North Yorkshire County Council. Subject Access Request Guidance and Procedure. Data Protection Act 1998


The Data Protection Act 1998 (the Act), section 7(1) gives individuals certain rights with regard to their personal data, including the right to access the personal data which the County Council holds about them. A person is entitled to the information which is personal data, to be told what it is used for, who it may be passed on to, any information available to the County Council about the source of the data and an explanation as to how any automated decision taken about them may be made. Requests for access to personal data are called Subject Access Requests.

This document provides guidance on recognising, handling and disclosing information under a subject access request.

What is Personal data?

Personal data is personal information about a living individual, who can be identified from that information, or from that information considered alongside any other information about the individual. Personal data may take any of the following forms:

- Computer input documents;
- Information processed by computer or other equipment (e.g. CCTV);
- Information in medical, social work or school pupil records etc;
- Information in refined structured manual records;
- Personal information held in any manual form by a public authority.

In effect this means that for the County Council any information relating to an identifiable individual, regardless of how it is structured, falls within the scope of the Act. There are however special rules governing personal information held in any manual form by a public authority, referred to as category e data.

Identifying a request

A subject access request must be made via letter or email. It is not necessary for the applicant to make reference to the Data Protection Act and reference may mistakenly be made to the Freedom of Information Act.
Regardless of this fact, if the request relates to personal information about a living individual it should be dealt with as a subject access request. Any requests for information which would be dealt with in the normal course of business do not need to be handled as subject access requests, for example "how many payments have I made so far this year?" Other requests such as "please send me a copy of my staff records" must be dealt with as subject access requests.

On receiving a subject access request

The handling of subject access requests, including those for information held in Contact Point but with the exception of requests for information made about social care records, is dealt with by the Data Management Team, and all subject access requests, except those relating to social care records, should be forwarded to this team as soon as possible after receipt by the County Council.

September 2008

Requests which have been received via email should be forwarded on to datamanagement.officer@northyorks.gov.uk and any requests which have been submitted via letter should either be passed in person to a member of the Data Management Team or, if received into an outlying office, scanned to electronic form and emailed to this email address or faxed, with the original being forwarded to the Data Management Office. Once received by the Data Management Office the request will be logged on the electronic tracking system.

Requests for access to information in social care records are dealt with by the appropriate social care team and should be forwarded to the customer services centre in the first instance. Requests for schools records are dealt with by the schools themselves and so a letter explaining this would be sent by the Data Management Office to the applicant, advising them to forward their request to the school directly.

An acknowledgement will be sent to the applicant. Some requests are mixed requests and may pertain to some information which should be dealt with under the Freedom of Information Act and some information which should be dealt with under the Data Protection Act. Each request should be considered on a case by case basis. However, when sending the acknowledgement to the applicant it may be necessary to indicate which parts of the request will be dealt with under the Data Protection Act and Freedom of Information Act, as they are subject to different requirements (for example the timescales in which they must be replied to), and information released under the Data Protection Act would not necessarily be released to another applicant. This should then be reinforced when the information is provided.

Identification

With all subject access requests handled by the Data Management Team it will be necessary for this Team to verify the identification of the applicant to ensure that personal data is not disclosed to the wrong individual (a list of accepted identification documents can be found in appendix 1). After receiving a request, this information should be requested from the applicant promptly.

Requests may be received from another source on behalf of the applicant, for example from a solicitor acting on an individual's behalf, or an individual with power of attorney. In such a circumstance there must be accompanying documentation verifying that the person requesting the information about another individual has authorisation to do so.

Children

In the case of information being requested about a child the Act does not specify an age at which a child can independently make a request for their information. Such a request for information should take account of the following factors:

- Whether the child wants someone with parental responsibility for them to be involved
- Whether the child properly understands what is involved.

As a general guide, a child of 12 or older is expected to be mature enough to understand the request they are making. It may be the case that a child is mature enough at an earlier age or may lack sufficient maturity until a later age, and so requests should be considered and clarified on a case-by-case basis. This will mean determining whether they are of sufficient maturity to request the information themselves and may mean asking someone who works with the child within the County Council.

Fee & Clarification

Where appropriate the County Council is entitled to charge a £10 fee for access to personal data. This will be requested from the applicant by the Data Management Team.

The applicant does have the right to see everything we hold about them, subject to exemptions to providing information stated in the Act. However in order to identify any information relating to the applicant in such a vast organisation as the County Council it may be necessary for the Data Management Team to contact the applicant for more information or clarification. For example, it may be necessary for the applicant to indicate which services they may have received from the County Council or when they had any dealings with the County Council.

Gather information from directorates

The County Council has 40 calendar days to respond to a subject access request once the necessary identification has been received, any fee has been paid and sufficient clarification as to what information is being requested has been received from the applicant.

The Data Management Team will forward a copy of the actual request received to the responsible officer to obtain copies of all documents relevant to the request. These documents must then be provided to the Data Management Team in a timely fashion and not later than 7 days from the officer receiving the request for the documents. Where the officer is having difficulty gathering the information, the officer must contact the Data Management Team within that 7 days, to make them aware of any such difficulties.

Category e data

Where the request includes unstructured personal information, the Freedom of Information Fees Regulations can be taken into account. These do not affect the fee that can be charged in most instances, but do place a limit on the amount of time an authority is required to spend in providing the information (an appropriate level of £450 or 18 hours, over which we are not obliged to provide the information).
With unstructured information, which may be hard to locate, the County Council need not provide this information unless the applicant provides sufficient information which is reasonably required to locate the information requested.

Amendments to information

After receiving a request it is possible to make the usual routine amendments and deletions to personal data, however data should never be deleted to avoid disclosure, even if the data could cause embarrassment to the County Council.

Exemptions

The Act does allow for a number of exemptions which prohibit the disclosure of information. The exemptions are as follows:

- National Security
- Prevention and detection of crime and taxation purposes
- Health, Education and Social Work
- Special Purposes (must meet certain criteria)
  - Journalism
  - Artistic purposes
  - Literary purposes
- Judicial appointments and Honours
- Crown employment and Crown or Ministerial appointments
- Management forecasts/management planning
- Negotiations with the requester
- Corporate Finance
- Examination scripts
- Legal professional privilege
- Information publicly available by law
- Statistical or research data that does not identify an individual
- Confidential references given by the County Council (but not received by the County Council)

If any exemption is engaged and the information is to be withheld a written response should be sent to the applicant informing them that the County Council does not hold any information which it is required to disclose, stating the exemptions applied and the reasoning for this. In certain circumstances it may not be appropriate to divulge the exemption applied, for example if to do so may endanger others or hinder the detection of a crime, in which case the exemption applied should not be stated. Each request should be dealt with on a case by case basis.

If all information is exempt and no information can be disclosed, any fee paid should be refunded.

Information involving Third Parties

A potential conflict may arise if an applicant's personal data contains details of a third party where the disclosure of such information may breach the third party's rights to privacy or confidentiality. Section 7(4) of the Act provides that if the request cannot be complied with without disclosing information relating to another individual who can be identified, then it is not necessary to comply with the request unless:

- the third party has consented to the disclosure; or
- it is reasonable in all the circumstances to comply with the request without the consent of the third party individual.
When considering whether it is possible to comply with the request without revealing information which relates to and identifies a third party individual it is necessary to take into account not only the information which may be disclosed, but also any information which the applicant may have, or obtain, which may identify the third party individual. For example, if an employee has requested to see their personnel file, even if the third party individual is only referred to by their job title then it is likely they will still be identifiable based on information already known to the employee making the request.

Where the third party is the source of the information held about the applicant, there may be a strong case for their identification if the applicant needs to correct any damaging inaccuracies. However, requests should be dealt with on a case by case basis, with regard to the Durant v Financial Services Authority case, when the Court of Appeal decided it would be legitimate for the Financial Services Authority (the data controller) to withhold the name of one of its employees who did not consent to disclosing the requested information because Mr Durant (who made the request) had abused them on the telephone.

Confidentiality

A disclosure of third party information should not be made if there would be a breach of confidence, for example where relatively sensitive information has been provided to the County Council in the expectation that it would not be disclosed. Such an expectation may result from the relationship between the parties, for example doctor/patient, employer/employee etc. and examples include medical information or personal financial details.

However, confidentiality should not always be assumed. For instance, just because a letter is marked 'confidential', a duty of confidence does not necessarily arise (although this marking may indicate an expectation of confidence) or there may be other factors (see Gaskin Case guidance below) which mean that an obligation of confidence does not arise. In most cases where a clear duty of confidence does exist, it will usually be reasonable to withhold third party information unless consent of the third party to disclose has been gained.

