Guide for all staff involved in processing Subject Access...

SUBJECT ACCESS REQUEST

GUIDE FOR CHILDREN’S SERVICES STAFF INVOLVED WITH PROCESSING SUBJECT

ACCESS REQUESTS

UNDERSTANDING DATA SUBJECT RIGHTS AND ACCESS TO PERSONAL INFORMATION

Customer Relations Team 2016

Guide for all staff involved in processing Subject Access Requests

INTRODUCTION

It is the East Riding of Yorkshire Council’s obligation to ensure compliance with the Data Protection Act 1998. The Information Commissioner, who oversees compliance and promotes good practice, requires all organisations and individuals who process personal data to comply with the eight data protection principles of ‘good information handling’. It is important to read the councils Data Protection Policy in conjunction with this Subject Access Request guidance.

http://insight.eastriding.gov.uk/corporate-information/policies-and-procedures/

The East Riding of Yorkshire Council is committed to ensuring that the personal data it holds is used fairly and lawfully and in a non-discriminatory manner.

THE AIM OF THIS GUIDANCE

To help you make the correct decisions when dealing with Subject Access Requests and the redaction of information.

To advise you on how to prepare a file. To advise how you can provide access.

WHO THIS GUIDANCE APPLIES TO

SENIOR CUSTOMER RELATIONS OFFICER.DESIGNATED SAR OFFICER (LOCALITY TEAMS). SUPPORT SERVICES.SENIOR MANAGER.HEAD OF SERVICE.

This guidance is coded in the above colours to enable those who it applies to be directed to the guidance relevant to their role within the process.

2




However it is advisable to read the full guidance to gain an understanding of the full process in completing a Subject Access Request.

There is also a flow-chart showing the SAR process and the stages where involvement from the above individuals and services is needed.

DATA SUBJECT RIGHTS

The Data Subject is the person whose information we hold. The Data Subject has a right to:

Know if we or others on our behalf are processing their personal data.

Have description of the data we hold about them. Know why we hold the data. Know the source of the data. Know who we have shared the data with. Request a copy of the personal data we held about them at the

time the request was received (Subject Access Request); Require us to correct inaccuracies or irrelevancies in their records

and to tell others we gave the inaccurate data to that is was incorrect.

Require us to stop processing their personal data if it is not justified.

Seek compensation for damage or distress our use of their data might have caused.

Appeal to the Information Commissioner or the courts if access is refused or if the legally prescribed timescales are exceeded;

OUR RESPONSIBILITIES TO PROTECT AND ASSURE THE DATA SUBJECT’S ACCESS RIGHTS. We should:

3


Record personal data in a way that promotes people’s rights of access and privacy (e.g., keeping family members’ individual, personal data separate).

Gain consent to share third party data with those it’s about. Give them information informing them of their rights. Let them know if their records are held jointly (in which case they

only need to apply to one organisation) or separately (in which case they need to apply separately to each organisation) so they can exercise their right of access to all their personal data.

Maintain and store records so they can be retrieved when required in accordance with the Council’s Records Management/Governance policy.

Locate all the applicant’s personal data that the applicant has identified. If we don’t hold an applicant’s personal data, inform them of that fact. We must respond.

Not alter data once a request is received, except for routine recording, not even to make the record more acceptable to the subject.

To provide a complete copy of their data that they are entitled to.

HOW OFTEN ARE DATA SUBJECTS ALLOWED TO APPLY FOR ACCESS?

We can refuse access if we’ve already complied with an identical or similar request from the same person, unless a reasonable interval has elapsed. A ‘reasonable interval’ depends on:

The nature of the data held Why the data in being processed. How often we routinely provide a copy of their records to them. How often the data is amended or added to.

4


WHAT DATA SUBJECTS ARE NOT ENTITLED TO

Information if it would be likely to prejudice the carrying out of social work because of the risk of serious harm to the physical or mental health or condition of the data subject or someone else.

Information that in giving it could hinder the prevention or detection of a crime.

Information that is legally privileged. Information in adoption records (this would need to be dealt with by

the relevant adoption team under their regulations). Information provided in confidence (breach of confidence) Someone else’s information (Third party) Certain information without consent from its source to share the

information.

DUTY OF CONFIDENCE

A duty of confidence arises between a member of the public and a professional where one party has information relating to another party in circumstances that give rise to an expectation that it will remain confidential e.g.

