Access to Records/Subject Access Requests

1. Rights of Access by the Data Subject

The rights of a data subject to access personal information and records held by Children's Social Care Services are set out in Data Protection legislation (namely the UK General Data Protection Regulation (UK GDPR) and Data Protection Act 2018). Under Data Protection legislation, those in respect of whom personal information is held in any form have a right of access to the information, unless any of the exemptions set out in Section 2, Exemptions to the Right of Access apply.

A subject access request does not replace appropriate sharing of information with the service user through social work practice.

The right of access applies to both structured hard copy records such as files records and records held electronically. It is important that electronic recording systems comply with the requirements for data subjects to easily find their story in a logical narrative. The Freedom of Information Act 2000 gives access to non-personal information held by public authorities. Under the Act anybody may request information in writing or via e-mail from a public authority (which includes all local authorities) and must receive a response within 20 working days. The Act confers two statutory rights on applicants:

• To be informed in writing whether or not the public authority holds the information requested; and if so;
• To have that information communicated to him / her.

The Act applies to all information whether recent or old. The Act sets out 23 exemptions from rights of access to information. If the information is exempt, there is no right of access under the Act. One of these exemptions relates to personal information which in most cases cannot be disclosed under a Freedom of Information request.

2. Exemptions to the Right of Access

The Data Protection Act 2018 (Schedule 3) contains exemptions to the rights of access contained in Article 15 of the UK GDPR for health, social work, education and child abuse data. The right of access which is afforded to data subjects is restricted in the following circumstances (please note these exemptions are not absolute but only apply to the extent necessary):

1. Where the right of access would prejudice carrying out social work because access to the information would be likely to cause serious harm to the physical or mental health of the data subject or some other individual;
2. Where the records contain child abuse data; there is an exemption from Article 15 if the application of that provision would not be in the best interests of the data subject. ("Child abuse data" is defined in the Act as personal data consisting of information as to whether the data subject is or has been the subject of, or may be at risk of, child abuse. For this purpose, "child abuse" includes physical injury (other than accidental injury) to, and physical and emotional neglect, ill-treatment and sexual abuse of, an individual aged under 18);
3. Where the person is incapable of managing their affairs;
4. Where complying with the right of access would mean disclosing information was which given by the data subject in the expectation that it would not be disclosed or is information which the data subject expressly indicated should not be disclosed;
5. Where the data is processed by a court, consists of information supplied in a report or other evidence given to the court in the course of proceedings, the data may be withheld by the court in whole or in part from the data subject.

Access can also be refused if:

• Where disclosure may prevent the detection or investigation of a crime or jeopardise public or national security;
• Disclosing information to the data subject would involve disclosing information relating to third party who can be identified from the information. Unless (a) the other individual has consented to the disclosure of the information to the data subject, or (b) it is reasonable to disclose the information to the data subject without the consent of the other individual; However, the law on SAR has now evolved and it is considered acceptable to disclose third party data where either:
  • The identity of the third parties described is known to the requestor and where it describes events the requestor was present for;
  • Where the event described was significant in the requestor's biography, whether they were there or not.

Access requests can also be refused if they are 'manifestly unfounded or excessive' (for example if an identical or similar request has been received from the same person and already been complied with).

These exemptions do not justify the total withholding of information but only those records / parts of records which are covered by the exemptions, and only to the extent that disclosure would prejudice the purposes described. These are not blanket exemptions. The remainder of the case records should be made available to the data subject.

The exemptions above do not apply where disclosure is required by a court order or is necessary for the purpose of or in connection with any legal proceedings.

For the procedure in relation to access to Adoption Case Records - see Adopted Persons' Access to Birth Records and Adoption Case Records Procedure (Now managed by Adoption South East).

3. Offering an Informal Approach

The practice of all staff when working with children and families should be to encourage routine sharing of information, including providing copies of key documents on an ongoing basis (e.g. minutes from Child Protection Conferences, notes from Core Group Meetings, copies of Care Plans etc.).

If a person currently in receipt of services asks to see a particular document or wants to have information about a particular aspect of their case records, their social worker should discuss this with them to see whether the request can be dealt with informally by showing them the relevant part of the file or providing a copy of relevant documents.

4. Handling Formal Requests for Access

All requests should be logged with the Data Protection Team regardless of who is to process them.

Those making a formal request for access to their records do not need to make the request in writing but it may be helpful to encourage them to do so if they are willing. The social worker / local authority case worker should assist them to do this as necessary. The receipt of the written or verbal request should be recorded by the social worker / local authority case worker, who must verify the identity of the person making the request.