Consent

The clearest grounds for disclosing information will be to obtain consent and, whilst there is no obligation to do so, an attempt should be made to gain consent unless it is clearly reasonable to disclose without trying to get consent, for example, where the information concerned will be known to the requesting individual anyway. If a request is for the disclosure of information to which the third party has previously objected, it must be considered whether releasing it would breach the data protection principles.

In practice, it may not always be appropriate to try to obtain consent (for instance, if to do so would inevitably involve a disclosure of personal data about the applicant to the third party individual). It may be difficult to get consent; the third party may be difficult to find, they may refuse to give consent, or it may be impractical or costly to try to get their consent in the first place.
When making any such decision it will be necessary to be able to justify and keep a record of the course of action taken and reasoning, including, for example, why consent was not sought or why it was not appropriate to try to do so in the circumstances. In such situations, it will then be necessary to consider whether it was 'reasonable in all the circumstances' to disclose the information anyway.

Section 7(6) of the Act provides a non-exhaustive list of factors to be taken into account when deciding what would be 'reasonable in all the circumstances' when deciding whether to disclose without consent. These are:

- any duty of confidentiality owed to the third party individual;
- any steps you have taken to try to get the consent of the third party individual;
- whether the third party individual is capable of giving consent; and
- any express refusal of consent by the third party individual.

The Gaskin Case & third party information

The Gaskin Case highlights that circumstances relating to the individual making the request may also be relevant in assessing how reasonable it is to disclose third party information, in particular how critical access to the third party information is in preserving the rights of the individual making the request. In this case, the individual, who had been in local authority care for most of his childhood, wanted to see the local authority records relating to him as they were the only coherent record of his early childhood and formative years. The court held that the local authority had to weigh the public interest in preserving confidentiality against the individual's right to access information about his life, even where consent to release the information had been withheld.

Disclosure of names of members of staff

Names of staff acting in the course of their duties, or who are already well known to the individual making the request, would be more likely to be disclosed than information relating to an otherwise unknown individual. Generally it is accepted that information regarding social workers or other health professionals will be disclosed. However if there is good reason to think that disclosure of a name could put an individual at risk it may not be fair processing to disclose the name of that individual.

Withholding third party information

If the consent of the third party individual has not been received and it would not be reasonable in all the circumstances to disclose the third party information, then it should be withheld. However, further to section 7(5) of the Act, we are obliged to communicate as much of the information requested as possible without disclosing the identity of the third party individual which, as our obligation is to provide information rather than documents, may be achievable by redacting names or editing the documents.

References

The Act applies differently to references which have been given by an employer and those which have been received by an employer.

If an individual requests a copy of a confidential reference written by an employee of the County Council about them relating to training, employment or providing a service, an exemption in the Act exists so this information is not required to be disclosed. However, the County Council may choose to provide the information. For example, it would seem reasonable to provide a copy if a reference is wholly or largely factual in nature, or if the individual is aware of an appraisal of their work or ability.
References received from another person or organisation fall under the Act and should be considered under the normal rules of access, however within North Yorkshire County Council's recruitment policy the standard documents for requesting references from other people/organisations inform them that any reference they provide may be disclosed to the subject of the reference under a subject access request, thereby gaining their consent for disclosure.

In some circumstances a reference or part of a reference may have been marked confidential. In such cases it needs to be considered whether the information is actually confidential and further it will be necessary to weigh the referee's interest in having their comments treated confidentially against the individual's interest in seeing what has been said about them, particularly where this has had a significant impact on the individual, such as preventing them from taking up a provisional job offer.

When considering whether it is reasonable in all the circumstances to comply with a request, account should be taken of:

- any express assurance of confidentiality given to the referee;
- any relevant reasons the referee gives for withholding consent;
- the potential or actual effect of the reference on the individual;
- the fact that a reference must be truthful and accurate and that without access to it the individual is not in a position to challenge its accuracy;
- that good employment practice suggests that an employee should have already been advised of any weaknesses; and
- any risk to the referee.

Legal Proceedings

In practice, subject access rights are often used by individuals who are in dispute with the County Council. In some cases, they may intend to begin or have already begun legal proceedings against the County Council and seek to use the Act as a way of obtaining additional information to assist in such proceedings. The Act does not provide any exemptions to disclosing information where civil legal proceedings are contemplated or ongoing, and failing to comply with a subject access request in such circumstances will, unless an exemption under the Act applies, amount to a breach of the Act.

