AMENDMENTIn December 2018, this guidance was extensively updated to reflect the Data Protection Act 2018 and the General Data Protection Regulations (GDPR).
The rights of a data subject to access personal information and records held by Children's Services are set out in Data Protection legislation (namely the EU General Data Protection Regulations (GDPR) and Data Protection Act 2018). The right of access, commonly referred to as a Subject Access Request, gives individuals the right to obtain a copy of their personal data as well as other supplementary information. It helps individuals to understand how and why the authority is using their data, and check that is being done lawfully.
The right of access applies to both paper/hard copy records and records held electronically. It is important that electronic recording systems comply with the requirements for data subjects to easily find their story in a logical narrative.
For further information on 'Right of Access' visit the Council's website at and read the 'Access your information' page.
The Freedom of Information Act 2000 gives access to non personal information held by public authorities. Under the Act anybody may request information in writing or via e-mail from a public authority (which includes all local authorities) and must receive a response within 20 working days. The Act confers two statutory rights on applicants:
The Act applies to all information whether recent or old. The Act sets out 23 exemptions from rights of access to information. If the information is exempt, there is no right of access under the Act. One of these exemptions relates to personal information which cannot form part of a Freedom of Information request.
The Data Protection Act 2018 (Schedule 3) contains exemptions to the rights of access contained in Article 15 of the GDPR for health, social work, education and child abuse data. The right of access which is afforded to data subjects is restricted in the following circumstances:
Access can also be refused if:
Access requests can also be refused if they are 'manifestly unfounded or excessive' (for example if an identical or similar request has been received from the same person and already been complied with).
These exemptions do not justify the total withholding of information but only those records/parts of records which are covered by the exemptions. The remainder of the case records should be made available to the data subject.
The exemptions above do not apply where disclosure is required by a court order or is necessary for the purpose of or in connection with any legal proceedings.
For the procedure in relation to access to Adoption Case Records - see Access to Birth Records and Adoption Case Records Procedure.
The practice of all staff when working with children and families should be to encourage routine sharing of information, including providing copies of key documents on an ongoing basis (e.g. minutes from Child Protection Conferences, notes from Core Group Meetings, copies of Care Plans etc.).
If a person currently in receipt of services asks to see a particular document or wants to have information about a particular aspect of their case records, their social worker should discuss this with them to see whether the request can be dealt with informally by showing them the relevant part of the file or providing a copy of relevant documents.
Those making a formal request for access to their records should be asked to put the request in writing and the social worker/local authority case worker should assist them to do this as necessary – however it should be made clear that requests can also be made verbally or by social media.
All requests should be forwarded to the CS Information Governance team, (e-mail GDPR@derbyshire,gov.uk), who will then process the request, liaise with relevant managers/workers over information exempt from disclosure and obtain approval from Head of Service to release information within statutory timescales – see Section 5, Timescales.
If the person making the request is not currently known to the service they will be asked to provide photographic evidence of their identity, such as a passport or driving licence before a search of the records is made. Where the person making the request does not have a passport or driving licence, consideration should be given to accepting other forms of identification e.g. confirmation that the requestor is receiving a service from the authority, by their current worker.
Once the identity of the data subject has been confirmed, all case records held on the person should be located and collected. All indexes and computer records should be checked, across all departments within Children's Services.
The worker should then carefully check the case records to ensure they are complete and that the information is provided in an intelligible and easily accessible form, using clear and plain language. The whole file should also be checked to ascertain whether any of the material comes within the exemptions to the rights of access and would, therefore, need to be removed/redacted (see Section 2, Exemptions to the Right of Access).
An appointment should be made at the earliest opportunity to share relevant information from the case records with the person making the request. The data subject should be reminded too bring appropriate proof of identity.
A social worker/local authority case worker should be available to explain the contents of the file, to answer questions and to help the person understand the information recorded.
Where the person making the request has specific needs in relation to language, literacy or disability, arrangements must be made to present the information in a suitable format and to involve approved interpreters as needed.
Offering interpretative and supportive counselling may be advisable in certain cases, as well as using a number of interviews to disclose the information in stages.
The data subject should be provided with a copy of the data. A fee may be charged for any requests for additional copies.
Access must be given to disclosable information within 1 month of receiving the request (or 1 month from the point at which the identity of the data subject is confirmed or any relevant fees are paid).
In certain circumstances, for example when responding to particularly complex or multiple requests, the authority can take a further 2 months to provide data. If this is the case, the person requesting the information must be informed of the delay within 1 month of their original request and the reasons for the delay explained to them.
Requests from children should be treated in the same way as requests from adults. In each case a judgement should be made by the social worker/local authority case worker as to whether the child making the request for access understands the nature of their request. Where appropriate, a parent/carer should be asked to provide written confirmation that the child understands the nature of the application.
