SCOPE OF THIS CHAPTER
This procedure is to be followed when anyone asks to access records held by Adult Social Care in a customer’s file.
February 2019: This chapter has been amended to reflect the Data Protection Act 2018, which came into force in May 2018. Section 1, Introduction is new and steps 1 and 4 in Section 3, Procedural Steps have been updated.
The Data Protection Act 2018 specifies the duties of local authorities and other agencies in relation to holding, storing and processing of the personal data of living individuals (referred to as data subjects). Such information will either be held on IT databases or in hard copy.
The legislation terms people who request information from the council that it holds on them ‘data subjects’ and staff who control the manner and the purpose of personal data processing ‘data controllers’. It also gives data subjects the right to;
- know about and obtain information held on them by the local authority and other agencies,
- to consent to their information being held and
- to be forgotten (have their information deleted) in relation to the data held about them.
The only people who have the right to see a customer’s file are the customer him/herself or someone who holds a current lasting power of attorney to make welfare decisions on the customer’s behalf and the customer has been assessed as lacking the mental capacity to make their own decisions about their welfare.
Family members and other third parties such as an advocate or a solicitor cannot access a person’s records unless the customer has the capacity to decide whether or not to give them access and has given written consent.
Under the Data Protection Act 2018, only records which relate to a living person can be accessed. The only exceptions to this are under the Access to Health Records Act 1990, where an NHS body or the executor of the customer’s will requests the records to support a retrospective claim for Continuing Health Care funding for someone has since died, or where a Court Order has been obtained.
In order to establish an audit trail, all requests must be in writing.
3. Procedural Steps
|1.||Requests for access must be made in writing. If someone has made the request over the phone or face to face, they must be asked to put the request in writing, either by letter or by completing the online form. However, if a customer of direct services simply wants to see what people have written about them on the diary sheet, this should be shared with them. If someone wants to see their file or wants a copy of their file, the full procedure should be followed. This is because there may be parts of the file which contain third party information which the customer does not have the right to access without the written consent of that third party.
If the person is requesting access to the full file, identification must also be produced, preferably photo identity such as a passport or driving licence although if these are not available, a birth certificate, rent book, bank statement or current utility bill are acceptable. These must be originals, not photocopies.
The person making the request should find out from Hull City Council whether fees are payable. The Council must provide a copy of the information free of charge. It can charge a ‘reasonable fee’, however, when a request is manifestly unfounded or excessive, particularly if it is repetitive. It can also charge a reasonable fee to comply with requests for further copies of the same information (this does not mean that it can charge for all SARs). The fee must be based on the administrative cost of providing the information.
The request must be passed to the Data Protection Officer.
|Person taking request|
|2.||Upon receipt of the request, the Data Protection Officer will log the request on the Cyclops system.||Data Protection Officer|
|3.||The Data Protection Officer will check that the person making the request has the right to see the file, i.e. that they are the person about whom the file is kept, that they hold a current lasting power of attorney to make welfare decisions on behalf of someone who lacks Capacity or that they have the written consent of the person to whom the file refers to access their records.||Data Protection Officer|
|4.||If the person has the right to access the records, the Data Protection Officer will send a letter acknowledging receipt of the request and giving a date by which the person can expect to receive the file. They have one month to respond to a written request.||Data Protection Officer|
|5.||The Data Protection Officer will identify where the file is kept. If it is with a team, they will request it be sent. If it is in storage, they will contact the archive holder and request it be sent.||Data Protection Officer|
|6.||Upon receipt of the file, the Data Protection Officer will check the file and remove any third party information, then photocopy it and mark each page ‘client copy.’||Data Protection Officer|
|7.||A covering letter will be prepared to be sent with the file which informs the customer of their right to complain if they are unhappy with the service, first to us then to the Information Commissioner. It will also inform the customer that if the file contains factual inaccuracies, they have the right to have them corrected.||Data Protection Officer|
|8.||The information which can be shared will be sent to the customer by recorded delivery unless the customer specifies they want to come in to Adult Social Care Headquarters and pick it up.||Data Protection Officer|
|9.||If the customer states that the file does contained factual inaccuracies, these will be checked out and the file amended where relevant. A copy of these amendments will be sent to the customer.||Data Protection Officer|