SCOPE OF THIS CHAPTER
Subject Access Requests can also be called Access to Records Requests. The Subject Access Request Policy provides a process for Children's Services staff to follow when dealing with a request by someone for access to their personal records. The policy predominantly contains guidance for practitioners, based upon Information Commissioner's guidance, regarding the decisions that need to be made when releasing personal documents.
This policy does not cover requests by other agencies to access service user files.
This policy supersedes the Access to Case Records Policy.
This chapter was added to the manual in November 2014.
- Managing Subject Access Requests
- Processing a Subject Access Request
- Responding to a Subject Access Request
- Requests by/on behalf of Children and Young People
- Requests made on behalf of Adults lacking Mental Capacity
- Requests made through another Person or Organisation (agent)
- Requests for Access to Records of a Deceased Person
- The role of the Freedom of Information and Data Protection Team
- Deciding what to Disclose
- Refusals to Allow Access
- Correcting Inaccurate Information
- Reviews of Decision Making
- Step by Step Guide if you are Dealing with a Subject Access Request
- Advice and Support
This staff guidance relates to requests for access to personal data (1) made by service users, their representatives or other interested parties.
People can ask to see the information the Department holds about them by making a 'subject access request' in writing. The request must enable staff to identify the person and the information requested. Anyone, including local authority employees, service users and relatives of service users can make subject access requests. The information requested may be included in documents that are held in the names of other people, for example, information about a relative may be contained on the file of a service user. People will not normally be given information about other people. See Section 3.1, Third Party Information for information about "third parties".
If, in the course of a normal working relationship, a service user asks a worker to see the records that the worker has made about them this should not be treated as a 'Subject Access Request'. Staff should share the records they have made with the data subject as a matter of good practice and this should be recorded as part of on-going work with the service user. Such requests are not covered by this policy.
The Council holds a great deal of personal information about people:
- On computer, for example on the the ICS (Liquid Logic) and Civica case management systems and in emails;
- In paper records, for example, in historic case files, notebooks etc;
- In other media, for example, tape recordings and photographs.
Staff must comply with the Data Protection Act 1998 in relation to all this stored information and must meet the required standard of service when complying with requests for information. Information held, in whatever form, must be kept secure and retained only for as long as necessary, as set out in the guidance on the Case Records and Retention Procedure.
Staff should also be familiar with the information published on the website of the Information Commissioner's Office (ICO), in particular the Data Protection Technical Guidance Notes:
- "Subject access requests and social services records";
- "Access to pupils' information held by schools in England".
1.1 The Data Protection Act 1998
The Act gives data subjects (2) the right of access to personal data held about them. It also gives them other rights, for example, the right to,
- Prevent processing likely to cause damage or distress (Section 10 of the DPA) - Data subjects are entitled to serve a notice on the Local Authority to prevent further use of information in certain circumstances. The Department has a limited period in which to respond to the notice in order to continue to use the information. This is a legal process and if a section 10 notice is received staff should immediately contact the Data Protection Officer on firstname.lastname@example.org;
- Rectify information (Section 14 of the DPA) - Individuals have a right to request that information about them that they consider to be factually inaccurate is corrected. See Section 3, Deciding what to Disclose of this guidance for further information. They can also apply to the Court to seek to rectify factually inaccurate information. If the Department receives a request from an individual to amend incorrect or misleading information staff must comply with the request quickly to avoid Court Proceedings; within 20 working days would be reasonable.
Please note: unauthorised access to, or disclosure of, personal data could be in breach of the Council's Code of Conduct and may be considered under the Disciplinary Procedures.
(1) Personal data - is information from which the individual can be identified, whether directly or by reference to code and where the individual is the focus of information which affects the privacy of the individual in his/her personal or family life and in his/her business / professional capacity. For further information see the "Data Protection Technical Guidance - Determining what is personal data", published by the Information Commissioner's Office.
(2) Data subject - an identified or identifiable, living individual who is the subject of personal data.
