Subject Access Request Redaction Policy
This Policy relates only to the release of information under Article 15 of the UK GDPR 2021.
The following principles apply to all such requests for information.
• Requester is the named individual asking for a copy of the information
• Data Subject is the person the data is about; they must be the focus of the data
• The Requester and Data Subject may not be the same person.
There are conditions where someone other than the Data Subject may obtain access to that person’s data.
General principles
These principles are common to all Subject Access Requests. Where there are exceptions to these principles, it will be noted below.
- The council provides an electronic copy of the information being released. The default is digital; paper copies may be supplied on request only
- The council will use the most efficient method to provide the information requested. This may include grouping requests together and seeking consent from multiple Data Subjects – allowing the council to process information once rather than multiple times
- The council will provide personal information about a Data Subject only with validated identity or authorisation
- Where the request is for personal data of more than one person, the council will wait for a set period for consent or authorisation from all the Data Subjects before processing the request – this will be explained to the Requester as early as possible in the process
- When a Data Subject does not consent to release their personal data to a third party, the council will process only that part where authority / consent is given
- Third party owned data will only be released on receipt of written consent of that third party. Release of data will be in line with the instructions of the third party. Where consent is unrestricted, the council will release the data only in accordance with its own redaction policy
- At all times the council will follow the legal requirements of relevant legislation regarding processing of personal data
- A record of each Subject Access Request will be made on the relevant line of business system
- Reports and non-personally identifiable statistics will be made using Subject Access Request data as part of monitoring and process improvement by the council.
Data Subject data
The UK GDPR identifies personal data as below:
“‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”.
The Information Commissioner’s Office (ICO) define “identifiable” as below:
“If you can distinguish an individual from other individuals, then that person is ‘identified’ or is ‘identifiable’. Often an individual’s name together with some other information will be sufficient to identify them.
A name is perhaps the most common means of identifying someone. However, whether any potential identifier, including a name, actually identifies an individual depends on the context.
By itself, the name ‘John Smith’ may not always be personal data because there are many individuals with that name. However, if the name is combined with other information (such as an address, a place of work, or a telephone number) this is often sufficient to clearly identify one individual.”
This means that while the council holds information with the name of a Data Subject, unless there is some other information that allows us to confirm that is the Data Subject, it may not be identifiable and therefore we may not release that information under a Subject Access Request.
For example, where a Data Subject ‘John Smith’ makes a Subject Access Request for their social care file, it is reasonable to assume that within the social care file for ‘John Smith’, every reference to that name is the Data Subject making the request, unless there is clear evidence to the contrary. Where ‘John Smith’ is listed in a report on current social care cases, that name alone is not enough to identify that this is the Data Subject in this case.
The council conducts reasonable searches for information relating to the Data Subject to comply with their request.
Where information does not clearly identify the Data Subject, it will be withheld. It is the council’s decision whether the Data Subject is clearly identifiable.
The council will not routinely release correspondence with the Requester / Data Subject under a Subject Access Request. Because this information is already in the possession of the Requester / Data Subject, providing it is considered repetition and not a fair use of public resources.
Where correspondence with the Requester / Data Subject cannot be separated from other information held by the council, it will be released in full – no redactions will be applied specifically to that data only. This includes:
- Information about other Data Subjects
- Information owned by another Data Controller
- Duplicate information.
Where a Requester explicitly requests copies of correspondence with the Requester / Data Subject, the council will consider this and decide on a case-by-case basis.
Third Party Access
Where the Requester is not the Data Subject, they may still have authority to access the personal data of the Data Subject. The council will follow the principles below in determining if the Requester has adequately demonstrated their authority to access the data.
Where the council is not satisfied the Requester has demonstrated authority to access the Data Subject’s personal data, the request will be refused.
Where the requester is asking for information relating to themselves and one or more third parties, the council will require written consent for release, as detailed below.
The council will set a timescale for receipt of this consent. If consent is not received by the date given the council will only process the requester’s own data.
1) The Requester is a parent acting on behalf of a biological or legally adopted child
The Requester must always provide proof of their own identity and the council must be satisfied of this before it will consider providing information relating to another Data Subject.
Proof is required in the form of a full birth certificate (not the short form as this does not identify both parents).
