Subject access policy and procedure

Introduction

The London Borough of Enfield (LBE) is required under the Data Protection Act 2018, and the General Data Protection Regulation as amended by the Data Protection Act to provide an individual with a copy of all personal information held about them following a request from the individual. This is known as the right of subject access and such a request is referred to as a Subject Access Request (SAR) – sometimes Data Subject Access Request (DSAR). The legislation noted is referred to in the policy as simply 'the legislation'. LBE will ensure that appropriate controls are implemented and maintained in relation to the processing of SARs in accordance with the requirements of the DPA to ensure that the rights of subject access to information by staff and customers can be fully exercised.

This document provides a framework for LBE officers to meet legal and corporate requirements in relation to information requests that fall within the scope of the DPA legislation.

The Policy applies to all personal information created, received, used and stored by LBE irrespective of where or how it is held.

It must be noted that the legislation is a ‘legal’ requirement and the council can be fined for breaches. Individuals may also be prosecuted where data is not processed in accordance with the council’s procedures.

This policy must be read in conjunction with the LBE Data Protection Policy.

Aim of the policy

The aim of this document is to clarify LBE’s legal obligations and requirements for the processing of SARs and to ensure that all such requests:

• are processed according to the current guidelines
• define the framework for processing SARs

LBE will actively seek to meet its obligations and duties in accordance with the legislation and in so doing will not infringe the rights of its employees, customers, third parties or others.

Scope

The scope of this policy requires compliance with the legislation in the introduction.

The policy applies to any request from an individual to access their personal information held by any part of LBE.

This policy does not apply to access to information about deceased individuals.

This policy does not apply to any request that is not made by, or on behalf of, the data subject. This type of request, which includes sharing data between organisations, is dealt with under locally agreed procedures and/or Information Sharing Protocols.

This policy does not apply to information held by schools. To access school records individuals should be asked to contact the school last attended.

Related acts

This is not an exhaustive list.

Data Protection Act 2018

The Data Protection Act 2018 (DPA) governs how information about people (Personal Data) should be treated. It also gives rights to individuals whose data is held. The Act applies to all personal data collected at any time whether held on computer or in/as a manual record, with some exemptions. The Act is enforced by the Information Commissioner’s Office. Note that sections 29 through 113 of the Act do NOT apply to our processing, as they apply only to law enforcement and intelligence processing.

The General Data Protection Regulation

The General Data Protection Regulation (GDPR) as modified by the Data Protection Act 2018 (the 'applied GDPR') must be read in conjunction with the Data Protection Act.

Note that for UK residents due to Brexit, the rules applied are those in the 'Applied GDPR'. For EU residents the original GDPR applies.

Freedom of Information Act 2000

This Act extended some of the provisions of the Data Protection Act to unstructured information held by public authorities. It also made it a criminal offence to alter, deface, block, erase, destroy or conceal information with the intention of preventing disclosure of information when a request has been made.

The Adoption and Children Act 2002

This Act restates and amends the law relating to adoption, and access to information which would enable an individual to obtain a certified copy of their birth records.

The Freedom of Information and Data Protection (appropriate limit and fees) Regulations 2004

These regulations allow an authority to refuse a request, or part of a request, if to respond to it would exceed an ‘appropriate limit’.

Individual’s right to access information

This right to access personal information is a basic principle of the legislation. It is most often used by individuals who want to see a copy of the information an organisation holds about them. However, the right of access goes further than this, and an individual who makes a written request is entitled to the following:

• Told whether any personal data is being processed
• Given a description of the personal data, the reasons it is being processed, and whether it will be given to any other organisations or people
• Given a copy of the information comprising the data
• Given details of the source of the data (where this is available)

Further information on Subject Access Requests can be found on the Information Commissioner’s Office website.

The council cannot charge a fee for SARs unless they are clearly excessive or vexatious. In the event the council wishes to charge, the Data Protection Officer’s opinion should be sought.

Who can make a subject access request?

Every individual has the right of access to personal information held about them. This includes individuals about whom a file is held (for example, service users), or any other individual who is referred to directly in that file.

