MHCLG Data Protection Impact Assessment (DPIA ... · Understanding the impact of the Homelessness...


DPIA Homelessness Data Linking

v0.1

MHCLG Data Protection Impact Assessment (DPIA): Understanding the impact of the Homelessness Programmes and the Homelessness Reduction Act 2017

Submitting controller details

Name of controller: MHCLG

Title of DPO: Data Protection Officer

Name of controller contact /DPO: [email protected]

The need for a DPIA

Project Aims

HCLIC (Homelessness Case Level Information Collection)

The sharing of data gathered for HCLIC is for research purposes only and aims to provide central government departments, local public services and delivery partners with valuable information about the cycle of homelessness and its impact on outcomes, as well as the impact and cost benefit of interventions and services targeted at reducing homelessness. The information should be useful to inform future service reform and investment decisions. Data sharing is necessary to observe the effectiveness of Homelessness Programmes and the Homelessness Reduction Act 2017 on a wide range of different outcomes that it aims to affect, spanning the remit of different Government Departments; and to control for household and individual characteristics.

This datashare will improve the evidence base for homelessness and be used to inform policy and investment decisions across government and local public services. In particular, it will aid and improve understanding of how households and individuals cycle in and out of homelessness over time and across the country; how homelessness impacts on a range of outcomes for individuals and household members, in particular young people; whether Homelessness Programmes and the 2017 Act improve outcomes for households and individuals; and the long term outcomes for those accommodated in response to covid-19. The Ministry of Housing Communities and Local Government will use the data gathered to provide local areas and other government departments with aggregate level findings on the following:


• the characteristics of individuals and households who are homeless;

• historic problems (e.g. health problems, levels of offending over previous years, whether members have experienced entrenched worklessness);

• the fiscal costs associated with these individuals/households before and after intervention; and

• assessments of effectiveness, covering a range of outcomes.

Guidance for local authorities about the project and issuing privacy notices is published on the GSS H-CLIC page.

Type of Processing

The project involves sharing personal identifiers and personal data between local authorities and MHCLG. The personal identifiers provided by local authorities will be processed by ONS (MHCLG’s trusted third party processor) to create an ONS ID that can be used to link together Homelessness Case Level Information Collection (HCLIC) Data submissions over time and across local authority boundaries. In the future it is hoped that the data can also be linked to other datasets, such as Rough Sleeping Questionnaire (RSQ), The Troubled Families Evaluation Dataset, and data from other Government Departments (OGDs), such as Ministry of Justice, Department for Education and Department for Work and Pensions/Her Majesty’s Revenue and Customs and health agencies (NHS Digital and Public Health England). The resulting dataset created for this project will be shared with ONS (in a de-identified form) to be made available to bona fide academics in the Secure Research Service (SRS). Data sharing will take place between local authorities and national public bodies and data sharing agreements will be agreed between MHCLG and each party. The data gathered for the project will be de-identified to allow use for research only.

Why we need a DPIA

The project involves the processing of personal data and personal identifiers and data sharing between multiple bodies. The datasets resulting from the project will bring together multiple datasets at an individual and household level and include some area level data – increasing the risk of identification of individuals. Steps are taken to minimise the risk of identifying individuals and households, such as ensuring the personal identifiers are never held/processed alongside the attribute data and are handled by separate teams (this process is standard practice within ONS, health agencies and OGDs). This document sets out the measures to mitigate the risks to individuals of identification and to reduce the impact of the project on them, as well as the steps taken to meet the requirements of the Data Protection Legislation.


Description of the processing

How will we collect and use data?

Personal identifiers (referred to as HCLIC PI) and HCLIC attribute data (referred to as HCLIC Data) will be submitted by Local Authorities using an XML upload to the MHCLG DELTA system. This is a secure data collection system accredited to store OFFICIAL-SENSITIVE data.

The HCLIC PI are submitted to a separate part of the DELTA system to the HCLIC Data. The HCLIC PI submission includes a unique LA individual identifier (ID) and household ID which facilitates data matching to other data. The HCLIC Data also includes these LA IDs. ONS only will have access to the HCLIC PI and LA IDs throughout the project. The MHCLG Analysis Team only will have access to the HCLIC Data with the LA IDs at the start of the project.

ONS will use the HCLIC PI data to create a look-up table of LA IDs against newly created ONS IDs (individual and household level IDs).

The look-up table will be used by MHCLG to replace the LA IDs contained within the HCLIC Data with the ONS generated IDs. These new ONS IDs should remain consistent over time and facilitate linking the HCLIC Data for the same individuals and households over time.

The look-up table will also be used by ONS to create datasets of HCLIC PI and ONS IDs for matching HCLIC Data to data from OGDs and health agency data.

MHCLG will use de-identified datasets matched together using the ONS IDs to carry out analysis (to include at least individual and household level data from HCLIC and in future the RSQ and data from OGDs). MHCLG may agree with health agencies (NHS Digital and Public Health England) to match to health data in the future – this is likely to involve sending HCLIC and OGD attribute data to health agencies for analysis.

MHCLG will return a de-identified version of the HCLIC dataset to ONS to be made available to bona fide researchers in the Secure Research Service (SRS). This will also allow for HCLIC Data to be matched to other data in the future, such as mortality data, further education data.

Files will be password protected before they are transferred and all data transfers between parties will meet Government Standards for securely transferring data, e.g. XML uploads, using Egress. The personal identifiers and attribute data will be processed by separate teams and the personal identifiers replaced by ONS IDs at the earliest opportunity to reduce the risk of identifying individuals and households.
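
The separation of roles described above, sketched as an added example that is not MHCLG's or ONS's code. The matching rule (normalised National Insurance Number, otherwise name plus date of birth), the random ID format, and every field name and record are assumptions constructed for illustration; the DPIA does not state how ONS IDs are generated.

```python
import secrets

# Constructed sample submissions. HCLIC PI is seen only by the linkage team
# (the ONS role); HCLIC Data only by the analysis team (the MHCLG role).
# Both submissions carry the LA ID, which is the only join key between them.
HCLIC_PI = [
    {"la_id": "LA1-0001", "name": "Alex Smith", "dob": "1990-01-02",
     "postcode": "AB1 2CD", "nino": "QQ123456A"},
    # Same person presenting later in a different local authority.
    {"la_id": "LA2-0417", "name": "alex smith ", "dob": "1990-01-02",
     "postcode": "EF3 4GH", "nino": "qq 12 34 56 a"},
    {"la_id": "LA1-0002", "name": "Sam Jones", "dob": "1985-06-30",
     "postcode": "AB1 2CD", "nino": ""},
]
HCLIC_DATA = [
    {"la_id": "LA1-0001", "quarter": "2020-Q2", "duty": "prevention"},
    {"la_id": "LA2-0417", "quarter": "2021-Q1", "duty": "relief"},
    {"la_id": "LA1-0002", "quarter": "2020-Q2", "duty": "relief"},
    # Household objected: attribute data submitted, personal identifiers withheld.
    {"la_id": "LA3-0099", "quarter": "2020-Q3", "duty": "prevention"},
]

PI_FIELDS = {"la_id", "name", "dob", "postcode", "nino"}


def _match_key(rec):
    """Assumed linkage rule: normalised NINO if present, else name + DOB."""
    nino = "".join(rec.get("nino", "").split()).upper()
    if nino:
        return ("nino", nino)
    name = " ".join(rec["name"].lower().split())
    return ("name_dob", name, rec["dob"])


def build_lookup(pi_records, spine=None):
    """Linkage-team step. Returns (lookup, spine).

    lookup: LA ID -> ONS ID, with no personal identifiers, safe to hand over.
    spine:  match key -> ONS ID, stays inside the linkage environment; passing
            the previous spine back in keeps ONS IDs stable across quarters.
    """
    spine = dict(spine or {})
    lookup = {}
    for rec in pi_records:
        key = _match_key(rec)
        if key not in spine:
            # Random rather than derived from the identifiers, so the ID
            # cannot be recomputed by someone who knows a person's details.
            spine[key] = "ONS-" + secrets.token_hex(8)
        lookup[rec["la_id"]] = spine[key]
    return lookup, spine


def apply_lookup(attribute_rows, lookup):
    """Analysis-team step: replace the LA ID with the ONS ID in each row."""
    out = []
    for row in attribute_rows:
        new = {k: v for k, v in row.items() if k != "la_id"}
        # None marks a row with no PI submission; it stays unlinked.
        new["ons_id"] = lookup.get(row["la_id"])
        out.append(new)
    return out


def check_deidentified(rows):
    """Release check: refuse a dataset that still carries PI fields or LA IDs."""
    leaked = sorted({k for r in rows for k in r} & PI_FIELDS)
    if leaked:
        raise ValueError(f"identifier fields present: {leaked}")
    return True


if __name__ == "__main__":
    lookup, spine = build_lookup(HCLIC_PI)          # linkage team
    deidentified = apply_lookup(HCLIC_DATA, lookup)  # analysis team
    check_deidentified(deidentified)
    for row in deidentified:
        print(row)
```

The two records for the same person in different local authorities receive one ONS ID, and the row whose identifiers were withheld passes through with no ID rather than being dropped.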

See Data Flow Diagram below (a larger version of the HCLIC Data Flows is included in Annex A).

Annex A also includes data flows for the related research on Costs and Housing First, which are projects gathering the Rough Sleeping Questionnaire data (RSEQ); these are included for information only and are covered by a separate DPIA.


How do we store data?

MHCLG

The HCLIC Data collected for this project will be saved to a MHCLG access-controlled folder on a secure server (this meets the required standard for storing OFFICIAL-SENSITIVE data). This data will be only accessible to the Homelessness Analysis Team, password protected and stored only in the restricted access folder.

ONS

The HCLIC PI data will be stored in the Secure Linkage Facility at all times and access will be limited to authorised personnel only. The datasets of HCLIC PI will be stored separately and will not be combined with attribute data or handled by the same members of staff at any time.

How do we delete data?

Staff at MHCLG and ONS will securely destroy/overwrite all datasets according to the timescales agreed and set out in this DPIA (see Scope of Processing below). Data sharing agreements with other parties (for example other Government Departments) will set out destruction dates for any personal data.

What types of processing are high risk

Multiple datasets, including some sensitive information (ethnicity, criminal behaviour, child safeguarding, substance misuse, health problems) will be brought together with area level information. This increases the risk of disclosure. There are risks of a data incident, for example during transfer or access to the data.

[Figure: data flow diagram, "Homelessness Case Level Data Linking 2020-2025". Elements shown: Local Authority (HCLIC); DELTA system for personal identifiers; DELTA system for attribute data; Linked ID spine; Look-up table; ID spine to link HCLIC A; ONS Data Access Platform; MHCLG Secure Data Analysis; MHCLG Homelessness Team use; ONS Secure Research Service; De-identified data made available in the SRS; Researcher outputs.

Key: Red line – personal identifiable data (e.g. names, DOB). Amber line – de-identified data (characteristics, attributes). Green line – non-identifiable data (aggregate level results, tables). H-CLIC – Homelessness Case Level Data. HCLIC A – Homelessness Case Level Attribute Data. Look-up table includes ONS IDs alongside LA IDs only.]

MHCLG have considered the potential risk of harm to the data subjects in the event of data loss or unauthorised disclosure and have sought to minimise such risks by putting in place safeguards. A security operating procedure has been agreed between parties involved in sharing data (MHCLG and ONS). MHCLG and local authorities (and in future other government departments/health agencies) will only use and share the minimum and proportionate amount of information required for the project:

• Access to confidential information will be on a strict need-to-know basis;

• All parties understand their responsibilities in relation to data protection legislation;

• Every effort will be made to consider and minimise risks of identification (or re-identification) to data subjects and households arising from all aspects of data handling;

• Measures will be taken to remove the sensitivity of the data through pseudonymisation and anonymisation; and

• technical and security measures will be put in place and strictly adhered to by those processing/sharing the data.

The scope of the processing

Nature of the data

HCLIC PI and HCLIC Data to be gathered for this project includes the following (with sensitive personal data highlighted in bold). The data collection includes special category and criminal offence data.

HCLIC personal identifiers (HCLIC PI)

• Names
• Dates of birth
• Postcode
• National Insurance Number

HCLIC attribute data (HCLIC Data)

• The characteristics of each household member (Ethnicity, Gender, Sexual Orientation)
• Reasons for the application (includes Domestic Abuse)
• Any support needs in the household (Domestic Abuse, Sexual Abuse, offending history, physical and mental health issues, substance misuse)
• Prevention/activity if the Prevention Duty is owed
• Relief/activity if the Relief Duty is owed
• Decision/activity if the case proceeds to an assessment for a final homelessness duty
• Final duties/activity if the case was assessed as owed a final homelessness duty
• Assistance with support needs received by the household
• Provision of temporary accommodation and/or if a temporary accommodation duty is owed
• Any reviews requested of decisions made by the local authority

To note: data from other government departments (OGDs) has not yet been agreed, but it is part of future plans. Data that will be shared by OGDs may include the following:

National Pupil Database

• Children in care
• Length of time in care
• Children in need
• Child Protection Plans
• Length of time in care
• Time on unauthorised absences
• Proportion of time spent absent
• Exclusions from school (temporary and permanent)
• SEN
• Eligibility for free school meals
• Pupil attainment (at the key stages and for each subject)
• Whether attending a pupil referral unit
• Length of time attended a pupil referral unit
• Type of setting

Work and Pensions Longitudinal Study

• Whether adults are claiming benefits and type of benefit (present and past)
• Whether participating in any work Programmes
• Whether adults are in employment
• Nature of health problem, if on incapacity benefits
• Income, tax and tax credits

Single Housing Benefit Extract

• Income (to identify low paid workers)
• Tenancy type
• Benefit type (housing benefit, council tax relief)

Police National Computer

• Number of criminal convictions (present and past)
• Number of offences and type
• Disposals

P-NOMIS

• Length of prison sentence
• Length of prison sentence served

How often will we collect data?

Local Authorities currently submit HCLIC Data to the MHCLG DELTA system quarterly each year (in April, July, October, January). They will be asked to submit HCLIC PI data at the same time.

Data from other government departments will be agreed in the future.

How long will we keep data?

HCLIC data retention

Table 1: Retention and destruction of datasets – those needed for a short time and for carrying out QA checks

| Description of dataset | Parties retaining dataset | Team responsible | Retention Period |
| LA IDs and personal identifiers | MHCLG (Delta) | Automated process | 10 years |
| ONS IDs, LA IDs and personal identifiers | MHCLG (ONS) | ONS | Indefinitely* |
| ONS IDs and personal identifiers | MHCLG (ONS) | ONS | Indefinitely* |
| ONS IDs and OGDs data | DfE, DWP, MoJ, MHCLG (HA Team) | DfE, DWP, MoJ, HA Team | 1 year |
| ONS IDs and derived variables from OGD data | HA Team, MHCLG | HA Team | 2 years |

HA Team: Homelessness Analysis Team
*review every 5 years with ONS and local authorities

Table 2: Retention and destruction of look up tables and de-identified datasets – those needed to be retained for longer/indefinitely

| Description of dataset | Parties retaining dataset | Team responsible | Retention Period |
| LA IDs and case level HCLIC data | MHCLG (Delta) | N/A | 10 years |
| ONS IDs and LA IDs only (look-up table) | MHCLG, ONS | MHCLG, ONS | Indefinitely* |
| ONS IDs, HCLIC data | MHCLG (HA Team) | HA Team | Indefinitely* |
| ONS IDs, HCLIC data, RSQ and OGDs data | MHCLG (HA Team) | HA Team | 10 years |

HA Team: Homelessness Analysis Team
*review every 5 years with ONS and local authorities

The data destruction tables set out the length of time identifiable data (HCLIC PI) will be retained for this project. MHCLG need to better understand whether individuals and households are cycling in and out of the system and moving across local authority boundaries. For this reason it is anticipated that personal identifiers will need to be retained by MHCLG (and ONS acting as a processor on their behalf) to monitor trends over a longer period of time. The retention of the HCLIC PI data will be reviewed with all parties every 5 years.

MHCLG propose to retain the identifiable data indefinitely, with regular 5 yearly reviews in place to ensure the data is only retained if required. MHCLG propose that there is value in retaining the identifiable data for longer than 10 years to assess the later life outcomes of children currently at risk of homelessness. MHCLG will only process the personal data within the terms of data protection laws and will only keep it as long as we have a lawful basis to do so. MHCLG will delete any data securely and only keep it for as long as necessary for our work as a public body. A de-identified version of the HCLIC dataset will be retained. This is because the data will be useful to see the outcomes of children who are in the dataset over the next few years and in 10 or 20 years or so. This will be reviewed at the 10 year point and at regular intervals thereafter to ensure it is fit for purpose.

How many individuals are affected


HCLIC data

The quantity of records is uncertain at present. We estimate the project will involve the processing and matching of approximately 825,000 individuals (275,000 households) per year.

What geographical area does it cover

England only

The context of the processing

The nature of MHCLG’s relationship with the individuals

MHCLG does not have a direct relationship with individuals. For the collection of HCLIC data, MHCLG will rely on Local Authorities to inform households about this project through the use of privacy notices. The HCLIC data is collected by Local Authorities on households who are at risk of homelessness (to record the support a household is provided) and more recently on rough sleepers accommodated during the covid-19 period (from March 2020). MHCLG will issue their own privacy notice in relation to this project on gov.uk.

How much control will individuals have?

Households providing data for HCLIC will be informed by Local Authorities about how their data is being used (this includes adults and children). The privacy notices let households and rough sleepers know their data is being shared to enable MHCLG to fulfil its statutory functions (i.e. reduce homelessness). There is no option to opt out of the project; however, if a household objected to their data being shared we would expect a Local Authority to remove their personal identifiers from the data submission (not the de-identified HCLIC data submission). This is included in the guidance to Local Authorities.

MHCLG acknowledge the groups included in this project are potentially vulnerable and include children. The Department has agreed the following methods of communicating the notice in discussion with the Information Commissioner’s Office. The Information Commissioner has suggested a layered approach to issuing privacy notices with high level information issued on posters/signage/information sheet and more detail available on websites:

• Notices as part of the assessment process (information sheet that frontline staff take households through) and/or in public places such as Housing Options office, Job Centres, Community Centres, Support Group venues, GP surgeries/hospitals etc. To ensure participants have an opportunity to see these, they should be displayed in places and services that they are likely to visit, e.g. GP surgeries, children’s services, benefit offices, drug treatment services, etc. Local Authorities have been asked by MHCLG to update their privacy notices and information provided to households assessed when they present for help with housing to let participants know that their personal identifiers and data will be shared for the purposes of evaluating the programmes related to Homelessness and to provide better evidence about homelessness.

• Notices on Local Council and MHCLG websites. These notices should be more detailed and follow the good practice guidelines issued by the Information Commissioner’s Office.

This is left to the discretion of the Local Authority. MHCLG consider it the Local Authority’s responsibility to put in place measures which ensure they adhere to the requirements of the Data Protection Legislation.


Prior concerns over this type of processing/security flaws

This project is based on tried and tested methods of processing data and includes secure measures to minimise the risk of individuals/households being identified. We are not aware of current concerns about processing data in this way for research purposes (see public issues of concern below).

This project is being carried out in collaboration with ONS, an organisation with expertise and experience of handling sensitive data and datasets. The project design is based on learning from the Troubled Families Evaluation, which brought together data from every upper tier local authority with data from Ministry of Justice, Department for Education, Department for Work and Pensions and Her Majesty’s Revenue and Customs to create a de-identified individual level dataset. The data security measures employed successfully for that project and any lessons learnt have been applied to this project.

The current state of technology/data security in this area

The DELTA IT system has been developed by MHCLG and has been accredited to store OFFICIAL-SENSITIVE data. The HCLIC PI and HCLIC Data will be entered into DELTA as separate data submissions and transferred securely to the DELTA system using XML uploads or uploaded forms (depending on local IT arrangements). This is in line with the assessed impact level of the data (OFFICIAL-SENSITIVE), with the movement of all datasets to be recorded in the Access control templates. The transfer method (and any other subsequent transfers with OGDs) has to be approved by MHCLG security experts and meet HM Government standards [1]. The processing by local authorities, ONS, government departments and MHCLG will be in accordance with the sixth data protection principle requiring that appropriate organisational and security measures are put in place to protect data. The following data security measures will be put in place to protect the data and maintain confidentiality:

• all personal identifiers will be held in the secure data laboratory and held separately (by the ONS Data Team) from the attribute/matched data to reduce the risk of individuals being identified from the de-identified (pseudonymised) dataset;

• the personal identifiers will be only shared where necessary with other government departments and health agencies for matching to data they hold and will be securely destroyed and replaced with a departmental identifier within a month (see destruction tables);

• the de-identified matched data will only be shared where necessary and only between ONS, health agencies and Ministry of Housing and Communities and Local Government (some of this is set out in the data flows, these will be updated as other data shares are agreed);

• the data will not be processed to support measures or decisions with respect to particular individuals;

• the data will not be processed in such a way that substantial damage or substantial distress is, or is likely to be, caused to any data subject; and

• appropriate security measures will be in place to prevent unauthorised use of the information.

Current issues of public concern

Some organisations are concerned about households' and individuals' personal data being used in ways of which they are not aware. Privacy notices and information sheets will be used to inform households and individuals how their data is being used. There are substantial public benefits from data sharing in this way – to provide better evidence which can better inform policy decisions to benefit those at risk of homelessness. Those delivering this project will strive to work with local authorities to take on board any concerns they have and provide reassurance about the project and its design, as well as to inform the public about the project. MHCLG are working with the UK Research and Innovation (Administrative Data and Research UK, ADR UK) to develop a communication strategy.

[1] https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/715778/May-2018_Government-Security-Classifications-2.pdf

Sign up to approved code of conduct or certification scheme

There are guidelines and best practice for Government Social Researchers [2] and Government Statistical Services which the teams at MHCLG and ONS will adhere to. The latter part of the project (where data is available in the Secure Research Service at ONS) will be subject to the UK Statistics Authority Accreditation Board to allow the dataset to be legally shared for research under Section 64 of the Digital Economy Act.

The purposes of the processing

Aims and intended benefits of the Project

The homelessness data linking project will support the work being carried out by the Homelessness Policy Team in the Department. By linking data sources on homelessness, we will be able to measure the effectiveness of a range of homelessness programmes and monitor the implementation and impact of the 2017 Homelessness Reduction Act (‘the 2017 Act’).

The addition of ONS individual and household identifiers (IDs) to the HCLIC Data return will mean use of the collection can be expanded to assess the longer term outcomes of those assisted with their homelessness, including rough sleepers accommodated during the covid-19 period, the success of other MHCLG intervention projects or to collect wider characteristics about those who are homeless to better assess why some interventions fail or succeed. Researchers will not know whose data they hold and will work with a de-identified dataset. ONS will use the personal identifiers to create ONS IDs and MHCLG will receive a look up table to match to the HCLIC case level data provided by LAs. These IDs will allow MHCLG to create a de-identified dataset that allows analysts to monitor the 2017 Act and to identify patterns within homelessness, by:

• tracking cases across local authority boundaries and the country; and

• following families/individuals in their journeys over time.

MHCLG are also hoping to use the personal identifiers and ONS IDs to:

• link data from other homelessness evaluations being run within MHCLG;

• link to the Troubled Families Evaluation Dataset; and,

• link to nationally held administrative data, dependent on putting in place agreements with other government departments. This could include data on benefits, offending, health, education, and child safeguarding.

We will create a de-identified dataset which includes HCLIC data and data from other government departments to control for and take account of a wider range of factors affecting homelessness and outcomes.

[2] https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/732407/The_GSR_Code_-_Products.pdf

The sharing of personal identifiers, attribute data and other data for the HCLIC project is for evaluation and research purposes only - it will not be used for operational purposes or to make decisions that affect individuals or households (data subjects). This project will provide robust information to further our understanding of repeat homelessness, the success of prevention activities, the outcomes of those in receipt of homelessness services, including those accommodated during the covid-19 period, and the causes and factors associated with homelessness.

The aggregate level results and analysis will be shared with policy colleagues at MHCLG and published regularly to provide national and local policy makers with an evidence base on which to design better services and achieve better outcomes, such as which homelessness prevention activities are most effective with particular groups.

Consultation process

Consultation with relevant stakeholders

MHCLG have agreed an approach with the Information Commissioner’s Office to inform households about how their data is being used for the HCLIC data collection. The HCLIC data is being collected to allow MHCLG to fulfil its functions (in the public interest).

MHCLG hope to work with a small group of Local Authorities to test the proposal, guidance to local authorities and draft Data Sharing Agreements. This will provide local authorities with an opportunity to raise concerns and for MHCLG to amend its approach.

In 2020, MHCLG and ONS plan to host a small number of webinars and meetings to which local authorities will be invited. This will provide an opportunity for MHCLG to discuss the proposed project with nearly all local authorities.

MHCLG have worked closely with legal and data security experts in the development of this project. Information Security Experts will check and agree the security measures in place for the project. The measures agreed have to meet well established standards used by HM Government.


Necessity and proportionality

Lawful basis for processing

MHCLG has entered into arrangements with ONS to obtain and use this information for the research purposes outlined in this Data Protection Impact Assessment (DPIA) in exercise of its common law powers. The arrangements with ONS will be set out in a Data Processing Agreement and the arrangements with local authorities and other government departments/health agencies will be included in Memoranda of Understanding/Data Sharing Agreements.

MHCLG

MHCLG, as an emanation of the Crown, has ordinary common law powers to do whatever a natural person may do (subject to overarching legal constraints), in contrast with bodies which have powers conferred on them by statute and no powers under the common law, and can share and process data for the purposes of research so long as it complies with the Data Protection Legislation, Human Rights Act 1998 and common law duty of confidentiality. Compliance with the Data Protection Principles is explored further in section 4 of this DPIA. The condition for processing personal data under the GDPR is met:

MHCLG will rely on Article 6(1)(e) of the GDPR as a lawful basis to process the personal data provided by local authorities. The processing is necessary for MHCLG to perform its functions, in particular to reduce homelessness through the Homelessness Data Linking Project. The processing of personal data is necessary to further our understanding of repeat homelessness, the success of prevention activities, the outcomes of those in receipt of homelessness services, and the causes and factors associated with homelessness (spanning the remit of a number of different government departments). The range of data allows analysts to control for family and individual characteristics. The results of this data share will be used to inform policy across Departments and decision making by local authorities. The shared data will be used to significantly improve the evidence base and inform future policies aimed at those who are homeless or at risk of becoming homeless. In particular it will be used to assess whether the approach by local authorities and the Homelessness Reduction Act are effective at improving the outcomes of those who approach local authorities for help. This will provide useful information in the future to allow government departments and local authorities to make informed decisions about how to spend scarce resources for greater effect.

Condition for processing special category data

Where the personal data to be processed is special category data (sensitive personal data) it will be possible to rely on Article 9(2)(g) of the GDPR. MHCLG will rely on meeting the condition in Schedule 1, part 2, Paragraph 6 of the DPA 2018 in order to process special category personal data in accordance with section 10(5) of the DPA 2018.

• Article 9(2)(g) allows for the processing of special category data where it is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject/individual.

If approaches to addressing homelessness prove effective in reducing homelessness and meeting householders' housing needs (and this is the key source of information to allow us to assess this), this project will demonstrate the savings to the Government and the taxpayer as well as improve the lives of those who are homeless or at risk of homelessness. Learning from this project will be used to design future housing services and initiatives aimed at those with multiple complex needs and should increase the effectiveness of such services and initiatives, reducing the harm and cost of these families to society. MHCLG will prepare an appropriate policy document for the processing of special category data which sets out the procedures in place to comply with the principles in Article 5 of the GDPR.

Condition for processing criminal offence data

MHCLG will rely on meeting the condition in Schedule 1, part 2, Paragraph 6 of the DPA 2018 in order to process criminal offence data in accordance with Article 10 of the GDPR and Section 10(5) of the DPA 2018. MHCLG has prepared an appropriate policy document for the processing of criminal offence data which sets out the procedures in place to comply with the principles in Article 5 of the GDPR.

To note: data sharing with other government departments (OGDs) has not yet been agreed, but it is part of future plans. MHCLG will agree legal powers to share data and Memoranda of Understanding with each party in due course and update the DPIA to reflect any changes.

Data sharing for further research

MHCLG will rely on Section 64 of the Digital Economy Act to provide a legal power for the final datasets to be shared for further research. This will allow for the data to be made available to researchers via the ONS Secure Research Service. To do this the project and MHCLG researchers will need to be accredited by the UK Statistics Authority Accreditation Board. This accreditation will be sought in 2020.

Local Authorities

Local authorities have been asked to satisfy themselves that the legal powers are in place to allow them to supply all of the information for the project.

Most local authorities are seeking to rely on the general power of competence under section 1 of the Localism Act 2011 and powers under section 111 of the Local Government Act 1972 to share data for the purposes of the project.

Most local authorities will rely on Article 6(1)(e) of the GDPR as a lawful basis to process the Personal Data. The processing is necessary for local authorities to perform their functions as local housing authorities. In addition, most local authorities are likely to rely on Article 9(2)(g) and meeting the condition in Schedule 1, Part 2, Paragraph 6 of the DPA 2018 to process Special Category Personal Data.

In our view, local authorities are also capable of meeting the conditions for processing criminal offence data set out in Article 10 of the GDPR, for instance by meeting the condition in Schedule 1, part 2, Paragraph 6 of the DPA 2018.

If data sharing is agreed with other government departments this section will be updated to include the legal gateways for sharing data with MHCLG.

Common Law Duty of Confidentiality

MHCLG have considered the common law duty of confidentiality and whilst it accepts that personal identifiers may have been given in confidence by the data subject, such interference is justified and is in the public interest because:

• The overriding aim of the project is linked with the wider programme of homelessness work, which aims to reduce homelessness and improve outcomes for households (children and adults) who are homeless or at risk of becoming homeless. This includes determining whether households have better outcomes as a result of homelessness interventions such as safeguarding children and/or vulnerable adults, reducing offending behaviour, improving school attainment – this project will improve the evidence base about the factors associated with homelessness and outcomes associated with homelessness programmes in accordance with the objectives of the Act;

• The Department have also considered the potential risk of harm to the data subjects in the event of data loss or unauthorised disclosure and the Department have sought to minimise such risks by putting in place safeguards. The Department, local authorities and other government departments will only use and share the minimum and proportionate amount of information required for the project;

• Access to confidential information will be on a strict need-to-know basis;

• All parties understand their responsibilities in relation to data protection legislation;

• Every effort will be made to consider and minimise risks of identification (or re-identification) to data subjects and their families arising from all aspects of data handling.

• Measures will be taken to remove the sensitivity of the data through pseudonymisation and anonymisation; and

• technical and security measures will be put in place and strictly adhered to by those sharing the data.

Human Rights Act 1998 – Article 8 European Convention Human Rights

The Department’s view is that the interference with Article 8 is justifiable on the basis that it is necessary and proportionate in the interests of the economic well-being of the country, for the prevention of disorder or crime, the protection of health or morals and the protection of rights or freedoms of others. The Homelessness Data Linking Project will improve understanding of the effectiveness and cost benefit of the Homelessness Reduction Act and housing support in supporting households who are homeless or at risk of homelessness - such as reducing their offending behaviour, levels of unemployment, and improving educational outcomes. It will also provide essential information about how the services delivered by local authorities might be improved further, by gaining an understanding of what is and isn’t working well. The interference is, therefore, necessary in the interests of the economic well-being of the country, for the prevention of disorder or crime, the protection of health or morals and the protection of rights or freedoms of others.

How the project meets the principles of the GDPR

1st principle and Article 5(1)(a) of the GDPR: personal data shall be processed lawfully, fairly and in a transparent manner in relation to individuals (“lawfulness, fairness and transparency”).

Fairness

MHCLG has held regular discussions about the project with the Information Commissioner’s Office. These discussions have included working through how to best inform households/rough sleepers about how their data is being used. It has been agreed that local authorities should make every effort to inform households/rough sleepers about how their personal data will be used for this project. Local authorities should where possible and practical tell households/rough sleepers directly about the research and should issue privacy notices in person and/or in public places (discussed in more detail below). MHCLG has issued guidance to Local Authorities setting out the purpose and the design of the project, including processes to ensure secure transfer, storage and access to the data provided and how the Department will meet the requirements of Data Protection Legislation. In the guidance MHCLG set out the expectations of local authorities, as data controllers in their own right, to inform households/rough sleepers of how their data is being used for the project. MHCLG have provided local authorities with draft privacy notices which set out the information required to meet Article 12(1), 13 and 14 of the GDPR. Local authorities (as data controllers) can amend the privacy notices to meet their local needs. MHCLG is also a data controller and to meet its obligations set out in Articles 12, 13 and 14 of the GDPR will update the privacy notice on their website. This privacy notice will set out the purpose and design of the project, including the legal bases for processing data and processes in place to ensure the secure transfer, storage and access to the data.

Privacy notices

Privacy notices are necessary in order to inform participants about the use of their data (the right to be informed is set out under Article 12(1) of the GDPR and what individuals need to be informed about set out under Articles 13 and 14). Local authorities have informed participants about the use of their data in this way through privacy notices. In light of the sensitive nature of the project and vulnerability of certain groups, MHCLG have agreed the following methods of communicating the notice in discussion with the Information Commissioner’s Office. The Information Commissioner has suggested a layered approach to issuing privacy notices with high level information issued on posters/signage and more detail available on websites:

• Notices as part of the assessment process and/or in public places such as Housing Options office, Job Centres, Community Centres, Support Group venues, GP surgeries/hospitals etc. To ensure participants have an opportunity to see these, they should be displayed in places and services that they are likely to visit, e.g. GP surgeries, children’s services, benefit offices, drug treatment services, etc.

• Notices on Local Council and MHCLG websites

Local Authorities have been asked by MHCLG to update their privacy notices and information provided to households assessed when they present for help with housing to let participants know that their personal identifiers and data will be shared for the purposes of evaluating the programmes related to Homelessness and rough sleeping. This is left to the discretion of the Local Authority. MHCLG consider it the Local Authority’s responsibility to put in place measures which ensure they adhere to the requirements of the Data Protection Legislation. The processing by local authorities, ONS, Departments and MHCLG will be in accordance with the first data protection principle requiring that the data be processed fairly and lawfully:

• all personal identifiers will be held in the secure data laboratory and held separately (by the ONS Team) from the attribute/matched data to reduce the risk of individuals being identified from the de-identified dataset;

• the personal identifiers will be only shared where necessary with other government departments and health agencies for matching to data they hold and will be securely destroyed and replaced with a departmental identifier within a month (see destruction tables);

• the de-identified matched data will only be shared where necessary and only between government departments, health agencies and Ministry of Housing and Communities and Local Government (set out in the data flows);

• the data will not be processed to support measures or decisions with respect to particular individuals;

• the data will not be processed in such a way that substantial damage or substantial distress is, or is likely to be, caused to any data subject; and

• appropriate security measures will be in place to prevent unauthorised use of the information.

2nd principle and Article 5(1)(b) of the GDPR: Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes

Article 5(1)(b) is satisfied as the information is to be obtained for a specified and lawful purpose. In addition by virtue of Article 89(1) of the GDPR, the further processing of personal data for historical research purposes is not to be regarded as incompatible with the initial purposes for which they are obtained as there are appropriate safeguards in place for the rights and freedoms of the data subject: (a) the data are not processed to support measures or decisions with respect to particular individuals and (b) the data are not processed in such a way that substantial damage or substantial distress is, or is likely to be, caused to any data subject. MHCLG will agree processes with ONS to ensure their compliance with this principle. MHCLG will ensure the information is only used to meet the aims of the project and only process the data in a manner compatible with the purpose of the project. The purposes for which personal identifiers are obtained for this project are outlined in the privacy notice.

3rd principle and Article 5(1)(c) of the GDPR: Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed ('data minimisation')

The number of items of personal identifiers to be used in this project will be limited to the minimum required to identify records relating to the relevant individuals within each dataset. Likewise, the variables to be included in the data extracts are limited to those that are essential to the aims and purposes of the data share, which helps to make this option proportionate. The data sharing practices are neither unclear nor intrusive; the data collected will be de-identified and its use will be for specific purposes set out in a Data Sharing Agreement and the Data Processing Agreement with ONS. It is not intended to use any of the data collected in relation to any specific individual. Data shared for the purpose of this project will be adequate, relevant and not excessive in relation to the purpose for which they are being processed in accordance with Article 5(1)(c) of the GDPR. Different options on the number of records held in administrative datasets to be included in this data sharing study have been assessed to ensure that there is an appropriate and defensible balance between the legitimate aims pursued by the data sharing study and the requirements of the Data Protection Legislation and Article 8 of the ECHR.


4th principle and Article 5(1)(d) of the GDPR: Personal data shall be accurate and, where necessary, kept up to date.

Local authorities will collect personal information as part of their assessment process when households present for help. This information should be accurate at the time of collection and therefore at the time it is provided to MHCLG. Personal identifiers collected from local authorities will be kept to the minimum required to create an ONS de-identified identifier and to get a good match in administrative datasets and will include National Insurance Number where possible to ensure good match rates. Any data supplied by Local Authorities will be uploaded securely to the MHCLG Delta system using XML or a form sent securely.

Datasets containing the attribute data (HCLIC Data, RSQ, Troubled Families Evaluation Dataset and/or data provided by government departments) will contain an ONS pseudonymised identifier (to allow the MHCLG Homelessness Analysis Team to link individuals' and households' data (and other data gathered) together for analysis) and an indication of match quality provided by other government departments, but no other identifiable data. The match quality variable should ensure that only those for whom a ‘good quality match’ is found in the administrative datasets of other Government Departments. HCLIC PI Data and HCLIC Data are provided by LAs each quarter, and the data created for this project will be collected and processed at least annually. Each time the HCLIC Data is used for this project, it will be over-written with the most up-to-date data for each household.

5th principle and Article 5(1)(e) of the GDPR: Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal identifiers are processed.

Article 89(1) of the GDPR provides that personal identifiers which are processed only for research purposes in compliance with the relevant conditions may be retained. The relevant conditions will be satisfied for this project as they are:

• that the data are not processed to support measures or decisions with respect to particular individuals, and

• that the data are not processed in such a way that substantial damage or substantial distress is, or is likely to be, caused to any data subject.

Retention of the personal identifiers and the de-identified dataset will be reviewed by MHCLG annually to ensure the data is being held for the right reasons. The data destruction tables set out the length of time identifiable data will be retained for this project. MHCLG need to better understand whether individuals and households are cycling in and out of the system and moving across local authority boundaries. For this reason it is anticipated that personal identifiers will need to be retained by MHCLG (and ONS acting as a processor on their behalf) to monitor trends over a longer period of time. This will be reviewed with parties every 5 years.

6th principle and Article 5(1)(f) of the GDPR: Personal data shall be processed in a manner that ensures appropriate security of the personal identifiers, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures ('integrity and confidentiality').


MHCLG data security experts will inspect the security measures at ONS and have confirmed the existing/planned security measures are sufficient for this project. They meet the required standard for data security which is for OFFICIAL-SENSITIVE data (BIL3). Measures will be taken to ensure the security of the data throughout the project. This includes: individuals with access to the data; the transfer of data from Local Authorities to MHCLG DELTA system, to ONS and from ONS to government departments and from MHCLG to health organisations; how data is used, held and stored by all parties.

Individual Rights Set out under Articles 12 to 22 of the GDPR: The processing of personal data shall be in accordance with individual rights.

MHCLG will take into account its obligations under the GDPR when considering how to respond to requests relating to individual rights. The individual rights are:

• The right to be informed – this is covered by privacy notices issued by local authorities and MHCLG

• The right of access - MHCLG will respond appropriately to any subject access requests within 30 calendar days. The project will be set up in a way that the personal identifiers cannot be linked or matched to the HCLIC data or any other attribute data, i.e. any data used for research will be pseudonymised.

• The right to rectification – local authorities should be able to deal with requests to correct any data. MHCLG will correct data where appropriate. MHCLG will not be able to link or match the personal identifiers to the HCLIC data or any other attribute data held.

• The right to erasure – this does not apply, as the data processing is NOT based on consent. The data will be deleted when processing is no longer justified.

• The right to restrict processing – measures have been put in place to ensure all processing is compliant

• The right to data portability – this doesn’t apply as the data is not processed by automated means or based on consent

• The right to object – there is no requirement to comply as the processing is necessary for the performance of a public interest task.

• Rights in relation to automated decision making and profiling - the data will not be used by MHCLG for automated decisions or profiling.

The results of the research and resulting statistics will not be made available in a form which identifies any data subjects. If a complaint is received from an individual about the use of their personal data, ONS has been instructed to refer this to MHCLG. In this case MHCLG will take into account its obligations under the Data Protection Legislation when considering how to respond.

International Transfers – Articles 44 to 50 of the GDPR Personal data shall not be transferred to a country or territory outside the EEA unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

The personal identifiers and data are provided by the local authorities to MHCLG (and ONS). Both MHCLG and ONS operate within the UK. Personal identifiers will be stored in a secure data laboratory by ONS and personal data stored securely by MHCLG, as outlined in Data Sharing Agreements and the Data Processing Agreement. MHCLG is subject to data protection regulation. The data will not be transferred to a third party that falls outside data protection regulation.


MHCLG and ONS have no intention of processing the PI HCLIC Data outside the UK.


Risk assessment

Source of risk and nature of potential impact on individuals.

The risks outlined below relate to the HCLIC project

Risk 1

Some people may feel a loss of autonomy (if they haven’t given consent for their data to be shared). Some may not be aware of or understand how their data is being used. The data includes personal identifiers and sensitive data relating to children in each household.

Local Authorities have been asked to inform households and rough sleepers that their data is being passed onto MHCLG for the purposes of this project through the use of privacy notices and/or consent forms. This is an approach developed in discussion and agreed with the Information Commissioner’s Office and local authorities.

Likelihood of harm: Possible. Severity of harm: Minimal. Overall risk: Low.

Risk 2

There is potential for a data incident, for example the personal/matched/linked data to be accessed illegally during transfer and whilst being stored (including data on children in the household), an email sent mistakenly to incorrect recipient, for a MHCLG laptop to be stolen or lost in a public place/or paper copies or CD copies being lost/misplaced.

Strict controls will be put in place to ensure: only the minimum amount of data necessary to carry out the project will be shared; that the data is only accessed by named individuals; and data is processed according to the written data sharing agreements. Processes will be put in place to ensure the secure transfer, handling, storage and destruction of the data, including protocols to ensure that data is only accessed securely on encrypted laptops, etc. Individuals accessing the data have been security checked and informed of their lawful obligations and processing requirements. These include encrypting and password protecting (with strong passwords) all datasets being transferred and providing passwords separately, accessing data only through a secure network and saving data to the secure network only at all times. Whilst at MHCLG, the data will be held securely at all times and personal identifiers will be stored and accessed separately to the attribute data (HCLIC and RSQ) and datasets containing matched data from other Government Departments (in the future). Access controls will ensure data is only accessed by those with permission to do so.

At MHCLG the data will be stored according to pan-Government security standards and for analysis purposes in a restricted access folder. Individuals accessing the data have passed CTC checks and been informed of their legal obligations.

Likelihood of harm: Possible/remote. Severity of harm: Significant. Overall risk: Low.

Risk 3

There is a risk that individuals could be identified from the pseudonymised matched data. The data includes data on children in each household.

Pseudonymisation (removal of personal identifiers, but leaving a unique identifier in the dataset), recoding variables (e.g. ages recoded into categories) and destroying the raw data at regular intervals reduce the possibility of identifying individuals. At no point will the attribute data be linked or used alongside the personal identifiers, which will be stored separately and securely by the ONS Data Team in restricted access folders, and staff will be made aware of their legal obligations around handling and storing the data. A security operating procedure sets out how data security will be maintained. This has been signed off by the CLAS consultant and meets pan-Government security standards.

Likelihood of harm: Remote. Severity of harm: Significant. Overall risk: Low.

Risk 4

There is a risk that individuals could be identified in outputs (publications).

Any published results are subject to strict controls to reduce the potential to identify individuals and all outputs will be checked thoroughly to maintain the confidentiality of individuals. The results of the analysis will be made public in aggregated form. MHCLG will carry out a thorough check of the data and ensure that all steps are taken within its powers to minimise the risk that any outputs lead to identification of a person by a third party. This will include a requirement that local authorities have provided a sample of a minimum size before MHCLG is able to provide local results.

Likelihood of harm: Remote. Severity of harm: Significant. Overall risk: Low.


Step 6: Identify measures to reduce risk

Additional measures to reduce or eliminate risks identified as medium or high risk in step 5

Table columns: Risk; Options to reduce or eliminate risk; Effect on risk (eliminated/reduced/accepted); Residual risk (low/medium/high); Measure approved (yes/no).


Annex A: Data Flows

[Data flow diagram: Homelessness Case Level Data Linking 2020-2025. Elements shown: Local Authority (HCLIC); DELTA system for personal identifiers; DELTA system for attribute data; ONS Data Access Platform; Linked ID spine; Look-up table; ID spine to link HCLIC A; MHCLG Secure Data Analysis; MHCLG Homelessness Team use; ONS Secure Research Service; De-identified data made available in the SRS; Researcher outputs.]

Red line – personal identifiable data (e.g. names, DOB)

Amber line – de-identified data (characteristics, attributes)

Green line – non-identifiable data (aggregate level results, tables)

H-CLIC – Homelessness Case Level Data

HCLIC A – Homelessness Case Level Attribute Data

Look-up table includes ONS IDs alongside LA IDs only


ANNEX B: PROCESSING INSTRUCTIONS/SECURITY OPERATING PROCEDURE

Processing/security procedures

1. The PI Data (set out in Annex 1, variables A1.1 to A1.8) will be submitted by local authorities to the MHCLG DELTA system. As a separate submission, the HCLIC Data (set out in Annex 2, variables 1.1 to 10.6) is already submitted by local authorities to DELTA.

2. Within the MHCLG DELTA application the PI Data provided by each Local Authority will be securely stored. These records are associated within the system. ONS will securely extract the PI Data from the DELTA application. The PI Data will be transferred securely and stored in a restricted access folder to which only named individuals within ONS will have access.

3. ONS will create ONS unique individual and household level identifiers based on the PI Data using an algorithm [3].

4. ONS will create a “look-up” table of only LA identifiers and ONS identifiers, i.e. without personal identifiers.

5. The look-up table will be provided to the Homelessness Analysis Team at MHCLG.

6. The Homelessness Analysis Team will use the look-up table to replace the LA IDs on the H-CLIC Data with the ONS IDs.

7. In future, if Memoranda of Understanding are agreed with other government departments, ONS will use the ONS IDs along with the personal identifiers to create datasets for use by other government departments (such as MoJ/DfE/DWP) to match to their administrative data.

8. Government departments will return a de-identified dataset to MHCLG which can be matched to HCLIC Data using the ONS IDs.

9. The final de-identified dataset of ONS IDs and H-CLIC Data (and in future other data gathered from other government departments, Rough Sleeping Evaluation Questionnaire) will be returned securely to ONS to be made available in the Secure Research Service (SRS). The final dataset will not contain any personal identifiers. This final dataset will be stored separately from any personal identifiable information.

10. All work carried out by MHCLG will be carried out using restricted access folders on a secure system. Access to the data will be controlled and monitored. MHCLG has agreed to limit access to the data to essential personnel required for data handling. These individuals have all been security cleared to at least CTC (counter terrorism check) level. Appropriate security measures and procedures will be put in place to ensure the privacy of individuals and households is maintained.

[3] The algorithm creates household and individual level IDs using the personal identifiers. These IDs ensure the analysts cannot identify individuals and the ID is created in such a way that it cannot be linked back to the personal identifiers to identify individuals.

11. All those at ONS involved in the creation of an analytical dataset will be ONS employees who have at least the SC level of security clearance. All ONS personnel accessing the data have signed confidentiality agreements stating they will abide by section 39 of the Statistics and Registration Service Act 2007 and ensure the confidentiality of the information they access.

12. The PI Data will be retained in an assured ONS Data Analysis Environment to support any clerical matching used to assess linkage quality, and future matching exercises agreed by both parties.

13. The resultant matched data will be transferred via MOVEIT to the ONS Secure Research System (SRS) and can only be accessed from a secure approved location, never from the public internet, by approved or accredited researchers. Access will be managed and monitored by ONS staff.

14. Access to the data at MHCLG and ONS shall only be granted to those with a valid business reason with appropriate audit records being maintained.

15. Any data transferred will be done so securely and in line with the assessed impact level (BIL3/OFFICIAL-SENSITIVE) and agreed by MHCLG data security and to HM Government standards:

• Datasets will be transferred from local authorities using DELTA. Data transferred between ONS and MHCLG will be encrypted and password protected before secure online transfer or secure email using a password protected WinZip folder (selecting the AES256 encryption method).

• Files will be password protected and become unusable if three incorrect passwords are entered. The password will be set to strong - i.e. contain at least 9 characters of upper and lower case.

• A nominated member of staff at MHCLG will call ONS to confirm safe arrival of the dataset and to gain the password for the encrypted media.

Outputs and publication of results

1. A short output will be published following the linkage. This will outline the aims of the project and the quality of the matching. Whilst the report will be a joint MHCLG/ONS product, it will be published by ONS, who will decide the release date in line with other publication priorities.

2. When approving the release of an analytical dataset for a specific project, MHCLG may specify any statistical disclosure control rules that must be applied prior to outputs leaving the SRS.

3. Unless otherwise instructed, a minimum cell count of 10 will be applied to all outputs. ONS will review the linked dataset prior to releasing it to the SRS and will confirm to MHCLG that this threshold is appropriate given the results of the linking.

4. The SRS output checking team will ensure all outputs are non-disclosive in consultation with researchers and controllers in accordance with SDCRS policy.
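The look-up table flow in processing steps 3 to 6 and the minimum cell count in output rule 3, as an added Python example that is not MHCLG or ONS code. The keyed HMAC-SHA256 is an assumed stand-in for the ONS algorithm, which this document does not describe; the key, field names and records are constructed, and only individual-level IDs are shown.

```python
import hashlib
import hmac
from collections import Counter

# Assumption: keyed HMAC-SHA256 stands in for the undisclosed ONS algorithm.
ONS_KEY = b"constructed-demo-key-held-only-by-ONS"
MIN_CELL = 10  # minimum cell count from output rule 3

def ons_id(*identifiers):
    """Derive an ID from normalised personal identifiers (hypothetical scheme)."""
    msg = "|".join(s.strip().lower() for s in identifiers).encode()
    return hmac.new(ONS_KEY, msg, hashlib.sha256).hexdigest()[:16]

def build_lookup(pi_rows):
    """Steps 3-4: map LA ID -> ONS ID only; personal identifiers are not copied."""
    return {r["la_id"]: ons_id(r["name"], r["dob"]) for r in pi_rows}

def relabel(attr_rows, lookup):
    """Step 6: replace the LA ID on each attribute record with the ONS ID."""
    out = []
    for r in attr_rows:
        rec = {k: v for k, v in r.items() if k != "la_id"}
        rec["ons_id"] = lookup[r["la_id"]]
        out.append(rec)
    return out

def safe_counts(rows, field):
    """Output rule 3: suppress (None) any cell below the minimum count."""
    counts = Counter(r[field] for r in rows)
    return {k: (n if n >= MIN_CELL else None) for k, n in counts.items()}

# Constructed sample data, not real records.
PI = [{"la_id": f"LA{i:03d}", "name": f"Person {i}",
       "dob": f"1990-01-{i % 28 + 1:02d}"} for i in range(14)]
ATTR = [{"la_id": f"LA{i:03d}", "age_band": "25-34" if i < 11 else "16-24"}
        for i in range(14)]

def run_demo():
    lookup = build_lookup(PI)          # held by ONS, passed to MHCLG
    linked = relabel(ATTR, lookup)     # done by MHCLG on attribute data
    return lookup, linked, safe_counts(linked, "age_band")

if __name__ == "__main__":
    print(run_demo()[2])
```

The "16-24" cell holds three records and is suppressed, while the "25-34" cell with eleven records is released.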


Security and Data Management (measures in place at ONS)

1. The Data will be managed according to the ONS security principles. The security principles are the high-level, overarching requirements that the ONS DAP infrastructure, data ownership, data management and supporting business activities operate within.

• Security governance across DAP with an accountable, named business owner, accountable, named data owners and a set of support policies and processes that govern security operations and data management;

• Risk assessment of data to determine its content and sensitivity that enables the appropriate security protection and business access. Once within DAP, regular risk assessment reviews the adequacy of the security control environment based on the collection of available aggregated data;

• Technical design based on Government and industry best practice following a security by design approach that blends system and security development activity within the development lifecycle;

• User access through controlled and centrally managed unique user accounts that apply the ‘Need To Know’ based on role and need. Access is only granted to IT and business users who have valid reasons for this;

• Protective monitoring is performed on all access to DAP for business user data and platform maintenance, captured in logs and analysed for anomalies;

• Import and export of data is highly controlled and follows a defined process that focuses on statistical information. Single routes for import and export exist and full authorisation and checking is required for both;

• Assurance and audit to assess and demonstrate that DAP governance and security controls are working as expected.

2. All data will be permanently destroyed in line with HM Government security guidelines. This guidance can be accessed via the following link: https://www.gov.uk/government/publications/security-policy-framework/hmg-security-policy-framework

Onward Disclosure of data

1. ONS may be requested by the controller (MHCLG) to make the de-identified dataset provided, in totality or in part, available to other organisations via the SRS. Such requests are outside the scope of this agreement and would be subject to separate documentation.