Personal information charter (2024)

The Department for Work and Pensions (DWP) processes lots of personal data, much of it sensitive. We take data protection very seriously and understand how important it is that you can trust us with your information.

This charter explains whose personal information we process, how we use it, why and what for.

If we process your personal information, we will:

• make sure you know why we need it
• only process the personal information we need
• make sure nobody has access to it who should not
• keep it secure
• tell you through this charter or in other ways if we share it with other organisations
• ask you to agree to us sharing your information where you have a choice
• only keep it for as long as we need to
• not make it available for commercial use (such as marketing) without your permission

If we ask you for personal information, you need to:

• give us accurate information
• tell us as soon as possible if there are any changes, such as a new address, when you start work or earn more

This helps us to:

• keep your information accurate and up to date
• pay you the right amount of benefit
• provide the best possible service

If you do not tell us about changes that affect any benefit that DWP is paying you, you may be prosecuted or other sanctions applied.

Data protection principles

We will always comply with data protection law. This says that the personal information we hold about you must be:

1. used lawfully, fairly and in a transparent way

2. collected only for valid purposes that we have clearly explained to you and not used in any way that is incompatible with those purposes

3. relevant to the purposes we have told you about and limited only to those purposes

4. accurate and kept up to date

5. kept only as long as necessary for the purposes we have told you about

6. kept securely

What DWP uses personal information for

DWP collects information to deal with:

• social security (this includes benefits, grants, loans, pensions and Housing Benefit)
• child maintenance
• the investigation or prosecution of offences relating to tax credits and benefits
• prevention and detection of fraud, and protecting public funds
• employment and training
• promoting financial planning for retirement
• policy relating to occupational and personal pension schemes
• research and analysis into matters listed above

The information we collect about you depends on the reason for your business with us, but we may use the information for any of these purposes.

In exceptional circ*mstances DWP may process your information to protect you, your community or the wider public.

DWP uses your National Insurance number to help identify you when you use DWP services. Your National Insurance number is used by DWP and HM Revenue and Customs (HMRC), and Department for Communities if you live in Northern Ireland, and the Scottish Government if you live in Scotland.

DWP’s Compensation Recovery Unit (CRU) is responsible for administering:

• the Compensation Recovery Scheme – under this scheme, CRU works with insurance companies, solicitors and DWP customers to recover amounts of social security benefit paid as a result of an accident, injury or disease, if a compensation payment has been made

• the NHS Injury Cost Recovery Scheme on behalf of the Department of Health and Social Care. CRU recovers costs incurred by NHS hospitals and Ambulance Trusts for treatment from injuries from road traffic accidents where people have received personal injury compensation

DWP provides the Tell Us Once service for government. Information obtained for Tell Us Once is kept separate from other DWP data and is not used for anything else by DWP.

Most DWP offices use closed-circuit television (CCTV) to help manage security and keep people safe. DWP is a tenant of the buildings that we use, and CCTV services are usually provided by either the company we rent the office from, or by the company providing security services for the office. Signs in our offices say who manages the CCTV and who you should contact with any queries about this.

Telephone calls to DWP offices and about DWP services are recorded.

DWP will not use your data to try and sell you things, or sell your data to anyone.

The types of data that DWP use

The types of data that DWP processes about people will depend on the contact that DWP has with them. An easy way to see what kind of information DWP processes for a particular benefit is to look at the claim form for that benefit. Many of these are available on GOV.UK.

Types of data that DWP processes include:

• personal details
• family, lifestyle and social circ*mstances
• financial details
• employment and education details
• goods or services provided
• education and training details
• visual images

DWP also processes sensitive information that may include:

• physical or mental health details
• racial or ethnic origin
• political, religious or other beliefs of a similar nature
• trade union membership
• sexual life
• genetic data
• biometric data
• offences including alleged offences
• criminal proceedings, outcomes and sentences

Who DWP holds information about

DWP processes data about:

• members of the public
• customers and claimants
• people who live in the customer’s or claimant’s household
• suppliers and services providers
• advisers, consultants and other professional experts
• complainants and enquirers
• relatives, guardians and associates
• offenders and suspected offenders
• employees

DWP holds basic information (such as your name, address, date of birth) about everyone who has been allocated a National Insurance number. This information is used by DWP and HMRC, and also by the Department for Communities in Northern Ireland.

