
New claims, 2FA and GDPR

Dan Manville
forum member

Greater Manchester Law Centre

Total Posts: 510

Joined: 22 January 2020

I am testing the water here.

I watched the debates about helping people to make new claims and respected voices saying it would likely be a breach of GDPR to be recording people’s login credentials in any form. I didn’t really need to contribute at the time as the job didn’t demand it.

How have the GDPR concerns evolved now that we’ve got two factor authentication in play? Are people still referring in to HtC? I’m thinking that 2FA mitigates a lot of concerns about agencies being able to access clients’ accounts; they can’t any more!

I am faced, potentially, with a project that would mean a lot of new UC claimants. Can we help?

Jo_Smith
forum member

Citizens Advice Hillingdon

Total Posts: 361

Joined: 3 October 2018

Hi Dan, when you log into a client’s UCJ, there is an option “remember me for one week”. If the client does not access their account from their device, you can do so from yours, without having to pass through 2FA.
You can also make various changes even if you are in the account just once; although not changes which would make money flow to you, because changing bank details, phone numbers or some other features still requires a call from the CM or a visit to the JCP.

So, there is a potential for risk, harm or mischief from people without professional integrity.

BUT! Remember the actual escalation numbers, when you can speak with people with decision-making authority, without client present, and find out all sorts of things or tell them things about client?
Or writing to DWP, attaching previously saved signed consent from the client, and changing details on the client’s claim?

Yes, so if there is a will, there is a way (to breach data protection rules).

In my mind, this all has to be balanced with the realistic plan to offer the best help for a client. If the client can easily log in or come in to my office etc, then there is no need to access their Journal. I taught clients how to save Journals as PDF or send me screenshots. But there will always be clients who need me to access their UCJ and there is just no way around it. So I do. I just do not record any details, I tell the client to change the password afterwards and, if necessary, I advise them about switching to a phone claim (separate issue, but I would only advise a change in rare circumstances as phone claims are defo a hellhole and a real barrier for vulnerable people, and I made a ranty post about it here some time ago).

Rebecca Lough
forum member

Welfare rights - Greenwich Council

Total Posts: 253

Joined: 23 November 2018

We both help people make new claims and regularly access their journal - with their consent. With the two factor, we get clients to read out the code when they get it and talk clients through what we’re looking at or doing on the claim, again obviously only with their consent.

We have created a specific process for retaining the login details of vulnerable claimants in encrypted documents - again only with their consent. This is a limited pool of people as most of our clients know their login details, so we would not retain the information of those who can freely give the information when needed.

I think being able to access claims in this way means we are able to meaningfully help clients resolve their issues and can reassure them about why we want or need access in any given situation. For those who don’t want to share details, we accept this without issue and find another way but having direct access is often extremely helpful in identifying what the issue is and fixing it.

My two cents.

past caring
forum member

Welfare Rights Adviser - Southwark Law Centre, Peckham

Total Posts: 1156

Joined: 25 February 2014

Said it before, but I’ll say it again. I think the whole GDPR thing is a nonsense/red-herring.

Pre-UC and online claim management, as professional advice workers we have always kept on file clients’ personal data. And stored sufficient personal data (DOB, NINo, address, telephone number, very often bank details) that would allow us to pass security or satisfy implicit consent requirements. That has always been a necessary part of the job. And it’s always been recognised as such. But the data that we kept on file would also almost certainly have allowed us to impersonate clients if we chose - we didn’t, because ethics/we’re professional/we just wouldn’t - take your pick.

UC being administered online and the client having a username and password changes none of that. If the client wants to share that data with us, that’s their choice, not the DWP’s. Of course, we have a duty to store a client’s data securely and to ensure there aren’t data breaches. But that duty exists whether in respect of their NINo and date of birth or the UC username and password.

2FA presents practical problems/nullifies to some extent the utility of storing the username and password. Though a quick phone call “I want to access your journal, the DWP will text you a code, can you call me and let me know what it is when you get it?” can deal with that. I have plenty of clients who either cannot reliably tell me or understand what has been entered on their journal or who live too far away to come into the office for the sole purpose of enabling me to have what will be no more than a 5 minute glance at the journal.

