Guidance

Chapter 15: Data Sharing between DWP and Providers

Updated 23 December 2024

ESF Requirement Changes

1. When referring to ESF Requirements within this chapter please note the following changes to ESF Requirements effective from 24 July 2023 (England)

  • providers no longer need to submit or process ESF 14-20 Initial or ESF 14-20 End forms for Participants
  • products can be updated to remove ESF logos. Changes to existing products and any new marketing and publicity materials should be sent to WHP.ENQUIRIES@DWP.GOV.UK for approval.
  • providers should continue to use the current template for Good News Stories.
  • participants you have already submitted ESF 14-20 Initial and ESF 14-20 End forms for over the lifetime of your WHP contract continue to be subject to ESF obligations. This includes Audit requirements and the ESF Document Retention Policy which at present is expected to be 2034.

In addition to the above, ESF requirements do not apply to participants started on or after 1 November 2022.

Please note: You are expected to continue to complete and to share Good News Stories with your Performance Manager as part of your contract with DWP.

Please note: Please follow the processes outlined for both WHP Core and WHP Pioneer. Elements that are exempt from this can be found in Chapter 2b WHP Pioneer eligibility and entry points.

Introduction

2. The purpose of this chapter is to summarise all the elements of data that will be shared between the Department and you. The following paragraphs focus on the customer journey from referral stage through to when they finish the programme. We explain the type of data which will be shared and the sources of this, including the overarching processes in place.

3. As a Provider you will have been required to submit a Security Plan at the procurement stage. Once assured by the Department this demonstrates your suitability to receive and store information as well as confirming that you comply with the DWP Security Policy (which includes compliance with such standards as ISO/IEC27001). See further information about our security procedures can be found here: Generic Provider Guidance Chapter 8 – Information Security

Data transfer at the start of the programme

4. DWP may send you personal and special category information about participants. This will include documents detailing disability status and barriers to work. This data must be securely stored and with procedures in place which allow it to be retrieved from your systems. Some or all the data may be forwarded to your sub-contractors.

5. Individual data items are listed here:

  • Personal Information – This information will include the following data fields. (Note this list is not exhaustive);
  • Full name including title
  • National Insurance number (NINO)
  • Full address including post code
  • Telephone number inc area code
  • Other telephone number (mobile)
  • Unique PRaP Referral identifier
  • Client Number

6. This information will be largely transferred to you via the Department’s Provider Referral and Payment System (PRaP). If it is not appropriate to use PRaP this information will be shared by email. Further information is provided at paragraphs 10 and 11.

7. PRaP has a robust security accreditation level (IL2) in relation to data storage. This is reviewed annually or whenever there are any system updates/changes. In addition to this other PRaP features include:

  • The ability to limit Provider access until they have met the Department’s security standards.
  • Access Control – Audits are undertaken every 30 days to ensure the right people have access.
  • Provider access via Government Gateway which is a secure internet gateway which has its own security standards (owned by HMRC).

8. Multi Agency Public Protection Arrangement (MAPPA) participants will be referred through PRaP. Further information can be found in Chapter 3 - Acknowledging Referrals, Initial Participant Engagement and Registering a Start.

9. Participants who have been granted Special Client Record (SCR) status will always be referred to you clerically using the SL2 clerical referral form.

Data transfer during the programme

10. When the Department becomes aware of any changes in Participant information, they will notify you via a change of circumstances notification form (WHP07). Further information can be found in Work and Health Programme including WHP Pioneer Provider Guidance Chapter 10 – Change of Circumstances and Notifications.

11. Where the Participant is also a benefit claimant, you must notify Jobcentre Plus using the Change of Circumstances notification form WHP07 if you are informed that:

  • the Participant has disengaged with you (voluntary participants only)
  • the Participant has re-engaged with you following a disengagement (voluntary participants only)

12. There are also circumstances we expect you to notify the department about for mandated participants such as when they fail to engage with mandated activity or fail to attend. Please see:

  • Work and Health Programme Chapter 3 – Acknowledging referrals, initial Participant engagement and registering a start
  • Chapter 5a – Mandation to activity attracting a Low level sanction
  • Chapter 5b – Mandation to activity attracting a Higher Level sanction; and
  • Chapter 7 – Entitlement doubt, Chapter 8 – Raising a compliance doubt for LTU Participants and Chapter 9- Re-compliance and reviewing a compliance doubt

13. There is also a requirement for you to notify the Department when you employ a WHP Participant in your employment business. You must complete a WHP Employment Business Customer Form and provide the following information:

  • customer name
  • NINO
  • date employment commenced.

14. You must send this by unencrypted email, at least five days before first salary payment, to the Department’s Payment Team Central Inbox: [email protected]

15. The Department will be validating employment outcomes using employment and earnings data submitted using HMRC PAYE on line earnings data submitted by employers.

