Personal information charter

Our personal information charter (or privacy policy) contains the standards you can expect from us, how and why we use your personal information, and your rights and responsibilities.

The Department for Work and Pensions (DWP) processes lots of personal data, much of it sensitive. We take data protection very seriously, and understand how important it is that you can trust us with your information.

This charter explains how we use personal data, why, and what for.

Ask for a copy of the information we hold about you

To ask for a copy of the personal information DWP holds about you, please use our request for personal information form.

Our personal information charter

If we ask you for personal information, we will:

  • make sure you know why we need it
  • only ask for what we need
  • make sure nobody has access to it who should not
  • keep it secure
  • tell you if we share it with other organisations
  • ask you to agree to us sharing your information where you have a choice
  • only keep it for as long as we need to
  • not make it available for commercial use (such as marketing) without your permission

In return, we ask you to:

  • give us accurate information
  • tell us as soon as possible if there are any changes, such as a new address, when you start work or earn more

This helps us to keep your information accurate and up to date, and to pay you the right amount of benefit.

If you do not tell us about changes that affect any benefit that DWP is paying you, you may be prosecuted or other sanctions applied.

Data protection principles

We will always comply with data protection law. This says that the personal information we hold about you must be:

  1. used lawfully, fairly and in a transparent way

  2. collected only for valid purposes that we have clearly explained to you and not used in any way that is incompatible with those purposes

  3. relevant to the purposes we have told you about and limited only to those purposes

  4. accurate and kept up to date

  5. kept only as long as necessary for the purposes we have told you about

  6. kept securely

What DWP uses personal information for

DWP collects information to deal with:

  • social security (this includes benefits, grants, loans, pensions and Housing Benefit)
  • child maintenance
  • the investigation or prosecution of offences relating to tax credits and benefits
  • prevention and detection of fraud, and protecting public funds
  • employment and training
  • promoting financial planning for retirement
  • policy relating to occupational and personal pension schemes
  • research and analysis into matters listed above

The information we collect about you depends on the reason for your business with us, but we may use the information for any of these purposes.

DWP uses your National Insurance number to help identify you when you use DWP services. Your National Insurance number is used by DWP and HM Revenue & Customs (HMRC), and Department for Communities if you live in Northern Ireland, and the Scottish Government if you live in Scotland.

DWP provides some other services for government. These include services such as the Tell Us Once service. DWP also manages the Vaccine Damage Payment Scheme jointly with the Department of Health, and also provides some other services to the Department of Health. Information obtained for each of these services is kept separate from other DWP data, and is not used for anything else by DWP. Read more about how each of these services uses information:

Most DWP offices use closed-circuit television (CCTV) to help manage security and keep people safe. DWP is a tenant of the buildings that we use, and CCTV services are usually provided by either the company we rent the office from, or by the company providing security services for the office. Signs in our offices say who manages the CCTV and who you should contact with any queries about this.

Telephone calls to DWP offices and about DWP services are recorded.

DWP will not use your data to try and sell you things, or sell your data to anyone.

The types of data that DWP use

The types of data that DWP processes about people will depend on the contact that DWP has with them. An easy way to see what kind of information DWP processes for a particular benefit is to look at the claim form for that benefit. Many of these are available on GOV.UK.

Types of data that DWP processes include:

  • personal details
  • family, lifestyle and social circumstances
  • financial details
  • employment and education details
  • goods or services provided
  • education and training details
  • visual images

DWP also processes sensitive information that may include:

  • physical or mental health details
  • racial or ethnic origin
  • political, religious or other beliefs of a similar nature
  • trade union membership
  • sexual life
  • genetic data
  • biometric data
  • offences including alleged offences
  • criminal proceedings, outcomes and sentences

Who DWP holds information about

DWP processes data about:

  • members of the public
  • customers and claimants
  • suppliers and services providers
  • advisers, consultants and other professional experts
  • complainants and enquirers
  • relatives, guardians and associates
  • offenders and suspected offenders
  • employees

DWP holds basic information (such as your name, address, date of birth) about everyone who has been allocated a National Insurance number. This information is used by DWP and HMRC, and also by the Department for Communities in Northern Ireland.

