DWP managing customer records guide
Updated 17 April 2024
© Crown copyright 2024
This publication is licensed under the terms of the Open Government Licence v3.0 except where otherwise stated. To view this licence, visit nationalarchives.gov.uk/doc/open-government-licence/version/3 or write to the Information Policy Team, The National Archives, Kew, London TW9 4DU, or email: psi@nationalarchives.gov.uk.
Where we have identified any third party copyright information you will need to obtain permission from the copyright holders concerned.
This publication is available at https://www.gov.uk/government/publications/dwp-information-management-policies/dwp-managing-customer-records-guide
This is version 6.0 and is effective from 11 March 2024.
1. Overview
1.1. Department for Work and Pensions (DWP) is legally required to manage its customer records to ensure it complies with data protection legislation, including the Data Protection Act (DPA) 2018 and General Data Protection Regulation (GDPR). The legislation requires that any personal data must be:
- processed lawfully, fairly and in a transparent manner
- collected for specified, explicit and legitimate purposes
- adequate, relevant and limited to what is necessary
- accurate and kept up to date
- kept for no longer than is necessary
- processed securely
2. Scope
2.1. Compliance with these instructions is the responsibility of all DWP staff.
3. Policy Statement
3.1. Classification of records
3.1.1. DWP has two classifications of customer records: Supporting Records or Non-supporting / Ephemeral Records. See Appendix 2.1 for definitions.
3.2. How long do I keep records?
3.2.1. Supporting records (see Appendix 2.1: Definitions): Standard retention is 24 months. See Appendix 2.2: Retention by line of business. Supporting records are retained for 24 months after DWP’s live interest in the claim has ended see 5.2 for a list of live interests.
3.2.2. Ephemeral records see (Appendix 2.1 Definitions): These should be retained locally for 4-weeks, and then electronic records should be deleted, and paper records must be destroyed via confidential waste.
3.3. Telephone call recording
3.3.1. Specific retention periods apply for telephone calls recorded in DWP operations. These are as follows:
3.3.2. Supporting calls: 24 months from date of call and then deleted.
3.3.3. All DWP staff must comply with the above guidelines.
3.3.4. If there is a need to retain telephony records for longer than the standard retention period a change request must be applied for.
3.4. SMS text messages
3.4.1. The full content of the SMS, including the mobile number to which the SMS was sent, to be retained for 90 days.
3.5. Destruction of benefit records
3.5.1. When destroying benefit documents / data, we are applying DWP Information Management Policy (IMP) and not the UK General Data Protection Act (UK GDPR). The UK GDPR does not specify retention periods.
3.6. Destruction embargoes
3.6.1. Destruction embargoes or easements to current retention periods may be applied to customer records from time to time based on business need. These can be applied to records irrespective of format.
3.7. Sending benefit records to Stores
3.7.1. Benefit documents must be recorded on RS Web before being sent to Remote Stores.
4. Accountabilities and Responsibilities – General retention principles
4.1. Users must
4.1.1. Only retain information required to support a claim by applying the principles of what is ‘supporting’ and what is ‘ephemeral’.
4.1.2. Apply retention periods to all claim documents or data whether the claim is successful or not.
4.1.3. Destroy all paper documents that are scanned into electronic systems within 4 weeks of being scanned.
4.1.4. Retain clerical benefits, including Armed Forces Independence Payment (AFIP) locally, apart from Industrial Injuries Disablement Benefit (IIDB) claims which should be sent to Remote Stores.
4.1.5. Photocopy documents identified as valuable. The original should be returned to the claimant and the photocopy sent to Remote Stores.
4.1.6. Save customer information in the right place for the right length of time.
4.2. Users must not
4.2.1. Print any documents relating to a benefit that are uploaded onto the Enterprise Content Management System (ECMS) unless they are required to support an appeal or prosecution where access to DRS is not available.
4.2.2. Print information stored on electronic systems, including Universal Credit Build (UCB) and Child Maintenance System (CMS) 2012 unless it is required to support an appeal or prosecution, and access to these systems is not available.
