A Subject Access Request (SAR) or Data Access Request (DAR) is a legally binding request under the UK GDPR and Data Protection Act 2018 that allows individuals, including looked after children and care leavers, to obtain copies of their personal data. For social care professionals, handling these requests requires a dual approach: ensuring strict legal compliance within the mandatory one-calendar-month deadline, while employing a trauma-informed lens to safely deliver what is often the only written narrative of a child’s early life.
Drawing upon over seven years of frontline health and social care experience and anchored in NVQ Level 4 operational leadership standards, Looked After Child Limited views the SAR process as far more than a bureaucratic exercise. When a care-experienced individual requests their files, they are asking for their history. How we manage, redact, and deliver that history can significantly influence their emotional wellbeing, placement stability, and long-term trust in the system.
Here is how professionals across the sector—from residential workers and foster carers to social workers and data officers—must handle Data and Subject Access Requests both legally and morally.
Table Of Contents
1. The Legal Framework: Timelines and Compliance
Under current data protection legislation, any individual has the right to access the personal information an organization holds about them. In the context of children’s social care, this process is strictly regulated.
- Recognizing a Request: A SAR does not need to include legal terminology, nor does it require a specific form. A young person stating to a House Manager, “I want to see everything the local authority has written about me,” is a valid, legally binding Subject Access Request. It can be made verbally, via email, or even over social media.
- The Timeline: Upon confirming the identity of the requester, the organization has one calendar month to provide the requested information. This can be extended by a further two months if the request is exceptionally complex, but the requester must be notified of this extension within the first month.
- Verifying Identity: Before releasing sensitive social care data, professionals must be absolutely certain of the requester’s identity. While a young person currently living in your residential home will not need to provide a passport to staff who know them, a care leaver approaching a local authority years later will need to provide proportionate identification (e.g., photo ID and proof of address) to prevent fraudulent data breaches.
- Assessing Competency: Children have the same data rights as adults. Generally, a child aged 12 or 13 is considered to have sufficient maturity (Gillick competence) to understand and exercise their data rights. If a child is competent, they can make their own request, and professionals should respond directly to them rather than a parent or carer, unless the child has explicitly consented otherwise.
2. The Moral Responsibility: Trauma-Responsive Practice
To a data controller, a file is a collection of chronologies, incident reports, and risk assessments. To a looked after child, it is the missing puzzle pieces of their identity.
The terminology used by professionals in care records is often clinical, deficit-focused, and highly sanitized. Reading decades-old reports detailing abuse, family breakdown, or the reasons for moving foster placements can be deeply destabilizing. Our moral responsibility is to ensure that legal compliance does not supersede human compassion.
The Challenge of Redaction
One of the most complex operational tasks in processing a SAR is redaction—the removal of third-party information. Under GDPR, you cannot indiscriminately disclose information about other identifiable individuals (such as parents, siblings, or the individuals who reported safeguarding concerns) without their consent, unless it is “reasonable” to do so.
However, over-redaction causes immense distress. Receiving a file heavily obscured by black marker can feel like a secondary trauma, erasing the context of a child’s life. Professionals must carefully balance a third party’s right to privacy with the care-experienced person’s right to family life. For example, redacting the names of siblings a child was separated from in early life requires a rigorous, recorded justification balancing these competing rights.
(Note: For highly granular, raw case studies analyzing the psychological fallout of poorly managed file disclosures on care leavers, authorized professionals can access the secure Lived Experience Vault. In this public-facing guide, our focus remains strictly on operational safeguarding and procedure.)
3. Operational Best Practices for Professionals
When a DAR or SAR is initiated, health and social care professionals must operate collaboratively to ensure the process is safe, legal, and supportive.
- Clarify and Support: If a young person requests their entire file (which could be thousands of pages), gently help them refine their request. Ask what specific periods or answers they are looking for. Do they want to know why they were placed in care? Are they looking for medical history? Refining the search yields faster, more relevant answers.
- Apply the Serious Harm Exemption Carefully: Under data protection law, there is a specific exemption for health and social care data: information can be withheld if disclosing it would likely cause serious harm to the physical or mental health of the data subject or another person. This is a high threshold. It cannot be used simply because the information is upsetting; it must be backed by a professional assessment that severe harm would result.
- Ensure Placement Stability: Foster parents and residential workers must be informed (with the young person’s consent) when a SAR is being processed. The period surrounding file disclosure is highly sensitive. Carers need to act as protective factors, providing heightened emotional availability and routine to mitigate the risk of placement breakdown.
- Deliver Compassionately: Never post a box of raw, redacted files to a young person without support. Best practice dictates that a social worker or trusted professional should offer to sit with the individual, help them decode institutional jargon, and provide immediate emotional support as they process their narrative.
Frequently Asked Questions (FAQs)
Q: Can a foster parent or residential keyworker make a SAR on behalf of a looked after child? A: Only if they have the legal authority to do so. If the child is deemed competent (usually 12+), the child must give explicit consent for the carer to act on their behalf. If the child is younger or lacks capacity, those with Parental Responsibility (PR)—which usually includes the Local Authority and sometimes the birth parents—must authorize the request.
Q: What happens if redacting third-party data makes the record completely unreadable? A: Data officers must perform a balancing test. If removing third-party data makes the young person’s own data unintelligible, the professional must decide if it is reasonable to disclose the third-party information without consent. This decision must document why the requester’s right to access their life story outweighs the third party’s privacy rights in that specific instance.
Q: Can we refuse a young person’s request if we believe reading the files will upset them? A: No. Upset, anger, or sadness are natural reactions to trauma and do not meet the legal threshold for refusing a request. A request can only be restricted under the “Serious Harm Exemption” if a qualified professional determines that disclosure would cause serious physical or mental harm.
Q: Is a Data Access Request the same as a Freedom of Information (FOI) request? A: No. An FOI request allows individuals to ask for non-personal, public organizational data (like local authority budgets or policies). A SAR/DAR is specifically for an individual requesting their own personal data. If an FOI request asks for personal data, it must legally be treated and processed as a SAR.
“`
0 Comments