The Department for Work and Pensions says it takes breaches ‘extremely seriously’
The DWP has been forced to boot out snoopers after revealing staff have been sacked for wrongly looking at personal data. Large numbers of its workers have also been disciplined, the department has admitted.
The revelation came in a parliamentary response to a question that had been submitted by a Tory MP. Mike Wood, MP for Kingswinford and South Staffordshire, had asked the Department for Work and Pensions “whether there have been any (a) disciplinary actions and (b) dismissals of (i) DWP and (ii) executive agency officials for unauthorised access to personal data since July 2024.
This week, the DWP responded to the MP’s question. They said seven people had been dismissed as a result of ‘unauthorised access’. More than 200 people working for the department have had a disciplinary case opened against them in the last 12 months.
Andrew Western, Parliamentary Under-Secretary for the Department for Work and Pensions, said: “DWP takes its responsibility to safeguard personal data extremely seriously. All staff have an obligation to report suspected breaches; security responsibilities are covered in mandatory security training, undertaken annually.
“As of 28 February 2026, we have 94,876 employees in the Department, of which, there are 227 individuals who have a disciplinary case currently open or closed within the last 12 months relating to ‘Unauthorised Access’, of which 7 individuals were dismissed. These figures cover both paid and unpaid Department for Work and Pensions staff only.” He added that information on the other parts of the question would “only be available at disproportionate cost as data is not held on central DWP systems.”
DWP rules on not misusing personal information
The DWP’s document on acceptable use policy was last updated in April this year. Its wording explains where ‘unauthorised access’ may occur. The document, which is written for employees, contractors, agents, and consultants who have access to DWP systems and data, states that users must: “Understand that they and DWP have a legal responsibility to protect personal and sensitive information and must not misuse their official position to further private interests or those of others. See the Civil Service Code and Standards of Behaviour Policy.”
It also notes that they must “ensure that all information is created, used, shared and disposed of in line with business need and in compliance with the Information Management Policy, Information Asset Inventory Guidance and Retention of Specific Information Guidance.”
It in addition says that users must “not attempt to access anyone’s personal data unless there is a legitimate business need that is appropriate to their job role. Users must not, under any circumstances, knowingly access, or attempt to access, their own DWP records or the records of friends, family members, ex-partners, relatives or anyone else they know on any Departmental computer, paper file or benefit system, irrespective of motivation.”
