The DPA gives you the right to have a copy of your personal data. This is generally known as a Subject Access Request (SAR).
How to make an effective Subject Access Request
You do not need to specifically refer to the DPA or use the phrase ‘Subject Access Request’. The most important thing is that we can identify you and what information you are asking for.
Everyone can make a written request to Camden for the information we hold about them. You might want to have a copy of your housing file, or your social care records or your housing benefit file. You can ask for all the information we hold about you or just for a small amount e.g. for particular documents or for a specific date range. Please only ask for the information you need, to save time and allow us to be more efficient.
The ICO recommend you include information such as:
- your full name, address, and contact telephone number
- any information that we use to identify you, such as a housing application number or any other unique identifiers
- details of the specific information along with relevant dates, for example:
- your housing benefit file
- emails between ‘name’ and ‘name’ between 2/8/2016 and 06/01/2018 about your complaint
- copies of statements (between 20010 and 2016) held in account number xxxxx
If you think it would help us locate the information, then an explanation of why you are seeking the information may be useful. If you can tell us about a specific team or officer that you think will have the information this will help us to find the information.
If you need us to make any reasonable adjustments for you due to disability, such as using Braille or large print, please contact us to discuss this.
Making a request on someone else’s behalf
If you are making a SAR for someone else we must be satisfied that you can act on their behalf. This may mean that they have given you their consent or you have the authority to represent them such as Power of Attorney. We will need to confirm the identity of the person you are representing and see evidence that you have been appointed to act on their behalf. If relying on consent we will need to check they have given informed consent as we need to be sure the person you represent understands what is being requested and the consequences of the request. We may contact the person to discuss this with them if appropriate.
Requests by parents or guardians about children
Parents often make SARs for information about their children. However, the personal data belongs to the subject of the data even if they are children. Children can have their own data when they are ‘competent’, which means the child can understand what it means to make a request and understand their rights. When a child is competent Camden should respond to the child.
In England, the law does not give an age to say when a child can be assumed to understand their rights and make a SAR: it depends on the individual child. The new Data Protection Act gives age 13 for ‘information services’ and we have used this as our basis. Where the child is aged 12 years or older we will normally contact them to confirm how we should go ahead. We will consider the child’s level of maturity and any views they may have about the disclosure of the information. In all requests made on behalf of children, Camden will carefully consider all the circumstances when deciding whether to respond directly to the parent or the child.
We will remove (redact) information if one of the exemptions applies. These exemptions include:
- Third party information. This is the most common exemption. Third party information means information about other people i.e. not the data subject themselves. We cannot refuse to disclose information just because it has come from a third party. Camden will consider if it is fair to disclose the information or not. Where the information is purely work related or already known to the data subject then it will be fair to release it.
We will disclose third party data with consent, or without consent if we consider it is reasonable to do so. When considering if it is reasonable to disclose without consent we will take the following into account:
- the type of information
- what the data subject already knows
- any duty of confidentiality to the third party
- any steps we have taken to consider consent or the third party’s views
- any express refusal of consent from the third party
The following will be disclosed without consent as there is an assumption in the law that this is reasonable:
- names and so on of health professionals involved in the data subject’s care
- names of children’s court officer
- names and so on of social workers
- names and so on of teachers and other education workers
- Legal advice where it is covered by legal professional privilege
- For crime and taxation reasons. An example is if the data subject is under investigation for benefit fraud, and giving them information is likely to make them destroy evidence or abscond we would be allowed to withhold the information.
- References given by Camden where given them in confidence and for the purposes of an individual’s education, training, or employment or the provision of a service by them.
- Management forecasts where disclosure is likely to prejudice the conduct of the business such as by causing unrest among staff.
- Negotiations with the requestor where disclosure would prejudice negotiations with the requestor, for example, information showing what Camden would pay to settle a court case.
- Health, social work or education records: when an appropriate professional tells Camden that release of the information in these records is likely to cause serious harm to the mental or physical health of the data subject or someone else, the information can be withheld.
- Legal prohibitions – such as where a specific piece of law forbids disclosure under a Subject Access request. Examples include adoption records and reports, Special Educational Needs (SEN) statements and Parental Order records.
Explaining the response
We must provide the information in a form that is understandable to the average person, so we must explain any technical terms, abbreviations, or codes that you would not be expected to know. We are not required to translate the information into other languages or offer explanations beyond those described above.