View 4LSCB Procedures View 4LSCB Procedures
View Portsmouth Children's Homes Procedures Manual View Portsmouth Children's Homes Procedures Manual

2.4 Access to Personal Records


This procedure applies to all staff in Adult and Children Social Care where a request for the disclosure of information held by the service has been made by a Data Subject, or their representative, whether this information is held electronically or on paper.


Confidentiality Policy


  1. Purpose
  2. Responsibility
  3. Reference
  4. Definitions and Legal Responsibilities
  5. Status of Records
  6. Processing Data Subject Requests
  7. Access to Records Flowchart
  8. Feedback
  9. Additional Information

1. Purpose

To detail the activities and processes carried out by Adult Social Care and Children and Families Social Care to effectively manage requests to access client information in accordance with legal requirements and government guidance.

2. Responsibility

The overall responsibility for access to records is with the Caldicott Guardians. Implementation of the procedure is the responsibility of the Assistant Heads in ASC and the Service Managers within Children and Families with delegated responsibility to Team & Unit Managers who should ensure:

  • That they understand the Data Protection implications for their team/unit;
  • That their team/unit is aware of this procedure and that they comply with it;
  • That all individuals are aware of their obligations under the law;
  • That where there is Joint Agency working the principles, objectives and standards included in this procedure are communicated and monitored.

Further guidance is available from the Social Care Information Governance Officer and the Caldicott Guardian.

3. Reference

Data Protection Act 1998.

4. Definitions and Legal Responsibilities

In this procedure requests from clients to have access to the information we hold on them will be known as Data Subject Requests. Except in the case of deceased individuals, access to all personal records for living individuals now comes under the Data Protection Act 1998. As part of the statutory function of Adult and Children's Social Care there is a requirement to record and keep information on services provided.

NB: You are only permitted to hold information on individuals where it is connected to the planning and delivery of their care or the statutory functions of the local authority

Individuals have a right:

When information is obtained -

  • To be informed whether personal data is to be processed (which includes being held or stored).

When disclosure of information is requested -

  • To be given a description of the data held, the purposes for which it was processed and to whom the data has been disclosed;
  • To be given a copy of the information (following redaction) (in an appropriate format);
  • To be given information as to the source of the data.

The person responsible for the data, the 'data controller' or "Access to records administrator" has 40 days in which to comply with a Data Subject Request.

5. Status of Records

Where requests are from service users currently receiving a service, the request should be made via the worker or team they are currently assigned to. It is good practice to share information regularly with service users during the Care Management process and there is no charge for existing service users to see their records. For people requiring a written copy of their records, request will be processed as listed in Section 6 Processing Data Subject Requests. Requests from persons no longer using a service will also be processed as listed in Section 6 Processing Data Subject Requests.

Combined requests for records that include other services or departments in addition to ASC should be processed by the Freedom of Information/ Data Protection Team. (E.g. education records). Such requests should be passed to the F.O.I /DPTeam immediately.

6. Processing Data Subject Requests

6.1 Provide Information

In every new service user information pack there will be a copy of the"Access to personal records form and guidance".

When a request for information about Access to Social Care Records is received

  • The Social Care publication 'Access to personal records form and guidance.' shall be given/sent to the requester;
  • The process is explained in the publication;
  • The access to records application form is also in the publication.

6.2 Application Received

The returned "access to personal records" form shall be accompanied by a £10 fee (this can be waived with the written approval of the Assistant Head of Service).

The 40 days in which the Data Protection Act 1998 requires a response to the request begins when all of the following have been received:

  • "Access to personal records form";
  • Payment of the £10 fee (if appropriate);
  • Satisfactory proof of identity.

6.3 Check Identity

To comply with the law, information relating to a Data Subject shall only be disclosed to the Data Subject or someone with their written consent or authority to receive it. On receipt of the access to personal records form, the Access to records administrator shall request evidence of the identity of the requester i.e.

  • Valid Passport; or
  • Driving Licence; or
  • Birth Certificate; or
  • Immigration/asylum status paperwork.

In conjunction with: Other proof of address, e.g. a named utility bill or bank statement ONLY ORIGINAL documents can be accepted.

The access to records administrator will take a copy of the documents. The original documents will be returned using recorded delivery (or secure mail) if received in the mail, along with the acknowledgement letter. If delivered in person return them originals to the person immediately after copying.

6.4 Log Request

The access to records administrator shall use Respond to log the request and to track it through the organisation. The date that each stage is completed shall be entered.

Copies of relevant correspondence or documentation in connection with the request shall be kept secure by the Access to Records Administrator.

6.5 Send Acknowledgement Letter

A letter of acknowledgement shall be sent by the Access to Records Administrator to the Data Subject at the address stated on the application form within 5 working days of receipt.

The letter shall include the name of the worker that will be handling the case if the case is an open case.

Any original proof of identity shall be returned with the acknowledgement letter using recorded delivery or secure mail.

6.6 Collate Information

Information relating to the Data Subject is to be obtained from all sources where it has been identified. The Access to Records Administrator shall liaise with the nominated sector representatives in arranging for the data to be transferred.

Paper files shall be transferred or collected from bases as required in secure wallets. These MUST NOT be sent in the internal mail.

6.7 Preparation and dispatch of files for disclosure.

The Access to Records Administrator shall prepare the files for disclosure. Further guidance about appropriate disclosure can be sought from the Information Governance Officer for Social Care, when necessary. Detailed information on what should be disclosed can be found in "access to records guidance" document.