This is used by HMRC to keep records of employment and National Insurance contributions, and by DWP to pay benefits, administer pensions. We will hold more detailed information if you have claimed a benefit or used other DWP services.

DWP sometimes needs information about people other than the person who has applied for a benefit or service to work out what that person is entitled to. For example, where a person makes a claim for Universal Credit, we need information about other people who live in the same household to work out how much the person will be paid.

DWP uses data shared by other departments, in particular HMRC and Ministry of Justice, to prevent and detect fraud.

DWP may share information with and get it from other organisations such as:

• other government departments
• local authorities
• social security organisations in other countries
• employers and potential employers
• social landlords
• private-sector bodies, such as energy suppliers, water companies and credit reference agencies
• financial institutions, such as banks and other organisations that may lend you money
• charitable and welfare organisations
• the emergency services
• academic institutions

We do this for a number of reasons, including to:

• check the accuracy of information
• help people with particular difficulties, such as troubled families
• help people get or stay in work
• child maintenance
• help people get education and training to improve their chances of getting work
• support people with independent living, including home help and respite care
• prevent or detect crime
• check payments for services
• to reduce energy bills, improve the energy efficiency of people’s homes and help citizens in fuel and water poverty
• protect public funds
• use for research or statistical purposes
• to protect you or others in an emergency

Some social security services are also delivered under devolution agreements, for example by the Department for Communities in Northern Ireland, the Scottish Government, and some local authorities. DWP shares information when necessary for these services, as permitted by law.

We will only ever give information about you to someone outside DWP if the law allows us to.

DWP service providers

Many DWP services are delivered with the help of other organisations, such as contractors, local authorities, charities and others. We sometimes need to share data with these organisations so they can provide DWP services properly.

In most cases our contracted service providers – for example companies delivering the Work Programme – are acting as DWP’s data processors. This means that DWP is responsible for ensuring they handle your data correctly.

If you have a problem or query about how a DWP service provider is handling your personal data, tell us and we will try to resolve this for you.

Read more about the DWP Data Protection Officer on this page.

How long DWP keeps your data

We keep some basic information for as long as your National Insurance number exists, such as your name, date of birth and address.

Most benefit records (the detailed information you provide us with when you claim a benefit) and information provided for other DWP services are kept after the claim ends for the period necessary for any appeals, reviews and other activity to be completed. Payment records may be kept for longer, usually 6 years if they are relevant to the tax you pay.

DWP holds a lot of different kinds of information for a variety of different reasons, but we are committed to keep only what we need for no longer than is necessary.

Read more on this page about when and how long DWP keeps data.

The legal basis for processing your data

DWP processes personal data because we are required to by law, because it is the function of DWP to do so, or because it is in the public interest. Where this is the case we do not need your consent.

We may sometimes ask for your permission or consent to do something, but only when you have a genuine choice about it. Most of the time – for example when you claim a benefit – you have to provide us with the information we need to see if you are entitled to it, and DWP is required to use that data.

Read more about the legal basis for DWP’s processing on this page.

Processing data offshore

The data for most of DWP’s own systems is processed within the UK. Whenever any DWP data is processed outside of the UK, we always ensure that the data is just as safe as it would be if the processing was in the UK.

Keeping your information safe

DWP treats the security of your information very seriously. We have strict security standards, and all our staff get regular training about how to keep information safe. Read our main security policies.

Artificial intelligence

Artificial intelligence (AI) is the use of digital technology to create systems capable of assisting or performing tasks commonly thought to require intelligence. DWP uses AI to help detect and prevent fraud and error.

DWP does not use AI to replace human judgement to determine or deny a payment to a claimant. A final decision in these circ*mstances always involves a human agent.

Automated decision making

Most of the decisions DWP makes that have a substantial effect on you – for example whether or not you are entitled to a benefit – are made with meaningful input from staff. Review or appeal options are built in to all DWP benefit processes, even where this is not specifically required by data protection laws.

DWP is developing new digital services all the time. If any new services involve automated decision-making, we will tell you about this when the decision is made.

DWP uses of profiling

DWP uses profiling to help:

• avoid asking for information or evidence that we do not need, and make sure we ask for it when necessary
• call handling and providing services – to ensure people speak to the right part of DWP, and are offered additional support to access DWP services if they need it
• tailor support for individuals – for example to suggest skills to develop, offer specialist work coach or other support to help people gain employment
• improve DWP services
• to detect and prevent fraud and error

Data controller information

The Department for Work and Pensions is the data controller.

