Our research found that people experienced multiple barriers when accessing their information. Challenging communication and long delays were the most commonly cited barriers.  

Organisations not releasing records, or providing redacted records without explaining why, also created a negative experience and distrust. 

We heard that bureaucratic, cold processes felt infantilising and removed agency from people. An empathetic, person-centred approach can make the difference between an empowering experience and an experience that causes emotional harm and distrust. 

The information contained within records, including the context surrounding personal information, can be a vital part of someone’s story.

Our research identified that applying exemptions was a challenging and time-consuming part of the job. As a result, some organisations take a risk averse ‘if in doubt, take it out’ approach, but this could mean that people don’t receive the information they are entitled to that helps them understand their life history.

Receiving a subject access request (SAR)

You could train all staff to handle requests for care records empathetically and understand how sensitive and important these records are to people. 

You could provide a single point of contact for people with care experience to ask questions to as they go through the request process. You could also offer them the opportunity to discuss their SAR when they first contact you. This would allow you to take the following actions: 

• Prepare people for what to expect

  Historic practices and past attitudes in social care were different from practices today. Records may contain upsetting or otherwise outdated language or descriptions used by professionals. You could flag this early on. This helps prepare people. If you do identify this kind of language and attitude as you prepare the response, if possible, clearly mark which parts of the record it is in so that people can decide when and how to read it. You can also let people know that records may include unreadable handwriting or handwritten notes. Where this is the case, you should give the person any additional information you hold that could aid their understanding.

• Offer support

  The records may contain difficult or unexpected material that does not meet the bar for the serious harm exemption, but nonetheless may be upsetting. For example, records may or may not reflect a person’s recollection of events. You could offer in-house support or advise the person to consider whether it would benefit them to access support from an advocacy service or a trusted friend while they review their records.

• Clarify the scope of the request

  In some cases, the person will only want a specific piece of information that you can disclose quickly. Having a conversation to understand what someone wants, and what they already know, can help you respond more quickly and may help you disclose more information. If the scope of the request is unclear and you hold a lot of information about the person, you can ask them to clarify what they want before you respond to their SAR. You should ask for clarification as soon as possible and you can pause the time limit until they respond. This is sometimes referred to as ‘stopping the clock’ - you can read more about stopping the clock in our detailed guidance.

• Provide choice

  Where it is practical to do so, you could give people a choice about a suitable time or date to receive their records. You could notify them when they will arrive, particularly if the records are large physical copies. Some people may wish to receive their records in batches, particularly if this means they get some information more quickly. Visually, redactions can be distressing so you could offer people a choice about the colour of the redactions. Legally, you must provide information in writing, or by other means, including, where appropriate, electronic means. But, you could discuss communication preferences with the people you support. Not everyone has easy or regular access to computers, phones, or the internet, so you could aim to offer a range of communication options. If a person requests information to be provided orally, you can do this. 

Identity check

If you’re confident about the person’s identity, you must respond to their request without delay and in any event within one month of receiving it.

Otherwise, you need to be satisfied that the information you disclose relates to the person who has requested it. You can ask for enough information to make that judgement, but you should be reasonable and proportionate about what you ask for. This means you should only request formal ID documents if necessary. Explain why this is a necessary part of the process. You could discuss what other ways their identity can be verified (eg through knowledge-based verification or by validating your previous contact with them, or both). Some care experienced people may not have formal or traditional forms of ID so having a process in place for knowledge based verification will be important.  

It is best not to ask people to re-provide ID due to delays in responding to their SAR. Keeping in touch with the person on a regular basis will allow you to test whether their contact information is still up to date.

Although you don’t need to keep copies of ID documents, you could keep a note of: 

• what ID documents the person provided;
• the date you verified them; and
• details of who in your organisation verified them.

Third-party requests

If you receive a SAR for care records from a third party acting on behalf of someone with care experience, you must be satisfied that: 

• the third party has authority to act on behalf of the person; and
• the person understands that their representative may have access to very sensitive information about them.  