This is used by HMRC to keep records of employment and National Insurance contributions, and by DWP to pay benefits, administer pensions. We will hold more detailed information if you have claimed a benefit or used other DWP services.

How DWP shares information about you

When you are using a DWP service (for example claiming a benefit) DWP will share some of the information you have given us with other organisations such as:

  • other government departments
  • local authorities
  • social security organisations in other countries
  • employers and potential employers
  • social landlords
  • private-sector bodies, such as banks and organisations that may lend you money

We do this for a number of reasons, including to:

  • check the accuracy of information
  • help people with particular difficulties, such as troubled families
  • help people get or stay in work
  • child maintenance
  • help people get education and training to improve their chances of getting work
  • support people with independent living, including home help and respite care
  • prevent or detect crime
  • check payments for services
  • protect public funds
  • use for research or statistical purposes

Some social security services are also delivered under devolution agreements, for example by the Department for Communities in Northern Ireland, the Scottish Government, and some local authorities. DWP shares information when necessary for these services, as permitted by law.

We will only ever give information about you to someone outside DWP if the law allows us to.

DWP service providers

Many DWP services are delivered with the help of other organisations, such as contractors, local authorities, charities and others. We sometimes need to share data with these organisations so they can provide DWP services properly.

In most cases our contracted service providers – for example companies delivering the Work Programme – are acting as DWP’s data processors. This means that DWP is responsible for ensuring they handle your data correctly.

If you have a problem or query about how a DWP service provider is handling your personal data, please tell us and we will try to resolve this for you.

Read more about the DWP Data Protection Officer on this page.

How long DWP keeps your data

We keep some basic information for as long as your National Insurance number exists, such as your name, date of birth and address.

Most benefit records (the detailed information you provide us with when you claim a benefit) and information provided for other DWP services are kept after the claim ends for the period necessary for any appeals, reviews and other activity to be completed. Payment records may be kept for longer, usually 6 years if they are relevant to the tax you pay.

DWP holds a lot of different kinds of information for a variety of different reasons, but we are committed to keep only what we need for no longer than is necessary.

Read more on this page about when and how long DWP keeps data.

DWP processes personal data because we are required to by law, because it is the function of DWP to do so, or because it is in the public interest. Where this is the case we do not need your consent.

We may sometimes ask for your permission or consent to do something, but only when you have a genuine choice about it. Most of the time – for example when you claim a benefit – you have to provide us with the information we need to see if you are entitled to it, and DWP is required to use that data.

Read more about the legal basis for DWP’s processing on this page.

Processing data offshore

The data for most of DWP’s own systems is processed within the UK. Whenever any DWP data is processed outside of the UK, we always ensure that the data is just as safe as it would be if the processing was in the UK.

Keeping your information safe

DWP treats the security of your information very seriously. We have strict security standards, and all our staff get regular training about how to keep information safe. Read our main security policies.

Automated decision making

The decisions DWP makes that have a substantial effect on you – for example whether or not you are entitled to a benefit – are made with meaningful input from staff. Review or appeal options are built in to all DWP benefit processes, even where this is not specifically required by data protection laws.

DWP is developing new digital services all the time. If any new services involve automated decision-making, we will tell you about this when the decision is made.

DWP uses of profiling

DWP uses profiling to help:

  • avoid asking for information or evidence that we do not need, and make sure we ask for it when necessary
  • call handling and providing services – to ensure people speak to the right part of DWP, and are offered additional support to access DWP services if they need it
  • tailor support for individuals – for example to suggest skills to develop, offer specialist work coach or other support to help people gain employment
  • improve DWP services
  • to detect and prevent fraud and error

Data controller information

The Department for Work and Pensions is the data controller.

Where DWP uses contractors to deliver services they are usually acting as DWP’s data processor, and DWP and our processors share responsibility for how your data is handled.

