This procedure is to be followed when anyone asks to access their adult social care records.


Subject Access Requests (Hull City Council)

1. Introduction

The Data Protection Act 2018 specifies the duties of local authorities and other agencies in relation to holding, storing and processing of the personal data of living individuals (referred to as data subjects). Such information will either be held on IT databases or in hard copy.

Under the Data Protection Act, people who request information from the council that it holds are called ‘data subjects’, and staff who control the manner and the purpose of personal data which is collected and stored are called ‘data controllers’. It also gives data subjects the right to;

  • know about and obtain information held on them by the local authority and other agencies,
  • consent to their information being held and
  • be forgotten (have their information deleted) in relation to the data held about them.

2. Principles

The only people who have the right to see a person’s file are the person themselves or someone who holds a current lasting power of attorney to make welfare decisions on person’s behalf and the person has been assessed as lacking the mental capacity to make their own decisions about their welfare.

Family members and other third parties such as an advocate or a solicitor cannot access a person’s records unless the person has the mental capacity to decide whether or not to give them access and has given written consent.

Under the Data Protection Act 2018, only records which relate to a living person can be accessed. The only exceptions to this are under the Access to Health Records Act 1990, where an NHS body or the executor of the person’s will requests the records to support a retrospective claim for Continuing Health Care funding for someone has since died, or where a Court Order has been obtained.

In order to establish an audit trail, all requests must be in writing.

3. Procedural Steps

Step Action By Whom
1. Requests for access to records must be made in writing. If someone has made the request over the phone or face to face, they must be asked to put the request in writing, either by letter or by completing the online form. However, if a person receiving direct services simply wants to see what people have written about them on the diary sheet, this should be shared with them. If someone wants to see their file or wants a copy of their file, the full procedure should be followed. This is because there may be parts of the file which contain third party information which the person does not have the right to access without the written consent of that third party.

If the person is requesting access to the full file, identification must also be produced, preferably photo identity such as a passport or driving licence although if these are not available, a birth certificate, rent book, bank statement or current utility bill are acceptable. These must be originals, not photocopies.

The person making the request should find out from Hull City Council whether fees are payable. The Council must provide a copy of the information free of charge. However, it can charge a ‘reasonable fee’ when a request is manifestly unfounded or excessive, particularly if it is repetitive. It can also charge a reasonable fee to comply with requests for further copies of the same information (this does not mean that it can charge for all subject access requests / SARs). The fee must be based on the administrative cost of providing the information.

The request must be passed to the Data Protection Officer.

Person taking request
2. Upon receipt of the request, the Data Protection Officer will log the request on the Cyclops system. Data Protection Officer
3. The Data Protection Officer will check that the person making the request has the right to see the file, i.e. that they are the person about whom the file is kept, or that they hold a current lasting power of attorney to make welfare decisions on behalf of someone who lacks mental capacity or that they have the written consent of the person to whom the file refers to access their records. Data Protection Officer
4. If the person has the right to access the records, the Data Protection Officer will send a letter acknowledging receipt of the request and giving a date by which the person can expect to receive the file. They have one month to respond to a written request. Data Protection Officer
5. The Data Protection Officer will identify where the file is kept. If it is with a team, they will request it be sent. If it is in storage, they will contact the archive holder and request it be sent. Data Protection Officer
6. Upon receipt of the file, the Data Protection Officer will check the file and remove any third party information (called redacting), then photocopy it and mark it as for the person who has requested the information. Data Protection Officer
7. A covering letter will be prepared to be sent with the file which informs the person of their right to complain if they are unhappy with the service, first to us then to the Information Commissioner. It will also inform the person that if the file contains factual inaccuracies, they have the right to have them corrected. Data Protection Officer
8. The information which can be shared will be sent to the person by recorded delivery unless they want to come in to Adult Social Care offices and pick it up. Data Protection Officer
9. If the person states that the file does contained factual inaccuracies, these will be checked out and the file amended where relevant. A copy of these amendments will then be sent to the person. Data Protection Officer
Was this helpful?
Thanks for your feedback!