Guidance

Chapter 5: Data sharing between DWP and providers

Updated 25 February 2022

Applies to Scotland

This is Job Entry: Targeted Support (JETS) in Scotland provider guidance.

Introduction

5.01 The purpose of this chapter is to summarise all the elements of data that will be shared between the Department for Work and Pensions (DWP) and you. The following paragraphs focus on the customer journey from referral stage through to when they finish the programme. We explain the type of data which will be shared and the sources of this, including the overarching processes in place.

5.02 As a Provider you will have been required to submit an Information Security Questionnaire at the procurement stage. Once assured by the DWP this demonstrates your suitability to receive and store information as well as confirming that you comply with the DWP Security Policy (which includes compliance with such standards as ISO/IEC27001). Further information about our security procedures can be found here Generic Provider Guidance Chapter 8 – Information Security.

Data transfer at the start of the programme

5.03 DWP may send you personal and sensitive information about participants. This will include documents detailing disability status and barriers to work. This data must be securely stored and with procedures in place which allow it to be retrieved from your systems. Some or all the data may be forwarded to your sub-contractors.

5.04 Potential participant data items are listed here:

  • Personal Information – this information will include the following data fields (Note this list is not exhaustive):
    • Full name including title.
    • National Insurance number (NINo)
    • Full address including postcode
    • Telephone number including area code.
    • Other telephone number (mobile)
  • Unique PRaP Referral identifier
  • Client Number
  • Qualifications:
    • Level
    • Subject
    • Outcome
    • Start date
    • End date
    • Basic skills assessment
  • Driving Licence
  • Employment:
    • Previous job dates
    • Aims (free text field)
    • Job preferences
    • Preferred hours

5.05 This information will be largely transferred to you via the DWP’s Provider Referral and Payment (PRaP) system (if it is not appropriate to use PRaP this information will be shared by email). Further information is provided at paragraphs 5.10 and 5.11.

5.06 PRaP has a robust security accreditation level (IL2) in relation to data storage. This is reviewed annually or whenever there are any system updates/changes. In addition to this other PRaP features include:

  • the ability to limit Provider access until they have met the Department’s security standards
  • Access Control – Audits are undertaken every 30 days to ensure the right people have access
  • Provider access via Government Gateway which is a secure internet gateway which has its own security standards (owned by HMRC)

5.07 Multi Agency Public Protection Arrangement (MAPPA) participants will be referred through PRaP. Further information can be found in JETS in Scotland Provider Guidance - Chapter 3 - Referrals, Initial Participant engagement and Starts on programme.

5.08 For MAPPA participants, you will receive the referral, minus the address, postcode and contact telephone number.

5.09 Participants who have been granted Special Client Record (SCR) status will always be referred to you clerically using the SL2 clerical referral form.

Data transfer during the programme

5.10 When the DWP becomes aware of any changes in Participant information, they will notify you via a change of circumstances notification form. Further information can be found in JETS in Scotland Provider Guidance Chapter 10 - Change of Circumstances and Notifications.

5.11 You must notify Jobcentre Plus using the Change of Circumstances notification form JETS.S07 if:

  • the Participant has disengaged with you
  • the Participant has re-engaged with you following a disengagement
  • a potential participant who has been mandated to attend and participate in the initial appointment with you, does not attend; and/or
  • there is a change in the Participant’s circumstance and through discussions with the Participant, you jointly identify that alternative provision may better support the Participant

5.12 Further information can be found in JETS in Scotland Provider Guidance Chapter 10 - Change of Circumstances and Notifications and Chapter 3 Referrals, Initial Participant engagement and Starts on programme.

5.13 There is also a requirement for you and your supply chain/sub-contractors to notify DWP when you employ a Participant in your employment business. You must complete a PBECFJETS.S Employment Business Customer Form. This can be found on Annex F on Jaggaer.

5.14 You must send this by unencrypted email, at least five days before first salary payment, to the DWP’s Payment Team Central Inbox prap.support@dwp.gov.uk.

5.15 DWP will be validating employment outcomes using employment and earnings data submitted using HMRC PAYE on line earnings data submitted by employers.

5.16 We will share some information about participant earnings with you. This will include a Participant’s first pay date and confirmation that they have reached the earnings threshold to achieve a job outcome. Further information can be found in JETS in Scotland Provider Guidance Chapter 9 - Validation.

Data transfer at the end of programme

5.17 You are required to complete Exit Report forms (JETS.S-ER) for JETS in Scotland Participants. To improve quality and consistency we have developed a standard form for you to complete. Further information on exit reports can be found in JETS in Scotland Provider Guidance Chapter 6 - Programme Completers and Early Exits.