A doctor has information about patients A contact through the Early Help & Safeguarding Hub where the

member of the public wishes to remain anonymous A social worker has information about service users provided by a

third party.

THIRD PARTY INFORMATION.

Third party information is information about someone else other than the data subject. It would include references to their family and friends, other

5


non-Council professionals and agencies. Consideration needs to be given as to whether this information should be released.

Information from someone else is not the same thing e.g. people who have referred concerns about them such as relatives and non-council professionals and agencies acting in their professional capacity. In circumstances where information is provided by non-council professionals and agencies acting in their professional capacity consideration needs to be given to gaining consent before releasing the information.

For information provided by a member of the public/relative you would have to consider if this was provided in confidence and if so this would not be releasable, you could not seek consent as this would then be a breach of duty of confidence to the referrer.

INFORMATION ABOUT OUR OWN STAFF

Our own staff (including foster carers, others employed as agents for children’s social care) acting in their official capacity are “relevant person’s”. Staff acting in their personal capacity are third parties. This is an important distinction; redaction of references to them acting within their official capacity may only be undertaken if there is a clear risk of harm to someone, ordinarily consent is not needed to share information referring to them as a professional.

INFORMATION FROM HEALTH PROFESSIONALS

This applies to personal information about the physical or mental health or condition of the data subject.

Correspondence from health professionals and agencies is often stamped as confidential. In this context “confidential” usually means “this contains

6


sensitive, personal information and must be transmitted and stored safely.” It does not mean necessarily that it is restricted from the data subject. However it is important that you consult with the most recent health professional responsible to gain consent to either release the information or withhold the information. Alternatively you can inform the data subject that they will need to approach the appropriate agencies directly to request the information. The latter process is advisable in most case as the agency can then make the decision as to what they can share and whether the release of information would pose a risk. If a decision is made to request the data subject approaches the other agencies this needs to be explained in a timely manner to the data subject to avoid unnecessary delay.

INFORMATION FOR OTHER PROFESSIONALS AND AGENCIES

The default for any information we handle, including any that other professionals/agencies give us apart from health information, should be to disclose it to data subjects. Dependent on what the information is consideration needs to be given to contacting the professional to gain their view of releasing the information. In most cases professionals will expect their name and business contact details to be released, however consideration may need to be given if the release of the information poses a risk of harm where objections are made by the professional. If you are unable to contact the professional you will need to consider if it is reasonable to release the information without consent. Consider informing the data subject to approach the professional/agency directly to request the release of information.

ACCESS RIGHTS OF CHILDREN

The right of access extends to children who can understand what it means to exercise that right. (Fraser Guidelines) they can therefore apply for

7


their information as an adult. The fact of making a request is probably sufficient evidence that they do understand, provided we are sure the child really has made the request.

If a parent with Parental Responsibility wants to access their children’s record’s, if the child is of such an age that it is considered they would not understand what is means to exercise their rights then they can access the child’s information as long as we are satisfied this is not against the best interest of the child. For further clarification, if a child is 12 years old or above the parent who has Parental Responsibility will need to seek consent from the child to access records. In some cases where we think a child over 12 may have been coerced into giving consent it is good practice to contact the child and explore with them their understanding of a what a subject access request is and what they have consented to share with their parents.

In both these instances we must take into account if granting such access would be likely to result in harm to someone. Refusal of access on grounds allowed in the: Subject Access Modification/Social Work Order 2000. This enables you to consider withholding information if it is likely to prejudice the carrying out of social work by causing serious harm to the physical or mental health or condition of the data subject or another person. This order does confirm that the identity of social workers as relevant people should be disclosed but also confirms that this can be overruled if there is a strong likely hood of serious harm being caused to the social worker.

WHAT IS REASONABLE TO DISCLOSE

The Data Protection Act does not provide any guidance on what is reasonable in all circumstances to disclose, there can be a conflict

8


between the data subjects rights of access and a third party to privacy, careful consideration needs to be given to this dilemma. If you cannot respond to a SAR without disclosing information about another individual (third party) who could then be identified from that information, you are not obliged to disclose it as a duty not to breach confidence unless consent has been given by that individual or if you think it reasonable in all the circumstances to disclose it without consent. Decisions should always be taken on a case by case basis after careful consideration of all the circumstances surrounding each case. If in doubt seek legal advice and discuss this with you line manager, customer relations team or data protection team.

THIRD PARTY INFORMATION AND CONSENT to consider

Do we have a duty of confidence to the third party whose personal information we are considering disclosing?