If the person making the request is not currently known to the service they will be asked to provide photographic evidence of their identity, such as a passport or driving licence before a search of the records is made. Where the person making the request does not have a passport or driving licence, consideration should be given to accepting other forms of identification.

Once the identity of the data subject has been confirmed, all case records held on the person should be located and collected. All indexes and computer records should be checked, across all departments within Children's Social Care Services.

The social worker / local authority case worker should then carefully check the case records to ensure they are complete and that the information is provided in an intelligible and easily accessible form, using clear and plain language. The whole file should also be checked to ascertain whether any of the material comes within the exemptions to the rights of access and would, therefore, need to be removed / redacted (see Section 2, Exemptions to the Right of Access).

Where people other than the requestor have provided information to social workers in an expectation of confidence, this should be considered prior to disclosing this information under SAR. There can be no absolute expectation that their identity can be protected and it will come down to a balancing of their rights against those of the data subject. When it is not possible to obtain their consent, discretion may be used to release information where there is no possibility of serious harm or it would be considered reasonable to disclose the information without the consent of the other individual.

An appointment should be made at the earliest opportunity to share relevant information from the case records with the person making the request. The data subject should be reminded too bring appropriate proof of identity.

A social worker / local authority case worker should be available to explain the contents of the file, to answer questions and to help the person understand the information recorded.

Where the person making the request has specific needs in relation to language, literacy or disability, arrangements must be made to present the information in a suitable format and to involve approved interpreters as needed.

Offering interpretative and supportive counselling may be advisable in certain cases, as well as using a number of interviews to disclose the information in stages.

The data subject should be provided with a copy of the data. A fee may be charged for any requests for additional copies.

5. Timescales

Access must be given to disclosable information within 1 month of receiving the request (or 1 month from the point at which the identity of the data subject is confirmed or any relevant fees are paid).

In certain circumstances, for example when responding to particularly complex or multiple requests, the authority can take a further 2 months to provide data. If this is the case, the person requesting the information must be informed of the delay within 1 month of their original request and the reasons for the delay explained to them.

6. Applications by Children

Requests from children should be treated in the same way as requests from adults. In each case a judgement should be made by the social worker / local authority case worker as to whether the child making the request for access understands the nature of their request. Where appropriate, a parent / carer should be asked to provide written confirmation that the child understands the nature of the application.

Children with disabilities have the same rights as others to have access to information held about them. No assumption should be made about their level of understanding. This should be assessed on an individual basis as with all children.

A child of sufficient understanding should be allowed regular access to information held about them, consistent with their best interests. Relevant assessments, plans and records should be routinely shared with unless one of the exemptions set out above applies.

A child should be encouraged to contribute to their case record, including when there is disagreement about an entry in the file.

7. Applications by Parents / Those with Parental Responsibility

Even if a child is unable to understand the implications of a request, any data held about them is still their personal data and does not belong to anyone else, including a parent. It is the child who has the right of access to information held about them, even though, in the case of young children their rights are likely to be exercised for them by people with parental responsibility.

Before responding to a request for access to information held about a child, it should be considered whether the child is mature enough to understand their rights. If they are, they should be responded to rather than the parent. If the social worker / local authority case worker is unsure about whether a child is able to understand what it means to make a request and how to interpret the information they receive as a result they should consider:

• The child's level of maturity and ability to make decisions like this;
• The nature of the personal data;
• Any court orders relating to parental responsibility that may apply;
• Any consequences of allowing those with parental responsibility access to the child's information. This is particularly important if there have been allegations of abuse;
• Any detriment to the child if people with parental responsibility cannot access this information;
• Any views the child has on whether their parents should have access to information about them.

An application by a parent or those with parental responsibility can be refused if it would mean disclosing information which was provided by the child in the expectation that it would not be disclosed, or if the child expressly indicated that it should not be disclosed.

Regardless of whether or not a child is capable of understanding the request or has consented to the parent making the request, it is important that a parent should only be given access to the information about the child if the worker in consultation with their manager is satisfied that the request is made in the child's and not the parent's interests.

8. Applications by Care Leavers

For further information, see Children Act 1989 Guidance and Regulations - Volume 3: Planning Transition to Adulthood for Care Leavers.

Statement by Head of Safeguarding and Principal Social Worker, Brighton and Hove Children's Services:

All Care Leavers and those who had been supported through Children's Social Care have the right to full access to their childhood care files. Access to this information can have a positive impact on people's lives. The value of these files, and the need for us to promote this right of access, is recognised by us in Brighton & Hove City Council and we aim to offer all care leavers support and kindness in what can be a difficult and challenging process.

When an application has been received from a care leaver, it is important that the request is acknowledged promptly and in writing, or by using another appropriate forms of communication if required. The process and timescales for dealing with such requests should be explained, as well as any additional support services that the authority is able to provide.