You must ensure that it does not go against their expectations or wishes, if the third party is:

• someone acting with parental responsibility for a person aged under 18 (or 16 in Scotland); or
• appointed by court to manage the affairs of a person who is incapable of managing their own affairs. 

This is because there is an exemption on disclosure of social work data in these circumstances. 

In other cases, if it’s appropriate, you could contact the care experienced person to discuss any concerns, unless they’ve made it clear they don’t want you to contact them.

Sensitive redactions 

You must apply exemptions carefully, on a case-by-case basis and not in a blanket fashion. You must be able to justify why you’ve applied an exemption.

Where the decision is finely balanced, you should keep an account of your reasoning. This helps you comply with the accountability principle and allows you to revisit decisions if necessary, such as when you receive a complaint.

The ‘rights of others’ exemption allows you to withhold information that is about other people. It’s designed to protect the privacy of other people. But it’s not a blanket way to withhold all information about others if that information relates to the requester and decisions made about them in care. You should follow the three-step process set out in our detailed third-party guidance to determine what to disclose. 

Prioritise redacting third-party, and other information, which has the highest potential to cause harm. There will be some information about third parties which is too sensitive and confidential to release unless you’re able to obtain the consent of the third party. 

You should avoid disclosing pages of text that have been wholly or largely redacted as this can be visually jarring and distressing. It’s poor practice. Instead, you could consider extracting the information that you can share and putting it in a separate document. 

Providing context to the information you can provide is key to helping people understand. You must provide enough contextual information to make the response intelligible and easy for the person to understand. For example, if you extract personal information such as a person’s name and provide it without context, it’s unlikely that you’ll have complied with your legislative requirements. It’s often better to leave information in, unless an exemption applies, rather than disclose a file of 100 pages where only someone’s name is visible.

Ensuring security when providing the records

You must securely provide a person with a copy of their personal information in response to a SAR. If you have concerns about security, you should work with the person to address this, rather than withhold the information.  

Some people may not have a safe and secure place to store or access the records you provide. For example, where there is a risk that other people could access their records, they have no fixed address, or they are in prison. You could offer them the choice to read their records in a safe and secure space at your premises. Make sure you give them enough time to read and absorb the record. Remember they still have the right to a copy of their information. 

Remote access systems 

If you provide information to people using a remote access system, you must ensure they are also able to download a copy in order to comply with the SAR. Remember, not everyone may have easy access to a computer or the digital skills to use a remote system. They may need assistance in using the system or accessing and downloading the information. Discuss this with the person requesting the information and offer this assistance if required. You should make it clear that they have a right to make a reasonable request for their information to be provided in a different format. Ultimately, if someone is unable to use, or does not want to use, a secure online platform to access their information, you should respond to the SAR using alternative methods.

Reading the information in a care record can be emotionally difficult, distressing and potentially traumatic. A person with care experience may not feel ready to access their records immediately after you respond to their request. If you provide time-limited access to a secure platform, discuss with the person when they would like to be able to access their information. You should give someone a reasonable amount of time to access their information and to download a copy to read in their own time. 

You should ensure that downloading a copy is not unduly onerous (eg having to download a number of individual files). Where possible, ensure people can download the information in one document and give them clear instructions on how to access it. If you have to provide the record in multiple documents, you must ensure they are intelligible and clearly labelled. Receiving a large volume of poorly labelled or ordered records can have a negative impact on someone, both for physical and digital records. 

Providing the response 

Remember that you must provide the information to the person (or their appointed representative). A person isn’t required to take action to receive the information (eg by collecting it from your premises), unless they agree to do so.

Help people understand the language and terminology in their records and about data protection. Avoid using overly technical or legalistic language and provide clear explanations when they are necessary. You could have a glossary of commonly used terms such as redactions, exemptions, personal data, processing, or third-party data.

You could put records in chronological order. This will help people make sense of their history in care more easily. If it is not feasible, explain that some records may not be in chronological order and why.

Continuous improvement

You could ask for feedback from people in care and who have recently left care about your right of access process so you can make improvements.