Guide for all staff involved in processing Subject Access Requests
SUBJECT ACCESS REQUEST
GUIDE FOR CHILDREN’S SERVICES STAFF INVOLVED WITH PROCESSING SUBJECT ACCESS REQUESTS
UNDERSTANDING DATA SUBJECT RIGHTS AND ACCESS TO PERSONAL INFORMATION
INTRODUCTION
It is the East Riding of Yorkshire Council’s obligation to ensure compliance with the Data Protection Act 1998. The Information Commissioner, who oversees compliance and promotes good practice, requires all organisations and individuals who process personal data to comply with the eight data protection principles of ‘good information handling’. It is important to read the councils Data Protection Policy in conjunction with this Subject Access Request guidance.
http://insight.eastriding.gov.uk/corporate-information/policies-and-procedures/
The East Riding of Yorkshire Council is committed to ensuring that the personal data it holds is used fairly and lawfully and in a non-discriminatory manner.
THE AIM OF THIS GUIDANCE
· To help you make the correct decisions when dealing with Subject Access Requests and the redaction of information.
· To advise you on how to prepare a file.
· To advise how you can provide access.
WHO THIS GUIDANCE APPLIES TO
SENIOR CUSTOMER RELATIONS OFFICER.DESIGNATED SAR OFFICER (LOCALITY TEAMS).
SUPPORT SERVICES.
SENIOR MANAGER.
HEAD OF SERVICE.
This guidance is coded in the above colours to enable those who it applies to be directed to the guidance relevant to their role within the process. However it is advisable to read the full guidance to gain an understanding of the full process in completing a Subject Access Request.
There is also a flow-chart showing the SAR process and the stages where involvement from the above individuals and services is needed.
DATA SUBJECT RIGHTS
The Data Subject is the person whose information we hold. The Data Subject has a right to:
· Know if we or others on our behalf are processing their personal data.
· Have description of the data we hold about them.
· Know why we hold the data.
· Know the source of the data.
· Know who we have shared the data with.
· Request a copy of the personal data we held about them at the time the request was received (Subject Access Request);
· Require us to correct inaccuracies or irrelevancies in their records and to tell others we gave the inaccurate data to that is was incorrect.
· Require us to stop processing their personal data if it is not justified.
· Seek compensation for damage or distress our use of their data might have caused.
· Appeal to the Information Commissioner or the courts if access is refused or if the legally prescribed timescales are exceeded;
OUR RESPONSIBILITIES TO PROTECT AND ASSURE THE DATA SUBJECT’S ACCESS RIGHTS. We should:
· Record personal data in a way that promotes people’s rights of access and privacy (e.g., keeping family members’ individual, personal data separate).
· Gain consent to share third party data with those it’s about.
· Give them information informing them of their rights.
· Let them know if their records are held jointly (in which case they only need to apply to one organisation) or separately (in which case they need to apply separately to each organisation) so they can exercise their right of access to all their personal data.
· Maintain and store records so they can be retrieved when required in accordance with the Council’s Records Management/Governance policy.
· Locate all the applicant’s personal data that the applicant has identified. If we don’t hold an applicant’s personal data, inform them of that fact. We must respond.
· Not alter data once a request is received, except for routine recording, not even to make the record more acceptable to the subject.
· To provide a complete copy of their data that they are entitled to.
HOW OFTEN ARE DATA SUBJECTS ALLOWED TO APPLY FOR ACCESS?
We can refuse access if we’ve already complied with an identical or similar request from the same person, unless a reasonable interval has elapsed. A ‘reasonable interval’ depends on:
· The nature of the data held
· Why the data in being processed.
· How often we routinely provide a copy of their records to them.
· How often the data is amended or added to.
WHAT DATA SUBJECTS ARE NOT ENTITLED TO
· Information if it would be likely to prejudice the carrying out of social work because of the risk of serious harm to the physical or mental health or condition of the data subject or someone else.
· Information that in giving it could hinder the prevention or detection of a crime.
· Information that is legally privileged.
· Information in adoption records (this would need to be dealt with by the relevant adoption team under their regulations).
· Information provided in confidence (breach of confidence)
· Someone else’s information (Third party)
· Certain information without consent from its source to share the information.
DUTY OF CONFIDENCE
A duty of confidence arises between a member of the public and a professional where one party has information relating to another party in circumstances that give rise to an expectation that it will remain confidential e.g.
· A doctor has information about patients
· A contact through the Early Help & Safeguarding Hub where the member of the public wishes to remain anonymous
· A social worker has information about service users provided by a third party.
THIRD PARTY INFORMATION.
Third party information is information about someone else other than the data subject. It would include references to their family and friends, other non-Council professionals and agencies. Consideration needs to be given as to whether this information should be released.
Information from someone else is not the same thing e.g. people who have referred concerns about them such as relatives and non-council professionals and agencies acting in their professional capacity. In circumstances where information is provided by non-council professionals and agencies acting in their professional capacity consideration needs to be given to gaining consent before releasing the information.
For information provided by a member of the public/relative you would have to consider if this was provided in confidence and if so this would not be releasable, you could not seek consent as this would then be a breach of duty of confidence to the referrer.
INFORMATION ABOUT OUR OWN STAFF
Our own staff (including foster carers, others employed as agents for children’s social care) acting in their official capacity are “relevant person’s”. Staff acting in their personal capacity are third parties. This is an important distinction; redaction of references to them acting within their official capacity may only be undertaken if there is a clear risk of harm to someone, ordinarily consent is not needed to share information referring to them as a professional.