16. We will share some information about participant earnings with you. This will include a Participant’s first pay date and confirmation that they have reached the earning threshold to achieve an outcome. Further information can be found in Work and Health Programme including WHP Pioneer Provider Guidance Chapter 14 – Validation.

Data transfer at the end of programme

17. You are required to complete Exit Reports for each Participant listed in Chapter 11. To improve quality and consistency we have developed a standard form for you to complete. Further information on exit reports can be found in Chapter 11 – Programme Completers and Early Exits.

18. You will have considered the level of information needed in the exit report when you developed your systems and processes. This includes (but is not limited to):

  • Participant Surname
  • Participant National Insurance number (NINO)
  • Summary – How the Participant benefited from the Work and Health Programme, and the progress against the activities undertaken by the Participant whilst on the Work and Health Programme
  • Employability – your opinion on the Participants employment prospects, the type of employment which might be appropriate
  • Next steps – your recommendations to Jobcentre Plus on the most appropriate next steps for the Participant. There is a minimum word count for this free text entry to ensure a consistent quality referral.

19. To help ensure you tailor packages to individuals, you should encourage participants to share with you directly any appropriate information about their previous efforts to secure employment/move closer to the job market as will their JCP Work Coach. As some of these customers are vulnerable we ask you to act sensitively when trying to obtain this information.

20. You may use the DWP templates or you may use your own template providing it has been approved by DWP Further information can be found in Work and Health Programme including WHP Pioneer Provider Guidance Chapter 11 – Programme Completers and Early Exits.

For Participants started on or after 1 November 2022

21. The final Action Plan must be updated and detail all individual activities agreed and completed between you and the Participant during their time on Work and Health Programme.

22. You are not required to issue a copy of the final Action Plan to Jobcentre Plus; however, you must issue the final Action Plan to your Participant and encourage them to share this with Jobcentre Plus during your Work and Health Programme completers discussion.

23. This final Action Plan becomes the Participants Exit document and will be a key tool to determine the most appropriate support required for your Participant when they return to Jobcentre Plus.

24. Further information can be found in Work and Health Programme including WHP Pioneer Provider Guidance Chapter 11 – Programme Completers and Early Exits.

Provider receives a request to erase Participant information

25. There may be occasions when you receive a request from a Participant to erase their personal information from your records.

26. Upon receipt of the request you should acknowledge the request from the Participant and issue a holding response immediately detailing that the query will be dealt with within one month.

27. You should forward the details of the request to the following email addresses: DATA.PROTECTIONOFFICER@DWP.GOV.UK and copy in the WHP Enquiries team, email address: WHP[email protected]

28. You will receive a generic email containing a reference number and the actions that you should take from the Data Protection Office (DPO) team. The reference number must be used with all correspondence with the DPO team.

29. Before responding to the Participant, you should then consider the following information before agreeing to any information being removed.

Customers who have been referred to WHP and did not start take the following action:

30. You should consider the following scenarios and take the most appropriate action outlined below when you receive a request to erase a customer’s personal information.

31. For Voluntary customers. If the customer never started on the programme, there is no requirement to retain any of the personal information as the referral information will be kept on DWP systems.

32. For a Long Term Unemployed (LTU) customer (WHP). If the customer never started on the programme and were not mandated to any provider interview, before you input a Did Not attend (DNA) code into PRaP, there is no requirement to retain any of the customer personal information as the referral information will be kept on DWP systems.

33. Once you have considered these scenarios, and you agree to the erasure of the customer’s personal information, you must either issue the accepted letter WHP RTE Acc (letter which approves the request to erase the information) or respond with your own communication.

34. You should then forward the response email (including letter or communication from yourself) with the reference number to the Data Protection Office, email address: DATA.PROTECTIONOFFICER@DWP.GOV.UK and copy in the WHP enquiry inbox, email address: WHP.ENQUIRIES@DWP.GOV.UK

35. All responses must be issued within one month of receipt of the request from the customer and must contain the reference number supplied to you.

Please note: All additions and changes to the letters (including logos) must be signed off by ESF marketing team at: CEPESF14-20.MARKETING-PUBLICITY@DWP.GOV.UK

36. For all other scenarios you should consider the following and take the appropriate action outlined:

Mandated customer who have not started on the programme

37. For LTU customer (WHP participants) – If you have mandated the participant to attend an appointment with you which they don’t attend, then mandation activity is undertaken and a DNA is input, you must keep all supporting evidence on the compliance doubt. The supporting evidence should be retained in line with current retention policies.

38. Under these circumstances, you must follow the guidance and either issue the rejected letter WHP RTE REJ detailing the right of erasure to personal information has been rejected or respond with your own communication to the customer.

