the explicit permission of the data owner. In the case of the HBDS, the data owner is HMRC.
8. With regard to the data security breach in question, the LA member of staff believed it was okay to share an individual’s own HMRC earnings data with that individual, subject to identity checks. However, HMRC’s rules clearly count this as a breach of security.
9. There should be no routine reason for individuals to see proof, or require proof, of the earnings data LAs have received. Should an unusual circumstance lead to an LA’s need to demonstrate proof, for example in the case of a complaint, then it is vital for the LA to seek HMRC’s permission to do so. In such circumstances LAs should email datbulkdataexchange.ris@hmrc.gov.uk
10. LAs should also be reminded, in this same context, that paragraph 4.2 of the Frequently Asked Questions for HBDS states that if a debtor asks where the data has come from, then they should be advised it has come from DWP. Similarly, if LAs receive Freedom of Information requests in relation to the release of HBDS data, they should be forwarded to DWP.
Action required
11. To ensure all LA HB debt recovery staff fully understand their data security responsibilities.
12. All managers of HB debt recovery staff should discuss this bulletin with their team members and, where necessary, ensure any remedial learning and development takes place.