INFORMATION FROM HEALTH PROFESSIONALS
This applies to personal information about the physical or mental health or condition of the data subject.
Correspondence from health professionals and agencies is often stamped as confidential. In this context “confidential” usually means “this contains sensitive, personal information and must be transmitted and stored safely.” It does not mean necessarily that it is restricted from the data subject. However it is important that you consult with the most recent health professional responsible to gain consent to either release the information or withhold the information. Alternatively you can inform the data subject that they will need to approach the appropriate agencies directly to request the information. The latter process is advisable in most case as the agency can then make the decision as to what they can share and whether the release of information would pose a risk. If a decision is made to request the data subject approaches the other agencies this needs to be explained in a timely manner to the data subject to avoid unnecessary delay.
INFORMATION FOR OTHER PROFESSIONALS AND AGENCIES
The default for any information we handle, including any that other professionals/agencies give us apart from health information, should be to disclose it to data subjects. Dependent on what the information is consideration needs to be given to contacting the professional to gain their view of releasing the information. In most cases professionals will expect their name and business contact details to be released, however consideration may need to be given if the release of the information poses a risk of harm where objections are made by the professional. If you are unable to contact the professional you will need to consider if it is reasonable to release the information without consent. Consider informing the data subject to approach the professional/agency directly to request the release of information.
ACCESS RIGHTS OF CHILDREN
The right of access extends to children who can understand what it means to exercise that right. (Fraser Guidelines) they can therefore apply for their information as an adult. The fact of making a request is probably sufficient evidence that they do understand, provided we are sure the child really has made the request.
If a parent with Parental Responsibility wants to access their children’s record’s, if the child is of such an age that it is considered they would not understand what is means to exercise their rights then they can access the child’s information as long as we are satisfied this is not against the best interest of the child. For further clarification, if a child is 12 years old or above the parent who has Parental Responsibility will need to seek consent from the child to access records. In some cases where we think a child over 12 may have been coerced into giving consent it is good practice to contact the child and explore with them their understanding of a what a subject access request is and what they have consented to share with their parents.
In both these instances we must take into account if granting such access would be likely to result in harm to someone. Refusal of access on grounds allowed in the: Subject Access Modification/Social Work Order 2000. This enables you to consider withholding information if it is likely to prejudice the carrying out of social work by causing serious harm to the physical or mental health or condition of the data subject or another person. This order does confirm that the identity of social workers as relevant people should be disclosed but also confirms that this can be overruled if there is a strong likely hood of serious harm being caused to the social worker.
WHAT IS REASONABLE TO DISCLOSE
The Data Protection Act does not provide any guidance on what is reasonable in all circumstances to disclose, there can be a conflict between the data subjects rights of access and a third party to privacy, careful consideration needs to be given to this dilemma. If you cannot respond to a SAR without disclosing information about another individual (third party) who could then be identified from that information, you are not obliged to disclose it as a duty not to breach confidence unless consent has been given by that individual or if you think it reasonable in all the circumstances to disclose it without consent. Decisions should always be taken on a case by case basis after careful consideration of all the circumstances surrounding each case. If in doubt seek legal advice and discuss this with you line manager, customer relations team or data protection team.
THIRD PARTY INFORMATION AND CONSENT to consider
· Do we have a duty of confidence to the third party whose personal information we are considering disclosing?
· What steps, if any, did we take to gain consent from the third party?
· Are their whereabouts unknown or cannot be found out?
· Are they capable of giving consent?
· Did they expressly refuse consent?
· Would seeking consent from the third party disclose the subject’s personal information?
· What does the subject already know or is likely to find out? If they already know this information, then we are not disclosing it.
· Is the third party information confidential, sensitive or harmful?
· Was the source “a relevant person” Only the likelihood of serious harm would justify refusal of access. Subject Access Modification/Social Work Order 2000.
· Can it be edited to protect the third party’s identity appropriately?
INFORMATION WOULD BE WITHHELD IF:
· Consent is not given; and
· It is not clear if it’s reasonable to disclose the information without it; and
· The information cannot be edited appropriately to remove identifying references to the third party.
WHERE INFORMATION IS HELD
Supervision notes are generally released under a SAR as long as the information relates to the data subject and does not contain personal information in relation to the workers practice etc. If this is the case this will need to be redacted.
E-mails
Emails are no different from any other record containing information about the data subject.
‘Restricted’ information on file
This by its very nature means there are reasons to withhold the information. When the information is no longer restricted then consideration needs to be given to releasing this to the data subject.
Child Case Management data base/ONE system/E-start
All information held on these data bases belong to Young people’s support and safeguarding services and consideration needs to be given to releasing this information in a SAR if the data subject or agent acting on their behalf requests all records.
SUBJECT ACCESS REQUESTS v INFORMATION SHARING
Requests made from a social worker from another local authority is not considered a subject access request but information sharing and should therefore be dealt with under normal business by the relevant social work team. Requests for personal information without the consent of the data subject can be made under exemptions outlined in the Data Protection Act, an example of this is Sections 29(3) and 35 of the Act which covers the release of personal information because it is needed to prevent or detect a crime, or catch and prosecute a suspect. Disclosures to the police are not mandatory except in cases where the council is served with a court order requiring information.
For the request to be complied with it needs to be: