North Yorkshire County Council. Subject Access Request Guidance and Procedure. Data Protection Act 1998

Transcription

1 North Yorkshire County Council Subject Access Request Guidance and Procedure Data Protection Act 1998 The Data Protection Act 1998 (the Act), section 7 (1) gives individuals certain rights with regards to their personal data including the right to access the personal data which the County Council holds about them. A person is entitled to the information which is personal data, to be told what it is used for, who it may be passed on to, any information available to the County Council about the source of the data and an explanation as to how any automated decision taken about them may be made. Requests for access to personal data are called Subject Access Requests. This document provides guidance on recognising, handling and disclosing information under a subject access request. What is Personal data? Personal data is personal information about a living individual, who can be identified from that information, or from that information considered alongside any other information about the individual. Personal data may take any of the following forms: Computer input documents; Information processed by computer or other equipment (e.g. CCTV); Information in medical, social work or school pupil records etc; Information in refined structured manual records; Personal information held in any manual form by a public authority. In effect this means that for the County Council any information relating to an identifiable individual, regardless of how it is structured, falls within the scope of the Act. There are however special rules governing personal information held in any manual form by a public authority, referred to as category e data. Identifying a request A subject access request must be made in via letter or . It is not necessary for the applicant to make reference to the Data Protection Act and reference may mistakenly be made to the Freedom of Information Act. Regardless of this fact, if the request relates to personal information about a living individual it should be dealt with as a subject access request. Any requests for information which would be dealt with in the normal course of business do not need to be handled as subject access requests, for example how many payments have I made so far this year? Other requests such as please send me a copy of my staff records must be dealt with as subject access requests. On receiving a subject access request The handling of subject access requests, including those for information held in Contact Point but with the exception of requests for information made about social care records, is dealt with by the Data Management Team, and all subject access requests, except those relating to social care records, should be forwarded to this team as soon as possible after receipt by the County Council. September

2 Requests which have been received via should be forwarded onto and any requests which have been submitted via letter should either be passed in person onto a member of the Data Management Team or, if received into an outlying office, scanned to electronic form and ed to this address or faxed, with the original being forwarded to the Data Management Office. Once received by the Data Management Office the request will be logged on the electronic tracking system. Request for access to information in social care records are dealt with by the appropriate social care team and should be forwarded to the customer services centre in the first instance. Requests for schools records are dealt with by the schools themselves and so a letter explaining this would be sent by the Data Management Office to the applicant, advising them to forward their request to the school directly. An acknowledgement will be sent to the applicant. Some requests are mixed requests and may pertain to some information which should be dealt with under the Freedom of Information Act and some information which should be dealt with under the Data Protection Act. Each request should be considered on a case by case basis. However, when sending the acknowledgement to the applicant it may be necessary to indicate which parts of the request will be dealt with under the Data Protection Act and Freedom of Information Act, as they are subject to different requirements (for example the timescales in which they must be replied to), and information released under the Data Protection Act would not necessarily be released to another applicant. This should be then be reinforced when the information is provided. Identification With all subject access requests handled by the Data Management Team it will be necessary for this Team to verify the identification of the applicant to ensure that personal data is not disclosed to the wrong individual (a list of accepted identification documents can be found in appendix 1.) After receiving a request, this information should be requested from the applicant promptly. Requests may be received from another source on behalf of the applicant, for example from a solicitor acting on an individual s behalf, or an individual with power of attorney. In such a circumstance there must be accompanying documentation verifying that the person requesting the information about another individual has authorisation to do so. Children In the case of information being requested about a child the Act does not specify an age at which a child can independently make a request for their information. Such a request for information should take account the following factors: Whether the child wants someone with parental responsibility for them to be involved Whether the child properly understands what is involved. As a general guide, a child of 12 or older is expected to be mature enough to understand the request they are making. It may be the case that a child is mature enough at an earlier age or may lack sufficient maturity until a later age, and so requests should be considered and clarified on a case-by-case basis. This will mean determining whether they are of sufficient maturity to request the information themselves and may mean asking someone who works with the child within the County Council. September

3 Fee & Clarification Where appropriate the County Council is entitled to charge a 10 fee for access to personal data. This will be requested from the applicant by the Data Management Team. The applicant does have the right to see everything we hold about them, subject to exemptions to providing information stated in the Act. However in order to identify any information relating to the applicant in such a vast organisation as the County Council it may be necessary for the Data Management Team to contact the applicant for more information or clarification. For example, it may be necessary for the applicant to indicate which services they may have received from the County Council or when they had any dealings with the County Council. Gather information from directorates The County Council has 40 calendar days to respond to a subject access request once the necessary identification has been received, any fee has been paid and sufficient clarification as to what information is being requested has been received from the applicant. The Data Management Team will forward a copy of the actual request received to the responsible officer to obtain copies of all documents relevant to the request. These documents must then be provided to the Data Management Team in a timely fashion and not later than 7 days from the officer receiving the request for the documents. Where the officer is having difficulty gathering the information, the officer must contact the Data Management Team within that 7 days, to make them aware of any such difficulties. Category e data Where the request includes unstructured personal information, the Freedom of Information Fees Regulations can be taken into account. These do not affect the fee that can be charged in most instances, but do place a limit on the amount of time an authority is required to spend in providing the information (an appropriate level of 450 or 18 hours, over which we are not obliged to provide the information.) With unstructured information, which may be hard to locate, the County Council need not provide this information unless the applicant provides sufficient information which is reasonably required to locate the information requested. Amendments to information After receiving a request it is possible to make the usual routine amendments and deletions to personal data, however data should never be deleted to avoid disclosure, even if the data could cause embarrassment to the County Council. Exemptions The Act does allow for a number of exemptions which prohibit the disclosure of information. The exemptions are as follows: National Security Prevention and detection of crime and taxation purposes Health, Education and Social Work Special Purposes (must meet certain criteria) - Journalism September

4 - Artistic purposes - Literary purposes Judicial appointments and Honours Crown employment and Crown or Ministerial appointments Management forecasts/management planning Negotiations with the requester Corporate Finance Examination scripts Legal professional privilege Information publicly available by law Statistical or research data that does not identify an individual Confidential references given by the County Council (but not received by the County Council) If any exemption is engaged and the information is to be withheld a written response should be sent to the applicant informing them that the County Council does not hold any information which it is required to disclose, stating the exemptions applied and the reasoning for this. In certain circumstances it may not be appropriate to divulge the exemption applied, for example if to do so may endanger others or hinder the detection of a crime, in which case the exemption applied should not be stated each request should be dealt with on a case by case basis. If all information is exempt and no information can be disclosed, any fee paid should be refunded. Information involving Third Parties A potential conflict may arise if an applicant s personal data contains details of a third party where the disclosure of such information may breach the third party s rights to privacy or confidentiality. Section 7(4) of the Act provides that if the request cannot be complied with without disclosing information relating to another individual who can be identified, then it is not necessary to comply with the request unless: the third party has consented to the disclosure; or it is reasonable in all the circumstances to comply with the request without the consent of the third party individual. When considering whether it is possible to comply with the request without revealing information which relates to and identifies a third party individual it is necessary to take into account not only the information which may be disclosed, but also any information which the applicant may have, or obtain which may identify the third party individual. For example, if an employee has requested to see their personnel file, even if the third party individual is only referred to by their job title then it is likely they will still be identifiable based on information already known to the employee making the request. Where the third party is the source of the information held about the applicant, there may be a strong case for their identification if the applicant needs to correct any damaging inaccuracies. However, requests should be dealt with on a case by case basis, with regard to the Durant v Financial Services Authority case, when the Court of Appeal decided it would be legitimate for the Financial Services Authority (the data controller) to withhold the name of one of its employees who did not consent to disclosing the requested information because Mr Durant (who made the request) had abused them on the telephone. Confidentiality A disclosure of third party information should not be made if there would be a breach of confidence, for example where relatively sensitive information has been September

5 provided to the County Council in the expectation that it would not be disclosed. Such an expectation may result from the relationship between the parties, for example doctor/patient, employer/employee etc. and examples include medical information or personal financial details. However, confidentiality should not always be assumed. For instance, just because a letter is marked 'confidential', a duty of confidence does not necessarily arise (although this marking may indicate an expectation of confidence) or there may be other factors (see Gaskin Case guidance below) which mean that an obligation of confidence does not arise. In most cases where a clear duty of confidence does exist, it will usually be reasonable to withhold third party information unless consent of the third party to disclose has been gained. Consent The clearest grounds for disclosing information will be to obtain consent and, whilst there is no obligation to do so, an attempt should be made to gain consent unless it is clearly reasonable to disclose without trying to get consent, for example, where the information concerned will be known to the requesting individual anyway. If a request is for the disclosure of information to which the third party has previously objected, it must be considered whether releasing it would breach the data protection principles. In practice, it may not always be appropriate to try to obtain consent (for instance, if to do so would inevitably involve a disclosure of personal data about the applicant to the third party individual). It may be difficult to get consent; the third party may be difficult to find, they may refuse to give consent, or it may be impractical or costly to try to get their consent in the first place. When making any such decision it will be necessary to be able to justify and keep a record of the course of action taken and reasoning, including, for example, why consent was not sought or why it was not appropriate to try to do so in the circumstances. In such situations, it will then be necessary to consider whether it was 'reasonable in all the circumstances' to disclose the information anyway. Section 7(6) of the Act provides a non-exhaustive list of factors to be taken into account when deciding what would be 'reasonable in all the circumstances' when deciding whether to disclose without consent. These are: any duty of confidentiality owed to the third party individual; any steps you have taken to try to get the consent of the third party individual; whether the third party individual is capable of giving consent; and any express refusal of consent by the third party individual. The Gaskin Case & third party information The Gaskin Case highlights that circumstances relating to the individual making the request may also be relevant in assessing how reasonable it is to disclose third party information - in particular how critical access to the third party information is in preserving the rights of the individual making the request. In this case, the individual, who had been in local authority care for most of his childhood, wanted to see the local authority records relating to him as they were the only coherent record of his early childhood and formative years. The court held that the local authority had to weigh the public interest in preserving confidentiality against the individual's right to access information about his life, even where consent to release the information had been withheld. September

6 Disclosure of names of members of staff Names of staff acting in the course of their duties or who is already well known to the individual making the request, would be more likely to be disclosed than information relating to an otherwise unknown individual. Generally it is accepted that information regarding social workers or other health professionals will be disclosed. However if there is good reason to think that disclosure of a name could put an individual at risk it may not be fair processing to disclose the name of that individual. Withholding third party information If the consent of the third party individual has not been received and it not would be reasonable in all the circumstances to disclose the third party information, then it should be withheld. However, further to section 7(5) of the Act, we are obliged to communicate as much of the information requested as possible without disclosing the identity of the third party individual which, as our obligation is to provide information rather than documents, may be achievable by redacting names or editing the documents. References The Act applies differently to references which have been given by an employer and those which have been received by an employer. If an individual requests a copy of a confidential reference written by an employee of the County Council about them relating to training, employment or providing a service, an exemption in the Act exists so this information is not required to be disclosed. However, the County Council may choose to provide the information. For example, it would seem reasonable to provide a copy if a reference is wholly or largely factual in nature, or if the individual is aware of an appraisal of their work or ability. References received from another person or organisation fall under the Act and should be considered under the normal rules of access, however within North Yorkshire County Council s recruitment policy the standard documents for requesting references from other people/organisations inform them that any reference they provide may be disclosed to the subject of the reference under a subject access request, thereby gaining their consent for disclosure. In some circumstances a reference or part of a reference may have been marked confidential. In such cases it needs to be considered whether the information is actually confidential and further it will be necessary to weigh the referee s interest in having their comments treated confidentially against the individual s interest in seeing what has been said about them, particularly where this has had a significant impact on the individual, such as preventing them from taking up a provisional job offer. When considering whether it is reasonable in all the circumstances to comply with a request, account should be taken of: any express assurance of confidentiality given to the referee; any relevant reasons the referee gives for withholding consent; the potential or actual effect of the reference on the individual; the fact that a reference must be truthful and accurate and that without access to it the individual is not in a position to challenge its accuracy; that good employment practice suggests that an employee should have already been advised of any weaknesses; and any risk to the referee. Legal Proceedings September

7 In practice, subject access rights are often used by individuals who are in dispute with the County Council. In some cases, they may intend to begin or have already begun legal proceedings against the County Council and seek to use the Act as a way of obtaining additional information to assist in such proceedings. The Act does not provide any exemptions to disclosing information where civil legal proceedings are contemplated or ongoing, and failing to comply with a subject access request in such circumstances will, unless an exemption under the Act applies, amount to a breach of the Act. Disclosure of information to a third party controller Generally the Act would not allow a disclosure to a third party data controller unless the individual had been informed of the disclosure or an exemption can be applied, such as for the prevention and detection of a crime. Response Once all of the information relevant to the request has been received by the Data Management Office, the information will be looked at with regard to the provisions above. The Data Management Office will identify which information can be released, which contains third party data and which is subject to any exemptions. Any information which may be subject to an exemption or relates to a third party will be considered following the appropriate legislation and guidance and consent from third parties will be sought as required. The information to be disclosed may include abbreviations or technical terms that the individual may not understand. An appropriate explanation of such terms should be provided in the response to the applicant so that the information may be understood. A response will be collated to include all of the information we are able to disclose with an appropriate explanation of why any information is being withheld. The information can either be provided in the body of a letter or copies of the relevant documents (with any necessary redactions made.) The information we are able to disclose should be supplied in a permanent form except where the individual agrees or where it is impossible and would require significant cost or would involve undue time or effort. An alternative would be to allow the individual to view the information. Where any individual or external organisation is named in the response they will be informed as appropriate prior to the response being sent that this information is being disclosed. Once the response has been collated and cleared, a copy of all information will be retained by the Data Management Office, clearly indicating which information has been disclosed and which has been withheld, and the response will be sent out to the applicant by recorded delivery. Complaints procedure If the applicant is unhappy with the way in which their request was dealt with or the response received, the applicant can ask the Data Management Team for the information to be reviewed. The applicant also has the right to seek an independent review from the Information Commissioner. In addition, if the applicant believes that the personal information the County Council holds about them is inaccurate, the Act gives them the September

8 right to ask the County Council to correct it. The request must be made in writing to the service unit who holds the information. If it is clear that the information held is inaccurate then the information should be corrected as soon as possible. If however we believe that the information held is accurate and it would be erroneous to amend the information as requested by the applicant a note should be made on the file of the differing opinions and the file should reflect both views. The Act also provides the right for an applicant to ask us to cease processing their personal information if it is causing unnecessary or significant damage or distress. Such a request should be in writing and directed to the Data Management Office who will considered whether it is possible to comply with the request, with particular consideration to the County Council s statutory duties. Contact Details Data Management Office datamanagement.officer@northyorks.gov.uk Telephone: ext Fax: Customer Services Centre for social services subject access requests cru.customer.services@northyorks.gov.uk Produced by the Data Management Office, September September

9 Appendix 1 REGISTRATION AND AUTHENTICATION EXAMPLES OF DOCUMENTARY EVIDENCE One example required from each of the following categories (copies only). Personal identity current signed passport residence permit issued by Home Office to EU Nationals on sight of own country passport current UK photocard driving licence current full UK driving licence (old version) old style provisional driving licences are not acceptable current benefit book or card or original notification letter from the Department for Work & Pensions confirming the right to benefit building industry sub-contractor s certificate issued by the Inland Revenue recent Inland Revenue tax notification current firearms certificate birth certificate adoption certificate marriage certificate divorce or annulment papers Application Registration Card (ARC) issued to people seeking asylum in the UK (or previously issued standard acknowledgement letters, SAL1 or SAL2 forms); GV3 form issued to people who want to travel in the UK but do not have a valid travel document Home Office letter IS KOS EX or KOS EX2 police registration document HM Forces Identity Card Active in the Community Active in the Community documents should be recent (at least one should be within the last six months unless there is a good reason why not) and should contain the name and address of the registrant record of home visit confirmation from an Electoral Register search that a person of that name lives at that address recent original utility bill or certificate from a utility company confirming the arrangement to pay for the services at a fixed address on prepayment terms (note that mobile telephone bills should not be accepted as they can be sent to different addresses and bills printed from the internet should not be accepted as their integrity cannot be guaranteed) local authority tax bill (valid for current year) current UK photo card driving licence (if not used for evidence of name) current full UK driving licence (old version) (if not used for evidence of name) bank, building society or credit union statement or passbook containing current address recent original mortgage statement from a recognised lender current local council rent card or tenancy agreement current benefit book or card or original notification letter from the Department for Work & Pensions confirming the rights to benefit court order September