An individual is not usually entitled to know what is recorded about another individual without their consent.

A third party may act on behalf of the data subject in the circumstances below. The following types of third party request are fairly common:

• An adult acting on behalf of a child, for example, a parent or carer with parental responsibility
• An adult acting on behalf of an adult without capacity, for example, carer or advocate
• An adult acting on behalf of another adult who has capacity and has provided consent, for example, solicitor or carer

In some circumstances a combination of types may occur, for example, a solicitor acting on behalf of a parent acting on behalf of a child.

Other types of third party requests, which are not made on behalf of the data subject, are dealt with under the Data Protection Policy and in sections below. This includes data sharing between organisations and requests from the police.

Deciding if it is a subject access request

Council officers will need to determine whether a person’s request will be treated as a routine enquiry or as a subject access request. Any written enquiry that asks for information you hold about the person making the request can be construed as a subject access request, but in many cases there will be no need to treat it as such.

If the request is usually dealt within the normal course of business, then the response should be treated as such. Examples of such requests might be:

• “I’ve lost the guarantee number for my fridge. Can you tell me what it is please?”
• “How many payments did I make into my account last month?”

The following are likely to be treated as formal subject access requests:

• “Please send me a copy of my staff records.”
• “I have a right to see all the invoices issued to me for the last 3 years. Please send copies to me.”
• “I am a solicitor acting on behalf of my client and request a copy of his medical records. An appropriate authority is enclosed.”

If there is any doubt about how to respond, go back to the individual or their representative and clarify the situation.

When responding to a request for personal information in any situation staff must ensure that they check that the identity of the person is genuine.

Third party requests

Where LBE receive a request from a third party (for example, a family member or a representative/solicitor acting for a data subject), information can only be released where the data subject has given consent. The consent must be in writing with a signed authority/letter from the data subject.

There is no requirement on LBE to verify the identity of the data subject if the request is made via a trusted party, for example, a solicitor. However it is recommended that the solicitor’s credentials be checked on the Law Society website to avoid possibly fake requests.

If a request is made by a third party over the phone, where the data subject is not present, officers should advise the third party to put the request in writing and send it to LBE on their headed paper (if the request is from a public/private organisation), with signed consent from the third party, clearly stating what information is required and the purpose for which it is required.

LBE can then properly consider the request by providing only the information that is necessary to meet the request

Members of Parliament or elected councillors

Where LBE receives a request for information from a Member of Parliament or a Councillor, and where the MP/Councillor represents the ward in which the data subject lives, it is generally accepted that they are acting on behalf of, and with the consent of their constituents. Written consent therefore of the data subject may not always be provided or be practical in these circumstances.

Members are their own data controllers and have to ensure that the person they are supporting have provided the necessary identification before information is supplied to them and have the authority to act as a third party representative on behalf of someone else if relevant.

Members would be required to declare that they are the ward representative and that they are requesting the information in the context of a request received by a data subject.

Where there is no reason to believe that the request is not genuine, it would be permissible to release information to the MP or Councillor. It would be good practice however in these cases for officers to telephone the data subject to confirm that a request has been received and to obtain verbal consent to release the information in order to aid the MP or Councillor to carry out their official duties of representing their constituents.

Where personal data in special categories (see GDPR Article 9) is being released or requested, it would be good practice for officers to seek written consent from the data subject.

If there is any doubt as to whether a request should be processed, officers should obtain advice from their Manager, Departmental Data Coordinator or another senior officer. A good practice e-guidance note on the release of information to Councillors can be obtained from the Information Commissioners website

Health, safety and welfare of data subjects

Personal data should only be disclosed over the telephone in emergencies (for example, to the Police, Social Services, Medical Professional), where the health, safety or welfare of the data subject would be at stake. If data has to be disclosed by telephone, it is good practice to ask the third party for their switchboard number and to call them back. If in doubt, get advice from a senior member of staff.

