The parent or guardian of a nine-year-old makes a subject-access request under the Data Protection Act to see their child's medical records. Are you obliged to honour this request?
No. Whether a day old or 100 years old, the Data Protection Act provides each person (the 'data subject') with rights in relation to their personal data—rights which are accorded to no one else.
Of course, there are exemptions (for example, ensuring that invoking the act doesn't stand in the way of legal process). Also, some (non-absolute) parental rights may come into play, but as data controller you still have the right to refuse, since the decision is made at your own risk. Consequently, it is vital that you record in the data subject's notes a detailed description of the reasoning used in making your decision, thus leaving yourself with that all-important audit trail.
Remember: even if, in your opinion, the child is too young to understand the implications of the subject-access request, the personal data you hold about them is still their personal data; it doesn't belong to the parent or guardian. It is the child who has the right of access to the data held about them—even though, where young children are concerned, these rights are likely to be exercised by the parent.
Before responding, you should consider whether the child is mature enough/has capacity to understand their rights; whether they are able to understand (in broad terms) the purpose of the subject-access request; and whether they'll be able to interpret the information.
If you're confident that the child can understand their rights, then you can release the records (again, at your own risk), but you should respond to the child, rather than the parent.
In England, individuals aged over 16 have full capacity; 12- to 16-year-olds are presumed to have capacity, but this can be blocked; and those under 12 are assumed not to have capacity (but this can also be challenged).
In the case of a nine-year-old, you may wish to consider:
- The child's level of maturity and their ability to make decisions like this and understand the information to be sent. You may consider talking to the child to assess this.
- The content of the child's medical records.
- Your duty of confidence to the child.
- Any court ruling in relation to parental responsibility/primary carer.
- The possible consequences of allowing the parent to see the child's medical records; for example, if there are allegations of abuse.
- How the child feels about their parent having access to their medical records.
The bottom line is that you can refuse the subject-access request made by the parent. In such a case, you should refer the parent to the Information Commissioner's Office, with an explanation for your refusal. The ICO can then make the decision on whether or not the request should be honoured.
Subject-access requests must be dealt with within 40 days. You must supply a permanent copy of the requested personal data, and you can charge an administration fee of up to £50 for medical records (this does not mean you can charge a flat rate of £50; the fee must be proportional to the administration involved).
David Taylor is the principal data protection act practitioner at Data Protection Consultancy