4.2.3. Retain duplicate information under any circumstances.
4.2.4. Retain customer records ‘just in case’ they may be needed at some point in the future.
4.2.5. Retain supporting records locally for longer than 4 weeks after they have been uploaded to ECMS/DRS. Once supporting documents have been uploaded to ECMS/DRS they can be destroyed.
4.2.6. Send non supporting/ephemeral records to Remote Stores under any circumstances.
4.2.7. Send Non-Associated Post (NAP) to Remote Stores if it does not have a parent file (a live original claim) there already.
5. Accountabilities and Responsibilities – Guidance for specific customer records
5.1. General records
5.1.1. Retention for all lines of business can be found at Appendix 2.2: Retention by line of business.
5.1.2. Applicable retention periods are applied to customer records, whether they are, telephony, paper based or uploaded onto ECMS/DRS.
5.1.3. If the case has the following DWP interest, the customer or benefit record must be retained until end of interest, then the normal retention period applies. DWP Interest is defined in 5.2.
5.2. Ongoing action
5.2.1. Debt Management including: overpayments, Compensation Recovery (CRU), civil proceedings and Recovery from Estates.
5.2.2. Appeals including: Mandatory Reconsiderations.
5.2.3. Customer feedback or complaints being dealt with by Independent Case Examiner (ICE) cases and Parliamentary Health and Service Ombudsman (PHSO) Cases only.
5.2.4. Criminal Cases Review Commission cases.
5.2.5. Cases subject to a Performance Measurement check.
6. Compliance
6.1. Compliance with this policy is the responsibility of all DWP staff, contractors, third parties and suppliers working on the DWP estate.
6.2. Line managers are responsible for ensuring that all DWP staff, contractors, third parties and suppliers working on the DWP estate understand their responsibilities as defined in this policy and that they continue to meet its requirements for the duration of their employment within DWP. It is a line manager’s responsibility to take appropriate action if individuals fail to comply with this policy.
6.3. The DWP Security and Data Protection Team will regularly assess compliance with this Policy and may inspect technology systems, paper holdings, design, processes, people and physical locations to facilitate this. All staff, contractors, third parties and suppliers, who create, handle or store information on the DWP estate are required to facilitate, support, and when necessary participate in these inspection requests.
6.4. Employees are responsible for ensuring that they understand their responsibilities as defined in this policy and the Acceptable Use Policy.
6.5. Once this document has been read and understood by a member of staff, they should record the information in line with the Security Responsibilities Checklist.
7. Appendices
Appendix 2.1 Definitions
| Term | Definition |
|---|---|
| Customer records | include any piece of information that relates to our claimants or customers regardless of its content and format (i.e., the retention policy is ‘format neutral’) |
| What is a Customer Record? | A customer record is the personal data created, received, processed and/or maintained by DWP, regardless of format, including but not limited to that which is essential to fulfil the DWP’s legal obligation to administer pension, welfare and Child Maintenance cases on behalf of customers, and for the prevention and detection of fraud. |
| Handling of Lists Containing Personal Data | Personal data about an individual/group of individuals held solely to manage workflow and caseload, (e.g. lists or spreadsheets for reports, trackers etc….) and which contains details of multiple customers is not a ‘customer record’. These lists are information assets. |
| Supporting records | documents or data that support a benefit or child maintenance outcome decision, and contains information on how that decision was made. It is generally information that would be supplied in the event of an appeal or fraud investigation, or that affects the amount of benefit paid or child maintenance assessment. See Appendix 2.2: Retention by line of business for the standard retention of customer documents. |
| Non-supporting or Ephemeral records | documents or data that do not fit into the definition of supporting documents. These are of a general nature and do not affect the claim in any way. For example, general enquiries, internal templates, front cover sheets. |
| End of live interest | The retention period is ‘triggered’ when a case is closed or at the end of DWP interest. DWP interest includes: • fraud investigation has ended, • overpayment has been repaid |
Appendix 2.2 - Retention by Line of Business
DWP managing customer records guide - Appendix 2.2: Retention by line of business.