Data protection legislation (see Data Protection chapter) specifies the duties of organisations in relation to holding, storing and processing of the personal data of living individuals (referred to within the legislation as ‘data subjects’). The legislation terms staff who control the manner and the purpose of personal data processing ‘data controllers’.
It also gives data subjects the right to:
- know about and obtain information held on them by the local authority and other agencies;
- consent to their information being held; and
- be forgotten (have their information deleted) in relation to the data held about them.
Such information will either be held on IT databases or in hard copy.
2. People Eligible to Request and Receive Information
In most circumstances, only the people the service holds information on (the data subjects) are allowed to receive information held about them. The information provided by the service must relate only to them and no one else. If a solicitor makes a request on behalf of a client to access their case records, the solicitor must obtain written consent from the adult which allows the solicitor to receive the information. This consent must be sent to the service as part of the application.
Although there are no specific provisions in data protection legislation regarding access to records in relation to people who lack capacity, the Mental Capacity Act 2005 enables a third party to exercise subject access rights on behalf of such an adult. It is reasonable to assume, therefore, that an attorney with authority to manage the property and affairs of an adult will have the appropriate authority to request all assessment documentation relating to the person’s care needs, as this could impact on how much the person needs to pay towards their care. An attorney with authority to manage a person’s property and affairs would routinely only have access to documentation relating to the person’s finances, although they would – as previously mentioned – have access to their assessment and care and support records. The opposite is true for an attorney for health and welfare. The same applies to a deputy appointed by the Court of Protection to make decisions about a person’s property and affairs and/or health and welfare.
3. Information People Are Entitled to Receive
In theory people (the data subjects) are allowed to receive all non-exempt information (see 3.1 Exempt Information below) held about them by the service. People making such requests should be asked what information they specifically want to see. This will reduce the likelihood of a request being denied due to the inclusion of exempt information.
3.1 Exempt information
In some circumstances it may not be possible to allow people access to some or all of the information in their records, for example if it mentions another person (see 3.2 Third Party Information below), if giving them the information may cause them harm, or if it is needed for the prevention or detection of a crime. The person should usually be told the reason why it is not possible for them to access their records.
3.2 Third party information
Responding to a request may involve providing information relating to another individual who can be identified from that information. This is third party information. In most cases, the service will require written consent of that third party before disclosing the information to the data subject.
4. Making an Application
Subject Access Requests (SARs) must be made in writing in relation to information held by the service on the person. For more information and a suggested template letter see Find out how to Request your Personal Information.
The person making the request should find out from the organisation whether fees are payable.
The organisation must provide a copy of the information free of charge. It can charge a ‘reasonable fee’, however, when a request is manifestly unfounded or excessive, particularly if it is repetitive. It can also charge a reasonable fee to comply with requests for further copies of the same information (this does not mean that it can charge for all SARs). The fee must be based on the administrative cost of providing the information.
4.1 Requests that are manifestly unfounded or excessive
Where requests are manifestly unfounded or excessive, in particular because they are repetitive, the organisation can:
- charge a reasonable fee (as above); or
- refuse to respond.
Where it refuses to respond to a request, it must explain why to the individual, informing them of their right to complain and to a judicial remedy, without unnecessary delay and at the latest within one month.
The service has one month to respond to a written request. This allows time for personal information to be collated from all involved departments within the service and analysed to ensure it does not contain exempt information (see Section 3.1, Exempt information), and for decisions to be made about whether there is any such information that cannot be given to the person.