2. Managing Subject Access Requests
A Subject Access Request (SAR) must be received in writing, either by email or on paper. A request form can be accessed from Bradford Council website.
2.1 Processing a Subject Access Request
See Section 7, Step by Step Guide if you are Dealing with a Subject Access Request if you have been asked to work on a Subject Access Request.
Subject access requests (SAR) are received by the Children's Initial Contact Point (CICP).
If the officer dealing with the request is not sure about the identity of the person making the request two forms of identifying documentation will be required from the person before continuing with the request. This should be a formal document which contains reference to the individual by name and address; it could be in the form of a copy of a utility bill and a driving license/passport.
Where the request comes from a solicitor who is acting as the agent of the person making the access request it is assumed that the identification of the data subject will have taken place. Requests made by solicitors acting on behalf of clients should include a signed authorisation form. In such cases it is not necessary to verify the identification of the person using the solicitor. The officer must make sure that the authorisation form specifically relates to information from social care records.
On receipt of a request for access CICP will acknowledge the request and explain that they are undertaking a search for the files. CICP will request the files from the relevant archive and inform the person requesting access that the they can expect to receive any information (40 calendar days from the date of receipt, wherever this was in the Council).
The Subject Access Request will be recorded within the case management system (Liquid Logic) and on the Sharepoint system by CICP. All contacts in relation to the request should also be recorded on the case record.
CICP will inform the Data Protection Officer on email@example.com that a SAR has been received as soon as possible.
The request and relevant files are passed to a social work team who will liaise with the person who has made the request and provide the information requested, in line with these procedures.
The timeline starts from the date that the authority receives the SAR. However, if the request does not contain enough information to identify the data subject or process the request then the timeline is paused whilst this information is immediately sought.
If the files cannot be identified the request for subject access, and information regarding all archives searched, CICP will write to the person who has made the Subject Access Request to inform them that despite searches their information cannot be found. This will be recorded on the case file. This information will be passed to the data protection team.
2.2 Responding to a Subject Access Request
Within 40 calendar days of making a written subject access request the applicant is entitled to be provided with such information as the Department holds which is personal to him/her and can be disclosed.
Meeting the 40 calendar day deadline will be the responsibility of the individual service areas and will be monitored by the Data Protection Team. If you think it is not possible to complete a SAR within the 40 day timeframe then let the then let the Data Protection Team as well as the person making the request know as soon as possible.
It is good practice when undertaking a Subject Access to discuss with the person what information they would like. In some circumstances they may want information regarding a specific period, while in others they may want an overview of for example, their life in care.
A decision must be made about what information should, and can, be released (see Section 3, Deciding what to Disclose) and the file must be prepared in an accessible format including any additional information held in electronic systems.
If the data subject is given access, the relevant information should be given to them in an accessible form, for example, as a photocopy of a document.
If the 40 day deadline is missed the officer dealing with the request must write to the data subject apologising and giving the reason for the delay.
In circumstances in which the request covers a large quantity of information and it is possible that the information will not be supplied within in the required 40 days it can be legitimate to ask the data subject whether they wish to receive one section of the records before another. This must not be used as an excuse for failing to meet what is a statutory requirement to supply information within 40 days. It is important that this discussion and actions are recorded on the case record.
Information must be disclosed unless:
- There is insufficient information to identify or locate the requested information. The data controller is not obliged to comply with a request until satisfied as to the identity of the person making the request (see Section 2.1, Processing a Subject Access Request for details) and until sufficient information has been given to allow any records to be located;
- An individual makes repeated requests to access the same or similar information (a vexatious request). Where the officer dealing with the request for access has already complied with a request for personal data, s/he is not obliged to comply with a subsequent request which is either identical or similar, unless a 'reasonable interval' has occurred. The definition of a "reasonable interval" is a matter of professional judgement (normally around 2 years);
- A factor that would count against providing further access would be that there has been no further contact with the service user in between requests. However, a factor that would indicate that a reasonable interval has passed would be if there have been significant additions to the information that the Department holds on the person. The Information Commissioner's Office (ICO) has published guidance on vexatious requests, "Freedom of Information Act Awareness Guidance no 22";
- The data includes information about a third party who has not consented to disclosure. See Section 3.1, Third Party Information for more information;
- Disclosure could result in a risk of serious harm to that individual or any other person (see Section 4.1, Exemptions under the DPA for the list of exemptions under the DPA).