5.18 You will have considered the level of information needed in the exit report when you developed your systems and processes. As JETS in Scotland is a light touch programme the JETS.S-ER Exit Report form has been updated to reflect this. This includes (but is not limited to):

  • Participant Surname
  • Participant National Insurance number (NINo)
  • Summary – How the Participant benefited from the JETS in Scotland, and the progress against the activities undertaken by the Participant whilst on programme
  • Actions completed
  • Next steps – your recommendations to Jobcentre Plus on the most appropriate next steps for the Participant

5.19 To help ensure you tailor packages to potential Participants, you should encourage Participants to share with you directly any appropriate information about their previous efforts to secure employment/move closer to the job market as will their Jobcentre Plus work coach. As some of these Participants are vulnerable we ask you to act sensitively when trying to obtain this information.

Use of Unencrypted Email

5.20 You must be able to communicate with and receive communications from the Department by unencrypted email as required.

5.21 Before DWP approves you to use unencrypted email for the first time for a specific process there are steps you must undertake to comply with DWP security requirements. You must email WPD.Security@dwp.gov.uk with any request to use unencrypted email and comply with the implementation and assurance requirements specified by DWP prior to beginning to use of unencrypted email.

5.22 Before allowing your sub-contractors to use the unencrypted email for any new process, you must have ensured that the sub-contractor has been formally approved by DWP and you have undertaken any necessary due diligence. Further detail can be found in Generic Provider Guidance Chapter 8 – Information Security.

5.23 The following are the only approved processes that you may use unencrypted email for:

  • Exit Reports
  • Raising a Compliance Doubt and notifying participant re-compliance following a sanction
  • Reporting Changes of Circumstances
  • JETS in Scotland Employment Business Customer’ Form PBECFJETS.S
  • List of 500 names and NINos; and
  • Good news stories

5.24 You are not permitted to use unencrypted email for any other purpose without the written permission of the DWP. Further detail can be found in Generic Provider Guidance Chapter 8 – Information Security.

5.25 Unencrypted emails sent to you by the DWP will always be sent to a dedicated Provider in-box agreed by you and DWP for JETS Scotland.

5.26 When you use unencrypted e-mail to send information to the DWP you must adhere to the restrictions stipulated within Generic Provider Guidance Chapter 8 – Information Security The following restrictions relate to the processes in the above paragraphs and will include all or part of the following:

  • only one record per e-mail (except for the requirements to share information between Prime Providers, their Supply Chain and Third parties)
  • standard e-mail content
  • standard template completed and included in e-mail; and
  • Email sent from and to a designated inbox

5.27 If you wish to extend the use of unencrypted email to one of your existing DWP approved sub-contractors who was not named on the list you initially supplied, you must supply an updated list to your Supplier Manager and agree a date for the new sub-contractor to begin using the unencrypted email process.

5.28 If you wish to extend the use of unencrypted email to a sub-contractor who has newly joined your supply chain you must:

  • ensure that they have been formally approved by the DWP
  • supply an updated list of your sub-contractors whom you have permitted to use unencrypted email for which unencrypted email process to your supplier manager and agree a start date; and
  • ensure you have completed the necessary assurance process and undertaken the relevant due diligence including confirmation that the sub-contractor is not using any product or service with any offshore elements or links

5.29 You may forward unencrypted emails to an approved sub-contractor and inboxes within your organisation provided that:

  • no more than one Participant’s record at a time is emailed
  • a business need to share the information exists; and
  • the recipient is entitled to receive the information (emails must not be automatically forwarded without ensuring this)

Please note – You must keep a record of where and when you sent the notification form for three months.

5.30 You may decide that you no longer wish one of your sub-contractors to use unencrypted email for a specific process. You must notify your Supplier Manager as soon as possible and provide an updated list of your sub-contractors whom you have permitted to use unencrypted email process to your Supplier Manager. You must agree a date with the Supplier Manager for when the sub-contractor will cease using the unencrypted email for the specific process.

5.31 If you send data to the wrong sub-contractor, you must alert the sub-contractor to the error and ensure that they delete the record. You must keep records of the actions taken for three months.

5.32 If an email was sent to you in error or includes Participants with the wrong details (for example, incorrect NINo) or Participants who belong to a different Provider, please notify your Performance Manager.

5.33 You are not required to retain a record of the emails you have received therefore you must delete the email from your inbox once you have actioned it.

5.34 There may be occasions when due to circumstances such as IT failure you are temporarily unable to receive or send unencrypted emails.

5.35 If you anticipate the situation will continue for 48 hours or longer you must ensure that you inform DWP and revert to clerical methods until the problem is resolved and you are able to use the unencrypted email again.

5.36 You must inform DWP when you will be able to use unencrypted email again prior to starting to use it. DWP will notify colleagues when the clerical process is being used and when unencrypted email is to be re-introduced.

5.37 Similarly, if DWP have an IT failure you must suspend using unencrypted email if you are notified to do so by DWP.

5.38 DWP will notify you if the problem will last for longer than 48 hours and will ask you to revert to the clerical process if appropriate.

5.39 Once resolved, DWP will notify you when unencrypted email has been re-introduced.

Please note: A list of data items to be shared with Providers can be found on Annex B on Jaggaer.