Taking on the MoD about mismanagement of personal data

#1
My partner is thinking about taking on the MoD under DPA 98 in the court for mismanagement of her records over several years, have already got some good evidence to support the claim from the ICO and was recommended - any thoughts?
 
#2
What exactly do you mean by "mismanagement"?

Has somebody revealed personal data that they ought not to have, or is it just that the data held is incorrect or not held legitimately?
 

Guns

ADC
Moderator
Book Reviewer
#3
The MoD, for good reasons, takes the DPA very seriously. It is one of a few Government departments which has reached the Cabinet Office IAMM Level 3 and beyond.

Firstly you need to prove that the MoD has a policy broke that the law, then you would need to prove each occasion and the person responsible negligently broke the rules.

Having once been the Navy's Information Assurance Officer I can tell you the ICO would need strong evidence as the MoD is seen as an industry leader in this field.
 
#4
The MoD, for good reasons, takes the DPA very seriously. It is one of a few Government departments which has reached the Cabinet Office IAMM Level 3 and beyond.

Firstly you need to prove that the MoD has a policy broke that the law, then you would need to prove each occasion and the person responsible negligently broke the rules.

Having once been the Navy's Information Assurance Officer I can tell you the ICO would need strong evidence as the MoD is seen as an industry leader in this field.
Perhaps you could, as an aside, explain why my details as held on JPA are not only incorrect, but palpably so, and having correctly filled in the annual JPA assessment several times stating that much of the information was incorrect and therefore contrary to the terms of the DPA, absolutely bugger all has been done to either correct the information, or to delete the information which is incorrect.

I have copies of the proformas.
 

Guns

ADC
Moderator
Book Reviewer
#5
Firstly you need to check if any of the wrong data is self-editing. Sometimes people don't realise what can and cannot be edited on JPA.

Then email (so it is auditable) your UPO and inform them of each error and what you want fixed. Give them a reasonable time frame, say a week, to get it done. If they fail speak to your unit Data Protection Officer and let them know of the breach and that you would like action taken by, think of a number, weeks or you will formally complain.

If nothing give the DPO at NCHQ a ring, if it is the same bloke when I was there he will be more than happy to help you out. He will contact the unit CO (designated role within DPA) and inform them there is an error that needs resolving. He will also let them know that this is now raised as a risk within the NCHQ Information Risk Register. This is seen monthly by the Naval Service's CIO and Senior Information Risk Officer (Fleet Commander).

I had the same issue and got to stage 2 before I took the team aside and explain why they needed to get their shit in one sock.

There is no excuse, the rules within the Naval Service are very clear on this and each unit or command has a Data Protection team.

I am out of the loop at the moment but if you want to PM we can chat about it. I might still have some of my contacts at NCHQ.
 
#6
Thank you for the feedback I will pass it on to my partner, but I think there are many more problems than just the errors Identified on JPA, which was a system only stitched on to the Army in Spring 2007 and has never achieved 'a loving embrace' with soldiers, in fact more often it is a manic 'choke hold' the soldier has on their JPA terminal borne out of exasperation, whilst the clanky but reasonably competent UNICOM system was thrown on the junk pile complete with errors imported into DPRR as a consequence of the haste to filter data onto JPA in late 2006 / early 2007.

The problems started much earlier and manuscript material was not properly organised or secured either, meaning there is no back up for the DPR Repository. There are no criteria currently specified by MOD for what is held in a soldier's 'P file', which becomes defacto the individual's Record of Service upon discharge together with the only other material available being a print off of a corrupted JPA record and / or DPPR.

The MoD admits that the majority of nearly 15000 Subject Access Requests to APC Glasgow each year come from veterans and by that time the damage has already been done, although very few personnel properly check their personal data and get things corrected when they're still in service - something that definitely needs to change. It's important because of potential data loss / corruption related to events that might impact on future health e.g. Hearing loss, PTSD, or career e.g. Qualification status, public inquiries or inquests.

The MoD has admitted to the ICO that they have lost nearly 200 pages of a personnel file and deleted the JPA account in error amongst several other incidents of personal data mismanagement. Difficulty is, they then gave the ICO and my partner the Agincourt sign and ICO are toothless, because they will not act in the case of an individual only multiples (case officer quoted '2000 incidents' should do it) before they impose a penalty and the fine goes into the public coffers, whilst there is still no tangible outcome for the individual.

ICO advice is go to court to get a judge to make an order to reinforce the Data Subject Notice under s10 of the DPA 98 issued 4 months ago (21 days is the mandated period allowed under present legislation ... MoD has it's own Mayan calendar), but this appears to be the only option. The ICO wouldn't even investigate the fabrication the CIO made in their explanation to the Information Commissioner, because it's not their remit apparently!
 
#7
UAM Part 5, Chapter 4 is quite clear about the care of personal documentation and what is to be placed in the 'P File'.
 
#8
UAM Part 5, Chapter 4 is quite clear about the care of personal documentation and what is to be placed in the 'P File'.
Does it still exclude MPARs?
 
#9
Unfortunately, there is little adherence to any protocol for 'P files' and is not defined in the MoD, as it is a generic term and each area of MoD business a serving person comes into contact with, will tend to generate one, either manuscript or electronic (sometimes both) and widely dispersed - even the ABF9999 is only considered a 'temporary' file!

People move on or are posted and the only materials that Glasgow ends up holding are a scattering of personal data sets with no index, no collation and little sense of organisation. In fact, Glasgow has two chunks of disassembled personal data - a manuscript bundle held by TNT contracted as the Document Handling Centre and another chunk of scanned material, again in no particular order called the EDM.