Any information contained in the record that either identifies another individual or is provided by another individual, is to be redacted, unless there is consent to disclose. Further guidance can be obtained in the Access to Records Guidance.

The Access to Records Administrator will send the redacted file for sign off to the Senior Manager as nominated by the Caldicott Guardian along with a notification of how many working days remain out of the 40 allowed to process the request.

The Access to Records Pathway is attached with this document and identifies the process that needs to be followed.

7. Access to Records Flowchart

Click here to view Access to Records Flowchart

According to the wishes expressed by the client, and taking into account the volume of information as well as the complexity and sensitivity of the information the record contains, the Access to Records Administrator shall either: -

  • Make arrangements for the Data Subject to collect their records; or
  • Send a copy of the records requested in the post (sent registered post) with a covering letter; or
  • Make arrangements for the Data Subject to view their records with support.

The access to Records Administrator can offer to source and provide support to the Data Subject while they are viewing the records, bearing in mind the emotional response that viewing the records may evoke.

This stage completes the requirement to inform Data Subjects of the records held on them. The requirement is that this stage is completed within the 40 day time period. From this stage the 40-day time scale no longer applies.

A copy of the "redacted" records as viewed or sent to applicant must be held by the access to records administrator. These will be held electronically in a secure manner.

8. Feedback

Feedback forms will be sent with each set of records despatched or given when viewed. Each feedback form will be hand numbered in sequence and entered on the feedback spreadsheet.

The results of the feedback forms will be logged on the feedback spreadsheet and used to review and improve the service.

Should there be any response to feedback forms required from comments, the access to records administrator will discuss with line manager.

As part of the feedback process a complaints form will be given, and therefore any case requiring further investigation can be dealt with in the complaints system.

9. Additional Information

  • Data Subject Requests for access cover both manual and electronic records. No information is to be removed unless it meets any of the conditions detailed in the access to records guidance document. A request for information does not have to state `access request' or `data protection' to constitute a data subject request;
  • The law states that you do not have to respond to a request unless you have received it in writing. However, a verbal request is acceptable where the client would have difficulty in completing a written request (i.e. illiterate, visually impaired). Any verbal request shall be notified immediately to the Information Governance Officer (Social Care);
  • All requests for access to records shall be completed within forty days of receipt of the information required to satisfy yourself as to the identity of the person making the request;
  • If a data subject request has already been complied with, and an identical or similar request is received from the same individual, there is no obligation to comply with the second request unless a reasonable interval has elapsed;
  • Any codes or acronyms used in the information supplied to the Data Subject are to be accompanied by an interpretation;
  • Failure to comply with the request will mean that the Department is in breach of the sixth data protection principle and the ICO may take action;

    The 6th Data Protection Principle is: "Personal data shall be processed in accordance with the rights of the data subject under this Act";
  • Requests can be refused if, in the opinion of the Caldicott Guardian, it is considered that to release the data would cause significant harm to the data subject or others.

Guidance on specific issues:

  • What to do if a Data Subject considers that their record is incorrect
    The client shall be advised to discuss the situation with the Access to Records Administrator in an attempt to have the records amended. If this avenue is unsuccessful then they may pursue a complaint under the Complaints procedure. They could further complain to the Information Commissioner, who may rule that the information is rectified, blocked, erased or destroyed;
  • Requests from others for subject access
    Where the Data Subject is incapable of managing his or her own affairs, a person appointed by a court, or with the written consent from the data subject, to manage those affairs may seek access to the records. Access shall be restricted to the information necessary for the appointee to carry out his or her functions. Any decision to disclose information shall be justified (on the grounds that the recipient has a demonstrable need to know/for the care of that person/it is in the person's best interests).

Associated documents:
  1. General
    Clear Desk Policy SSPO-0010A
    Social care record guarantee SSRD-0077
    Information governance reporting procedure SSPR- 0179 (ASC draft version only- please use corporate guidance until published- Jan Boucher)
    Information governance reporting form SSFM-0407 (ASC draft version only- please use corporate guidance until published- Jan Boucher);
  2. General/Corporate
    In addition to the individual documents listed here there is a raft of corporate policy and procedure including the Corporate Information governance policy that is stored on the web;
  3. Records - employment
    Employees who are also service users Procedure SSPR-0113
    Employees who are also service users Form SSFM-0025
    Social care database pre employment check procedure SSPR-0166
    SWIFT access and guidance declaration SSFM-0393;
  4. Access to records - personal
    Access to records application form and guidance SSFM-027
    Access to records guidance SSRD- 0078
    Access to records feedback form and spreadsheet SSFM-0409
  5. Record Management
    Records management (paper and electronic) SSPR-0145
    Case recording procedure SSPR-0148
    Hazard recording procedure SSPR-0176
    Fair processing SSFM-0408
    Safehaven Procedure SSPR-0177
    Information sharing pocket guide SSRD-0079
    File transfer and information sharing (paper and electronic) SSPR-0178 (ASC draft version only- please use corporate guidance until published- Jan Boucher).
Approval (Sign off):

Rob Watt (Head of Adult Social Care)

Angela Dryer (Assistant Head of ASC & Caldicott Guardian)

Vaughan Tudor Williams (Senior Manager for Specialist Services and C & F Caldicott Guardian)

Mike Staniforth (Quality & Performance Management Officer)
Revision History: Replaces 2004 procedure to accommodate revisions to access to records process.
Distribution All Adult Social Care Managers, CC Children and families via Stephen Kitchman (Head of Service) and Vaughan Tudor -Williams (Senior Manager and Caldicott Guardian)