Requests for personal information can come from many sources; deciding how to respond can be difficult to get right. There is always the risk of disclosing either too much or too little information. Being unclear about your approach can lead to headlines or enforcement action. You must achieve the right balance.
On the one hand, you must maintain confidentiality: you must not disclose personal information where there is no justification. On the other hand, disclosure is often necessary: as part of joint working; to assist the police (among others); to meet individuals' rights of access; or when handling queries or complaints.
Any disclosure – over the phone; in person; letting someone view a file; sending the information via an email or in the post – must comply with the Data Protection principles.
- Individuals have a legal right (called Subject Access) to request access to their own personal information. You have to respond to a valid request within 40 days.
- Nobody else – whether an individual or an organisation – has an automatic right to access the personal information of someone else.
- You must review the information before any disclosure (Part 2 of our guide will look at this in detail).
Recognising the four main types of request
Subject Access Requests
1. Someone seeking their own personal information.
2. Someone exercising the individual’s Subject Access right on their behalf, e.g. a parent on behalf of their child; a solicitor on behalf of a client; an advocate on behalf of a client.
Requests by organisations
3. They can ask you to disclose personal information, e.g. to assist an investigation. This would be a voluntary disclosure by you.
4. They can require you to disclose personal information, e.g. because of a court order or a legal requirement. This would be a compulsory disclosure by you.
In all cases, you must confirm the identity of the person making the request before (i) discussing their request or (ii) responding (i.e. making the disclosure).
- If the request is being made on behalf of someone else (2), always confirm the authority the requester is relying on to make the request on that person’s behalf, e.g. informed consent; power of attorney.
- If the request is from an organisation (3 & 4), always confirm the basis on which the request is being made – are you being asked to disclose, or being told you must disclose?
In all cases, you must keep appropriate records, e.g. proof of identity; a copy of the request (an application form, or a letter on headed paper if from an organisation); and your rationale for withholding some or all of the personal information from the requester, or for disclosing the personal information to an organisation.
Next step – Reviewing personal information
You have correctly identified a request and located the personal information. Before making a disclosure, you must now review the personal information.
Part two of our guide will explain why, and what to look out for.