Subject Access Request

• Individuals Rights
• Right of Subject Access
• Miscellaneous Exemption
• Subject Access - Local Authority Housing Records
• Subject Access - To Social Services Records
• Subject Access - Education records in England

Individuals' Rights

Principle 6 of the Data Protection Act 1998 states

"Personal Data shall be processed in accordance with the rights of data subjects under this Act." The Act gives rights to individuals in respect of personal data held about them by others. The rights are:

• Right to prevent processing likely to cause damage or distress
• Right to prevent processing for the purposes of direct marketing
• Rights in relation to automated decision-taking
• Right to take action for compensation if the individual suffers damage by any contravention of the Act by the Data Controller
• Right to take action to rectify, block, erase or destroy inaccurate data
• Right to make a request to the Commissioner for an assessment to be made as to whether any provision of the Act has been contravened.

Right of Subject Access

Upon making a request in writing (which includes transmission by electronic means) and upon paying the fee of £10.00 to the Data Controller an individual is entitled:

• To be told by the Data Controller whether they or someone else on their behalf is processing personal data relating to that individual,
• If so, to be given a description of:

a) the personal data

b) the purposes for which they are being processed, and

c) those to whom they are or may be disclosed,

• To be told, in an intelligible manner, of:
• all the information which forms any such personal data. This information must be supplied in permanent form by way of a copy, except where the supply of such a copy is not possible or would involve disproportionate effort or the data subject agrees otherwise. If any of the information in the copy is not intelligible without explanation, the data subject should be given an explanation of that information, e.g. where the Data Controller holds the information in coded form which cannot be understood without the key to the code, and
• any information as to the source of those data (but see paragraph 1.3 - in some instances the Data Controller is not obliged to disclose such information where the source of the data is, or can be identified, as an individual), and
• where a decision significantly affecting a data subject is, or is likely to be, made about them by fully automated means, for the purpose of evaluating matters about them such as their performance at work, their creditworthiness, their reliability or their conduct, they are entitled to be told of the logic involved in that process. The Data Controller is not required to do this where the information in question constitutes a trade secret. The Act does not define 'trade secret'.

A Data Controller must comply with a subject access request promptly and in any event within forty days of receipt of the request, or if later, within forty days of receipt of :

• The information required (i.e. to satisfy himself as to the identity of the person making the request and to locate the information which that person seeks); and
• The fee (£10.00)

However, unless the Data Controller has received a request in writing, the prescribed fee and, if necessary, the said information the Data Controller need not comply with the request.

A Data Controller does not need to comply with a request where they have already complied with an identical or similar request by the same individual unless a reasonable interval has elapsed between compliance with the previous request and making the current request. In deciding what amounts to a reasonable interval, the following factors should be considered: the nature of the data, the purpose for which the data are processed and the frequency with which the data are altered.

The information given in response to a subject access request should be all that which is contained in the personal data at the time the request was received. Having received a request, the Data Controller must not make any special amendment or deletion, which would not otherwise have been made. The information must not be tampered with in order to make it acceptable to the data subject.

A particular problem arises when in complying with a subject access request they will disclose information relating to an individual other than the data subject who can be identified from that information, including the situation where the information enables that other individual to be identified as the source of the information (see paragraph 1.1). The Act recognises this problem and sets out only two circumstances in which the Data Controller is obliged to comply with the subject access request in such circumstances, namely:

• Where the other individual has consented to the disclosure of the information, or
• Where it is reasonable in all the circumstances to comply with the request without the consent of the other individual.

The Act assists in interpreting whether it is reasonable in all the circumstances to comply with the request without the consent of the other individual concerned. In deciding this question regard shall be had, in particular, to: -

• Any duty of confidentiality owed to the other individual,
• Any steps taken by the Data Controller with a view to seeking the consent of the other individual,
• Whether the other individual is capable of giving consent, and
• Any express refusal of consent by the other individual.

Miscellaneous Exemption

Confidential references given by the Data Controller

Personal data, which consist of a confidential reference given or to be given by the Data Controller for specified purposes (education, training or employment, appointment to office of provision of any service), are exempt from subject access. This exemption is not available for such references where the Data Controller receives them.

