The DWP’s Data Breach Problem: Why Trust Is Running Out

For years, I’ve warned that the Department for Work and Pensions (DWP) has a culture problem around privacy and data. I saw it up close. In my own court case, documents disclosed by the DWP revealed names and National Insurance Numbers of more than 300 Universal Credit employees—information that should never have been exposed. I was also sent a document that did not identify me but was nevertheless asserted to be mine. I’m pursuing this through the courts, and I’m stating this publicly because it speaks to a wider pattern I believe exists.

And the public record backs up the broader concern.

When redaction goes wrong, real people pay the price

In October 2022, the UK Information Commissioner’s Office (ICO) issued a formal reprimand to the DWP after Child Maintenance Appeals bundles were sent out unredacted, exposing the personal data of 16 people to third parties. The ICO found no Data Protection Impact Assessment and inadequate testing of the redaction tool, causing highly sensitive information to leak. (Source: Information Commissioner’s Office)

The ICO has repeatedly warned that these kinds of mistakes put lives at risk, especially for victims of domestic abuse when addresses or contact details are exposed. The DWP was explicitly named among organisations reprimanded in that context. (Source: Civil Service World)

2024–2025: “Basic” breaches keep happening

This isn’t ancient history. In May 2025, the DWP exposed disabled people’s personal email addresses by sending a group email without using proper privacy settings—an avoidable, “basic” breach. Separate newly released figures also showed hundreds of data-security incidents across Jobcentres in 2024. (Source: Canary)

That same week, another report highlighted that the DWP shared the email addresses of participants in a Green Paper consultation event—again, an elementary confidentiality failure that should have been prevented by process and training. (Source: Benefits and Work)

Independent tech trade coverage also tallied nearly 400 data breaches at Jobcentres in 2024, and pointed back to the 2022 ICO reprimand over failure to redact sensitive data—including a case where information was sent to an ex-partner with a history of domestic abuse. (Source: IT Brief UK)

Even on timeliness and transparency, the DWP has been called out

While separate from GDPR, it’s telling that in March 2025 the ICO found the DWP breached section 17(5) of the Freedom of Information Act for failing to issue a refusal notice on time. When a department struggles with basic statutory deadlines and clarity, public trust in its handling of any information—especially personal information—inevitably suffers. (Source: Information Commissioner’s Office)

Why this matters (and what must change)

Privacy isn’t “nice to have” bureaucracy. It is a legal duty and a safety issue. When a department handling millions of people’s benefit claims can’t guarantee that email addresses, home addresses, or sensitive case details won’t be exposed, the harm is real—from distress and harassment risks to chilling effects on people engaging with the system at all. The ICO has said it plainly: this pattern must stop. (Source: Civil Service World)

What the DWP should do now

  • Prove redaction reliability: DPIAs, testing in real-world scenarios, and formal sign-off before any production use. The 2022 reprimand should have ended any corner-cutting for good. (Source: Information Commissioner’s Office)

  • Stop “basic” breaches: Mandatory training, technical controls (bcc enforcement, mailing-list tooling), and escalation pathways when incidents occur. (Source: Benefits and Work)

  • Own the timeline: Publish regular, auditable stats on incidents, fixes, and lessons learned—alongside prompt FOI and SAR compliance. (Source: Information Commissioner’s Office)

  • Prioritise victim safety: Treat any address/identifier exposure as a critical risk, with automatic safeguarding reviews. (Source: Civil Service World)

Digital ID, the Fraud and Debt Recovery Bill – and a red flag for all of us

The stakes are only getting higher. The government’s Fraud and Debt Recovery Bill proposes giving the DWP sweeping powers to demand and monitor personal financial data, even reaching back decades. Alongside talk of digital ID systems, this means one department already criticised for basic GDPR failures could soon hold unprecedented access to our bank accounts, transactions, and identity data. That should ring alarm bells. If the DWP cannot reliably redact case bundles or keep email addresses confidential, why should we trust it with the keys to our entire digital identity and financial history? These powers, unchecked, could erode privacy, disproportionately impact disabled people and claimants, and create risks far beyond the DWP’s track record of “basic mistakes.”

My promise—and a call to action

I’ll continue to pursue my own case through the courts. But this is bigger than one claim: it’s about respecting the rights and safety of people who trust the system with their most personal information. If you’ve experienced a data breach involving the DWP, you can report it to the ICO and seek legal advice. And if you work inside the system, please push for the safeguards your claimants deserve.

Because when the state asks us to hand over intimate details of our lives, the bare minimum in return is competence, care, and the law—properly applied.