DWP is the parent department for a number of arm’s length bodies – most of these are data controllers in their own right, and are responsible for any personal data that they process.

DWP also works closely with other government data controllers, especially where functions are linked or complement each other such as tax and benefits, or employment and health.

Find out more about how DWP works with other data controllers.

Your rights when DWP uses your information

You have various rights about how DWP uses your data. For example, you have the right to access the data that we hold about you. DWP does not charge for this.

New data protection laws also provide you with:

  • the right to be informed (which we do through these pages)
  • the right to rectification
  • the right to erasure
  • the right to restrict processing
  • the right to data portability
  • the right to object
  • the right to not be subject to automated decision-making, including profiling

Right to rectification

You have the right to have inaccurate personal data corrected. Let us know if your circumstances change and we will ensure your data is updated. This can be information such as your address, when you start work or when you are earning more. To tell us about a change of information, please contact the DWP office or service you have been using.

Right to erasure

This is your right to have personal data erased when it is no longer needed. This is also known as the ‘right to be forgotten’. To find out how long DWP needs and keeps your information, see the section ‘How long DWP keeps your data’ on this page. DWP has to keep information about claims and services for a period after claims have ended, in case appeals or reviews are necessary, and to make sure we have finished any follow-up action.

Right to restrict processing

The General Data Protection Regulation (GDPR) gives you the right to request DWP to restrict processing of your personal data in certain circumstances. This may be due to the accuracy of the personal data DWP hold, if the data has been unlawfully processed or DWP no longer needs the data but you would like us to keep it in order to establish, exercise or defend a legal claim. We can refuse to comply if your request is unfounded or excessive, or repetitive in nature but we will justify the decision to you and will inform you of any decision that has been made.

Right to data portability

The right to data portability gives you the right to receive personal data in a structured, commonly used and machine readable format. This right only applies when you have consented to the processing of the data in question.

Right to object

The right to object dictates that you have a right to object to the processing of your personal data, specifically if the data is:

  • for direct marketing purposes
  • a task carried out in the public interest
  • the exercise of official authority or legitimate interest

Automated individual decision-making is a decision made without any human involvement. Profiling involves the use of personal data to evaluate certain personal aspects such as a natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.

The DWP can only carry out solely automated decision making if the decision is:

  • necessary for entering into or performance of a contract between you and DWP
  • authorised by law
  • based on your explicit consent
How to exercise your rights

You can request a copy of the information DWP holds about you.

To exercise or ask about any of your other rights, please complete the DWP information rights request form (ODT, 31.8KB) .

For any other data protection questions or comments please see the section on the Data Protection Officer’s team on this page.

You also have the right to complain to the Information Commissioner if you are concerned about how DWP is processing your data. If you are going to do this, we would ask you to give DWP the chance to try and put it right or address your concerns first, by contacting our Data Protection Officer using the contact details on this page.

Read the Information Commissioner’s guidance on reporting concerns.

DWP’s Data Protection Officer

DWP has appointed a Data Protection Officer. The role of the Data Protection Officer is to make sure DWP is compliant with data protection laws and to act as a point of contact for data subjects.

The DWPs Data Protection Officer is Dominic Hartley. You can contact the Data Protection Officer by post at:

DWP Data Protection Team
Benton Park View 5
Mail Handling Site A
Wolverhampton
WV98 1ZX

Or by email at: data.protectionofficer@dwp.gsi.gov.uk.

If you want access to, or a copy of, information that DWP holds about you, use the guidance that’s available online rather than writing to the Data Protection Officer.

Please contact the Data Protection Officer at DWP before contacting the ICO.

More about when and how long DWP keeps data

The length of time DWP keeps your data will depend on the type of DWP services you use, what kind of information it is, and whether it is information that is needed as evidence to support a benefit claim or other DWP service.

Read the main instructions to DWP staff on how to manage information.

Often we will delete or destroy records in specific exercises through the year to do this more efficiently and save money. Rather than destroying every piece of information due for destruction on a particular day or week, we may do this on a monthly or quarterly basis and destroy all information of a particular type that has expired in the previous period.