Disclosure to the Police and law enforcement agencies

The Data Protection Act includes exemptions which allow personal data to be disclosed to law enforcement agencies without the consent of the individual who is the subject of the data, and regardless of the purpose for which the data were originally gathered. In particular, personal data may be released if:

• failure to provide the data would prejudice the prevention or detection of crime, the apprehension or prosecution of offenders, or the assessment or collection of any tax or duty.
• failure to provide the information would put vulnerable individuals at risk
• the information is required for safeguarding national security

Normally, requests for information under the crime/tax exemption will be made by the Police, but it may also involve requests from other organisations that have a law enforcement role such as Department of Works and Pensions Benefit Fraud Section.

It should be noted however that the council is under no obligation to provide information to a law enforcement agency. Before providing the information, the requesting agency must provide a sufficient explanation of why the information is necessary to the extent that not providing it may prejudice an investigation. This is to satisfy the relevant information holder that the disclosure is necessary. We need to ensure that the information is being provided to a genuine and properly authorised investigation.

If we are not satisfied that there are valid grounds for releasing the information, the legislation does not oblige us to release information, neither does the exemption require LBE to disclose all personal information, in all circumstances. Key questions to ask are:

• Am I sure the person is who they say they are? (for this reason particular care should be taken if the request is made over the telephone). If in doubt, ask for the request to be made by email or in writing on headed paper.
• Is the person asking for information to prevent or detect a crime or catch or prosecute an offender? Is there a risk to a vulnerable individual?
• If I do not release the personal information, will this significantly harm any attempt by the police to prevent crime or catch a suspect? (The risk must be that the investigation may very well be impeded).
• If I do decide to release personal information to the police, what is the minimum I should release for them to be able to do their job?

Releasing information to the Police, is a complex area, if in doubt, seek guidance from your Manager or a senior officer. Further guidance can be obtained via the ICO website.

Do not be bullied into disclosing data if you have any doubt as to the validity of the request. Either ask the third party to submit the request in writing and/or or refer the request to senior staff. If in doubt, always ask your Manager or your Departmental Data Coordinator for advice and support.

Requests from the Police or other law enforcement agencies will usually be classified as OFFICIAL-SENSITIVE and must not include the data subject’s name when logging the case in the corporate SARs system. These records will need to be maintained under the OFFICIAL-SENSITIVE classification requirements within the respective business area.

Requests from third parties that should be refused

Requests from agencies, such as an estate agent, debt recovery firm, landlord, seeking information on a person who is being pursued for debt or other actions must be refused unless the consent of the data subject has been obtained. They should be informed that personal information will only be provided under the direction of a court order. Debt in particular is a civil matter not a criminal one, and as such the exemptions for prevention and detection of crime do not apply.

There is an exemption to the above where the provision of the data is in the public interest. For example, if the council would be liable to pay the debt if the information is not provided, there may be a public interest reason for doing so. However this must be balanced against risk to the data subject (for example, protection from abuse for vulnerable individuals).

Data Protection Officer

The Data Protection Officer (DPO) should be contacted for advice on Subject Access Requests. The DPO may also receive SARs which should be passed to Complaints and Information for handling.

Departmental Data Coordinator

Departmental Data Coordinators (DDCs) will work with the respective business areas in their Department to monitor and facilitate the processing of SARs in their Department.

Training and awareness

All LBE employees have a responsibility to ensure that they and the staff they manage have undertaken the corporate Data Privacy and Information Security training and have sufficient awareness of the legislation so that they are able to comply with the requirements.

All staff undertaking the processing of SARs must ensure that they follow the policies and procedures outlined in this document.

Managers should encourage and make time for their staff to attend any further Data Privacy and Information Security training or awareness opportunities that may arise.

Supporting policies

This policy should be read in conjunction with the following policies and procedures:

• Data Protection Policy
• Information Classification and Handling Policy
• Freedom of Information Policy
• Security Incidents Reporting Procedure

Appendix 1 - Procedure for dealing with subject access requests

Introduction

The London Borough of Enfield (LBE) is required under the legislation to provide an individual with a copy of all personal information held about them following a request from the individual. This is known as the right of subject access and such a request is referred to as a Subject Access Request (SAR).

