2.3 Access to Records
This procedure was refreshed and revised in February 2019 and should be re-read in its entirety.
1. Rights of Access by the Data Subject
The rights of a data subject to access personal information and records held by Children's Social Care Services are set out in Data Protection legislation (namely the EU UK General Data Protection Regulations EU2016/679 (UK GDPR) and Data Protection Act 2018). Under Data Protection legislation, those in respect of whom personal information is held in any form have a right of access to the information, unless any of the exemptions set out in Section 2, Exemptions to the Right of Access apply.
The right of access applies to both paper/hard copy records and records held electronically. It is important that electronic recording systems comply with the requirements for data subjects to easily find their story in a logical narrative.
Any request for personal information for a living individual is covered by the Data Protection Act.
The Freedom of Information (FoI) Act 2000 gives access to non personal information held by public authorities (this includes information on non-living individuals). Under the FoI Act anybody may request information in writing or via e-mail from a public authority (which includes all local authorities) and must receive a response within 20 working days. The FoI Act confers two statutory rights on applicants:
- To be informed in writing whether or not the public authority holds the information requested; and if so;
- To have that information communicated to him/her.
The FoI Act applies to all information whether recent or old. The FoI Act sets out 23 exemptions from rights of access to information. If the information is exempt, there is no right of access under the FoI Act. One of these exemptions relates to personal information which cannot form part of a Freedom of Information request.
2. Exemptions to the Right of Access
The Data Protection Act 2018 (Schedule 3) contains exemptions to the rights of access contained in Article 15 of the UK GDPR for health, social work, education and child abuse data. The right of access which is afforded to data subjects is restricted in the following circumstances:
- Where the right of access would prejudice carrying out social work because access to the information would be likely to cause serious harm to the physical or mental health of the data subject or some other individual;
- Where the records contain child abuse data; there is an exemption from Article 15 if the application of that provision would not be in the best interests of the data subject. (“Child abuse data” is defined in the Act as personal data consisting of information as to whether the data subject is or has been the subject of, or may be at risk of, child abuse. For this purpose, “child abuse” includes physical injury (other than accidental injury) to, and physical and emotional neglect, ill-treatment and sexual abuse of, an individual aged under 18);
- Where the person is incapable of managing his or her affairs (for example where the person is a child under the age of 14);
- Where complying with the right of access would mean disclosing information which was given by the data subject in the expectation that it would not be disclosed or is information which the data subject expressly indicated should not be disclosed;
- Where the data is processed by a court, consists of information supplied in a report or other evidence given to the court in the course of proceedings, the data may be withheld by the court in whole or in part from the data subject.
Access can also be refused if:
- Disclosing information to the data subject would involve disclosing information relating to third party who can be identified from the information. Unless (a) the other individual has consented to the disclosure of the information to the data subject, or (b) it is reasonable to disclose the information to the data subject without the consent of the other individual;
- Where disclosure may prevent the detection or investigation of a crime or jeopardise public or national security.
Access requests can also be refused if they are 'manifestly unfounded or excessive' (for example if an identical or similar request has been received from the same person and already been complied with).
These exemptions do not justify the total withholding of information but only those records/parts of records which are covered by the exemptions. The remainder of the case records should be made available to the data subject.
The exemptions above do not apply where disclosure is required by a court order or is necessary for the purpose of or in connection with any legal proceedings.
For the procedure in relation to access to Adoption Case Records - see Access to Birth Records and Adoption Case Records Procedure.
You can seek further advice from the Data Protection Team if you are unsure about application of exemptions. E-mail: firstname.lastname@example.org.
3. Offering an Informal Approach
The practice of all staff when working with children and families should be to encourage routine sharing of information, including providing copies of key documents on an ongoing basis (e.g. minutes from Child Protection Conferences, notes from Core Group Meetings, copies of Care Plans etc.).
If a person currently in receipt of services asks to see a particular document or wants to have information about a particular aspect of their case records, their social worker should discuss this with them to see whether the request can be dealt with informally by showing them the relevant part of the file or providing a copy of relevant documents.
