Mastering DWP MOU compliance audits: key insights from two local authorities

Over thirty local authorities attended Policy in Practice’s recent Universal Credit data roundtable. These discussions typically focus on how local authorities can use their administrative data to help their residents.
This meeting looked at:
- The change in government
- How Universal Credit data could help the government deliver more for less
- Experiences, challenges and reflections from two local authorities who were recently audited on their use and management of DWP data
In this blog post we summarise the key points discussed about the DWP Memorandum of Understanding (MOU) compliance audits. The core issues raised so far by DWP relate to staff training, working from abroad, information security, and how to work constructively with DWP.
Thank you to Zoe Kent, Head of Revenues & Benefits, Mid Kent Services and Martin Walmsley, Assistant Director – Shared Revenues and Benefits, City of Lincoln Council and North Kesteven District Council, for sharing their experiences.
Key takeaways and future directions
- Data security: This is the key issue and a good part of the audits is about compliance with data security protocols. Authorities are advised to stay updated with DWP requirements and ensure all breaches, however minor, are reported
- Preparation and communication: Adequate preparation and clear communication with auditors are crucial. It will be helpful to all local authorities if they ensure all training and compliance activities are well documented and communicated effectively
- Geographical work restrictions: Working from abroad remains a contentious issue. Implementing regular checks and requiring declarations from employees can help manage this risk
- Flexibility and practicality: Authorities should advocate for practical solutions to compliance issues, emphasising fiscal and logistical realities. Constructive dialogue with the DWP can lead to more flexible, context-appropriate measures
- Shared experiences: Engaging with other local authorities and sharing experiences can provide valuable insights and aid in preparing for audits. Establishing internal working groups can also streamline the process and ensure comprehensive compliance.
Initial reflections on the MOU compliance audits
Zoe kicked off the conversation by recounting her experience with the recent audit. The audit report was mainly positive, highlighting some good practices but also listing some areas where improvements were needed.
Good practices included:
- a robust training programme in place, with staff showing sufficient knowledge and understanding by completing ongoing tests
- a dedicated team and process in place to log and monitor subject access requests
- a good security incident log specific to DWP derived data
- we’re looking to complete Cyber Essentials within the next six months
A notable point of contention was the auditors’ claim that there was no training for using Searchlight, which Zoe countered by providing a comprehensive list of training activities. Similarly, she was able to show when challenged that they were in the process of meeting Public Service Network requirements.
Working from abroad raised as a concern
A significant issue raised in the audit was about working from abroad. A growing number of people have wanted to work from overseas since the pandemic and, despite Zoe's assurances that her team does not access DWP data while overseas, the auditors recommended suspending access to DWP systems during such periods. Zoe agreed to this but expressed concerns about the broader implications of this policy. She suggested IT conduct occasional checks to ensure compliance with geographical work restrictions.
One attendee added that her team planned to implement an annual declaration for officers, reaffirming their commitment not to work from abroad. This led to a discussion on handling secondary DWP information within local systems, with Zoe noting that IT should have mechanisms to detect unusual login locations.
What the MOU compliance audit said about data security
All authorities emphasised data security as the key issue. This could well be because DWP had given local authorities more freedom to decide the purposes for which DWP data can be used. The flip side to this is that data should always be held and moved very securely. Clear communication within and across local authority departments is vital in this area.
Experiences from other authorities: rigorous but positive
Martin shared his experiences, emphasising the logistical challenges and the audit’s procedural aspects. His authority had to deal with scheduling conflicts and, like others, extensive preparatory work, including completing detailed questionnaires and gathering substantial evidence. The actual audit was a four-hour Teams call, contrasting with the more intensive in-person audits other authorities had faced.
Despite the rigorous process for the MOU compliance audits, Martin found the audit findings manageable. The report contained mostly low-level recommendations, such as increasing the frequency of reviewing the Apollo Register. These were implemented without significant disruption, although the process was time-consuming.
General observations and recommendations on the MOU compliance audits
The conversation concluded with reflections on the varying lengths and depths of audit reports. Zoe noted that their report was particularly lengthy, possibly due to recent data breaches in parts of local government, which heightened the auditors’ scrutiny.
Martin observed a softening in DWP’s stance on certain issues, such as data encryption, where practical and fiscal reasons were considered. This flexibility was seen as a positive development, allowing for a more tailored approach to compliance, but without losing sight of security issues.
In conclusion, while DWP audits can be challenging and time-consuming, a proactive and well-organised approach can mitigate many of the associated difficulties. By maintaining clear communication, robust data security practices, and a willingness to adapt, local authorities can navigate these audits effectively and ensure compliance with DWP standards.
Join us at the next Universal Credit data roundtable
If you work for a local authority and would like to join Policy in Practice’s future Universal Credit data roundtable discussions please request an invitation via hello@policyinpractice.co.uk.