(For example, I work for W.H.Smith and whilst in their employment I make a subject access request (SAR), I have also applied for a job in Woolworths, W.H.Smith must provide me with a copy of all my personal data EXCEPT the reference they have sent to Woolworths - If I then make a SAR to Woolworths they would have to seek consent from W.H.Smith before disclosing the confidential reference)

Subject Access - Local Authority Housing Records

Compliance Advice

The Data Protection Act 1998 came into force on 1st March 2000. It gives all individuals who are the subject of personal data ("data subjects") a general right of access to the personal data, which relates to them. Personal data may take the form of computerised or, in some cases, paper records. The Act also sets out specific rights in relation to local authority housing records whether these are held in computerised or paper form. These rights are known as "subject access rights".

Which records are covered?

This paper explains the rights of local authority tenants in relation to housing records.

The Act gives right of access to tenancy records, which are held by any of the following:

• In England and Wales, "Housing Act local authorities" and housing action trusts established under the 1988 Housing Act.

The records covered relate to residential rather than commercial tenancies. The tenants may be current or past tenants or applicants for tenancies. The records themselves may be held in the form or computer or paper records.

The Data Protection Act calls organisations, which hold personal data, "Data Controllers". Technically the data controllers for housing records are the local authorities themselves rather than the housing departments, although for practical purposes subject access requests in relation to tenancy records are often best directed towards the housing departments.

Making a subject access request

Subject access requests must be made in writing to data controllers who are allowed up to 40 days in which to respond. Tenants are entitled to be told if any personal data are held about them and, if it is:

• To be given a description of the data
• To be told why the data are held
• To be told who the data may have been given to
• To be given a copy of the data with any technical terms explained
• To be given any information available to the controller as to the source of the data
• To be given an explanation as to how any automated decision taken about them have been made.

London Borough of Hackney charges a fee of £10.00 for responding to a subject access request. We may also ask for any information, which we need in order to verify the identity of the person making the request and to locate the data (for instance the address of the property or dates of the tenancy).

Information, which may be withheld

Although in principle individuals have access to all the personal data held about them, there are a few exceptions. In particular personal data may be withheld if:

• In that particular case it might prejudice the prevention and detection of crime, the prosecution or apprehension of offenders or the assessment or collection of any tax or duty to provide a copy;
• The data identify other people who have not consented to the disclosure of their data and where, on balance, it appears wrong to provide it;
• The disclosure of the data might cause serious harm to the data subject or another individual.

Subject Access - To Social Services Records

Compliance Advice

The Data Protection Act 1998 came into force on 1st March 2000. It gives all individuals who are the subject of personal data ("data subjects") a general right of access to the personal data, which relates to them. These rights are known as "subject access rights". Requests for access to records and for other information about those records are known as "subject access requests." Personal data may take the form of computerised or, in some cases, paper records. In most cases there is no right of access to paper records until October 2001. However, there are important exceptions, which include local authority social work records.

Which records are covered?

This paper explains the right of access to social work records.

The Act gives the right of access to social work records, which are held by the following:

• In England and Wales, a local social services authority

The records themselves may be held on computer or paper.

Who is entitled to make a request?

Subject access requests may be made to individuals to whom the data relate irrespective of age or any other criteria. A data subject can make a request through agents such as a solicitor or advice worker, although they may be asked for evidence that they are acting on behalf of the data subject.

In cases where data subjects are incapable of understanding or exercising their rights, for instance because they are too young or suffer from a severe mental handicap, then subject access requests may be made by parents or other persons who are legally able to act on behalf of the data subjects.

In many cases a Social Services Department may choose to disclose information about a client who is incapable of exercising his or her rights to a parent or other third party. However, it cannot be compelled to make the disclosure if the third party does not act on behalf of the data subject in law.

Making a subject access request

Subject access requests must be made in writing to data controllers who are allowed up to 40 days in which to respond. (The "data controller" is technically the organisation responsible for the data, in this case local authority as a whole. For practical purposes it is often easiest, however, to approach its social services department directly.) Data subjects are entitled to be told if any personal data are held about them and if it is;

• To be given a description of the data
• To be told why the data are held
• To be told who the data may have been given to
• To be given a copy of the data with any technical terms explained
• To be given any information available to the controller as to the source of the data
• To be given an explanation as to how any automated decision taken about them have been made.

London Borough of Hackney charges a fee of £10.00 for responding to a subject access request. We may also ask for any information, which we need in order to verify the identity of the person making the request and to locate the data (for instance names of relevant social workers, dates of contact with the department.)

