Subject access request

Under the General Data Protection Regulations (GDPR), individuals have the right to find out and obtain copies of the personal information held about them by the Council. This request is known as a Subject Access Request (SAR).

• Confirmation that the personal data is held by the Council
• The categories of the personal data
• A copy of the personal data 
• Details on why it is being used
• Who it has been/will be shared with
• How long it will be held for
• The source of the personal data
• Details of the rights to rectification, erasure and objection
• Details if the Council uses computer systems to make judgements or take decisions about the individual
• An electronic copy of the personal data
• The right to complain to the Information Commissioner’s Office.

• It would be likely to affect personal information about other individuals
• It would prejudice the prevention and detection of crime or apprehension or prosecution of offenders
• The personal information is already available, for example through public registers
• It relates to confidential references given by the Council
• It is personal information that would prejudice negotiations
• The information is an examination script 
• The personal information is subject to legal professional privilege
• It is personal information which Social Work or Education professions consider would be significantly harmful to release.

• Your own social worker
• A nominated social worker
• Additional direct support from the child care and placement team
• Support from an independent agency.

The General Data Protection Regulations (GDPR) aims to empower the individual, providing transparency and allowing individuals to question and challenge the way organisations hold and use information about them.

To support this GDPR provides a set of rights that each person maintains over their information while in the care of organisations.

These rights are:

• Right to be informed
• Right of access
• Right to rectification
• Right to erasure
• Right to restrict processing
• Right to data portability
• Right to object
• Rights related to automated decision making including profiling.

It is the responsibility of each employee of the Council to recognise requests from individuals to exercise these rights.

On receipt of a request the employee will inform the Council’s Data Protection Officer. The request will be sent immediately to dpo@eastdunbarton.gov.uk

The most commonly used right is that of access. Every individual has the right to request access to the personal information that the Council holds about them.

This is known as a Subject Access Request. These procedures offer guidance on how to deal with such a request and are produced in line with the Council Data Protection Policy.

Any service area may receive a request from an individual to access their personal information. It may come in the form of a letter, email or a telephone call, anywhere the individual advises that they wish to obtain the information held about them.

It is the Council’s duty to recognise this type of request and initiate our Subject Access Procedures in order to confirm the identity of the individual making the enquiry.

The Council has produced a Subject Access Request form, which is used to formalise requests for access to personal information. This form demands that the enquirer satisfy the Council as to their identity as well as advise what personal information is required.

Requests for personal information are often mistakenly submitted as Freedom of Information requests. If a request for personal information is submitted under the heading of a Freedom of Information enquiry then a refusal under the Freedom of Information (Scotland) Act 2002 must be issued, along with a copy of the Council’s Subject Access Request Form. The receipt of the Subject Access Request form will start the formal Subject Access procedures

Individuals often empower an agent to act on their behalf when seeking copies of their own information. This could be a family member, friend, the Citizen’s Advice Bureau, an advocacy organisation or a solicitor. The Council requires a formal mandate as evidence that the agent has the individual’s authority to do so.

Individuals are not allowed to obtain the personal information of another person without that individual’s authority.

In Scotland a child of 12 and over is eligible to access their own records as long as they can prove suitable maturity. However, there is no legal reason why a child aged 11 or younger cannot access their records if they can demonstrate suitable maturity. If in doubt, please seek advice.

Parents may make an access request on their child’s behalf if the child is under 12 or unable to demonstrate suitable maturity, for example due to lack of capacity. The Council must be satisfied that the request is being made on behalf of, or in the interests of, the child.

Parents do however have a statutory right of access to their child’s education records. Requests of this nature are dealt with under the Pupils' Educational Records (Scotland) Regulations 2003.

Any request to obtain another person’s information without that individuals consent should be treated as a Freedom of Information Enquiry. The Council’s Freedom of Information/ Data Protection Officer will advise.

When satisfied with the validity of the request the data must be provided to the individual in an intelligible form within one month.

Where a request is particularly large or complicated the Council can advise the enquirer that additional time is required to respond. If this is clearly the case, the Council must write out to the individual as soon as is possible to explain that additional time is required.

If a request is clearly unreasonable, by being vast in scope or a repeatedly made, then the Council can charge a reasonable fee for providing the response. The Council may also refuse a request on these grounds. To do so the agreement of the Council’s Data Protection Officer and Strategic Lead must be obtained.

The timescale to calculate a month will start the day after the request is received.

The Council will respond on the corresponding date the next month.

