Catholic Safeguarding Advisory Service logo

Catholic Safeguarding Advisory Service (CSAS)Procedures Manual

Access to Records


This procedure only applies to the aspects of church work in connection with the protection of children and adults.

This procedure has been designed to comply with the Data Protection Act 1998.

In common with most organisations the Dioceses and Religious Congregations of the Catholic Church need to keep records in order to provide an efficient and effective service in safeguarding vulnerable people. All office holders involved in Child and Adult Protection work have a duty to:

  • Keep information about individuals confidential and in a secure place;
  • Keep information for specific legal purposes;
  • Ensure that the information is accurate and up to date; and
  • Keep information for no longer than required for legal purposes.

All individuals have rights under the Data Protection Act to ask to see their personal records. Subject access requests can be complicated to deal with and professional advice should be sought at an early stage, particularly if the request may be made for the purposes of intended litigation, when the disclosure will need to be undertaken in accordance with Durham County Council v D (2012) EWCA Civ 1654. Those dealing with subject access requests should always notify their insurers that a request has been received in case it is connected to actual or contemplated litigation when the insurers should deal with the request.

Decisions concerning access to personal records must be taken by the Bishop or Congregation Leader, advised by the Safeguarding Co-ordinator in consultation with their Diocesan or Regional Religious Safeguarding Commission where necessary and in line with this policy.

Right of access to personal records

Subject to a limited number of exemptions defined by Part Four of the Data Protection Act (see Disclosure of Catholic Church Child and Adult Protection Records in Court Proceedings), any living person who is the subject of personal information held and processed by the Catholic Church Safeguarding System may access records containing information about him/her. The information comprising this data includes factual information, any expressions of opinion, and the intentions of the Diocese or Religious Congregation in relation to the individual. Where access is refused, the individual may appeal to the courts or the Information Commissioner.

However the Data Protection Act does not oblige the Diocese or Religious Congregation to disclose personal records to an individual in all circumstances: a person does not have the right to know what is recorded about someone else, e.g. one family member is not entitled to see information about another member without that person's consent.

In addition, the Diocese or Religious Congregation would not be obliged to give disclosure if in complying with the request it would disclose information about another person unless the other person has given consent to the disclosure, or it is nevertheless 'reasonable in all the circumstances' to comply with the request. Where neither of these circumstances apply, as much of the information requested should be disclosed where this is possible without revealing that person's identity, whether by omission of names or other identifying particulars. 

There may be occasions where it is 'reasonable in all circumstances' to comply with the request without that other person's consent. This includes the disclosure of identifiable details about a 'source' who has contributed information to a record held by a Diocese or Religious Congregation. 

When disclosing information which identifies another person without that person's consent it is necessary to determine what is 'reasonable in all circumstances' to comply with the request. Factors to consider are:

  • Any duty of confidentiality owed to that person;
  • Any steps taken with a view to seeking consent of the other person to the disclosure;
  • Whether the other person has the capacity to give consent; and
  • Any express refusal of consent by another person.
Requests by, or on behalf of, a child or a young person under eighteen

Rights of access to Catholic Church Child and Adult Protection records extend to children and young people under eighteen who understand what it means to exercise that right. Where a child or a person under eighteen makes a request for access to their records, the Bishop or Congregation Leader, advised by the Safeguarding Co-ordinator, must decide whether or not a child or young person has sufficient understanding to justify agreement to the request.

If a child or young person under eighteen does not have sufficient understanding to make his or her own request, the person with parental responsibility can make the request on the child's behalf. Where a parent applies on behalf of a child, the receiving Safeguarding Co-ordinator must be satisfied that the child is not able to make an informed decision to make a valid application or is able to make an informed decision and has authorised the parent to make the application. Where the child is not able to make an informed decision, the receiving Safeguarding Co-ordinator also needs to be satisfied that the request made by the parent on the child's behalf is in that child's interest.

Where a Safeguarding Co-ordinator considers that granting access to a parent is likely to result in serious harm to anyone, including the child, the receiving Safeguarding Co-ordinator will need to decide whether to refuse access in consultation with the Diocesan or Regional Religious Safeguarding Commission.