It should fully explained to data subjects and also to staff dealing with this type of information that highly personal details around for example, the reasons for children taken into care can have high emotional impact. Forewarning and support to data subjects can be highly appropriate in some circumstances.
4. Handling Formal Requests for Access
Those making a formal request for access to their records should be asked to put the request in writing and the social worker/local authority case worker should assist them to do this as necessary. Unless the request is from a looked after child, their parent/guardian or care leaver the request should be passed to the FOI/Data Protection Team who will handle the request.
All requests for information from the police should be passed to the FOI/Data Protection Team who will co-ordinate these types of request made under Part 2 of the Data Protection Act.
If the request is from a looked after child or care leaver, this is dealt with by the social work team or leaving care team who is currently or formerly supporting the young person. The request should be made in writing and the social worker / local authority case worker should assist them to do so as necessary. If a request is received by a care leaver who is not known to the leaving care team, the care leaver must provide photographic identification (i.e. passport, driving licence or a proof of age card) before a search of the records is made. Where the person making the request does not have a passport or driving licence, consideration should be given to accepting other forms of identification.
It should be note that if the data subject is well known to services confirmation of identity should not be unduly bureaucratic.
The receipt of the written request should be recorded by the social worker/local authority case worker, who must verify the identification of the person making the request.
Once the identity of the data subject has been confirmed, all case records held on the person should be located and collected. All indexes and computer records should be checked, across all departments within Children's Social Care Services.
The social worker / local authority case worker should then carefully check the case records to ensure they are complete and that the information is provided in an intelligible and easily accessible form, using clear and plain language. The whole file should also be checked to ascertain whether any of the material comes within the exemptions to the rights of access and would, therefore, need to be removed/redacted (see Section 2, Exemptions to the Right of Access).
There should be no disclosure of the identity of third parties or other sources of information, and, any other information supplied by third parties should not usually be disclosed without the third party's consent. When it is not possible to obtain consent, discretion may be used to release information where there is no possibility of serious harm or it would be considered reasonable to disclose the information without the consent of the other individual.
An appointment should be made at the earliest opportunity to share relevant information from the case records with the person making the request. The data subject should be reminded to bring appropriate proof of identity.
A social worker/local authority case worker should be available to explain the contents of the file, to answer questions and to help the person understand the information recorded.
Where the person making the request has specific needs in relation to language, literacy or disability, arrangements must be made to present the information in a suitable format and to involve approved interpreters as needed.
Offering interpretative and supportive counselling may be advisable in certain cases, as well as using a number of interviews to disclose the information in stages.
The data subject should be provided with a copy of the data. A fee may be charged for any requests for additional copies.
Access must be given to disclosable information within 1 calendar month of receiving the request (or 1 month from the point at which the identity of the data subject is confirmed or any relevant fees are paid).
In certain circumstances, for example when responding to particularly complex or multiple requests, the authority can take a further 2 calendar months to provide data. If this is the case, the person requesting the information must be informed of the delay within 1 month of their original request and the reasons for the delay explained to them. A large case file does not constitute a complex case under the Data Protection Act.
The timescale can only be extended with the agreement of the person requesting access. Where he or she refuses to agree an extension, access should be given to all information open to disclosure at that point.
6. Applications by Children
Requests from children should be treated in the same way as requests from adults. In each case a judgement should be made by the social worker/local authority case worker as to whether the child making the request for access understands the nature of their request. Where appropriate, a parent/carer should be asked to provide written confirmation that the child understands the nature of the application.
Broadly the guidance around UK GDPR suggests children of the age of 14 or above deemed capable of taking decisions around the use of the personal data.
Children with disabilities have the same rights as others to have access to information held about them. No assumption should be made about their level of understanding. This should be assessed on an individual basis as with all children.
A child of sufficient understanding should be allowed regular access to information held about them, consistent with their best interests. Relevant assessments, plans and records should be routinely shared with unless one of the exemptions set out above applies.
