10.2 Access to Records – Central Bedfordshire APPP Hub

CQC Quality Statements

Theme 3 – How the local authority ensures safety in the system: Safe systems, pathways and transitions

We statement

We work with people and our partners to establish and maintain safe systems of care, in which safety is managed, monitored and assured. We ensure continuity of care, including when people move between services.

What people expect

When I move between services, settings or areas, there is a plan for what happens next and who will do what, and all the practical arrangements are in place.

I feel safe and supported to understand and manage any risks.

1. Introduction
2. People Eligible to Request and Receive Information
- 2.1 Capacity
3. Information People are entitled to Receive
- 3.1 Exempt Information
- 3.2 Third Party Information
4. Making an Application
- 4.1 Requests that are manifestly unfounded or excessive
5. Timescales
6. Further Reading
- 6.1 Relevant chapter
- 6.2 Relevant information

1. Introduction

Data protection legislation (see Data Protection Act: Legislation and Practice chapter) specifies the duties of local authorities and other agencies in relation to holding, storing and processing of the personal data of living individuals (referred to within the legislation as data subjects). The Council is a ‘data controller’ and is registered with the Information Commissioner’s Office – Z169787X.

It also gives data subjects certain information rights, but this is dependent on the lawful basis for processing the personal information.

All data subjects have the right to ask for a copy of the information.

2. People Eligible to Request and Receive Information

In most circumstances it is only people (data subject) who the council holds information on who are allowed to receive information held about them by the local authority. The information provided by the local authority must only relate only to them and no one else.

If a solicitor makes a request on behalf of a client to access their case records, the solicitor must obtain written consent from the adult which allows the solicitor to receive the information. This consent must be sent to the local authority as part of the application.

2.1 Capacity

Although there are no specific provisions in data protection legislation regarding access of records in relation to people who lack capacity, the Mental Capacity Act 2005 enables a third party to exercise subject access rights on behalf of such an adult. It is reasonable to assume, therefore that an attorney with authority to manage the property and affairs of an adult will have the appropriate authority. The same applies to a person appointed by the Court of Protection to make decisions about such matters.

3. Information People are entitled to Receive

In theory people (the data subjects) are allowed to receive all non-exempt information (see 3.1 Exempt Information below) held about them by the local authority. People making such requests should be asked what information they specifically want to see. This will reduce the likelihood of a request being denied due to the inclusion of exempt information.

3.1 Exempt Information

In some circumstances it may not be possible to allow people to access to some or all of the information in their records, for example if it mentions another person (see 3.2 Third Party Information below), if giving them the information may cause them harm, or if it is needed for the prevention or detection of a crime. The person should usually be told the reason why it is not possible for them to access their records.

Correspondence between local authority departments and its legal services department is privileged and therefore also exempt from disclosure.

3.2 Third Party Information

It is important to ensure that when disclosing personal information to a requester, information relating to another individual who can be identified from that information, is not disclosed.

4. Making an Application

Subject Access Requests (SARs) can be written or verbal, and it can be made to any part of an organisation including social media.

4.1 Requests that are manifestly unfounded or excessive

Where requests are manifestly unfounded or excessive, in particular because they are repetitive, the organisation can:

charge a reasonable fee (as above); or
refuse to respond.

Where it refuses to respond to a request, it must explain why to the individual, informing them of their right to complain and to a judicial remedy without unnecessary delay and at the latest within one month.

5. Timescales

The local authority has one month to respond to a written request. This allows time for personal information to be collated all involved departments within the local authority, analysed to ensure it does not contain exempt information (see 3.1 Exempt Information) and decisions made about whether there is such information that cannot be given to the person.

If you receive a request for information, an information rights request or a complaint, or concern about the way information has been handled you must notify the Information Governance Team straight away email address: [email protected], so that they can formally coordinate the request and ensure that only the information a data subject or requester is entitled to is disclosed.

CBC customers or clients can be invited to submit requests via Information Governance on the Council’s website.

Information about the Council’s policies and guidance regarding information, data protection and security can be found here: MyCentral: Data protection Information (F5).