Individuals have the right to obtain copies of the personal data held by organisations about them (this is known as a ‘data subject request’). Generally the right is limited to personal data about the person making the request (but see below relating to children and people who lack the ability to make the request themselves). A response to the request should be made within a month and generally no fee can be charged for providing this.
The Information Commissioner’s Office (ICO) has issued guidance about data protection rights and duties. This advises that authorities make available standard on-line subject access forms and most public bodies now do this. In addition the ICO has issued a template letter for making such a request.
Before providing the information in a data subject request, authorities must be satisfied that the request is made by the person to which the information relates – although ICO guidance stresses that they should be guided by the principle of ‘proportionality’ when deciding if further information is required to confirm identity before responding to a request.
Requests concerning children and people with impaired mental capacity
Requests can be made about information concerning another person – provided he or she agrees and provides appropriate evidence to this effect (for example a ‘letter of authority’). If the person lacks the necessary mental capacity to make the request themselves ICO guidance advises, however, that an attorney with authority to manage the person’s property and affairs (LPA) or a court appointed deputy will be able to make such a request. If there is no such person then the Code of Practice to the Mental Capacity Act 2005 advises on the applicable principles in such cases, including where there is no LPA or deputy:
16.19 Healthcare and social care staff may disclose information about somebody who lacks capacity only when it is in the best interests of the person concerned to do so, or when there is some other, lawful reason for them to do so.
16.20 The Act’s requirement to consult relevant people when working out the best interests of a person who lacks capacity will encourage people to share the information that makes a consultation meaningful. But people who release information should be sure that they are acting lawfully and that they can justify releasing the information. They need to balance the person’s right to privacy with what is in their best interests or the wider public interest … .
16.21 Sometimes it will be fairly obvious that staff should disclose information. For example, a doctor would need to tell a new care worker about what drugs a person needs or what allergies the person has. This is clearly in the person’s best interests.
16.22 Other information may need to be disclosed as part of the process of working out someone’s best interests. A social worker might decide to reveal information about someone’s past when discussing their best interests with a close family member. But staff should always bear in mind that the Act requires them to consider the wishes and feelings of the person who lacks capacity.
16.23 In both these cases, staff should only disclose as much information as is relevant to the decision to be made.
This approach is echoed by the Health and Social Care Information Centre guidance on ‘Confidentiality in health and social care’ (2013) which states that where a person lacks capacity to give valid consent to the sharing of personal information with family members and/or carers, the decision about information sharing is to be made in the person’s ‘best interests’.
Children have the same rights as adults over their personal data which they can exercise as long as they are competent to do so. Where a child is not considered to be competent, an adult with parental responsibility may usually exercise the child’s data protection rights on their behalf.