Other possible documents include Court Orders and similar Court documents – where a Court of England and Wales accept the identity of a person as the parent of a child, the council will do the same.
Where the child is aged 13 or above, specific written consent needs to be provided from the child using a different contact to the requester.
Only if there is medically certified lack of capacity for the child should the need for consent be waived.
Where no written proof is available, the council may accept a supporting statement from a key worker. This will depend on the circumstances of the case.
Where the Requester is an Adoptive Parent, the
2) The Requester is a legal representative acting on behalf of the data subject
Commonly a practising solicitor registered within the UK. They must provide authentication information for the data subject and documented authority from the Data Subject that the solicitor is acting on their behalf.
Litigation Friend is not recognised by the council as a legal representative with authority to access personal data under the Data Protection Act.
3) The requester has an appropriate Power of Attorney that has been invoked
In all cases where a Requester wishes to act on behalf of a Data Subject, they must demonstrate their own identity to the council.
The Requester must also provide the evidence of the Power of Attorney and evidence the Power is invoked or provide evidence of consent from the Data Subject.
For financial information only, this will be a Power of Attorney for Financial Affairs. As this may be invoked at any point from the date of its registration, the Requester will still need to provide consent from the Data Subject or evidence of medical certification that the Data Subject lacks capacity.
For all other information this will be a Power of Attorney for Health and Welfare.
This may only be invoked after the point where the Data Subject is medically assessed as lacking capacity.
To ensure the Requester has the authority to act on behalf of the Data Subject, they must provide medical certification that the Data Subject lacks capacity.
Third party personal data
Where the information relates to third party individuals
The council applies the following principles for managing names of third party persons.
Application of these principles is determined for each case individually – the council does not use a ‘blanket’ approach to releasing or withholding information.
Names that may be released
Names of professionals may be left in, such as:
- Council keyworkers, case workers and senior officers
- Teaching staff and senior school staff
- Third party consultants and professionals acting in their professional capacity
- NHS medical and consultant staff (Solicitors, Advocates, Litigation Friend, Charitable bodies)
- Case officers in third party organisations (Probation, Courts, Prison Service, Non-NHS medical including psychological and psychiatric care).
Names of some private individuals may be released. This will depend entirely on the circumstances of the case. Such names may include:
- Parents and siblings of a Data Subject – see below
- Partner or spouse of the Data Subject.
Names that must be withheld
- Names of any private individuals other than the above
- Wider family ‘cousins’, ‘aunts’, ‘uncles’ are to be withheld
- Siblings – including half-siblings - unless they are living in the home at the same time as the requester and the requester was old enough to remember this
- Any other person – neighbours, friends, any person not acting in a professional capacity.
The council will also withhold the following information:
- Contact details of any professionals:
  - Mobile phone number
  - Personal work email address
  - Individual building address (unless widely known as a public office)
- Identities of Police workers – any person indicating they work for the police or have a police email address
- Identities of junior staff of any kind. Job roles include terms such as:
  - Support / Clerical / Administrative / Assistant / Junior.
Other third party – release
- Where it is clear the Requester / Data Subject has already got the information, it may be released, such as:
  - Notes of a meeting where the Requester / Data Subject is present along with other persons, professional and personal
  - Communication with third party individuals including the Requester / Data Subject – an email exchange where the requester is To, From or CC along with other persons
- Communication can be from a person in a support role – their name and details can be released in this circumstance – the Requester / Data Subject already has that information
As noted above, where practical, correspondence with the Requester / Data Subject will not be released to avoid using public resources.
Other third party – withhold
Data Subject records may include information about other Data Subjects.
Views, opinions and thoughts of an individual are personal data about that individual.
This information will be withheld unless its release is specified above.
Third party owned information
Where information is owned or controlled by a third party person or organisation, the council will not provide that information without the written consent of that person or party.
The council will identify each third party Data Controller and contact them separately for consent to release the data they own.
To ensure the council meets its statutory deadlines, requests for consent will be time sensitive and a response deadline will be provided at the point of asking for consent.
Only where a Data Controller consents to release in writing by the deadline given will the council release that data.
Consent to release will be either in full or partial. Where consent is partial, the council will only release information as explicitly instructed by the third party Data Controller – seeking clarity if uncertain.
In all other circumstances the council will withhold third party owned data and cite the reason in the redaction log.