All SARs MUST be made in writing. If the request is made verbally, staff should provide advice and assistance to the individual. Note that a SAR application is valid as long as a sufficient description of the information required is submitted along with the appropriate ID. There is no obligation for the applicant to complete the council forms.

A request for information can arrive in any part of the organisation, and must be dealt with locally by those authorised to process SARs. All SAR requests must be logged with Complaints and Information for tracking and compliance purposes, but they are NOT responsible for fulfilling the requests. An audit trail of all documentation must be maintained with relevant teams/departments. All requests must be acknowledged within 10 days (see template letter below in Appendix 2).

In many cases a Freedom of Information (FOI) request is received by the Department’s FOI Lead Officer which subsequently turns out to be a SAR on closer inspection of the request. The FOI Lead Officer will need to pass the request to the respective Departmental Data Coordinator (DDC) or SAR officer as appropriate.

Subject Access Requests received centrally by the Data Protection Officer (DPO) will be passed to Complaints and Information for appropriate processing.

DDCs will cascade any requests to the relevant contacts within their business area, ensure that all relevant data stores are checked and that all information held is provided to the requestor within the deadline provided.

The timescale within which requests must be resolved is 1 Calendar Month from receipt of the request and provision of suitable ID.

Procedures for dealing with an initial request

The ‘Access to Personal Information (Subject Access) Application Form’ can be used to obtain all the necessary information described in this section. This can be found in Appendix 2.

Adult Social Services also have a booklet available called ‘Your Records Your Rights - Accessing your personal information’ which contains an application form. The booklet and form is also available from the council website and can be used to make a request.

On receiving a request for information, it must be established whether the individual asking is the data subject or a third party.

If the request is from the data subject, the following must be in place before any information is disclosed:

• The request in writing (this includes email)
• Proof of identity of the requester
• Sufficient details to locate the information

The time to respond does not start until these are in place.

If the request is from a verified solicitor or elected member, 2.6 does not apply.

Photocopies of the following are acceptable as proof of identity:

• Passport
• Driving Licence
• Two different utility bills and/or bank statements, from within the past 3 months
• Verification by a council officer who has been working with that individual. This verification should be recorded on the corporate SAR system.

Individuals are required to detail the information they are seeking access to. If this is not clear the requester can be asked for more details. The timescale stops while clarification is sought.

Requests for further information and suitable IDs should be sought within five working days after receiving the original SAR so as to avoid unnecessary delays.

Requests on behalf of children

A parent does not have an automatic right to information held about their child. The right belongs to the child and the parent acts on their behalf, providing the parent has Parental Responsibility. Once the child reaches sufficient maturity, the child can exercise their own right, and the parent must act with the child's consent.

Where parents have separated, consideration should be given to the ‘best interests’ of the child in releasing information to the requesting parent.

In England and Wales the age at which the child reaches sufficient maturity is judged to be the age of 13, but this may vary according to factors particular to that child.

For a child insufficiently mature the following is required:

• the request in writing
• proof of identity of the requester (adult)
• proof of the responsibility of the adult for the child
• proof of identity of the data subject (child)
• sufficient details to locate the information

For a child sufficiently mature the following is required:

• the request in writing
• proof of identity of the requester (adult)
• proof of child's consent for the adult to access their information
• proof of identity of the data subject (child)
• sufficient details to locate the information

Requests on behalf of adults

1. For an adult acting on behalf of an adult without capacity the following is required:
2. the request in writing
3. proof of identity of the requester (adult)
4. proof that the requester may act on behalf of the data subject
5. proof of identity of the data subject (in some circumstances)
6. sufficient details to locate the information

Please see the Mental Capacity Act 2005 Summary and Guidance for Staff for more information on assessing capacity and who may act on behalf on an individual who lacks capacity.

