Access to Records

RELEVANT GUIDANCE

Data Protection Act 2018

UK General Data Protection Regulations – 'Right of Access by the Data Subject' (Information Commissioners Office)

Children Act 1989 Guidance and Regulations - Volume 3: Planning Transition to Adulthood for Care Leavers

Information Commissioner Toolkit for Public Authorities on Dealing with Vexatious Claims - a toolkit to help councils decide when a Freedom of Information (FOI) applicant is vexatious, issued by the Information Commissioner's Office (ICO).

Information Commissioner Guidance on Subject Access Requests - includes reminders that Subject Access Requests can be submitted by various means, including via social media, and do not have to contain the words' subject access request'.

1. Rights of Access by the Data Subject

The rights of a data subject to access personal information and records held by Children's Social Care Services are set out in Data Protection legislation (namely the UK General Data Protection Regulations (UK GDPR) and Data Protection Act 2018). Under Data Protection legislation, those in respect of whom personal information is held in any form have a right of access to the information, unless any of the exemptions set out in Section 2, Exemptions to the Right of Access apply.

In Calderdale, access to records requests are processed by the Information Governance team in conjunction with Social Care staff. The Procedure for Disclosure of Children's records explains how this works in order that the information disclosed is compliant with Regulations and timescales are adhered to.

The right of access applies to both paper/hard copy records and records held electronically. It is important that electronic recording systems comply with the requirements for data subjects to easily find their story in a logical narrative. The Freedom of Information Act 2000 gives access to non personal information held by public authorities. Under the Act anybody may request information in writing or via e-mail from a public authority (which includes all local authorities) and must receive a response within 20 working days. The Act confers two statutory rights on applicants:

  • To be informed in writing whether or not the public authority holds the information requested; and if so;
  • To have that information communicated to them.

The Act applies to all information whether recent or old. The Act sets out 23 exemptions from rights of access to information. If the information is exempt, there is no right of access under the Act. One of these exemptions relates to personal information which cannot form part of a Freedom of Information request.

2. Exemptions to the Right of Access

The Data Protection Act 2018 (Schedule 3) contains exemptions to the rights of access contained in Article 15 of the UK GDPR for health, social work, education and child abuse data. The right of access which is afforded to data subjects is restricted in the following circumstances:

  1. Where the right of access would prejudice carrying out social work because access to the information would be likely to cause serious harm to the physical or mental health of the data subject or some other individual;
  2. Where the records contain child abuse data; there is an exemption from Article 15 if the application of that provision would not be in the best interests of the data subject. ("Child abuse data" is defined in the Act as personal data consisting of information as to whether the data subject is or has been the subject of, or may be at risk of, child abuse. For this purpose, "child abuse" includes physical injury (other than accidental injury) to, and physical and emotional neglect, ill-treatment and sexual abuse of, an individual aged under 18);
  3. Where the person is incapable of managing his or her affairs (for example where the person is a child);
  4. Where complying with the right of access would mean disclosing information was which given by the data subject in the expectation that it would not be disclosed or is information which the data subject expressly indicated should not be disclosed;
  5. Where the data is processed by a court, consists of information supplied in a report or other evidence given to the court in the course of proceedings, the data may be withheld by the court in whole or in part from the data subject.

Access can also be refused if:

  • Disclosing information to the data subject would involve disclosing information relating to third party who can be identified from the information. Unless (a) the other individual has consented to the disclosure of the information to the data subject, or (b) it is reasonable to disclose the information to the data subject without the consent of the other individual;
  • Where disclosure may prevent the detection or investigation of a crime or jeopardise public or national security.

Access requests can also be refused if they are 'manifestly unfounded or excessive' (for example if an identical or similar request has been received from the same person and already been complied with).

These exemptions do not justify the total withholding of information but only those records/parts of records which are covered by the exemptions. The remainder of the case records should be made available to the data subject.

The exemptions above do not apply where disclosure is required by a court order or is necessary for the purpose of or in connection with any legal proceedings.

3. Offering an Informal Approach

The practice of all staff when working with children and families should be to encourage routine sharing of information, including providing copies of key documents on an ongoing basis (e.g. minutes from Child Protection Conferences, notes from Core Group Meetings, copies of Care Plans etc.).

If a person currently in receipt of services asks to see a particular document or wants to have information about a particular aspect of their case records, their social worker should discuss this with them to see whether the request can be dealt with informally by showing them the relevant part of the file or providing a copy of relevant documents.