For a complete list of exemptions see: Section 4, Refusal of access to records.
When possible the requestor should be asked to collect the prepared document from a council property to ensure the safe distribution of personal information. This will not be possible in the case of a request by a solicitor or other legal representation.
A Data Subject has the right to have personal data communicated to him or her in an intelligible manner. It is therefore the responsibility of the Local Authority to ensure that the Data Subject understands the data that they receive. If the Data Subject cannot clearly understand instances of data, action should be taken by the Local Authority to explain the data.
Please note - Where the record requested reveals an individual to be an adopter or an adoptee, advice must be sought from One Adoption before any records are disclosed.
2.3 Requests by/on behalf of Children and Young People
In all circumstances involving requests for access to records held in the name of a child under 18 years consideration should be given to the requirements of The Children Act 1989.
Children under the age of 18 years have a right of access provided that they understand the nature of the request, that is, they understand what it means to exercise that right. Good practice dictates that efforts should be made to explain the implications of making a request to the young person.
If a child under 18 years does not have sufficient understanding to make his/her own request then a person with Parental Responsibility can make a request on behalf of a child. In deciding to allow access to the person with parental responsibility we must be satisfied that:
- The child lacks the capacity to apply in his / her own right; or
- The child has authorised the parent to make the application and s/he understands the nature of the request and the implications of authorising access.
Where a child lacks the capacity to make a valid request we must be satisfied that any application is made in the best interests of the child and that disclosing the information would also primarily be in the best interests of that child and not that of the parent(s).
There is no facility for anyone, other than a person with parental responsibility or a person authorised in writing by the child, to act as an Agent for the child. Where parental responsibility is held by more than one person it may be exercised independently without the consent of the other party.
A parent making a valid request for access to records about a child does so by virtue of their parental responsibility for that child and must be presumed to be acting in the best interests of the child unless there is information to the contrary.
2.4 Requests made on behalf of Adults lacking Mental Capacity
The DPA does not refer to requests made on behalf of adults who lack mental capacity - that is people who are not able to manage their affairs. A person with a mental disorder is not necessarily lacking in mental capacity.
In allowing access to records we need to be satisfied that the person understands the nature of the request. Good practice dictates that we must make efforts to explain the implications of making a request to the individual.
If an adult lacks the capacity to manage their affairs only a person who acts under an order of the Court of Protection or acts within the terms of a registered Enduring Power of Attorney may request access on their behalf. The request should then be treated as if made by an agent (see Section 2.5, Requests made through another Person or Organisation (agent)).
2.5 Requests made through another Person or Organisation (agent)
Appointed agents, such as solicitors, must provide evidence of their authority and confirm their identity and relationship to the individual. This evidence should normally be in writing. Once authorised the request should be dealt with as if it were made by the data subject.
Were an adult is unable to give written authorisation to an agent a judgment will have to be made and recorded on whether the data subject has given consent.
Where allowing access involves the disclosure of sensitive information it may be appropriate to approach the data subject directly to ensure they understand the nature of the request made by their agent.
2.6 Requests for Access to Records of a Deceased Person
Data on a deceased person is confidential however it is not covered by the Data Protection Act but instead by the Freedom of Information Act.
In deciding whether to allow access to an individual requesting information in relation to a deceased person we will need to consider any responsibility of confidentiality to that deceased person.
We should also consider the rights of the applicant and data subject under the Human Rights Act, Article 8 - the right to respect for a private and family life.
The ICO has published guidance called, "Freedom of Information Act. Practical Guidance: Information about the deceased".