39. You must forward the response email (including the letter/communication) with the reference number to the data protection office. email address: DATA.PROTECTIONOFFICER@DWP.GOV.UK and send a copy to the WHP enquiry inbox, email address: WHP.ENQUIRIES@DWP.GOV.UK

40. All additions and changes to the letters (including logos) must be signed off by ESF marketing team at: CEPESF14-20.MARKETING-PUBLICITY@DWP.GOV.UK.

Please note: Under all circumstances you must keep evidence and personal information in line with your own retention periods as outlined in your contracts. Information retained on the mandation activity must be retained for a minimum of 13 months from the date you (the provider) are notified of the decisions maker’s decision.

Participants who have started provision

41. For any Participant who has started on the programme, you must retain all information for official functions and duties, the right of erasure does not apply in these circumstances. The following information must be kept:

  • All mandation activity (including evidence)
  • All ESF forms including, ESF1420: European Social Fund – ESF Participant Referral Form (Initial), ESF1420: European Social Fund – ESF End Data, etc.
  • evidence demonstrating customer journey and,
  • payments.
  • For mandated customers any mandated information should be retained for a minimum of 13 months from the decision maker’s decision.

Please note: this list is not exhaustive.

Please note: For ESF audit purposes, retention is for up to 10 years after the programme ends and their final ESF claim is paid. Further information is provided in Generic Provider Guidance Chapter 11b, Page 4, sections 7-29 on ESF Audit requirements.

42. Under these circumstances, you must follow the guidance and either issue the rejected letter WHP RTE REJ detailing the right to erasure of personal information has been rejected or respond with your own communication to the Participant.

43. You must forward the response email (including the letter/communication) with the reference number to the data protection office. email address: DATA.PROTECTION@DWP.GOV.UK and send a copy to the WHP enquiry inbox, email address: WHP.ENQUIRIES@DWP.GOV.UK

Please note: All additions and changes to the letters (including logos) must be signed off by ESF marketing team at: CEPESF14-20.MARKETING-PUBLICITY@DWP.GOV.UK

44. All responses must be issued within one month of receipt of the request from the Participant and must contain the reference number supplied.

Please note: Under all circumstances you must keep evidence and personal information in line with your own retention periods as outlined in your contracts. Information retained on the mandation activity must be retained for a minimum of 13 months from the date you (the provider) are notified of the decisions maker’s decision.

Document retention

45. All documents, whether clerical or electronic, carrying personal information should be retained securely in line with the WHP Contract and Data Protection Act Principles.

Use of Unencrypted Email

46. You must be able to communicate with and receive communications from the Department by unencrypted email as required.

47. Before DWP approves you to use unencrypted email for the first time for a specific process there are steps you must undertake to comply with DWP security requirements. You must email [email protected] with any request to use unencrypted email and comply with the implementation and assurance requirements specified by DWP prior to beginning to use of unencrypted email.

48. Before allowing your sub-contractors to use the unencrypted email for any new process, you must have ensured that the sub-contractor has been formally approved by DWP and you have undertaken any necessary due diligence. Further detail can be found in: Generic Provider Guidance Chapter 8 – Information Security.

49. The following processes are the only approved processes that you may use unencrypted email for. You are not permitted to use unencrypted email for these or any other purpose without the written permission of the Department.

  • Exit Reports
  • Raising a Compliance Doubt and notifying participant re-compliance following a sanction
  • Reporting Changes of Circumstances
  • WHP Employment Business Customer’ Form
  • ESF 14-20 form
  • WHPS01 form (self-referral)
  • List of 500 names and NINOS
  • Good news stories.

50. Unencrypted emails sent to you by the Department will always be sent to a dedicated Provider inbox agreed by you and DWP for Work and Health Programme.

51. You must only use unencrypted email for sending information to the Department with the written permission of the Department and in line with existing exemptions. Further detail can be found in: Generic Provider Guidance Chapter 8 – Information Security.

52. When you use unencrypted email to send information to the Department you must adhere to the restrictions stipulated within Generic Provider Guidance Chapter 8 – Information Security. The following restrictions relate to the processes in the above paragraph and will include all or part of the following:

  • only one record per email (except for the requirements to share information between Prime Providers, their Supply Chain and Third parties)
  • standard email content
  • standard template completed and included in email
  • Email sent from and to a designated inbox.

53. Please refer to Generic Provider Guidance Chapter 8 – Information Security for unencrypted email exemptions not specifically detailed above.

54. If you wish to extend the use of unencrypted email to one of your existing DWP approved sub-contractors who was not named on the list you initially supplied, you must supply an updated list to your Supplier Manager and agree a date for the new sub-contractor to begin using the unencrypted email process.