4. Handling Formal Requests for Access

Those making a formal request for access to their records should be asked to put the request in writing and support should be offered as necessary.

The Procedure for Disclosure of Children's records (Section B) explains how the request is processed locally by the Information Governance team and the respective roles of both the Information Governance team and the Social Care staff.

If the person making the request is not currently known to the service they will be asked to provide photographic evidence of their identity, such as a passport or driving licence before a search of the records is made. Where the person making the request does not have a passport or driving licence, consideration should be given to accepting other forms of identification.

Once the identity of the data subject has been confirmed, all case records held on the person should be located and collected. All indexes and computer records should be checked, across all departments within Children's Social Care Services.

The Information Governance team should then carefully check the case records to ensure they are complete and that the information is provided in an intelligible and easily accessible form, using clear and plain language. The whole file should also be checked to ascertain whether any of the material comes within the exemptions to the rights of access and would, therefore, need to be removed/redacted (see Section 2, Exemptions to the Right of Access).

Where the person making the request has specific needs in relation to language, literacy or disability, arrangements must be made to present the information in a suitable format and to involve approved interpreters as needed.

Offering interpretative and supportive counselling may be advisable in certain cases, as well as using a number of interviews to disclose the information in stages.

The data subject should be provided with a copy of the data. A fee may be charged for any requests for additional copies.

5. Timescales

Access must be given to disclosable information within 30 days of receiving the request (or 30 days from the point at which the identity of the data subject is confirmed).

  1. Upon receipt of a request, the IG team should identify on CASS the allocated team and then email the Team's email inbox and the team manager within 2 working days with details of the request. Ensure the limited timescales are referred to at the start of the email. The relevant Team Manager should respond within 2 working days;
  2. The Team Manager is asked to record whether there are any reasons why a request should be refused and what those reasons are. Even with this tight timescale, it only leaves 19 working days based on a 31 day month without bank holidays in order to process the request;
  3. There should be oversight of the response by the Service manager (Localities) or a delegated alternative Service Manager prior to submission of the response to Information Governance;
  4. It is important that the IG team is notified of potential exemptions as set out above within 5 working days so that they can respond;
  5. Before responding to a request for access to information held about a child, it should be considered whether the child is mature enough to understand their rights. If they are, they should be responded to rather than the parent.

Any data held about a child is the child's personal data and does not belong to anyone else, including the parent. In the case of young children their right of access to information held about them will likely be exercised for them by people with PR.

In certain circumstances, for example when responding to particularly complex or multiple requests, the authority can take a further 2 months to provide data. If this is the case, the person requesting the information must be informed of the delay within 1 month of their original request and the reasons for the delay explained to them.

6. Applications by Children

Requests from children should be treated in the same way as requests from adults. In each case a judgement should be made by the social worker/local authority case worker as to whether the child making the request for access understands the nature of their request. Where appropriate, a parent/carer should be asked to provide written confirmation that the child understands the nature of the application.

Children with disabilities have the same rights as others to have access to information held about them. No assumption should be made about their level of understanding. This should be assessed on an individual basis as with all children.

A child of sufficient understanding should be allowed regular access to information held about them, consistent with their best interests. Relevant assessments, plans and records should be routinely shared with unless one of the exemptions set out above applies.

A child should be encouraged to contribute to their case record, including when there is disagreement about an entry in the file.

7. Applications by Parents / Those with Parental Responsibility

Even if a child is unable to understand the implications of a request, any data held about them is still their personal data and does not belong to anyone else, including a parent. It is the child who has the right of access to information held about them, even though, in the case of young children their rights are likely to be exercised for them by people with parental responsibility.

Before responding to a request for access to information held about a child, it should be considered whether the child is mature enough to understand their rights. If they are, they should be responded to rather than the parent. If the social worker / local authority case worker is unsure about whether a child is able to understand what it means to make a request and how to interpret the information they receive as a result they should consider:

  • The child's level of maturity and ability to make decisions like this;
  • The nature of the personal data;
  • Any court orders relating to parental responsibility that may apply;
  • Any consequences of allowing those with parental responsibility access to the child's information. This is particularly important if there have been allegations of abuse;
  • Any detriment to the child if people with parental responsibility cannot access this information;
  • Any views the child has on whether their parents should have access to information about them.

An application by a parent or those with parental responsibility can be refused if it would mean disclosing information which was provided by the child in the expectation that it would not be disclosed, or if the child expressly indicated that it should not be disclosed.

Regardless of whether or not a child is capable of understanding the request or has consented to the parent making the request, it is important that a parent should only be given access to the information about the child if the worker in consultation with their manager is satisfied that the request is made in the child's and not the parent's interests.

8. Applications by Care Leavers

For further information, see: Children Act 1989 Guidance and Regulations - Volume 3: Planning Transition to Adulthood for Care Leavers.

When an application has been received from a care leaver, it is important that the request is acknowledged promptly and in writing, or by using another appropriate forms of communication if required. The process and timescales for dealing with such requests should be explained, as well as any additional support services that the authority is able to provide.

An acknowledgement should be sent to the care leaver within 10 working days confirming that their records exist. The acknowledgement should also indicate when they are likely to receive information from the case records and clarify that:

  • The local authority will attempt to locate all existing records relating to the care leaver, including registers from children's homes. Legislation requires that a child's case record must be kept until the 75th anniversary of the child's date of birth;
  • There is a statutory duty to respond to a subject access request within 1 month;
  • The care leaver will need to produce proof of their identity before the organisation can disclose any personal information. However, if the person is already known to the service the proof of formal ID is not required.

If the records cannot be located, the care leaver should be informed as soon as possible about the steps that will be taken to try to locate them. If records have been transferred to another local authority, the care leaver should be provided with relevant contact details. If the authority becomes aware that the case records do not exist, there should be no delay informing the care leaver. When records have been destroyed or mislaid, the care leaver must be informed as soon as possible and assistance given to help them locate other information and registers that may be available, such as, health and education records.

It is important that the local authority case worker has telephone or direct contact with the care leaver to introduce themselves and explain the process. This also provides an opportunity for the care leaver to discuss what they are hoping to obtain from their records, how they would like these to be shared and what they already know about their family and history. The local authority case worker can also identify any support the care leaver would like to receive. The care leaver should be assured that they will receive comprehensive information about their family background and time in care including information already known to them. It is important to offer to telephone the care leaver after they have received and read their records and to inform them that the case worker remains available to answer any questions or discuss concerns they may have.

Local authorities should respond to requests from a direct descendant of a care leaver if information about family history is being sought.

9. Applications by Agents

A request for access to records may be made through an agent (for example, a solicitor).

It is the agent's responsibility to produce satisfactory evidence that they have authority to have access to the records. This will always include proof of their identity.

The relevant Team Manager will decide whether the representative will be allowed access, having sought Legal Advice if necessary.

10. Applications by the Police

Requests from the Police for information from children's files:

  1. This section relates to:
    • Data Protection Act 2018 Schedule 2 Part 1 – disclosure required for the:
      1. Prevention or detection of a crime;
      2. The apprehension of offenders.
    • 2013 Protocol for Disclosure of information in cases of alleged child abuse and linked criminal and care directions hearings.
  2. N.B. Common Law Duty of Confidentiality must be assessed on a case by case basis and is not overridden by Data Protection Acts 1998/2018;
  3. IG shall process initial requests for disclosure to the police, in liaison with:
    • The relevant Team Manager if the request relates to a child who is open to Children and Young People's Services or has been open within the last three months. The team manager will check whether there are any court documents or other prohibited information (e.g. legal advice which is confidential).
    • The Team Manager will ensure that there is oversight by a Service Manager of the agreed information prior to the information being passed to Information Governance.
    • The Service Manager (Localities) if it relates to a child who has not been open to Children and Young People's Services for longer than 3 months.
  4. An Annex C form should accompany all requests for information from the police where the request relates to a child who is or was at the time of the alleged offence under the age of 17. IG will ask the police to provide a completed Annex C form before progressing the request. DP7 or DP 9 consents are also required.