2.7 The role of the Freedom of Information and Data Protection Team
Please inform the Data Protection Team when any Subject Access Requests are received.
Subject Access Requests are normally dealt with by staff in the relevant Locality/service area.
The Data Protection Team may also be able to provide additional support for the following requests and should be informed of these types of request as soon as possible:
- The request is made by a solicitor and where the stated aim is to make a claim against the Council;
- The person requesting access states their intention to make a claim against the Council;
- Initial consideration of the records by staff suggests that a claim against the Council might succeed;
- There is a request for information on behalf of a data subject in support of a claim from the Criminal Injuries Compensation Authority (CICA) on a closed case, from either a solicitor or from an officer of the CICA. Open cases are dealt with by the case holder;
- There is a real/potential conflict of interest in the service are responsible for access, for example, where a Subject Access Request is received whilst legal proceedings are in progress. (This does not normally apply where the subject access request is made in connection with a complaint).
The Data Protection Team can also seek legal guidance when required.
The Data Protection Team will also provide a monitoring and support role to help ensure that the statutory timeframe is met.
3. Deciding what to Disclose
Ordinarily, service managers will be the final decision-makers about what information can be disclosed and to whom. Where the redaction of the records is delegated to another officer the material to be disclosed should always be agreed with the service manager.
Once the decision has been made to allow access and the information has been prepared in an accessible format, a letter should be sent to the data subject with a copy of the information.
Please note - Where the record requested reveals an individual to be an adopter or an adoptee, advice must be sought from One Adoption before any records are disclosed.
Data may be held in a number of different places including electronic files, paper case files, email systems etc.
Emails will generally have been uploaded to the electronic case file but it is important to note that customers have the right to see copies of their own personal data wherever it is recorded.
Reasons for data preparation and editing/redacting
Social work case records may involve the personal data of more than one individual (e.g. siblings included), therefore data must be prepared to ensure only appropriate data is disclosed during subject access. The process of identifying non disclosable data is known as redaction. It is necessary to ensure any third party information is removed from the subject's records.
The quality of data cannot be isolated from the subject access process. Very often, the quality of data is the subject of a subsequent complaint. A Misspelled name, an inaccurate date of birth or inaccurate data about the subject may have been recorded. In addition to being lawful, it is vitally important that we record good quality data and that a few minutes spend ensuring that text has been correctly entered will save time later.
In preparing records for access it must always be made clear, on the record, where information had been taken out and the reason for this. Care must be taken not to disclose the identity of a third party in so doing.
It is useful to meet with the person making the SA request to be clear about what information they are looking for.
The usual reasons for redaction will be:
- Third party information without consent to disclose;
- Legal privilege;
- Medical Information;
- Exempted information (this is where the disclosure of information is deemed to cause serious harm).
If the information has been edited in any way the applicant should be informed including information about their right of appeal to the Information Commissioner or the Courts.
A copy of the redacted records, as sent/given to the data subject must be retained, for example scanned into ICS, for the length of time applicable to the records in full.
If a review is undertaken corporately or by the Information Commissioners Office these records will be inspected.
3.1 Third Party Information
Material which a customer has already been party to can be released e.g. the minutes of a meeting where the data subject was an attendee.
We do not have a responsibility to disclose information that the data subject has already had a copy of or material that has already been disclosed to the data subject. Occasionally and depending on the circumstances we may re-supply information.
The data subject is not entitled to see the personal data of third parties (i.e. anyone else) without the third parties consent unless it is reasonable in all the circumstances to disclose it without their consent. Please discuss this with the Data Protection Team if you want advice or more detailed guidance about this subject.
Not all detail constitutes third party 'personal data' and a logical view can be taken of some date that my, for example, be already known or sheared with the subject i.e. the name of a sibling but not necessarily their current address or circumstances.
