
3.2 Access to Records/Subject Access Request


This chapter was updated in July 2016 and should be re-read throughout.


  1. What is a Subject Access Request?
  2. SAR Procedure
  3. Requests made by Another Organisation
  4. Requests Not Covered by this Procedure
  5. Requests for Access to Records of a Deceased Person
  6. Advice and Support

1. What is a Subject Access Request?

Subject Access Requests can also be called Access to Records Requests. A Subject Access Request (SAR) is simply a written request made by, or on behalf of, an individual for the personal information which the Council holds about them. A request is made under the Data Protection Act 2018 (DPA). The request does not have to be in any particular form. Nor does it have to include the words ‘subject access’ or make any reference to the DPA. Indeed, a request may be a valid SAR even if it refers to other legislation, such as the Freedom of Information Act (FOIA).

For information to be personal data, it must relate to a living individual and allow that individual to be identified from it (either on its own or along with other information likely to come into the Council’s possession).

Most Subject Access Requests are managed centrally by the Complaints and Information Team. This procedure provides guidance to all staff receiving requests for information and explains where specific responsibilities lie across the Council.

2. SAR Procedure

  1. People can ask to see the information the Council holds about them by making a 'Subject Access Request' in writing. An emailed request is as valid as one sent in hard copy. Any written request received should be forwarded to the Complaints and Information Team (C&IT) at The Council’s website has a request form which includes all the detail needed to deal with the request. Individuals can be directed to the form, which makes the process easier; however, any written request is a valid one;
  2. Requests can be made via a third party. Often, this will be a solicitor acting on behalf of a client, but it could simply be that an individual wants someone else to act for them;
  3. To avoid personal data about one individual being sent to another either accidentally or as a result of deception, C&IT need to be satisfied about the identity of the requester and will ask them for forms of identification, unless the requester is already known. If the request is being made by a third party on behalf of the data subject, then evidence of consent will be asked for;
  4. In the event of a parent requesting their child’s records, if the child is 12 or over, consideration will be given to obtaining their consent;
  5. The DPA requires that the information supplied to the individual is in intelligible form. At its most basic, this means the information should be understandable by the average person. C&IT will usually supply this information electronically on an encrypted disc, unless there is a specific request for it to be in paper form;
  6. The Council is required to respond to a Subject Access Request promptly and in any event within 40 calendar days of receiving it;
  7. C&IT will download records direct from Mosaic, and request others from Solutions4Data and the Records Management Service; these will be scanned and saved electronically. Records will be redacted in accordance with the DPA (see the main exemptions applied in Annex A);
  8. Each case will be redacted by one officer in C&IT and then peer reviewed by another. The Senior Practitioner will quality control a sample (10%) of cases;
  9. If cases are very large, C&IT will liaise with the requester about their priorities and carry out partial releases. C&IT will also speak to the requester to refine their request in appropriate cases;
  10. Performance against the KPI is reported to the Information Management Group quarterly.

3. Requests made by Another Organisation

Requests received from an outside agency (i.e. CAFCASS, Ofsted, Health or Social Worker) wanting VERBAL or WRITTEN confirmation of specific information from a file are dealt with by the Safeguarding Children Information Management Team (CIMT – Safeguard).
Email: (Please also see Annex B).

Requests received from an outside agency wishing to visit to VIEW files held are dealt with by the locality team who handled the case at the time. (Please also see Annex C).

4. Requests Not Covered by this Procedure

The Complaints and Information Team manage most SARs unless it is a request relating to HR records.

Other types of request for information are dealt with elsewhere in the Council.

Day to day business: If, in the course of a normal working relationship, a service user asks a worker to see the current records that the worker has made about them, this should not be treated as a 'Subject Access Request'. Staff should share the records they have made with the data subject as a matter of good practice and this should be recorded as part of ongoing work with the service user.

Requests from members of the public or third parties asking for a copy of a specific item of information only (e.g. an assessment, or a specific letter or document) should in the first instance be forwarded to the responsible team manager who produced that document; the team manager should make the decision whether or not to disclose and if any redactions are needed (further guidance given in the procedure below).

Cases in which there is an existing legal claim (or the possibility of one), for example Beechwood and Operation Xeres: these MUST be referred to the Risk and Insurance Team in the first instance:

Police requests: refer to Legal Services in the first instance.

Court ordered requests: refer to Legal Services in the first instance.

Adopted Adults: refer to the Support After Adoption Team.

HR records: Please contact your HR department Practitioner or, alternatively, telephone the HR Duty Desk, which will direct you to the appropriate place. Telephone: 0115 977 4433.

5. Requests for Access to Records of a Deceased Person

Data on a deceased person is confidential; however, it is not covered by the Data Protection Act but instead by the Freedom of Information Act.

In deciding whether to allow access to an individual requesting information in relation to a deceased person we will need to consider any responsibility of confidentiality to that deceased person.

We should also consider the rights of the applicant and data subject under the Human Rights Act, Article 8 - the right to respect for a private and family life.

6. Advice and Support

Some types of personal data are exempt from the right of subject access and so cannot be obtained by making a SAR. Information may be exempt because of its nature or because of the effect its disclosure is likely to have. There are also some restrictions on disclosing information in response to a SAR where this would involve disclosing information about another individual, for example.

The Complaints and Information Team can offer advice on what information can and cannot be disclosed (see also Annex A).

The first point of advice in respect of requests for access to records is the Complaints and Information Team:

County Hall,
West Bridgford,
0115 9772788.

Data controller - the data controller is Nottinghamshire County Council as a legal entity.

Data subject - an identified or identifiable, living individual who is the subject of personal data.

The Information Commissioner's Office (ICO) produces good practice guidance and other information relating to access to records and data protection which can be found at