55. If you wish to extend the use of unencrypted email to a sub-contractor who has newly joined your supply chain you must:

  • ensure that they have been formally approved by the Department
  • supply an updated list of your sub-contractors whom you have permitted to use unencrypted email for which unencrypted email process to your supplier manager and agree a start date
  • Ensure you have completed the necessary assurance process and undertaken the relevant due diligence including confirmation that the sub-contractor is not using any product or service with any offshore elements or links.

56. You may forward unencrypted emails to an approved sub-contractor and inboxes within your organisation provided that:

  • No more than one Participant record at a time is emailed.
  • a business need to share the information exists.
  • the recipient is entitled to receive the information (emails must not be automatically forwarded without ensuring this).

Please note: You must keep a record of where and when you sent the notification form for three months.

57. You may decide that you no longer wish one of your sub-contractors to use unencrypted email for a specific process. You must notify your Supplier Manager as soon as possible and provide an updated list of your sub-contractors whom you have permitted to use unencrypted email process to your Supplier Manager. You must agree a date with the Supplier Manager for when the sub-contractor will cease using the unencrypted email for the specific process.

58. If you send data to the wrong sub-contractor, you must alert the sub-contractor to the error and ensure that they delete the record. You must keep records of the actions taken for three months.

59. If an email was sent to you in error or includes participants with the wrong details (e.g. incorrect NINO) or participants who belong to a different Provider, please notify your Performance Manager.

60. You are not required to retain a record of the emails you have received therefore you must delete the email from your inbox once you have actioned it.

61. There may be occasions when due to circumstances such as IT failure you are temporarily unable to receive or send unencrypted emails.

62. If you anticipate the situation will continue for 48 hours or longer you must ensure that you inform the Department and revert to clerical methods until the problem is resolved and you are able to use the unencrypted email again.

63. You must inform the Department when you will be able to use unencrypted email again prior to starting to use it. The Department will notify colleagues when the clerical process is being used and when unencrypted email is to be re-introduced.

64. Similarly, if the Department have an I.T. failure you must suspend using unencrypted email if you are notified to do so by the Department.

65. The Department will notify you if the problem will last for longer than 48 hours and will ask you to revert to the clerical process if appropriate.

66. Once resolved, the Department will notify you when unencrypted email has been re-introduced.

IT Equipment ‘Fair Use Policy’

67. The Provider should implement ‘Fair Use Policy’ for any IT equipment issued to participants to be used where the Provider feels that issuing IT equipment to participants with multiple barriers to work and/or have a disability will support in overcoming these barriers.

68. Provider should have discussions with the participants around ‘Fair Use’ of the IT equipment. As good practice, in addition to these discussions, Providers may wish to issue a ‘Fair Use’ form to participants that have been issued with IT equipment to help strengthen the message. Further information on the IT Equipment ‘Fair Use Policy’ can be found in Chapter 1: Introduction and Overview

Annex A

List of data items to be shared with Providers (new items may be added at a future date)

Data item Data item Data item Data item Data item
Unique PRaP Referral Identifier Customer Title Customer Forename Customer Surname Verified Address (including postcode)
National Insurance Number Claimant Reference Number Telephone Number Disability Status  
  Additional Information Other Activities Agreed restrictions Additional Information (free text on Action Plan)
Voluntary or Mandatory Referral Mandatory Work Related Activity JCP Adviser Name (Forename, Surname and Initials) JCP Adviser Officer Code Claimant Deceased  
      Referral date  
Voluntary Early Entry Category Incident marker Child care requirements Balance of Time Welsh spoken and written indicators
Fast Track Status Joint Claimant’s name Joint Claimant’s title Joint Claimant’s National Insurance Number Disadvantaged group, early entry
Barriers to Work Additional support / reasonable adjustments (e.g. New Work Capability outcome) Admission / discharge hospital Appointee / Power of Attorney Caring responsibilities
Change of benefit (e.g. off JSA to IS/ESA) Change of conditionality group/labour market regime which impacts participation on WHP Changes to participant’s conditionality Changes that affect participant’s work-related requirements (e.g. Jury service, civic duties, domestic emergency, easements for domestic abuse/violence)  
Claim termination / benefit ends Death Imprisoned / leaves prison JSA extended period of sickness Moves to live abroad
New claim to benefit e.g. UC Partner enters / leaves household Part-Time education Period of sickness (restrictions and duration) Restrictions (e.g. attendance)
Starts / ends work (inc p/t, vol, s/e, permitted) Signing day/cycle (excludes NEA) Outcome of Self-Employment Gateway Interview and subsequent quarterly interviews (if appropriate) Claimants first payment date Claimants earnings reach £1,000
Claimants earnings reach £2,000 Claimant’s earnings reaching the National Threshold of approximately £3000. The actual figure is based on the national minimum wage at any given time, and is therefore subject to change)      

Should you require a copy of any of the forms mentioned in this chapter, please email: WHP.ENQUIRIES@DWP.GOV.UK