Where DWP uses contractors to deliver services they are usually acting as DWP’s data processor, and DWP and our processors share responsibility for how your data is handled.

DWP is the parent department for a number of arm’s length bodies – most of these are data controllers in their own right, and are responsible for any personal data that they process.

DWP also works closely with other government data controllers, especially where functions are linked or complement each other such as tax and benefits, or employment and health.

Find out more about how DWP works with other data controllers.

Your rights when DWP uses your information

You have various rights about how DWP uses your data. For example, you have the right to access the data that we hold about you. DWP does not charge for this.

New data protection laws also provide you with:

• the right to be informed (which we do through these pages)
• the right to rectification
• the right to erasure
• the right to restrict processing
• the right to data portability
• the right to object
• the right to not be subject to automated decision-making, including profiling

Right to rectification

You have the right to have inaccurate personal data corrected. Let us know if your circ*mstances change and we will ensure your data is updated. This can be information such as your address, when you start work or when you are earning more. To tell us about a change of information, contact the DWP office or service you have been using.

Right to erasure

This is your right to have personal data erased when it is no longer needed. This is also known as the ‘right to be forgotten’. To find out how long DWP needs and keeps your information, see the section ‘How long DWP keeps your data’ on this page. DWP has to keep information about claims and services for a period after claims have ended, in case appeals or reviews are necessary, and to make sure we have finished any follow-up action.

Right to restrict processing

The General Data Protection Regulation (GDPR) gives you the right to request DWP to restrict processing of your personal data in certain circ*mstances. This may be due to the accuracy of the personal data DWP hold, if the data has been unlawfully processed or DWP no longer needs the data but you would like us to keep it in order to establish, exercise or defend a legal claim. We can refuse to comply if your request is unfounded or excessive, or repetitive in nature but we will justify the decision to you and will inform you of any decision that has been made.

Right to data portability

The right to data portability gives you the right to receive personal data in a structured, commonly used and machine readable format. This right only applies when you have consented to the processing of the data in question.

Right to object

The right to object dictates that you have a right to object to the processing of your personal data, specifically if the data is:

• for direct marketing purposes
• a task carried out in the public interest
• the exercise of official authority or legitimate interest

Rights related to automated decision making including profiling

Automated individual decision-making is a decision made without any human involvement. Profiling involves the use of personal data to evaluate certain personal aspects such as a natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.

The DWP can only carry out solely automated decision making if the decision is:

• necessary for entering into or performance of a contract between you and DWP
• authorised by law
• based on your explicit consent

How to exercise your rights

You can request a copy of the information DWP holds about you.

To exercise or ask about any of your other rights, complete the DWP information rights request form (ODT, 31.8 KB).

For any other data protection questions or comments, see the section on the Data Protection Officer’s team on this page.

You also have the right to complain to the Information Commissioner if you are concerned about how DWP is processing your data. If you are going to do this, we would ask you to give DWP the chance to try and put it right or address your concerns first, by contacting our Data Protection Officer using the contact details on this page.

Read the Information Commissioner’s guidance on reporting concerns.

DWP’s Data Protection Officer

DWP has appointed a Data Protection Officer. The role of the Data Protection Officer is to make sure DWP is compliant with data protection laws and to act as a point of contact for data subjects.

You can contact the Data Protection Officer by post at:

Or by email at: data.protectionofficer@dwp.gov.uk.

If you want access to, or a copy of, information that DWP holds about you, use the guidance that’s available online rather than writing to the Data Protection Officer.

Contact the Data Protection Officer at DWP before contacting the ICO.

More about when and how long DWP keeps personal information

The length of time DWP keeps your data will depend on the type of DWP services you use, what kind of information it is, and whether it is information that is needed as evidence to support a benefit claim or other DWP service.

Read the main instructions to DWP staff on how to manage information.

Often we will delete or destroy records in specific exercises through the year to do this more efficiently and save money. Rather than destroying every piece of information due for destruction on a particular day or week, we may do this on a monthly or quarterly basis and destroy all information of a particular type that has expired in the previous period.

More about the legal basis for DWP’s processing

Data protection laws do not allow personal information to be used or processed unless some specific conditions are met.

For personal data, the condition that applies to most processing done by DWP is that it is necessary for “a function of a government department”, which is allowed by section 8 of the new Data Protection Act, and Article 6(1)(e) of the GDPR.

For sensitive personal information, such as information about health, most processing by DWP meets the condition that it is “necessary for the purposes of … employment, social security and social protection”. This is allowed by section 10 of the new Data Protection Act and Article 9(2)(b) of the GDPR.

There may be some circ*mstances where DWP relies on other conditions to process personal information or sensitive personal information, but we will tell you separately if this happens.

How DWP works with other data controllers

DWP works closely with other parts of government to help deliver social security and other services. For most day-to-day DWP business, DWP is the data controller and is responsible for all aspects of how information is used. But for some of the areas where DWP works together with other organisations, we share responsibility for how your personal data is used. This section explains how this works.

HMRC

DWP and HMRC work very closely together, and share information often. This is because benefits and pensions are affected by how much you earn and the National Insurance contributions you have paid. Benefits, pensions and other payments you receive from DWP affect how much tax you have to pay, or tax credits that HMRC pay you.

DWP and HMRC can use the same reference number to identify people – your National Insurance number. DWP and HMRC are jointly responsible for deciding how National Insurance numbers can be used, who can use them, and the other personal information associated with them.

DWP and HMRC both use the same computer system (the Customer Information System) to keep a record of which National Insurance number relates to which person, and to record basic information about everyone who has a National Insurance number.

Find out more about National Insurance numbers and what they are used for.

Department of Health and Social Care (DHSC)

DWP, DHSC and the NHS work together and share information often to deliver a number of services, including:

• UK Global Health Insurance Card (GHIC), European Health Insurance Card (EHIC) and other overseas healthcare services
• checking entitlement to free prescriptions and other healthcare services such as fares to hospital
• compensation recovery services

Local authorities

DWP and local authorities work together and share information often to provide a number of services, including those related to housing, welfare, health and social care, and disability.

Ministry of Defence

DWP makes payments to veterans for the Ministry of Defence.

Arm’s length bodies

DWP is the parent department for a number of arm’s length bodies. Some arm’s length bodies are data controllers in their own right, and responsible for all aspects of how they use personal data. These arm’s length bodies are:

• Health and Safety Executive
• The Pensions Advisory Service
• The Pensions Regulator
• National Employment Savings Trust (NEST) Corporation
• Disabled Peoples Employment Corporation
• Pensions Ombudsman
• Pensions Protection Fund Ombudsman
• Pension Protection Fund
• Office for Nuclear Regulation

See full list of arm’s length bodies.

Office for National Statistics (ONS)

ONS collect, analyse and publish statistics about the UK’s economy, population and society. DWP may supply personal information we hold about you to ONS to help them carry out this function.

Find out more about ONS and how they manage personal data.

Northern Ireland

For people living in Northern Ireland, the Department for Communities is responsible for many of the same services that DWP provides in England, Wales and Scotland. The Department for Communities pays similar benefits to DWP and also uses the National Insurance number for similar purposes, so some IT and other services are shared between DWP and the Department for Communities.

The Department for Communities is the data controller for information about benefits and services they provide in Northern Ireland, but some data controller responsibilities are shared where we use the same IT systems.

Northern Ireland departments also provide some services such as call centres and benefit processing to DWP. Where they do this they are acting as DWP’s data processor, and DWP remains the data controller.

Scotland

Responsibility for some aspects of social security for people in Scotland have been devolved to the Scottish Government, and more will be devolved in the future. Current legislation allows DWP to share information with Scottish ministers for functions which have been devolved.

As devolution continues, Scottish ministers will be responsible for more social security matters, including some benefits. DWP shares information with Scottish ministers to support the services they are responsible for. Sometimes DWP may also act as a data processor for Scottish ministers to help deliver their services. The letters and notifications for the services will tell you when DWP is acting as a data processor for Scottish ministers.

Changes to this policy

This charter was updated on:

• 21 July 2023 to include academic institutions in the list of types of organisations that DWP shares information with
• 1 July 2022 to update the information about how DWP works with local authorities
• 24 June 2022 to remove references to the Vaccine Damage Payment scheme and amend details of how DWP works with the DHSC

When our charter or policy changes, we will update this page. Check this page to make sure you are aware of what information we collect, how we use it and the circ*mstances where we may share it with other organisations.