Skip to main content
Caption: floating buttons
View East Riding Safeguarding Children Partnership View East Riding Safeguarding Children Partnership
spacer_valid 2
View Working Together View Working Together
Caption: main heading

2.4.1 Access to Personal Information (including Subject Access Request Guidance)


Information Commissioner’s Office (ICO) – Rights of Access

Information Commissioner Toolkit for Public Authorities on Dealing with Vexatious Claims – a toolkit to help councils decide when a Freedom of Information (FOI) applicant is vexatious, issued by the Information Commissioner’s Office (ICO).

Information Commissioner  Guidance on Subject Access Requests – includes reminders that Subject Access Requests can be submitted by various means, including via social media, and do not have to contain the words 'subject access request'.

Please see relevant section of Forms Library to access the required template.


  1. Policy
  2. Principles of Access to Personal Information
  3. Procedure for Accessing Personal Information

1. Policy

Every individual who comes into contact with Children’s Social Care Services has a right to see what information is kept about themselves in our records, in line with the UK General Data Protection Regulation (UK GDPR), Data Protection Act 2018 and the Human Rights Act 1998. All Children’s Social Care Services staff should ensure that they comply with the requirements of the Data Protection Act 2018 at all times.

The right of access applies to both paper / hard copy and manual records and records held electronically. It is important that electronic recording systems comply with the requirements for data subjects to easily find their story in a logical narrative.

2. Principles of Access to Personal Information

Any information recorded about living, identifiable individuals is covered by the UK General Data Protection Regulation (UK GDPR) and Data Protection Act 2018. All personal information held by Children’s Social Care Services must be registered under the Act.

The principles of the Data Protection Act 2018 apply not only to data held electronically, but also to manually processed records of personal data. All staff who have access to personal information and who may be in a position to disclose that information to others, have to comply with the requirements of the Act and an individual can be held personally responsible for any breach of the Act.

  1. All Children’s Social Care Services staff must comply with the Data Protection Principles (details of which can be found in the "Data Protection Act Guidelines for Managers" issued by IT Services and is available on the Council's Intranet) and East Riding of Yorkshire Council's procedures. All personal information held about an individual must be recorded and used only for the purposes of enabling Children's Social Care to carry out its functions. Criminal offences may be committed where the use of the information is not in accordance with the terms of the Act;
  2. Personal information held by Children’s Social Care Services, regarding a data subject, should only be the minimum needed for the department to carry out its duties;
  3. All Children’s Social Care Services staff are obliged to ensure that any personal information is accurate and, where necessary, kept up to date;
  4. Personal data should not be kept for any longer than is necessary for Children's Social Care to fulfil its statutory functions. Staff should refer to the Retention and Destruction of Case Records Procedure for details of retention periods;
  5. Appropriate security measures should be operated to ensure that only authorised and appropriate staff members are able to access personal information on data subjects;
  6. An individual who makes a subject access request is entitled to be supplied with a copy of all of the information that forms any such personal data, unless it would involve a disproportionate effort to provide the information. Explanation of any coded forms should be supplied to make the information intelligible to the individual.

3. Procedure for Accessing Personal Information

  1. Individuals must apply in writing to the Council's Data Protection Officer to find out what information is held about them;
  2. All requests by data subjects for access to personal information held by Children's Social Care about them must be responded to within 1 month of receipt. It is still necessary to reply to a data subject access request, even if no personal data is held about the individual;
  3. Failure to reply to a request for access to information, or deliberately delaying to provide the details of the personal information held, is not acceptable. The individual may either apply to a court or complain to the Information Commissioner that there has been a breach of the Act;
  4. Children’s Social Care Services will need to be satisfied as to the identity of the individual making the request. The individual should give any information, which the data user reasonably requires, for the purpose of processing the request;
  5. All staff should encourage children and young people with whom they are actively involved, to access their case records on an ongoing basis. All information recorded should be shared with the child/young person as a normal part of any direct work being undertaken with them, where the child or young person is of sufficient age and understanding and the sharing of this information is in the interests of the child/young person;
  6. A request from a child for access to personal information is to be treated as though an adult had made it, if Children’s Social Care Services are satisfied that the child has the capacity to make the request;
  7. If a child or young person does not have sufficient understanding to make their own request, a person with parental responsibility can make the request on behalf of the child. Where a parent applies on behalf of a child, Children’s Social Care Services should satisfy itself that the child lacks the capacity to make the request, or has the capacity and has authorised the parent to make it on their behalf. Children’s Social Care Services also needs to be satisfied that the parent is acting in the interests of the child and can refuse to disclose information to the parent where it is likely to result in serious harm to anyone, including the child;
  8. If there are genuine reasons for suspecting that an individual has improperly made a subject access request in the name of another, the Registrar advises that Children’s Social Care Services should report the matter to the Police;
  9. If any individual suffers damage because of inaccurate information held about them, they are entitled to claim compensation from Children’s Social Care Services;
  10. Exemptions to the Right of Access;