A child should be encouraged to contribute to their case record, including when there is disagreement about an entry in the file.
7. Applications by Parents / Those with Parental Responsibility
Even if a child is unable to understand the implications of a request, any data held about them is still their personal data and does not belong to anyone else, including a parent. It is the child who has the right of access to information held about them, even though, in the case of young children their rights are likely to be exercised for them by people with parental responsibility.
Before responding to a request for access to information held about a child, it should be considered whether the child is mature enough to understand their rights. If they are, they should be responded to rather than the parent. If the social worker / local authority case worker is unsure about whether a child is able to understand what it means to make a request and how to interpret the information they receive as a result they should consider:
- The child's level of maturity and ability to make decisions like this;
- The nature of the personal data;
- Any court orders relating to parental responsibility that may apply;
- Any consequences of allowing those with parental responsibility access to the child's information. This is particularly important if there have been allegations of abuse;
- Any detriment to the child if people with parental responsibility cannot access this information;
- Any views the child has on whether their parents should have access to information about them.
Northamptonshire County Council will always seek proof of Parental Responsibility (PR) and would request a child's written consent if they were aged 12 or over at the time of the request. If 16 plus, the child young person will be asked to make their own request or give their parent written authority to make a request.
An application by a parent or those with parental responsibility can be refused if it would mean disclosing information which was provided by the child in the expectation that it would not be disclosed, or if the child expressly indicated that it should not be disclosed.
Regardless of whether or not a child is capable of understanding the request or has consented to the parent making the request, it is important that a parent should only be given access to the information about the child if the worker in consultation with their manager is satisfied that the request is made in the child's and not the parent's interests.
8. Applications by Care Leavers
When an application has been received from a care leaver, it is important that the request is acknowledged promptly and in writing, or by using another appropriate forms of communication if required. The process and timescales for dealing with such requests should be explained, as well as any additional support services that the authority is able to provide.
N.B. If the applicant was Looked After and is older than 25 years old at the time of request, then the application for information should be handled through the Subject Assess Request procedure managed by the Freedom of Information and Data Protection Team in Business Intelligence and Performance Improvement. Such requests that fall into this category should be passed to this team as quickly as possible. Cases can be referred by e-mail to email@example.com.
An acknowledgement should be sent to the care leaver within 10 working days confirming that their records exist. The acknowledgement should also indicate when they are likely to receive information from the case records and clarify that:
- The local authority will attempt to locate all existing records relating to the care leaver, including registers from children's homes. Legislation requires that a child's case record must be kept until the 75th anniversary of the child's date of birth;
- There is a statutory duty to respond to a subject access request within 1 calendar month;
- The care leaver will need to produce proof of their identity before the organisation can disclose any personal information. However, if the person is already known to the service the proof of formal ID is not required.
If the records cannot be located, the care leaver should be informed as soon as possible about the steps that will be taken to try to locate them. If records have been transferred to another local authority, the care leaver should be provided with relevant contact details. If the authority becomes aware that the case records do not exist, there should be no delay informing the care leaver. When records have been destroyed or mislaid, the care leaver must be informed as soon as possible and assistance given to help them locate other information and registers that may be available, such as, health and education records.
It is important that the local authority case worker has telephone or direct contact with the care leaver to introduce themselves and explain the process. This also provides an opportunity for the care leaver to discuss what they are hoping to obtain from their records, how they would like these to be shared and what they already know about their family and history. The local authority case worker can also identify any support the care leaver would like to receive. The care leaver should be assured that they will receive comprehensive information about their family background and time in care including information already known to them. It is important to offer to telephone the care leaver after they have received and read their records and to inform them that the case worker remains available to answer any questions or discuss concerns they may have.
Local authorities should respond to requests from a direct descendant of a care leaver if information about family history is being sought.
9. Applications by Agents
A request for access to records may be made through an agent (for example, a solicitor).