Sensitive personal data: When considering the personal date of third parties and trying gauge its relevance to the main client it is useful to hear in mind the definitions of sensitive personal date as defined in the Act:
- The racial or ethnic origin of the data subject;
- His or her political opinions;
- His or her religious beliefs or other beliefs of a similar nature;
- Whether he or she is a member of a trade union;
- His or her physical or mental health condition;
- His or her sexual life;
- The commission or alleged commission by him or her of any offence, or any proceedings for any offence committed or alleged to have been committed by him ore her, the disposal of such proceedings for the sentence of any court in such proceedings.
Seeking consent from third party individuals - the data subject should be informed that we might need to contact other individuals about whom personal information is recorded on their file and seek their consent to share their data with the data subject. The data subject has the right to request that should not contact certain individuals, for instance a child might not want us to contact their parents. This would lead to information being redacted prior to the release of the records.
Data provided by third party professionals - there is sometimes a lack of clarity regarding the requirement of consent in the case of third party professional data. There is separate legislation relating to access to education records, health records and 'social services' records. In practice this means that if the third party individual is a health, education or social services professional, the information is regarded as information provided by a 'relevant professional' and not a 'third party' as such. There is specific guidance to 'relevant professionals' opinions on the Information Commissioners website (see link below). Seek advice from the data protection team if you are uncertain regarding this issue.
Physical and mental health data - if case recording includes information on the physical or mental health of the data subject, whilst generally disclosable, you must consider whether disclosure is likely to have a detrimental effect on the data subject.
Court reports - court reports can be disclosed to the applicant if they were party to the proceedings of the report. If a third party requests copies of the court proceedings then the individuals party to the proceedings should be consulted.
Police documents - if the case contains documents supplied by the police, consent should always be sought before disclosure. Many police documents are "restricted".
Data Protection Office,
West Yorkshire Police,
PO Box 9,
If in doubt - do not disclose. The Information Commissioner can issue an enforcement notice where disclosure should have been sanctioned.
The decision making process regarding why information is being withheld must be recorded and outcome must be recorded.
ICO guidance is on this link Dealing with subject access requests involving other people's information".
Relevant Persons;(3) where information relates to Bradford MDC paid staff and others paid for similar work a distinction is drawn between the private and public life of the person. Information relating to individuals in their official or work capacity should be disclosed, unless to do so would risk them being harmed. Personal information; addresses, 'phone numbers etc must not be disclosed without consent.
(3) Relevant Person - anyone who is employed by the Local Authority or who has performed, for reward, a service similar to a service carried out by the Authority).
3.2 Information given by another Professional or AgencyWhere information has been provided by another professional or agency, it should be disclosed unless it is covered by an exemption. Where this information has been recorded in the Department's filing system it becomes the "property" of the Department. In these circumstances a letter informing the professional or agency of the intention to disclose should be sent as a matter of courtesy. A copy of the relevant information should be enclosed with this letter. It is the responsibility of the service manager (or more senior manager), acting on behalf of the Department to decide on whether access may be given.
3.3 Medical Information held in Records
The ICO has published a Data Protection Technical Guidance Note, "Subject access request and social services records" which gives further advice on disclosing medical or health related information.
Where information held on the Department's records has been provided by a medical professional and refers to the physical or mental health or condition of an individual it may not be disclosed without consulting the "appropriate health professional". For a list of "appropriate health professionals" see Section 9, Glossary.
The appropriate health professional would normally be the person who provided the information and can be approached directly. Alternatively staff can contact the Data Protection Team.
The requirement to consult does not apply where the information has been supplied by a health professional but is not a professional health opinion. This means that documentation provided by an appropriate health professional, including records made by a member of staff in case notes or running records, may be disclosed without consulting that professional, unless it contains information that is personal to a third party and consent has not been given. However a courtesy letter should be sent to inform the health professional of the intention to disclose.
4. Refusals to Allow Access
Where the decision is taken to refuse to allow access to all of the information requested it is imperative that the reasons for that refusal are explained to the person making the request and recorded. The individual concerned must also be provided with details of how they can take matters further, should they wish to do so. See Section 6, Reviews of Decision Making.
Decisions about total refusal should only be taken after advice has been sought from the Data Protection Team who can, if necessary, take advice from Legal Services.