For an agent acting on behalf of an adult with capacity the following is required:

• the request in writing
• proof of identity of the requester - if a solicitor, a letter on headed paper will normally be sufficient
• written consent of the data subject
• sufficient details to locate the information

Important note

Where a third party is asking for information on behalf of the data subject, the best interests of the data subject should be paramount when considering the information for release.

Procedure for providing information

Information should generally be provided to the subject via the same medium used for the request unless the requestor asks otherwise.

Team managers must ensure that a member of staff in the service responsible for the information should examine the information for anything that should be withheld before prior to the disclosure of the information. If anything of concern is identified they should consult the DDC who will take into account their views when assessing the information for release. The DDC will consult the DPO or Legal Services if further clarification is required.

Any information falling under an exemption will need to be either removed or redacted. This will be by either blanking out or blacking out the information. The minimum of information will be removed.

Where information has been withheld, in most cases the requester will be provided with a letter/email explaining what has been withheld and why. It will also include details of how to complain.

In some circumstances confirming or denying that a particular piece of information is held may result in release of information that should be withheld (for example, explaining that information is being withheld because it relates to a criminal investigation would reveal that an investigation has taken place or is underway, perhaps prejudicing that investigation, or on occasions where no data is held, but to confirm this may help limit searches for an individual). In these and other circumstances it may be necessary to refuse to confirm or deny that the information is held. A ‘neither confirm nor deny’ response should not be taken as an indication that the information requested is or is not held by the council.

Where the information cannot be easily understood without explanation, supporting information should also be provided. A record of what has been provided and withheld, with reasons, will be kept by the business area.

The legislation gives a right to a copy of the information in permanent form, and in easily accessible electronic format. A copy of the information will be provided unless the requester agrees otherwise or it would involve disproportionate effort.

The information provided must also include (references are to the GDPR):

• the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period
• the existence of the right to request from the controller access to and rectification or erasure of personal data or restriction of processing concerning the data subject or to object to processing as well as the right to data portability
• where the processing is based on point (a) of Article 6(1) or point (a) of Article 9(2), the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal
• the right to lodge a complaint with a supervisory authority
• whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the data subject is obliged to provide the personal data and of the possible consequences of failure to provide such data
• the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject

The requester may be offered the opportunity to view the information on council premises in the presence of a relevant council officer who is able to give appropriate support.

Where a requester views the information by appointment they should be attended by a member of staff from the department responsible for the information.

If the amount of information is large, the council will consider whether it would involve disproportionate effort to provide copies. If so the requester will be offered an appointment to view only, but be given the facility to copy information when they attend. An alternative is to ask the requester to refine the request further.

If the personal data is unstructured (not filed by reference to the data subject) the council will refuse requests where it would exceed the appropriate limit (for example, 18 hours of work) to locate, retrieve and extract the information.

When providing the information the council will consider the needs of the requester including facilities for translation or providing the information in another format.

The information should be transferred to the requester in a secure manner, for example by recorded or special delivery or hand delivery or collection.

Using the information whilst a SAR is being processed

Personal information may be used as normal while an access request is being processed. Routine amendments may be made.

It is a criminal offence to alter, deface, block, erase, destroy or conceal information with the intention of preventing disclosure of information when a request has been made. This offence can be committed by the council or any member of staff and is punishable on summary conviction by a fine.

Complaints

Complaints about the council’s processing of personal data will be dealt with in accordance with the council’s Corporate Information Compliance Complaints Procedure.

The Data Protection Officer is responsible for advising on and adjudicating complaints. Individuals do have a right to request that the Information Commissioner make an assessment of compliance of particular circumstances, who can be contacted on the Information Commissioner's Office website, or by post to:

The Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Releasing and withholding personal information

Information about members of staff or others acting in a professional capacity

The information requested will normally include mentions of members of staff or other professionals involved with the individual. This may include records of attendance at meetings, email exchanges, reports written and decisions taken. The names of the professionals involved will normally be released. The exceptions are where:

• the member of staff may be endangered by release of the information
• the information relates to the private life of the member of staff (rather than the professional life). This includes home addresses and telephone numbers.

