Appendix 4
Individuals' Rights of Access - Procedures for Handling Requests for Access to Information - (Subject Access)
All partners will have internal procedures in place for handling and responding to requests for access to personal data. The following procedures will be used for dealing with requests that refer to information held for Crime and Disorder purposes.
- On receipt of a request, if the request refers only to information owned and processed by your Organisation, you should follow your standard procedures for dealing with requests.
- If personal data is identified as shared, or belonging to another partner organisation, it will be your responsibility to contact the data owner. An example of this would be information that is held jointly in the Youth Offending Teams. The data owner should be contacted via the nominated contact person to determine whether they wish to claim an exemption to withhold the information under the provisions of the Data Protection Act.
These provisions allow for situations where information is held:
- For the prevention or detection of crime
- For the apprehension or prosecution of offenders
- For the assessment or collection of any tax or duty (Section 29 (1) of the 1998 Act)
- For certain types of information held for health, education and social work purposes, statutory instruments have been published, and are available on the internet at: www.homeoffice.gov.uk
- That is relevant to the making of judicial appointments
- In respect of a claim to legal professional privilege
- For preparing statistics or carrying out research
- Where disclosures are prohibited by law e.g. information contained in adoption records
- Where orders have been made modifying the right to subject access e.g. data held by financial regulatory bodies.
Decisions for withholding information should be taken with care, and if necessary, professional advice sought. They should also be formally recorded in case of subsequent dispute. There is no requirement to inform the individual requesting access that information has been withheld from them for these purposes.
Third Party Information
Where you cannot comply with the request without disclosing information relating to another individual who can be identified from that information, you are not obliged to comply with the request unless:
- The other individual has consented (in writing) to the disclosure of the information to the individual making the request, or
- It is reasonable in all the circumstances to comply with the request without the consent of the other individual. In determining whether it is reasonable, regard shall be had, in particular to:
- Any duty of confidentiality owed to the other individual
- Any steps taken by the data owner with a view to seeking the consent of the other individual
- Whether the other individual is capable of giving consent, and
- Any express refusal of consent by the other individual.
All correspondence and action taken should be recorded, and notes of meetings made where possible, in case of subsequent dispute from the individual that their request for information has not been adequately met.
40 Day Time Limit
Requests must be dealt with as quickly as possible, so that you can respond to the request within the 40 day statutory requirement from the date that sufficient information is received from the individual that enables you to process the request.