Reasons for refusal must distinguish between:
- Reliance on an exemption under the DPA;
- Inability to obtain the consent of a third party.
Applicants should be informed about their right of appeal to the Data Protection Team.
4.1 Exemptions under the DPA
It is not necessary to comply with the DPA where:
- Information is held for the purpose of the prevention/detection of crime. The data controller is not required to disclose personal data if it is held to prevent or detect crime or to apprehend or prosecute offenders. This applies to information received from or disclosed by another organisation (e.g. police) and to information held on the Authority's records, such as in adult safeguarding cases where there is a criminal investigation. The data controller is not obliged to allow access to information which might prejudice a criminal investigation. This exemption also applies where an alleged offence involves any unlawful claim for payment out of public funds such as benefits;
- Disclosure would prejudice the carrying out of social work functions because there is a significant risk that it would result in serious harm to another person. The data controller need not disclose personal data where to do so would prejudice the carrying out of social services functions because serious harm could be caused to the physical or mental health or condition of the subject or any other person, including employees of the Authority. Only that information which is likely to cause serious harm may be withheld;
- The data requested has been supplied to a court. Reports written by the Department become the property of the court at the point at which they are filed with a court;
- Personal data is covered by other legislation. In particular, adoption records and reports which are governed by the provisions of the Adoption Act 1976, sections 50 & 51, parental order records and reports which are governed by provisions of the Adoption Act 1976, and the Human Fertilisation and Embryology Act 1990 and regulations (DP (Miscellaneous Subject Access Exemption));
- The information requested is not covered by the Act and is confidential (i.e. information relating to deceased persons (4)). Such information is covered by the Freedom of Information Act. Information is exempt from disclosure under the Freedom of Information Act (FOIA) if it was obtained, in confidence, from any other person (including another public authority) and disclosure would constitute a breach of confidence actionable by that or any other person;
- The information is covered by legal privilege. The data controller need not disclose personal data if it attracts legal privilege. This covers all communications, written and oral, to and from the Authority's legal staff in which advice is sought and/or provided. It includes notes of telephone calls and legal advice given at meetings and conferences. It also refers to any process by which legal staff are instructed. Please note: it may not be possible to apply this exemption if the legal advice has already been communicated in any way to the data subject or to a family member or friend acting on his/her behalf. This exemption does not apply to communications with lawyers who do not act for the Authority. Advice should be sought from Legal Services in these circumstances.
Below are the three exemptions that may be applied under the Act:
- Exemption: Statutory Instrument 2000 No. 415:
The Data Protection (Subject Access Modifications) (Social Work) Order 2000 - (S.I. No. 415) states that personal data does not have to be released if in doing so serious physical or mental harm to any individual is likely to result and serious consideration must be given to judge if this is the case or not. This exemption may also be used if disclosure of data is likely to prejudice the carrying out of social work functions. We are still under an obligation to inform the data subject that we hold this information whether we are releasing it or not;
- Exemption: Section 29 Crime & Taxation:
If to release personal data would impact on the effective prevention or detection of crime, then the data is exempt and does not have to be released as part of the Subject Access process.
When Police Authorities apply to Local Authorities for access to customer's records, they must provide a Section 29 (3) Notice before disclosure takes place. Always advise the DMAO or Legal Services of any such requests. These types of requests must be logged on a corporate disclosure log so that we retain a permanent record of what has been disclosed and who disclosed it;
- Exemption: Section 7  Duty of Confidentiality Owed
If an overriding duty of confidentiality is owed to any individual, the data should not be disclosed. For instance, personal data should not be disclosed if:
- It was provided by a third party in the expectation that it would not be disclosed to the person making the Subject Access request;
- It was obtained as a result of an examination or investigation to which the third party consented in the expectation that the information would not be so disclosed; or
- If the third party has expressly indicated the information should not be so disclosed.