What steps, if any, did we take to gain consent from the third party? Are their whereabouts unknown or cannot be found out? Are they capable of giving consent? Did they expressly refuse consent? Would seeking consent from the third party disclose the subject’s

personal information? What does the subject already know or is likely to find out? If they

already know this information, then we are not disclosing it. Is the third party information confidential, sensitive or harmful? Was the source “a relevant person” Only the likelihood of serious

harm would justify refusal of access. Subject Access Modification/Social Work Order 2000.

Can it be edited to protect the third party’s identity appropriately?

9


INFORMATION WOULD BE WITHHELD IF:

Consent is not given; and It is not clear if it’s reasonable to disclose the information without it;

and The information cannot be edited appropriately to remove

identifying references to the third party.

WHERE INFORMATION IS HELD

Supervision notes are generally released under a SAR as long as the information relates to the data subject and does not contain personal information in relation to the workers practice etc. If this is the case this will need to be redacted.

E-mails

Emails are no different from any other record containing information about the data subject.

‘Restricted’ information on file

This by its very nature means there are reasons to withhold the information. When the information is no longer restricted then consideration needs to be given to releasing this to the data subject.

Child Case Management data base/ONE system/E-start

10


All information held on these data bases belong to Young people’s support and safeguarding services and consideration needs to be given to releasing this information in a SAR if the data subject or agent acting on their behalf requests all records.

SUBJECT ACCESS REQUESTS v INFORMATION SHARING

Requests made from a social worker from another local authority is not considered a subject access request but information sharing and should therefore be dealt with under normal business by the relevant social work team. Requests for personal information without the consent of the data subject can be made under exemptions outlined in the Data Protection Act, an example of this is Sections 29(3) and 35 of the Act which covers the release of personal information because it is needed to prevent or detect a crime, or catch and prosecute a suspect. Disclosures to the police are not mandatory except in cases where the council is served with a court order requiring information.

For the request to be complied with it needs to be:

In writing. Reference which exemption the data is being sought under. Clearly state the information requested. State the consequences of not complying with the request.

Only the minimum information needed to comply with the request should be released and legal services should be involved in collating, redacting and distributing the data. Information not related to the investigation should not be released.

Guardians/CAFCASS are also entitled by virtue of their role as officers of the court, to have access to the records of children subject to court proceedings.

11


ACCESS REQUESTS MADE BY AN AGENT ON BEHALF OF THE DATA SUBJECT

Data subjects who can understand their right of access can appoint an agent to act for them such as a solicitor or parent of a child 12 years or over.

Agents should provide:

Evidence of their authority Evidence of Parental Responsibility Confirm their identity and relationship to the data subject in writing.

We must be satisfied that the data subject has authorised the agent to act for them. Sometimes people are not able to given written consent for an agent to act on their behalf. We must help them as much as possible to signify their consent, and satisfy ourselves that they have given consent for the agent to act for them.

PREPARATION AND REDACTION

SENIOR CUSTOMER RELATIONS OFFICER.DESIGNATED TEAM MANAGER (LOCALITY TEAMS). SUPPORT SERVICES. To collate files

Locating and preparing files is likely to be resource intensive and can be tasked to support services, however, it is important to consider what information you need as it is likely that both historical paper files and electronic files will need to be collated. Be specific in terms of what you need for example:

CCM contacts, CCM indexed documents

CCM case records, CCM assessments12


Historical files from archive.

ALL RECORDS NEED TO BE CONVERTED TO A PDF DOCUMENT. NEVER SEND OUT A WORD DOCUMENT AS REDACTIONS ARE NOT SECURE ON WORD DOCUMENTS.

You will need to consider what other services/professionals within the directorate have also been involved in the past and where does this service/professional record their involvement, liaising and working together with other services/professionals is important to ensure when a request is made for all records to be released under a SAR we fully comply with this request. Failure to fully disclose information can have implications for the local authority. The Information Commissioner (ICO) can instigate Regulatory Action to exercise its powers to bring about compliance of the Data Protection Act 1998.

SENIOR CUSTOMER RELATIONS OFFICER.DESIGNATED TEAM MANAGER (LOCALITY TEAMS).