Disclosure of information to a third party controller

Generally the Act would not allow a disclosure to a third party data controller unless the individual had been informed of the disclosure or an exemption can be applied, such as for the prevention and detection of a crime.

Response

Once all of the information relevant to the request has been received by the Data Management Office, the information will be looked at with regard to the provisions above. The Data Management Office will identify which information can be released, which contains third party data and which is subject to any exemptions. Any information which may be subject to an exemption or relates to a third party will be considered following the appropriate legislation and guidance and consent from third parties will be sought as required.

The information to be disclosed may include abbreviations or technical terms that the individual may not understand. An appropriate explanation of such terms should be provided in the response to the applicant so that the information may be understood.

A response will be collated to include all of the information we are able to disclose with an appropriate explanation of why any information is being withheld. The information can either be provided in the body of a letter or copies of the relevant documents (with any necessary redactions made).
The information we are able to disclose should be supplied in a permanent form except where the individual agrees or where it is impossible and would require significant cost or would involve undue time or effort. An alternative would be to allow the individual to view the information.

Where any individual or external organisation is named in the response they will be informed as appropriate prior to the response being sent that this information is being disclosed.

Once the response has been collated and cleared, a copy of all information will be retained by the Data Management Office, clearly indicating which information has been disclosed and which has been withheld, and the response will be sent out to the applicant by recorded delivery.

Complaints procedure

If the applicant is unhappy with the way in which their request was dealt with or the response received, the applicant can ask the Data Management Team for the information to be reviewed. The applicant also has the right to seek an independent review from the Information Commissioner.

In addition, if the applicant believes that the personal information the County Council holds about them is inaccurate, the Act gives them the right to ask the County Council to correct it. The request must be made in writing to the service unit who holds the information. If it is clear that the information held is inaccurate then the information should be corrected as soon as possible. If however we believe that the information held is accurate and it would be erroneous to amend the information as requested by the applicant a note should be made on the file of the differing opinions and the file should reflect both views.

The Act also provides the right for an applicant to ask us to cease processing their personal information if it is causing unnecessary or significant damage or distress. Such a request should be in writing and directed to the Data Management Office who will consider whether it is possible to comply with the request, with particular consideration to the County Council's statutory duties.

Contact Details

Data Management Office
Email: datamanagement.officer@northyorks.gov.uk
Telephone: ext. 5896
Fax: 01609 760067

Customer Services Centre for social services subject access requests
Email: cru.customer.services@northyorks.gov.uk

Produced by the Data Management Office, September 2008.

Appendix 1

REGISTRATION AND AUTHENTICATION: EXAMPLES OF DOCUMENTARY EVIDENCE

One example required from each of the following categories (copies only).

Personal identity

- current signed passport
- residence permit issued by Home Office to EU Nationals on sight of own country passport
- current UK photocard driving licence
- current full UK driving licence (old version); old style provisional driving licences are not acceptable
- current benefit book or card or original notification letter from the Department for Work & Pensions confirming the right to benefit
- building industry sub-contractor's certificate issued by the Inland Revenue
- recent Inland Revenue tax notification
- current firearms certificate
- birth certificate
- adoption certificate
- marriage certificate
- divorce or annulment papers
- Application Registration Card (ARC) issued to people seeking asylum in the UK (or previously issued standard acknowledgement letters, SAL1 or SAL2 forms)
- GV3 form issued to people who want to travel in the UK but do not have a valid travel document
- Home Office letter IS KOS EX or KOS EX2
- police registration document
- HM Forces Identity Card

Active in the Community

Active in the Community documents should be recent (at least one should be within the last six months unless there is a good reason why not) and should contain the name and address of the registrant.

- record of home visit
- confirmation from an Electoral Register search that a person of that name lives at that address
- recent original utility bill or certificate from a utility company confirming the arrangement to pay for the services at a fixed address on prepayment terms (note that mobile telephone bills should not be accepted as they can be sent to different addresses and bills printed from the internet should not be accepted as their integrity cannot be guaranteed)
- local authority tax bill (valid for current year)
- current UK photo card driving licence (if not used for evidence of name)
- current full UK driving licence (old version) (if not used for evidence of name)
- bank, building society or credit union statement or passbook containing current address
- recent original mortgage statement from a recognised lender
- current local council rent card or tenancy agreement
- current benefit book or card or original notification letter from the Department for Work & Pensions confirming the rights to benefit
- court order