    See: Glossary of Terms below for further information on Annex C, DP7 and DP9;
  5. Consent from the person to whom the information relates (DP9) to share the information is useful to seek at this point because it will be needed should the case go to trial and the police need to request onwards disclosure. Relevant consent at this stage will reduce the risk of delay later on. The IG team will inform the Police of this requirement;
  6. If in exceptional circumstances an Annex C cannot be provided by the police at the time of the request, details of the reasons why must be obtained and the request referred to the local authority's Data Protection Officer will make a decision as to whether to release the information requested without an Annex C form;
  7. 'Requests should be specific about the type of information required, and include details such as charge sheets where available. The Annex C should provide sufficient information for IG to assess whether the request for disclosure is necessary for the pursuit of reasonable lines of enquiry. The CPS describe 'reasonable lines of enquiry' as:

    In conducting an investigation, the investigator should pursue all reasonable lines of inquiry, whether these point towards or away from the suspect. What is reasonable in each case will depend on the particular circumstances. For example, where material is held on computer, it is a matter for the investigator to decide which material on the computer it is reasonable to inquire into, and in what manner." Relevant material is defined (at para.2.1) as: "…it has some bearing on any offence under investigation or any person being investigated, or on the surrounding circumstances of the case, unless it is incapable of having any impact on the case".

    See: Disclosure - A guide to "reasonable lines of enquiry" and communications evidence (CPS);
  8. IG will check with Business Support in Legal whether there have been any Family Court proceedings. Documents relating to Family Court proceedings must not be included in the files to be examined by the Police. Information 'relating to the proceedings' includes documents prepared for the purpose of the proceedings;
  9. Where there have been Family Court proceedings the police may be provided with a list (e.g. copy of a redacted court index) of the court documents without describing what it is. Also, the text or summary of a Judgement given in the Family Court proceedings can be included. These documents should only be provided with the agreement and oversight of Legal Services;
  10. Documents to be viewed by the police will either be sent to them securely or made available for the police to view within LA offices. The information will be sent securely to the Police if the records are held on CASS or the paper record is small, and it is impracticable for the Police to come in to view the files. Where the Police are asked to come and look at the files, the Police will mark the documents they wish to have copies of and will be provided with photocopies to take away;
  11. Where documents are provided to them the Police will be reminded that they are for read only and must not be used or shared without our further specific consent or court order;
  12. A request from the police or CPS to share the material must be via an Annex E (see Glossary) which will be forwarded by IG to Legal for consideration. If a DP9 has not yet been provided by the police then IG will request this from the police.

Glossary of terms

  • Annex C - the request that comes from the police requesting sight of documents to help them investigating/prosecuting a crime;
  • DP7 - request for disclosure signed by an inspector;
  • Annex E - this is the form where the police have read the material and have identified key documents they need to release to the defence;
  • DP9 - Consent form signed by the data subject agreeing to the release of their records to the police in relation to their complaint.

11. Application on Behalf of Deceased Persons

Where a request is received for access to the records of someone who has died, the person making the application should be asked to explain in writing their relationship to the deceased person, what information is needed and why. The local authority case worker should make a decision in consultation with their manager and advise the applicant in writing of the decision with reasons.

12. Rectification or Deletion of Records

If a person considers that any part of the information held on their records is inaccurate, they have (Under Articles 16 and 17 of the UK GDPR) the right to apply verbally or in writing for it to be rectified or deleted.

Local authorities have 1 month to respond to any such requests.

If a request for rectification is received, the local authority should take reasonable steps to establish that the data is accurate and to rectify the data if necessary.

What steps are reasonable will depend, in particular, on the nature of the personal data and what it will be used for. The more important it is that the personal data is accurate, the greater the effort a local authority should put into checking its accuracy and, if necessary, taking steps to rectify it.

A local authority can refuse to comply with a request for rectification if the request is manifestly unfounded or excessive, taking into account whether the request is repetitive in nature.

If a local authority considers that a request is manifestly unfounded or excessive you can:

  • Request a "reasonable fee" to deal with the request; or
  • Refuse to deal with the request.

13. Refusal of Access

If the social worker or local authority case worker considers there are reasons to refuse a request for access to all or any part of the records (see Section 2, Exemptions to the Right of Access), this should be discussed with their manager and legal advice should be obtained if necessary.

The manager should be asked to make a final decision on refusal of access, having sought legal advice if required. If refused, the date of the request and reason for refusal must be recorded in the file.

The decision and the reasons for it should be confirmed in writing to the person requesting access, or in a format appropriate to the needs of the person concerned.

14. Appeals Process

The data subject concerned has the right to apply to the court for an order to disclose, correct or erase information held. They also have a right of appeal to the Information Commissioner who may make an assessment about whether the law has been complied with an issue enforcement proceedings to make the local authority comply with the request if necessary and/or recommend an application to court alleging a failure to comply with data protection legislation.