    The Data Protection Act 2018 (Schedule 3) contains exemptions to the rights of access contained in Article 15 of the UK GDPR for health, social work, education and child abuse data. The right of access which is afforded to data subjects is restricted in the following circumstances:
    1. Where the right of access would prejudice carrying out social work because access to the information would be likely to cause serious harm to the physical or mental health of the data subject or some other individual;
    2. Where the records contain child abuse data; there is an exemption from Article 15 if the application of that provision would not be in the best interests of the data subject. (“Child abuse data” is defined in the Act as personal data consisting of information as to whether the data subject is or has been the subject of, or may be at risk of, child abuse. For this purpose, “child abuse” includes physical injury (other than accidental injury) to, and physical and emotional neglect, ill-treatment and sexual abuse of, an individual aged under 18);
    3. Where complying with the right of access would mean disclosing information was which given by the data subject in the expectation that it would not be disclosed or is information which the data subject expressly indicated should not be disclosed;
    4. Where the data is processed by a court, consists of information supplied in a report or other evidence given to the court in the course of proceedings, the data may be withheld by the court in whole or in part from the data subject.

      Access can also be refused if:
      • Disclosing information to the data subject would involve disclosing information relating to another individual who can be identified from the information. Unless (a) the other individual has consented to the disclosure of the information to the data subject, or (b) it is reasonable to disclose the information to the data subject without the consent of the other individual;
      • Where disclosure may prevent the detection or investigation of a crime or jeopardise public or national security.

Access requests can also be refused if they are ‘manifestly unfounded or excessive’ (for example if an identical or similar request has been received from the same person and already been complied with).

These exemptions do not justify the total withholding of information but only those records / parts of records which are covered by the exemptions. The remainder of the case records should be made available to the data subject.

The exemptions above do not apply where disclosure is required by a court order or is necessary for the purpose of or in connection with any legal proceedings.

For the procedure in relation to access to Adoption Case Records - see Access to Birth Records and Adoption Case Records Procedure.

  1. On receiving a request for access to any information held by Children’s Social Care Services, staff should provide the person making the request with a copy of the relevant Leaflet and the Council's Subject Access Request Form (available via the Council's Intranet or Internet Website), and advise them to send the request to the Data Protection Officer at County Hall, Beverley;
  2. Staff should advise the person making the request that they should provide sufficient information with their request, to make it possible to identify the individual and locate the personal information held by Children's Social Care;
  3. Following notification from the Data Protection Officer that a request for access to personal information has been received, a search for any information held by Children's Social Care should be undertaken;
  4. If no personal data is held, the individual should be informed within 1 month;
  5. If personal information is held, the request should be sent to the appropriate Team Manager for further action. The appropriate Team would be that covering the child's home address at the time that they were involved with Children's Social Care;
  6. A review of the information held regarding the data subject should be undertaken, and any third party consents should be obtained, where it is reasonable to do so, for their details to be disclosed;
  7. If it is felt that any information held should not be disclosed to the person making the Subject Access Request, consideration must be given as to whether any exemptions apply, under the Data Protection Act 2018, and the person making the request should be informed, in writing, of the reasons for the information being withheld;
  8. If no exemptions apply, arrangements should be made within 1 month of an appropriate request being received, for the data subject to have access to their personal information held by Children's Social Care;
  9. Copies of any personal information should be supplied;
  10. Information given in response to a subject access request should be all the personal information held at the time of the request, unless one or more of the exceptions apply;
  11. If the data subject makes an application for any information to be rectified or deleted, which they consider to be inaccurate, a decision must be made on whether to comply with this request and the data subject must be informed in writing of the Council's response with a full explanation of the reasons for refusing to amend the information. Local authorities have 1 month to respond to any such requests.