It is the agent's responsibility to produce satisfactory evidence that they have authority to have access to the records. This will always include proof of their identity.
The Freedom of Information and Data Protection Team will decide whether the representative will be allowed access in the vast majority of such applications. It may be that in some circumstances that Legal Advice may be need to be consulted with the Team Manager for the relevant social work team, if required and/or necessary.
10. Applications by Professionals
Sharing relevant information with others working with children, including those from other local authorities, is necessary in order to safeguard children and ensure they receive the best possible care.
A request may be received to view records, this section outlines the action that must be taken when a request of this nature is received. (In an emergency, the NSCP Information Sharing protocol should be followed).
- A request to view records should be granted once the following has been confirmed;
- A consent form (in any format) where parents have given consent to access their records;
- Strategy meeting minutes which demonstrate the need to gather information for the Section 47 Enquiry (ideally a consent form should be taken – there may be circumstances where it has not been possible to obtain a consent form).
Once access has been granted and information has been shared, a record should be made on the electronic file stating the following information:
- Full name, post title and organisation of person who looked at the record;
- Date the record was accessed;
- Why the records was accessed.
Those requesting access to records may also request to take hard copies. Before hard copies of records are taken, copies of the records taken most be scanned and uploaded to Care Store. A note should be added to the relevant CareFirst file. The note must list the records that were taken.
11. Application on Behalf of Deceased Persons
Where a request is received for access to the records of someone who has died, the person making the application should be asked to explain in writing their relationship to the deceased person, what information is needed and why. The local authority case worker should make a decision in consultation with their manager and advise the applicant in writing of the decision with reasons.
12. Applications from Police Authorities, Prisons or Government Agencies
Any requests from Police Authorities, Her Majesty's Prison Service or any Government Organisations should be passed over to the Freedom of Information/Data Protection Team to process.
For Police requests this includes any requests for information concerning anyone aged 17 or over at the time of an alleged offence. A request for a person's records aged 17 or under at the time of an alleged offence will be dealt with under the National Protocol and by LGSS Law Ltd.
13. Rectification or Deletion of Records
If a person considers that any part of the information held on their records is inaccurate, they have (Under Articles 16 and 17 of the UK GDPR) the right to apply verbally or in writing for it to be rectified or deleted.
Local authorities have 1 month to respond to any such requests.
If a request for rectification is received, the local authority should take reasonable steps to establish that the data is accurate and to rectify the data if necessary.
What steps are reasonable will depend, in particular, on the nature of the personal data and what it will be used for. The more important it is that the personal data is accurate, the greater the effort a local authority should put into checking its accuracy and, if necessary, taking steps to rectify it.
Each representation will be considered, investigated and remedied on a case by case basis. Where a social worker is unclear as to what action to take, managers in the business should be consulted and any actions recorded in line with audit and quality management purposes.
A local authority can refuse to comply with a request for rectification if the request is manifestly unfounded or excessive, taking into account whether the request is repetitive in nature.
If a local authority considers that a request is manifestly unfounded or excessive you can:
- Request a "reasonable fee" to deal with the request; or
- Refuse to deal with the request.
14. Refusal of Access
If the social worker or local authority case worker considers there are reasons to refuse a request for access to all or any part of the records (see Section 2, Exemptions to the Right of Access), this should be discussed with their manager and legal advice should be obtained if necessary.
The manager should be asked to make a final decision on refusal of access, having sought legal advice if required. If refused, the date of the request and reason for refusal must be recorded in the file.
The decision and the reasons for it should be confirmed in writing to the person requesting access, or in a format appropriate to the needs of the person concerned.
The Data Protection Team will be able to provide assistance for complex cases.
15. Appeals Process
The data subject concerned has the right to apply to the court for an order to disclose, correct or erase information held. They also have a right of appeal to the Information Commissioner who may make an assessment about whether the law has been complied with an issue enforcement proceedings to make the local authority comply with the request if necessary and/or recommend an application to court alleging a failure to comply with data protection legislation.