If the time period starts on the 31st day of the month and there is no corresponding 31st day the next month then the response must be issued on the 30th of the next month.

Requests received on 29th, 30th or 31st January must be answered on 28th February.

Where the due date falls on a weekend the request must be issued the Monday after that weekend.

Each service area is responsible for identifying, collating and providing the enquirer with the personal information held by their service remit.

A data subject is entitled to receive:

• Confirmation that their personal information is held by the Council
• A copy of that personal data
• Details on why it is being used
• Who it has been/ will be shared with
• How long it will be held for
• The source of the information
• If the Council uses computer systems to monitor or take decisions about the individual.

The individual is entitled to request the information about them held in both the Council’s electronic and manually held records. This includes the notes and work emails of all East Dunbartonshire Council employees.

The Freedom of Information/ Data Protection Officer will provide advice and assistance to each service area dealing with a Subject Access Request and where necessary will visit that service area to assist with their request.

Where the individual requesting information was formerly or is currently under Local Authority Care additional support will be offered in order to assist them make the request and understand the information being provided.

Where required, all workers must ensure that these individuals are given the option of support from their own Social Worker, an allocated Social Worker, the Child Care Planning and Placement Team or an external third party.

Before any personal data is released each part should be analysed to determine if it is subject to an exemption.

Common exemptions that could affect the Council are:

• Information that would prejudice the investigation or prevention of crime
• Regulatory activity
• Information available under another enactment e.g. information held in birth/marriage/death registers, electoral roll, planning applications etc.
• Legally privileged information
• Examination scripts
• Personal references given by the Council.

In particular medical, social work and education records are subject to a number of special exemptions which govern their disclosure.

In the majority of cases the Council’s need to refuse to provide information will be because the information contains information that may identify another living individual.

If the personal information of an enquirer contains that of another person, then decisions must be taken over how far we are able to release the data.

If possible, the other individual should be contacted, and his/ her permission sought to release the information.

If this is not possible then the Council should investigate how far we are able to release the enquirer’s details without identifying the other person.

If in turn this is not possible then the Council must decide if it is appropriate to release the other person’s information to the enquirer or exempt it from our response.

• The following are not a reason for non-disclosure of an individual’s personal data
• The document includes subjective comments
• The documents may cause employee’s professional or personal embarrassment
• The document demonstrates that policy and/or procedure was not followed
• The documents shows that the Council or an employee has been at fault.

The Freedom of Information/ Data Protection Officer will provide advice and guidance to each service area in the use of exemptions. He/ she will visit that Service area to work through the information and help prepare the response.

The Council’s use of exemptions should be recorded. Enquirers are entitled to challenge the Council’s response and may appeal to the Information Commissioner’s Office (ICO) should they be unhappy or feel that more information should have been provided.

Enquiries requiring the input of a single service area will be responded to directly by that service area.

Should the service area wish to assist the enquirer by inviting them to look through their information along with a Council Officer, then a copy file will be prepared. Enquirer’s are not allowed to look through the Council’s working files in case of any accidental loss or damage.

The response will contain a covering letter briefly advising the enquirer what is contained in the response and providing the Freedom of Information/ Data Protection Officer’s details to revert back to if they should be unhappy with the response.

Where requests require input of more than one service area then each service area will respond directly, unless the enquirer requests a single response. Each area will respond as per the procedures given above.

In the event that the enquirer wants a single collated response, the service areas will prepare the information along with a covering letter but return this to the Freedom of Information officer in a sealed envelope labelled with the Enquirer’s name and which service area the information is from. The Freedom of Information/ Data Protection Officer will send all the information in a single response.

Having responded to an enquiry, a close off sheet will be sent electronically to the Freedom of Information/ Data Protection Officer who will use these as evidence of the response on the tracking database.

Subject Access Request Responses must be sent to the individual by special delivery post or electronically using Egress Switch.

If the individual has requested the information in another format, e.g. pdf or Braille, then this request should be honoured as far as is practicable.

Every Subject Access Request must be closed on the Council’s SAR Tracking Database once it has been responded to.

The Council’s Information Management Team will attach a copy of the completed close-off sheet to the database entry.

If you need further information on the process, or have suggestions about any improvements we could make to this guidance, please contact:

Freedom of Information/Data Protection Officer
East Dunbartonshire Council,
Legal & Democratic Services
Broomhill Industrial Estate
Kilsyth Road
Kirkintilloch
G66 4QF
Telephone No. 0141-578 8057

Email: foi@eastdunbarton.gov.uk