Both parts are incoherent, but these are the materials provided if anyone makes an SAR, especially a veteran, because everything else is ditched apart from medical records and JPA or DPRR depending when you left service.

No one checks across MoD for any mini 'P files', which includes the numerous e-folders people or 'local' databases, including spreadsheets that are created by folk and no one is bothered until the proverbial excretion extraction fan gets spinning.

Point is, what is the purpose of the shed loads of posters, e-learning, policy documents up the yin yang citing DPA 98, if the dominating culture the MoD adopts is to own you and your personal data? The concept of MoD being a temporary custodian of your personal data, like any other employer or service provider is an anathema to the system controllers.
 
#10
MPARs are a management tool and are not to be given to the subject but retained for upto 12 months by the Line Manager.
 
#11
Incorrect, MPARs are part of an appraisal process under both OJAR and SJAR systems and are absolutely to be shared with the individual appraisee and both parties contribute and sign the form, it should be an ongoing conversation like any other HR performance management process. The MPAR is destroyed once the OJAR / SJAR is finalised by the career desk at APC Glasgow in the case of Army personnel, although it is always wise for the appraisee to keep their copy of the MPAR just in case their are ER disputes down the way; uncertain about destination for dark / light blue versions. All performance reports including SJARs / OJARS, however, are part of the individual's personal data and are to be made available within 40 days following an SAR during or post service, although they are directly available on JPA at a keystroke for serving individuals to view / print.
 

Guns

ADC
Moderator
Book Reviewer
#12
As an aside I did the Subject Access Request for all of my reports from joining up 20 plus years ago.

Great reading, I surprised I am still in.

Recommend everyone does it.
 
#13
I agree, it's kind of my point really, making an SAR is something all serving personnel should do at least every 10 years, 5 if you've got the stamina and 3 if you flit about a lot as an individual augmentee like some specialists or reservists do, because once the errors creep in its a helluva job to get them sorted out once a few years have passed ;)

Not just restricted to the appraisal reports though, there are so many human errors made and incomplete processes that it all adds up to tears at bed time when the veteran discovers it too late or the serving person finds they've just been dicked for something unpleasant that wasn't their fault!
 
#14
Has anyone else found that ten years of reports have magically disappeared? Is that legal?
 
B

bokkatankie

Guest
#15
Has anyone else found that ten years of reports have magically disappeared? Is that legal?
I applied, and received, all my confidential reports, full service history (no gaps) and most of my medical records, some years ago.

Personally I think they were glad to get rid of them!

Got my Army record in 3 formats, PAMPAS print out, letter and a rather good quality card produced thingie, made me proud I tell you!

Now PAMPAS was shite but great thing was that we never had any input so it was always right - it appears that JPA has a major flaw - user access!
 
#17
The MoD, for good reasons, takes the DPA very seriously. It is one of a few Government departments which has reached the Cabinet Office IAMM Level 3 and beyond.

Firstly you need to prove that the MoD has a policy broke that the law, then you would need to prove each occasion and the person responsible negligently broke the rules.

Having once been the Navy's Information Assurance Officer I can tell you the ICO would need strong evidence as the MoD is seen as an industry leader in this field.
The ICO has already responded to two separate complaints, which found the MoD had failed to comply with several Data Principles, including failing to respond to an SAR, failing to secure personal data, failing to maintain accurate personal data, failing to respond to notices under section 10. The culture needs to be changed and properly led. It is unfortunate that the ICO doesn't have more powers to act for individuals and is reliant on courts to do it instead, but at a significant cost to the individual. The ICO reports are obviously helpful evidence, but an otherwise 'paper tiger'.
 
#18
Incorrect, MPARs are part of an appraisal process under both OJAR and SJAR systems and are absolutely to be shared with the individual appraisee and both parties contribute and sign the form, it should be an ongoing conversation like any other HR performance management process. The MPAR is destroyed once the OJAR / SJAR is finalised by the career desk at APC Glasgow in the case of Army personnel, although it is always wise for the appraisee to keep their copy of the MPAR just in case their are ER disputes down the way; uncertain about destination for dark / light blue versions. All performance reports including SJARs / OJARS, however, are part of the individual's personal data and are to be made available within 40 days following an SAR during or post service, although they are directly available on JPA at a keystroke for serving individuals to view / print.
But can you put it in a P file?
 
#19
when DMICP (the 'all singing all dancing' medical computer software) was being rolled out it was supposed to talk to JPA to allow JPA to take the lead on some personal data, name, rank, contact details etc, unfortunately JPA was horrifically inaccurate. we had a list of a couple of thousand in Catterick garrison alone
The official policy was to change known accurate data (we could check it against multiple entries on an FMed 4 and make educated guesses that even the REME won't promote a 4 yr old girl to SSgt) rather than expect units to chase soldiers to update JPA with accurate data.
 
#20
MPARs are effectively the 'halfway house' for the SJAR/OJAR process that is hosted on JPAS, although the completed MPAR is not a text file held on JPAS. No appraisal material should be kept within the ABF9999 in a unit or the 'P file' in APC Glasgow / elsewhere. When you make an SAR under DPA 98 as is your right then the final appraisal reports will be available as part of the JPA data, but MPARs are usually maintained between the individual and the 1RO, so only the date shows on JPA. This is obviously not true in all cases if HR practices are not adhered to, but that's part of the reason I posted the thread on the forum - not everything is necessarily as it should be in the MoD.
 

Similar threads


Latest Threads

Top