If there is any doubt, please advise your DDC of any concerns you have.

Information about all other third party individuals (including relatives or carers)

Information about non-professionals will normally be withheld, unless there is reason to believe that the other person would be content for it to be released.

The following will be considered:

• Any views the third party has given about sharing their information, including any consents or refusal of consents
• The expectations of the third party about what might happen to their information
• Whether the third party is capable of consent
• Any duty of confidentiality owed to the third party

A professional’s judgement may be sought as it will be based on recent contact with the data subject and third party.

Where there is no recent professional involvement with the data subject the decision will be taken based on the content of the information held.

In certain cases it may be appropriate to write to the third party asking for consent.

Deceased individuals are still owed a duty of confidentiality

Therefore information about third parties who are deceased may be withheld if releasing would be a breach of confidentiality.

Legal advice

This includes legal advice from the council’s Legal Services or any other legal professional acting on the council's behalf.

The principle is based upon the need to protect a client's confidence that any communication with his/her professional legal adviser will be treated in confidence and not revealed without consent. This is to ensure there is the greatest chance that justice is administered to the client.

There are 2 categories of legal professional privilege:

• Advice privilege - where no litigation is contemplated or pending
• Litigation privilege - where litigation is contemplated or pending. Litigation is the taking of a legal action by one party against another in which an issue is being taken to a court of law for a judge or magistrate to decide.

If a file contains legal advice, the client concerned should be consulted to find out whether they consider legal professional privilege applies to the information.

If legal professional privilege does apply to the information, this information can only be released if the client agrees to waive the privilege.

Information contained in social care records – serious harm arising from releasing

Information contained in Social Care Records may be withheld if releasing it would 'be likely to prejudice the carrying out of social work by reason of the fact that serious harm to the physical or mental health or condition of the data subject or any other person would be likely to be caused.'

Criminal investigations

Information may be withheld if releasing it would be likely to prejudice the prevention or detection of crime or apprehension or prosecution of offenders.

In particular any information obtained from the police who are using it for this purpose, will be withheld.

In the case of doubt over a particular piece of information, the police will need to be consulted.

Definitions

Personal data is defined as data relating to a living individual who can be identified from the data and other information, which is in the possession of, or is likely to come into the possession of the data controller. This includes an expression of opinion about the individual and any indication of the intentions of the data controller, or any other person in respect of the individual.

A Data Subject is an individual who is the subject of the data.

A Data Controller is an organisation, for example, Enfield Council, or person that determines the purposes for which and the manner in which any personal data are to be processed.

A Data Processor is any person (other than an employee of the Data Controller, but including a legal person such as a limited company) who processes personal data on behalf of the Data Controller, for example, out-sourced work.

Processing means obtaining, recording, viewing, holding or carrying out any operation on data and includes organisation, alteration, retrieval, disclosure and destruction of the data.

A Third party is any individual who is not the data subject.

Subject access right - An individual is entitled to:

• be informed of what information a data controller holds about that individual
• be informed of the reasons for processing
• be informed of those to whom it is disclosed
• have access to the personal information held

An individual is entitled to receive a copy of the information held, in a permanent format, unless the effort involved is disproportionate or the individual agrees otherwise.

Redaction means removing or blacking out information from a document in order to withhold a piece of information.

Legal professional privilege is defined as the right of the individual or entity to consult lawyers about their legal position and to have the privacy of those consultations respected. In most circumstances such information is privileged from disclosure.

The Caldicott Guardian is a senior manager with responsibility for overseeing the arrangements for the use and sharing of service user personal and sensitive information.

Appendix 2

View the SAR application form (PDF, 253.39 KB).

Appendix 3

View SAR standard letters (PDF, 163.91 KB).

Policy details

Author - Complaints Team
Owner - Information and Data Governance Board
Version - 1.7
Reviewer - Information and Data Governance Board
Classification - Official
Issue status - Final
Date of first issue - 06.09.2012
Date of latest re-issue - 30.05.2023
Date approved by IGB - 19.05.2023
Date of next review - 30.04.2024