Data protection laws do not allow personal information to be used or processed unless some specific conditions are met.

For personal data, the condition that applies to most processing done by DWP is that it is necessary for “a function of a government department”, which is allowed by section 8 of the new Data Protection Act, and Article 6(1)(e) of the GDPR.

For sensitive personal information, such as information about health, most processing by DWP meets the condition that it is “necessary for the purposes of … employment, social security and social protection”. This is allowed by section 10 of the new Data Protection Act and Article 9(2)(b) of the GDPR.

There may be some circumstances where DWP relies on other conditions to process personal information or sensitive personal information, but we will tell you separately if this happens.

How DWP works with other data controllers

DWP works closely with other parts of government to help deliver social security and other services. For most day-to-day DWP business, DWP is the data controller and is responsible for all aspects of how information is used. But for some of the areas where DWP works together with other organisations, we share responsibility for how your personal data is used. This section explains how this works.

HMRC

DWP and HMRC work very closely together, and share information often. This is because benefits and pensions are affected by how much you earn and the National Insurance contributions you have paid. Benefits, pensions and other payments you receive from DWP affect how much tax you have to pay, or tax credits that HMRC pay you.

DWP and HMRC can use the same reference number to identify people – your National Insurance number. DWP and HMRC are jointly responsible for deciding how National Insurance numbers can be used, who can use them, and the other personal information associated with them.

DWP and HMRC both use the same computer system (the Customer Information System) to keep a record of which National Insurance number relates to which person, and to record basic information about everyone who has a National Insurance number.

Find out more about National Insurance numbers and what they are used for.

Department of Health and Social Care

DWP provides some services for the Department of Health and Social Care, and is acting as their data processor when we do this. These services include:

  • the Vaccine Damage Payment Unit
  • European Health Insurance Cards (EHIC) and recovering costs of healthcare provided to European Union (EU) nationals from other member states
  • checking entitlement to free prescriptions and other healthcare services such as fares to hospital
  • compensation recovery services

Ministry of Defence

DWP makes payments to veterans for the Ministry of Defence.

Arm’s length bodies

DWP is the parent department for a number of arm’s length bodies. Some arm’s length bodies are data controllers in their own right, and responsible for all aspects of how they use personal data. These arm’s length bodies are:

  • Health and Safety Executive
  • The Pensions Advisory Service
  • The Pensions Regulator
  • National Employment Savings Trust (NEST) Corporation
  • Disabled Peoples Employment Corporation
  • Pensions Ombudsman
  • Pensions Protection Fund Ombudsman
  • Pension Protection Fund
  • Office for Nuclear Regulation

See full list of arm’s length bodies.

Northern Ireland

For people living in Northern Ireland, the Department for Communities is responsible for many of the same services that DWP provides in England, Wales and Scotland. The Department for Communities pays similar benefits to DWP and also uses the National Insurance number for similar purposes, so some IT and other services are shared between DWP and the Department for Communities.

The Department for Communities is the data controller for information about benefits and services they provide in Northern Ireland, but some data controller responsibilities are shared where we use the same IT systems.

Northern Ireland departments also provide some services such as call centres and benefit processing to DWP. Where they do this they are acting as DWP’s data processor, and DWP remains the data controller.

Scotland

Responsibility for some aspects of social security for people in Scotland have been devolved to the Scottish Government, and more will be devolved in the future. Current legislation allows DWP to share information with the Scottish Government for functions which have been devolved.

As devolution continues, the Scottish Government will be responsible for more social security matters, including some benefits. DWP shares information with the Scottish Government to support the services they are responsible for. Sometimes DWP may also act as a data processor for the Scottish Government to help deliver their services. The letters and notifications for the services will tell you when DWP is acting as a data processor for the Scottish Government.

Changes to this policy

If our charter or policy changes, we will update this page. Check this page to make sure you are aware of what information we collect, how we use it and the circumstances where we may share it with other organisations.