Children with disabilities have the same rights as others to have access to information held about them. No assumption should be made about their level of understanding. This should be assessed on an individual basis as with all children.
A child of sufficient understanding should be allowed regular access to information held about them, consistent with their best interests. Relevant assessments, plans and records should be routinely shared with unless one of the exemptions set out above applies.
A child should be encouraged to contribute to their case record, including when there is disagreement about an entry in the file.
Even if a child is unable to understand the implications of a request, any data held about them is still their personal data and does not belong to anyone else, including a parent. It is the child who has the right of access to information held about them, even though, in the case of young children their rights are likely to be exercised for them by people with parental responsibility.
Before responding to a request for access to information held about a child, it should be considered whether the child is mature enough to understand their rights. If they are, they should be responded to rather than the parent. If the social worker / local authority case worker is unsure about whether a child is able to understand what it means to make a request and how to interpret the information they receive as a result they should consider:
An application by a parent or those with parental responsibility can be refused if it would mean disclosing information which was provided by the child in the expectation that it would not be disclosed, or if the child expressly indicated that it should not be disclosed.
Regardless of whether or not a child is capable of understanding the request or has consented to the parent making the request, it is important that a parent should only be given access to the information about the child if the worker in consultation with their manager is satisfied that the request is made in the child's and not the parent's interests.
When an application has been received from a care leaver, it is important that the request is acknowledged promptly and in writing, or by using another appropriate forms of communication if required. The process and timescales for dealing with such requests should be explained, as well as any additional support services that the authority is able to provide.
An acknowledgement should be sent to the care leaver within 10 working days confirming that their records exist. The acknowledgement should also indicate when they are likely to receive information from the case records and clarify that:
If the records cannot be located, the care leaver should be informed as soon as possible about the steps that will be taken to try to locate them. If records have been transferred to another local authority, the care leaver should be provided with relevant contact details. If the authority becomes aware that the case records do not exist, there should be no delay informing the care leaver. When records have been destroyed or mislaid, the care leaver must be informed as soon as possible and assistance given to help them locate other information and registers that may be available, such as, health and education records.
It is important that the local authority case worker has telephone or direct contact with the care leaver to introduce themselves and explain the process. This also provides an opportunity for the care leaver to discuss what they are hoping to obtain from their records, how they would like these to be shared and what they already know about their family and history. The local authority case worker can also identify any support the care leaver would like to receive. The care leaver should be assured that they will receive comprehensive information about their family background and time in care including information already known to them. It is important to offer to telephone the care leaver after they have received and read their records and to inform them that the case worker remains available to answer any questions or discuss concerns they may have.
Local authorities should respond to requests from a direct descendant of a care leaver if information about family history is being sought.
A request for access to records may be made through an agent (for example, a solicitor).
It is the agent's responsibility to produce satisfactory evidence that they have authority to have access to the records. This will always include proof of their identity.
The relevant Head of Service will decide whether the representative will be allowed access, having sought Legal Advice if necessary.
Where a request is received for access to the records of someone who has died, the person making the application should be asked to explain in writing their relationship to the deceased person, what information is needed and why and provide proof of death i.e. presentation of a death certificate. The local authority case worker should make a decision in consultation with their manager and advise the applicant in writing of the decision with reasons.
If a person considers that any part of the information held on their records is inaccurate, they have (Under Articles 16 and 17 of the GDPR) the right to apply verbally or in writing for it to be rectified or deleted.
Local authorities have 1 month to respond to any such requests.
If a request for rectification is received, the local authority should take reasonable steps to establish that the data is accurate and to rectify the data if necessary.
What steps are reasonable will depend, in particular, on the nature of the personal data and what it will be used for. The more important it is that the personal data is accurate, the greater the effort a local authority should put into checking its accuracy and, if necessary, taking steps to rectify it.
A local authority can refuse to comply with a request for rectification if the request is manifestly unfounded or excessive, taking into account whether the request is repetitive in nature.
If a local authority considers that a request is manifestly unfounded or excessive you can:
If the social worker or local authority case worker considers there are reasons to refuse a request for access to all or any part of the records (see Section 2, Exemptions to the Right of Access), this should be discussed with their Head of Service and legal advice should be obtained if necessary.
The Head of Service should be asked to make a final decision on refusal of access, having sought legal advice if required. If refused, the date of the request and reason for refusal must be recorded in the file.
The decision and the reasons for it should be confirmed in writing to the person requesting access, or in a format appropriate to the needs of the person concerned.
The data subject concerned has the right to apply to the court for an order to disclose, correct or erase information held. They also have a right of appeal to the Information Commissioner who may make an assessment about whether the law has been complied with an issue enforcement proceedings to make the local authority comply with the request if necessary and/or recommend an application to court alleging a failure to comply with data protection legislation.
Only valid for 48hrs