When using the redaction software, it is advised that once all documents have been collated create TWO FOLDERS called:

FILES FOR REDACTION

REDACTED FILES

Within the files for redaction folder copy all the documents that are relevant to the SAR go through each document redacting information that is not to be shared. Once you have completed the document if there are any redactions this will be added to its name e.g. (CASE NOTE 20.12.2016 REDACTED) by the SOFTWARE, if you have not needed to redact any information YOU will need to rename the document as (CASE NOTE 20.12.2016 DONE) this will help you keep track of what documents have been dealt with.

You are advised to rename documents that you are not releasing as (CASENOTE 20.12.2016 DO NOT SEND) adding the reason why e.g. 3rd party info/privileged) this process will enable you to effectively filter

13


what can and cannot be released. These DO NOT get saved into the REDACTED folder.

Once you have gone through each document you are advised to save all records that are named REDACTED or DONE into the folder titled: REDACTED FILES. As you have saved the redacted files into another folder the files in the folder files for redaction will be left in their original state, therefore the Area Manager checking redacted files is able to view what has been redacted.

This process of redaction is for advice and guidance only, however it has proved to be effective in managing the process and avoiding confusion when you have multiple documents to look through. Spending some time getting to know the capabilities of the redaction software is useful as it will help reduce the time spent on redacting. https://helpx.adobe.com/acrobat/using/removing-sensitive-content-pdfs.html

This is a useful link to help you gain a greater understanding of removing sensitive content from PDF documents with the redaction software currently used by the local authority.

SENIOR MANAGER.HEAD OF SERVICE or DESIGNATED OFFICER

Consider how you are going to present the information to the service user. The size of the file to be released will determine the best way to present it. Consider organising the files into subject areas, for example.

Contacts and Referrals Case notes & diary records Correspondence

A covering letter should always be included explaining why redactions have taken place, e.g. third party/privileged information. (See appendix for templates)

14

https://helpx.adobe.com/acrobat/using/removing-sensitive-content-pdfs.html

https://helpx.adobe.com/acrobat/using/removing-sensitive-content-pdfs.html


Once you have completed the redaction process you will need to arrange for the appropriate senior manager to check the redactions within the electronic folders you have created. Once they are satisfied that no sensitive data is being released they will need to sign the Control Record and send it back to you. You will then need to get authorisation from the Head of Service or Designated Officer in their absence to release the data; the Head of Service or Designated Officer will need to also sign the Control Record as an agreement to release the information, a copy of the fully complete Control Record will then be sent to the Data Protection team. SAR exemption request from the police do not require the head of service signature before release. DO NOT SEND THE CONTROL RECORD TO THE SERVICE USER.

STORING OF RECORDS PRIOR TO DISPATCH. How to avoid data protection breaches.

Careful consideration needs to be given to how you are storing hard copies of records prior to dispatching them. It is advisable to ensure they are stored by themselves in a Box/Leaver Arch folder, this will avoid other records not relevant becoming attached to them and being sent out by mistake. Take care when storing electronic records that have been redacted, ensure you are storing them in the correct file always double check before you press save. Should a data protection breach occur please refer to the Data Protection Breach Policy and Guidance on the intranet or contact the Data Protection Team for advice and guidance on the course of action to take.

SENIOR CUSTOMER RELATIONS OFFICER.DESIGNATED TEAM MANAGER (LOCALITY TEAMS). SUPPORT SERVICES.

DISPATCH/SHARING INFORMATION

How this is done will be dependent on how the person requesting the information wishes to receive the information, the initial request form that they fill in from the Data Protection team requires them to highlight if they want to receive the information by email or Registered Post. However any

15


correspondence requesting a SAR can be made to the Data Protection Team and this will start the process, therefore, it may not be clear how they wish to receive the information this will need to be explored with them or the Data Protection team. Electronic dispatch of information will be difficult on large files and hard copies posted under RECORDED DELIVERY maybe the only way to dispatch the information. A final check of the documents going out at this stage will help to reduce data protection breaches.

There are occasions when consideration needs to be given to a face to face meeting with the person if there is the potential for the information to cause some distress or upset. If this is the case then arrangements will need to be made to meet with the person requesting the information either by inviting them in for a meeting to a local office or if appropriate undertaking a home visit.

In these circumstances where the information may cause distress it is important that the person requesting the information is made aware of what emotional support is available to them. Individual circumstances will determine how and where access should be arranged.

STORING

SENIOR CUSTOMER RELATIONS OFFICER.DESIGNATED TEAM MANAGER (LOCALITY TEAMS).