An acknowledgement should be sent to the care leaver within 10 working days confirming that their records exist. The acknowledgement should also indicate when they are likely to receive information from the case records and clarify that:

• The local authority will attempt to locate all existing records relating to the care leaver, including registers from children's homes. Legislation requires that a child's case record must be kept until the 75th anniversary of the child's date of birth;
• There is a statutory duty to respond to a subject access request within 1 month;
• The care leaver will need to produce proof of their identity before the organisation can disclose any personal information. However, if the person is already known to the service the proof of formal ID is not required.

If the records cannot be located, the care leaver should be informed as soon as possible about the steps that will be taken to try to locate them. If records have been transferred to another local authority, the care leaver should be provided with relevant contact details. If the authority becomes aware that the case records do not exist, there should be no delay informing the care leaver. When records have been destroyed or mislaid, the care leaver must be informed as soon as possible and assistance given to help them locate other information and registers that may be available, such as, health and education records.

It is important that the local authority case worker has telephone or direct contact with the care leaver to introduce themselves and explain the process. This also provides an opportunity for the care leaver to discuss what they are hoping to obtain from their records, how they would like these to be shared and what they already know about their family and history. The local authority case worker can also identify any support the care leaver would like to receive. The care leaver should be assured that they will receive comprehensive information about their family background and time in care including information already known to them. It is important to offer to telephone the care leaver after they have received and read their records and to inform them that the case worker remains available to answer any questions or discuss concerns they may have.

Local authorities should respond to requests from a direct descendant of a care leaver if information about family history is being sought. Disclosures would not normally be made to a family member if it is known that the relationship was unhealthy and that this would not align with the care leaver's wishes.

9. Applications by Agents

A request for access to records may be made through an agent (for example, a solicitor).

It is the agent's responsibility to produce satisfactory evidence that they have authority to have access to the records. This will always include proof of their identity.

The relevant Team Manager will decide whether the representative will be allowed access, having sought Legal Advice if necessary.

10. Application on Behalf of Deceased Persons

Where a request is received for access to the records of someone who has died, the person making the application should be asked to explain in writing their relationship to the deceased person, what information is needed and why. The local authority case worker should make a decision in consultation with their manager and advise the applicant in writing of the decision with reasons.

11. Rectification or Deletion of Records

If a person considers that any part of the information held on their records is inaccurate, they have (Under Articles 16 and 17 of the GDPR) the right to apply verbally or in writing for it to be rectified.

Local authorities have 1 month to respond to any such requests.

If a request for rectification is received, the local authority should take reasonable steps to establish that the data is accurate and to rectify the data if it is factually inaccurate. This does not require the local authority to alter any opinions to which the data subject may object. However, if opinions could have been expressed with greater sensitivity, consideration can be given to altering the expression.

What steps are reasonable will depend, in particular, on the nature of the personal data and what it will be used for. The more important it is that the personal data is accurate, the greater the effort a local authority should put into checking its accuracy and, if necessary, taking steps to rectify it.

Erasure can only take place following the expiry of the retention period. The case record must continue to contain the evidence of what information formed part of referrals and what actions/decisions were taken, even if the referral is subsequently shown to be inaccurate. Rectification in this circumstance consists of inviting the data subject to submit a supplementary statement of their own which is then appended to the record.

If the request is denied, an explanation should be given for the reasons and the request should be acknowledged as part of the record.

A local authority can refuse to comply with a request for rectification if the request is manifestly unfounded or excessive, taking into account whether the request is repetitive in nature.

If a local authority considers that a request is manifestly unfounded or excessive you can:

• Request a "reasonable fee" to deal with the request; or
• Refuse to deal with the request.

12. Refusal of Access

If the social worker or local authority case worker considers there are reasons to refuse a request for access to all or any part of the records (see Section 2, Exemptions to the Right of Access), this should be discussed with their manager and advice from the Data Protection Team should be obtained if necessary.

The manager should be asked to make a final decision on refusal of access, having sought legal advice if required. If refused, the date of the request and reason for refusal must be recorded in the file.

The decision and the reasons for it should be confirmed in writing to the person requesting access, or in a format appropriate to the needs of the person concerned.

13. Appeals Process

The data subject concerned has the right to apply to the court for an order to disclose, correct or erase information held. They may also request an internal review of the refusal to disclose by a different person. They also have a right of appeal to the Information Commissioner who may make an assessment about whether the law has been complied with an issue enforcement proceedings to make the local authority comply with the request if necessary and/or recommend an application to court alleging a failure to comply with data protection legislation.