In considering these exemptions the officer dealing with the request, or anyone advising them, must always be mindful of the Human Rights Act 1998, particularly Article 6 (the right to a fair trial) and Article 8 (the right to respect for a private and family life), the Freedom of Information Act 2000 (information about third parties, including the deceased - see link below) and the Mental Capacity Act 2005 (Part 1 - Persons Who Lack Capacity).
If the decision is made by a service manager to withhold information, the data subject must be informed in writing that an exemption applies, that the information they have requested will not be released to them and their right of appeal. This decision should also be recorded in a case management system (Liquidlogic).
(4) The ICO has published guidance called, "Freedom of Information Act. Practical Guidance: Information about the deceased"
5. Correcting Inaccurate Information
Inaccurate information is information that is incorrect or misleading in any matter of fact. Opinions can only be deemed inaccurate where they are based on inaccurate facts - an opinion may remain valid even where some facts are inaccurate.
If the data subject considers that the information held is inaccurate s/he may ask for a correction or an erasure to be made. Such requests must:
- Be in writing;
- Include sufficient information for the data controller to locate the alleged inaccuracy;
- Specify how the data subject thinks that it is inaccurate;
- State what the data subject considers the accurate information to be.
Requests for corrections to information should be dealt with within 21 calendar days of receipt of the letter from the data subject.
The decision to alter the records should be made by the service manager (or more senior manager) If the manager dealing with the request agrees that the information is inaccurate then it should be altered on the record. A note should be made of the change along with the reason for it and the name of the decision-maker. The data subject should be sent a copy of the corrected information.
If the manager does not agree that the information is inaccurate an addition to reflect what the data subject has stated may be made to the written record or computerised system. The data subject must be informed of the decision and invited to supply the text for this addition. This can be done with help from a member of social care, if necessary and appropriate.
In hard copy written records, an entry to the effect that the data subject regards the information to be inaccurate should be placed alongside the original entry. This will include a version of events which the data subject believes to be accurate, where this is provided. In ICS, staff should enter an alternative version by clicking the green pencil next to the original entry.
Information held on the Department's files is retained, in part, as a record of professional activity; as such it may not be appropriate to erase it. Advice must always be sought from the Data Protection Team before making an erasure.
6. Reviews of Decision Making
An internal review can be requested by the data subject in the following circumstances.
- There has been a delay in the statutory timescales;
- The information has not been supplied in an accessible form;
- A decision has been made to refuse all / part of the data;
- The information is believed to be incomplete.
The review will be undertaken by the Freedom of Information / Data Protection Team.
The data subject is also legally entitled to go straight to the Information Commissioner to "request an assessment". The Information Commissioner may order disclosure or uphold the Council's decision. Details of how to contact the ICO are:
The Information Commissioner
Information Commissioner's Office website.
7. Step by Step Guide if you are Dealing with a Subject Access Request
Step 1 (Any member of staff)
If you receive a subject access request by telephone, complete request form (available at www.bradford.gov.uk) with the data subject and forward the completed form to CYP - CICP via email using Bradford email system.
If the request is from someone you are working with (e.g. care leaver) this should be recorded on their file. Good practice would be to refer the data subject to the Care Leavers Association who are able to offer guidance and support throughout the process.
Step 2 (CYP - CICP)
CICP will record the contact on the Electronic Case Record system and forward referral the data protection team (currently to Sally Marshall - firstname.lastname@example.org).
CICP will send a letter to acknowledge the request and explain that a search for the records has been initiated. They will advise of 40-calendar day deadline.
If CICP need information to confirm the identity of the person making the request they will request this first.
Any paper files required for the request will be ordered from the Records Office and sent with the referral to the social work team.
If the files cannot be found, CICP will write to the applicant explaining this and giving information about the search for files that have been undertaken. They will provided details of the data protection team, and complaints procedures.
Step 3 (Data Protection Team)
Upon receipt of the completed referral, Sally Marshall will check the supporting identity documentation, and enter on the corporate tracking system.
Step 4 (Social Worker Team)
The social work team manager will allocate the work to a member of their team and ensure the worker has looked at the procedures and guidance in completing this piece of work.
