In Atherton, R (On the Application Of) v Secretary of State for Work And Pensions , the High Court heard a challenge to an initial decision by the Department of Work and Pensions (DWP), to refuse to communicate with the applicant, Mr Atherton, by email. Mr Atherton has a medical condition which, by his submission, (not contested by DWP in the substantive proceedings) makes it difficult for him to communicate by postal mail. He challenged both DWP's initial refusal to correspond with him by email and then, in amended pleadings, DWP's reliance on a "workaround". Although the judge dismissed the application, the judgment gives a helpful reminder that insistence on data security, without considering reasonable adjustments, might result in unlawful discrimination.
DWP was said to:
“[be] able to, and does, communicate by email with benefit claimants in relation to matters such as invitations to appointments. However, operates [sic] a rule that such communications must not contain personal information.”
We note that surely an appointment email to a claimant itself “contains personal information”, but nothing turns on this.
The reason for the rule is, unsurprisingly – and legitimately - rooted in DWP’s concerns around data protection and data security. In evidence, its Head of Customer Communications and Accessibility explained that its policy needed to be placed “in the context of a world where cyber-crime and data theft are rising at an exponential rate and keeping one's data safe and secure is becoming ever more difficult”.
By the time the case came before the court the amended challenge was actually to a proposed workaround process, under which DWP sends postal mail to a third party (a central “Alternative Formats” team) which converts it to email to be sent to the benefits claimant. 32 claimants avail themselves of this “Alternative Formats” option to be sent email in circumstances where DWP would normally refuse to do so, despite its centralised operation having what the judge terms a “wrinkle”, whereby other government communications to a claimant may end up also being routed through it.
The judicial review application was on the basis that DWP’s decisions, including its workaround, amounted to a breach of its public sector equality duty (PSED) pursuant to s149(1) Equality Act 2010 and a breach of its duty to make reasonable adjustments to accommodate Mr Atherton’s disability, pursuant to ss20 and 29 of the same Act.
In dismissing the application, the judge held that DWP had, with the workaround, offered a system of communication that (subject to effective implementation) amounted to a reasonable adjustment and complied with its PSED. Notwithstanding this, and having heard evidence on other examples of difficulties in persuading DWP to make reasonable adjustments to its methods of communication in order to accommodate disability, he was critical:
"The approach of the DWP to the Claimant, and to many other disabled benefit claimants, failed over a period of years to comply with its statutory obligations under the Equality Act 2010 (and, before that, the Disability Discrimination Act 1995). Those with disabilities that meant that they had difficulty communicating by post were, in many instances, unable to secure a satisfactory means of communication with the DWP. This in turn meant that some went without benefits that were essential to them. At the time this claim was filed the DWP had still not complied with its statutory duties in respect of the Claimant" (para 107).
It is worth noting, in passing (because no specific arguments were heard regarding data protection law), that the General Data Protection Regulation (GDPR) does not require a counsel of perfection when it comes to imposing security measures to protect personal data – it requires that technical and organisational measures should be implemented to ensure a level of security appropriate to the risk. And that, where risk does exist, measures such as encryption should be introduced. Although data protection law does not impose a requirement on a controller to introduce encryption in order for someone to communicate with them, all those subject to the public sector equality duty might wish to bear in mind that saying "data protection says 'no'" might not always be an adequate or - with particular reference to disability discrimination law - lawful response.