SAR’s undertaken by the Senior Customer Relations Officer,

The copies of records dispatched are saved within case records held by the customer relations team. A contact is created on CCM by the Senior Customer Relations Officer under Access to records request and saved as information sharing.

Designated team managers completing the SAR process.

Currently the arrangements in place are that all redacted records are stored within the customer relations team case records along with the completed control record so they can be cross referenced with any future SAR’s. The Control Record needs to be fully completed with what has been dispatched for the purpose of referring back or you are challenged about what has been released. Once this process has been completed please arrange for all redacted records and the completed control record to be sent to the customer relations team for storage. Once this has been completed please delete any working documents, should you need to refer back to redacted records or the control record these will be available

16


within customer relations. The retention requirement for records dealt with as a Subject Access Request is 25 years.

LEGAL FRAMEWORK

The Data Protection Act 1998 covers computerised and manual records; and has no cut off before which records are excluded from subject access rights. Data subjects can now see their personal information regardless of date.

The Data Protection (Subject Access Modification) (Social Work) Order 2000 provides that personal information held for the purpose of social work are exempt from the right to access where disclosure to the data subject would be likely to prejudice the carrying out of social work by being likely to cause serious harm to the physical or mental health or condition of the data subject or another person.

The Data Protection (Subject Access Modification) (Health) Order 2000 applies a similar exemption to personal health information. We’re not obliged to supply information to a data subject where it would be likely to cause serious harm to their or another person’s physical or mental health or condition. Consult the health professional responsible for the clinical care of the data subject.

The Data Protection (Subject Access Modification) (Education) Order 2000 applies a similar exemption to personal education information. We’re not obliged to supply information to a data subject where it would be likely to cause serious harm to their or another person’s physical or mental health or condition, or in some circumstances would disclose information as to whether the data subject is or has been the subject, or may be at risk, of child abuse; and where disclosure would not be in the best interest of that data subject.

Adopted people have a right under different legislation to their birth and adoption information.

17


REMEMBER

Forty calendar days is the current statutory timescale to respond under the Data Protection Act 1998. (This includes weekends and bank holidays)

See appendix for covering letter templates.

TEMPLATE LETTER 1

PRIVATE AND CONFIDENTIAL Our Ref:Enquiries to:E-Mail: Tel. Direct:Date:

Dear

1998 Data Protection Act: Subject Access Request:

Please find enclosed a copy of your records held by East Riding of Yorkshire Council at the time of your subject access request. Within the records shared with you there may be a number of redactions (Blacked out words) this will have taken place on information that is either third party or privileged information where consent to share the information with you has not been sought or given.

If you have any queries about the information sent to you or you wish to discuss any of the information in detail please contact me at ………………………………………………….

18


Yours sincerely

TEMPLATE LETTER 2


Dear

Re 1998 Data Protection Act: Subject Access Request.

I can confirm that all the records held by the East Riding of Yorkshire Council that you have specifically requested have been prepared and are ready for your attention, however, a number of the records are historical and not straightforward to read and it may be useful to arrange to meet with you to go through these records so I can explain as much as possible the information contained in them.

If you agree could you please contact me on ………………………. to arrange a meeting to go through the records. If you have any queries or you would like to have the records sent to you without a meeting to discuss them please contact me so this can be arranged.

Yours sincerely

19


TEMPLATE LETTER 3


Dear

Re 1998 Data Protection Act: Subject Access Request

Following your request to have access to personal information held by the East Riding of Yorkshire Council I am contacting you to inform you that I have searched our records and cannot find any records relating to your subject access request.

If you wish to discuss this further please contact me on …………………………………

Yours sincerely

20


TEMPLATE LETTER 4

PRIVATE AND CONFIDENTIAL Our Ref:Enquiries to:E-Mail: Date:

Dear

RE 1998 Data Protection Act: Subject Access Request.

“Copy specific request from information found on SAR form”

Following you subject access request to personal information held by the East Riding of Yorkshire Council I am writing to let you know that I have searched records specific to your request, unfortunately I have not found any information that I am able to release to you as part of your subject access request as the information is exempt from subject access. It is exempt because it is information in relation to a 3rd party and consent to share this information has not been sought or given. If the information belongs to another agency for example the Police or Health Service I would advise you to go direct to the source of the information and make a Subject Access Request.

Yours Sincerely

21


22

Guide for all staff involved in processing Subject Access...

Documents

Transcript of Guide for all staff involved in processing Subject Access...