Step 5 (Allocated Social Worker)
The allocated social worker will send a letter to the applicant where they will advise of disclosure date and contact details and arrange to contact the data subject to discuss what information they are hoping for. They should say that if they have not heard from the data subject by a certain date they will not be following up their request.
Discussing what is needed with the data subject will give clarity of what their awareness is to ensure the correct third party data is removed. It would also eradicate time being taken to redact documents if the worker gained an understanding of what the data subject wanted to gain or questions they wanted answering from accessing their data file.
The social worker will use the procedures complete this work and to identify what can and cannot be disclosed. If they are unsure they should seek advice from the data protection team (Sally Marshall).
The social worker will record all contacts and action taken on the electronic file.
All data will be prepared and scanned to facilitate editing by the allocated social worker in line with the Subject Access Policy. This includes data downloaded from ICS and paper files where they exist. This process is managed by the allocated social worker and their line manager. Two copies of any data prepared for the subject should be made, one to go to the subject and one copy to return to archives.
The allocated social worker arranges with the subject how they want to receive the data - to come in to the office or for this to be sent. It is good practice to offer a meeting with the data subject to support them when going through the file and be able to offer some answers to the questions they may have. Understandably some files maybe exceptionally large and it would benefit the data subject to be contacted at a later date to ensure that the data subject has no outstanding queries, but particularly in instances where it is envisaged that some of the data disclosed may have revealed distressing events or circumstances to the data subject. It is important to recognise that accessing personal data can have a profound impact on an individual and signposting to support services may be required
Once the work is completed the file will be closed and sent back to source. The Data Protection team should be informed that the file is now closed.
Step 6 (Line Manager and Allocated Social Worker)
It is the line manager's responsibility to ensure that the completion of the request is in compliance with the Data Protection Act 1998 and all documents are uploaded to CIVICA.
The Data Protection team (Sally Marshall) must be informed that the access to files has been completed and when the information will be shared with the data subject.
Step 7 (Data Protection Team)
Update the corporate tracking spreadsheet upon completion.
8. Advice and Support
Freedom of Information and Data Protection Team
Tel: 01274 431322
The team can offer advice on processing Subject Access Requests and on decisions about the disclosure of information.
Support for Care Leavers
For Post Care Adults who require support and advice, here is some useful links:
NAPAC - National Association for people abused in childhood.
The Care Leavers Association - a charity campaigning for the rights of Post Care Adults.
Appropriate Health Professional - anyone who is:
- A registered medical practitioner;
- A registered dentist (Dentists Act,1984);
- A registered optician (Opticians Act, 1989);
- A registered pharmaceutical chemist (Pharmacy Act, 1954);
- A registered nurse, midwife or health visitor;
- A registered osteopath (Osteopaths Act, 1993);
- A registered chiropractor (Chiropractors Act, 1994);
- Any person who is registered as a member of a profession to which the Professions Supplementary Medicines Act, 1960, extends;
- A clinical psychologist, child psychotherapist or speech therapist;
- A music therapist employed by a health service body;
- A scientist employed as head of a department of a health service body.
Data controller - the data controller is Bradford MDC as a legal entity.
Data subject - an identified or identifiable, living individual who is the subject of personal data.
Personal data - is information from which the individual can be identified, whether directly or by reference to code and where the individual is the focus of information which affects the privacy of the individual in his/her personal or family life and in his/her business / professional capacity.
Processing personal data - includes most dealings with personal data by City of Bradford Metropolitan District Council. 'Processing' refers to the obtaining, recording, keeping, using, deleting and sharing of information which is necessary for the exercise of social care functions.
Relevant Person - anyone who is employed by the Local Authority or who has performed, for reward, a service similar to a service carried out by the Authority. Since 3rd September 2000 this has included all current foster carers, other than kinship carers who are registered for a named child and who receive only an allowance. Information which is personal to a 'relevant person', including their home address, must not be disclosed without consent.