I know that I’m acting ethically and in the interests of my client. That’s good enough for me.

Va1der
forum member

Welfare Rights Officer with SWAMP Glasgow

Total Posts: 706

Joined: 7 May 2019

In this day and age, with the prevalence of fraud and scams, we have an implicit duty to bolster the resilience of our clients - all the more so when dealing with the circumstances in which we’d ask for their passwords.

Passwords are materially different from other sensitive information. Partly because they are keys - and thus as a ‘keyholder’ you face fewer obstacles in opening the door. You could climb in an open window regardless, but confidently walking through the door raises fewer checks and leaves fewer traces of your interaction. Many services also have a ‘warranty void if password revealed’ type policy, which can add to the issue.

More importantly, they are often UNIVERSAL keys. People have horrible password habits: their passwords are simple, and they either use the same password for many services, or very similar versions of them. Having one password, you could thus likely access many services in short order.

The simplest defence is to never reveal a password, and by convincing someone they should reveal it to you, you create an exception to that rule. To my mind that means a key part of any service that takes passwords from clients needs a policy that makes it very clear to clients why this exception applies and how to identify legitimate exceptions.

If you don’t have physical offices, call from a mobile (or hidden number), and have never met the client (or someone they trust implicitly) in person etc etc, then you have a very high bar to overcome to present as a legitimate exception. Failing to do so likely makes an already vulnerable client more vulnerable.

It’s entirely doable, and defensible, but it demands careful consideration and I think many people underestimate it.

Mike Hughes
forum member

Senior welfare rights officer - Salford City Council Welfare Rights Service

Total Posts: 3141

Joined: 17 June 2010

There is also the thorny question of safeguarding which seems to be disregarded in these discussions. Is it appropriate to access the journal of someone so vulnerable that they may then believe that it is okay to share such data with others? I pose it as a question but anyone involved in safeguarding will see the answer as fairly clear cut. GDPR is but one of the issues on the table here.

Dan Manville
forum member

Greater Manchester Law Centre

Total Posts: 510

Joined: 22 January 2020

Bank details? Never have I recorded bank details. The DWP guidance went to lengths to explain to staff that we didn’t need them and wouldn’t ask for them, and I reassure myself that’s the case. I’d rather hold for 45 minutes than have a row with a call handler over the information they asked of me. I do recall the days when ravenhurst

I do see Mike & Alex’s point above, but safeguarding doesn’t carry a potential £2m fine…

I do access people’s journals, but I make a song and dance about not recording their credentials and that they’ll need to provide them every time they need me to do so, to reinforce the concerns Alex has raised. I’d much rather they come to the office and show me, but after what we’ve just been through the last couple of years that’s evolved somewhat.

2FA insulates against some of the concerns that were ventilated when last this debate raged.
past caring
forum member

Welfare Rights Adviser - Southwark Law Centre, Peckham

Total Posts: 1156

Joined: 25 February 2014

Dan Manville - 21 November 2022 11:38 AM

Bank details? Never have I recorded bank details.

Neither have I in the sense of noting the details in my case notes or in any section on client details.

But I’ve had untold cases where I’ve needed a client’s bank statements for evidential reasons - which then means they’re on file. I can’t be alone in this, surely?

Va1der
forum member

Welfare Rights Officer with SWAMP Glasgow

Total Posts: 706

Joined: 7 May 2019

I have a policy of minimal retention - so would generally blot out any sensitive info (such as banking details) that isn’t useful to us.

Mostly a matter of good practice imho - ensuring individuals have as much control of their own data as possible etc. Just so happens that’s also in line with GDPR guidance.

past caring
forum member

Welfare Rights Adviser - Southwark Law Centre, Peckham

Total Posts: 1156

Joined: 25 February 2014

I’d not ask for bank statements if I didn’t actually need them to progress a case - almost invariably, that will be in an appeal. Redaction doesn’t work in those cases.