Information, which may be withheld

In principle individuals have a right to be given a copy of all the information contained in their social work files. There are, however, times when the Act allows the social services department to withhold some information. The main exceptions are:

If the information on a file identifies other people, then it will often be right to remove that information unless the third parties have agreed to the disclosure. (This is likely to apply to information identifying social workers or other social work professionals unless to disclose it would cause them serious harm.)

• If the disclosure of the information would prejudice the carrying out of social work by reason of the fact that serious harm to the physical or mental health of the data subject or any other person would be likely to be caused;
• If, in the case of requests made on behalf of the data subject by a person able to exercise their legal rights, the data subject has expressly asked that some or all of the information should not be disclosed or if they have provided the social services department with information on the assumption that it will not be disclosed;
• If in that particular case it would hinder the prevention and detection of crime or the prosecution or apprehension of offenders to provide it.

Subject Access - Education records in England

Compliance Advice

The Data Protection Act 1998 came into force on 1 March 2000. It gives all individuals who are the subject of personal data ("data subjects") a general right of access to the personal data which relates to them. These rights are known as "subject access rights". Requests for access to records and for other information about those records are known as "subject access requests." Personal data may take the form of computerised or, in some cases, paper records.

The Act also sets out specific rights for school students in relation to educational records held within the state education system whether these are held in computerised or paper form. Educational records are the official records for which head teachers are responsible. The rights of students lie alongside the rights of parents to obtain copies of the educational records relating to their children. These are set out in separate education regulations The Education (Pupil Information) (England) Regulations 2000.

This paper explains the rights of both students and parents in relation to official educational records. (The leaflet does not set out to explain the general right of access to personal data not forming part of the official record, for instance records held by individual teachers for their own use, or records held by independent schools. This is described in the leaflet, "Using the law to protect your information," also available from the Data Protection Commissioner.)

Pupil Rights

The Data Protection Act gives all school students, regardless of age, the right of access to their school pupil records. Requests to see or receive copies of records should be made in writing to head teachers.

In addition to the right to be given a copy of the educational record, students are entitled to be given a description of the personal data which makes up the record, together with details of the purposes for which the data are processed, the sources of the data (if known) and the individuals or organisations to which the data may have been disclosed.

A period of up to 15 school days is allowed in which to respond to a subject access request. (The equivalent period for other types of record is up to 40 days.) If asked to provide a hard copy of the record, a fee may be charged according to the number of pages. (See below for the scale of charges.) Students may be asked for information to verify their identity if is necessary, for instance in the case of former pupils who may not be currently known to the school. They may also be asked for information necessary to locate the data held about them. For instance a student may be asked to supply the dates between which he or she attended the school.

While in principle students have a right of access to the whole of their educational records, in exceptional cases some information may be withheld. The main exemptions are for information which might cause harm to the physical or mental health of the student or a third party, information which may identify third parties (for example other pupils, although not teachers), and information which forms part of some court reports. Information may also be withheld if in that particular case it would hinder the prevention and detection of crime or the prosecution or apprehension of offenders to provide it.

If students are incapable of understanding or exercising their own rights under the Data Protection Act, (for instance because they are too young), parents can, of course, make subject access requests on their behalf.

If a request for information under the Act is refused or ignored, the matter can be referred to the Data Protection Commissioner or an application for disclosure can be made to a court.

Parents rights

In addition to the subject access right which can be exercised by pupils or by parents acting on behalf of pupils, parents have their own independent right of access to the official educational records of their children under the separate education regulations referred to in footnote 1. In essence the information to which parents are entitled and the exemptions are the same as for pupils although there is no parental right of access to information which does not form part of the official record. Requests to see or receive copies of the educational records of their children should be made in writing to head teachers. If asked to supply a hard copy of the record, a fee covering the cost of supplying the information may be charged. This is set by the governing body. A parent seeking access to an education record does not, however, have a right of redress under the Data Protection Act unless he or she is acting on behalf of their child. If a parent is not given a copy of his or her child's records, in the first instance he or she should contact the governing body and, after that, the DfEE or, as a last resort, the courts.

Because parents have an independent right of access to pupil records, the students themselves have no right to prevent their parents from obtaining a copy of their school records.

Back to top

Page updated: 28 May 2008