Requests made through another person (an agent)

If an individual is able to make an informed decision (i.e. he/she has capacity), and if he or she has appointed an agent, that person can make a valid request for access on behalf of the individual. The receiving Safeguarding Co-ordinator must ensure that suitable evidence of the agent's authority is given and that the agent's identity and relationship to the individual is also confirmed; such evidence would normally be provided in writing. Where the receiving Safeguarding Co-ordinator is satisfied that the data subject (i.e. the individual) has authorised the agent to make the request, the Co-ordinator must deal with the request in the same manner as if it had been made by the individual.

An individual who is profoundly physically disabled may not be able to give written consent for an agent to seek access on his or her behalf. Where the individual is unable to give such consent, Safeguarding Co-ordinator should give them as much assistance as possible where they believe the individual wishes to instruct an agent to seek access on his or her behalf. 

Dealing with requests for access for personal records

Best practice in recording is based on key principles of partnership, openness and accuracy. Effective recording is part of the total service and constructing and sharing records with individuals is integral to this process. Gaining clearance to share information provided by another person with an individual in the normal course of day to day work is also an important way of ensuring that access to records is maximised.

For the above reasons many individuals will be aware of the content of records through the ordinary work process. A formal request for access to personal records should, wherever possible, be made in writing. Where a person is unable to make a written application without support or where English is not the first language, help and support should be made available, if necessary by referring the individual to an advocacy service or by arranging interpreters where required.

The maximum period, in which a response must be provided to any request for personal access to records is forty days, however a response should be given as soon as practically possible. The forty-day period commences at the point a written request has been received and where any further information necessary to confirm the identity of the person making the request has been obtained. 

Access should normally be provided on Church premises and the case-file should not be removed from this location.

Information that include details about another person

If any other person is mentioned in the record and disclosure would allow her or him to be identified, the person's consent must be obtained before disclosure. Alternatively it is possible to decide that it is 'reasonable' in all the circumstances to disclose without obtaining the person's consent. This provision is likely to be of particular relevance when a request is received for access to very old files and the possibility of tracing other identified persons is remote. Where a decision is required to disclose without consent, legal advice should be sought.

Where the Church does not hold the personal information requested, the receiving Safeguarding Co-ordinator should inform the applicant as quickly as possible.

Access can be refused where a similar request from the same individual was recently granted. In deciding what amounts to a reasonable interval, the following factors should be considered:

  • The nature of the information;
  • The purpose for which the information is processed; and
  • The frequency with which the information is altered.

Additionally, a response is not required unless sufficient details are provided to permit location of the information together with satisfactory identification of the individual making the request.

Information to be disclosed

The information to be disclosed is all the data held about the individual requesting access unless the data is subject to any exemptions or another person has refused to consent to the disclosure of data identifying him/her. On no account must the record be altered to make it acceptable to the individual.

Information disclosed must be that held at the time the request is received. Account may be taken of any amendment or deletion made between the time of the request and when it is supplied in practice. 

Wherever possible the individual should be provided with a permanent copy of the information requested unless the individual says that this is not necessary. 

Some of the material to be disclosed may already be known to the individual, however consideration should still be given to assist the individual 'take in' the material or explain anything that she or he does not understand.

Where the Individual considers that information is inaccurate

Simple factual corrections, e.g. to names or dates of birth can be made to the record immediately and should be signed and dated by the person facilitating access. The correction and the circumstances in which it was made i.e. during the provision of access should be recorded.

If the individual wishes to query or comment on a judgement or opinion about him/her, a written record of the query/comment should be appended to the original recordings. This should then be signed and dated by the Safeguarding Co-ordinator involved. 

If the person seeking access feels that part of the record should be deleted the Safeguarding Co-ordinator must decide whether or not to comply with this request. Where the Safeguarding Co-ordinator does not agree that the information is inaccurate, a note must be made that the individual regards the information as inaccurate. This should be referred to the Commission.

A copy of any corrected data should be sent to the individual.

Grounds for refusing access

Exemptions from the requirements to provide information to individuals may be available in the following circumstances: where the matter involves the prevention or detection of crime, it is not necessary to inform an individual:

  • That personal data is held about her/him for the purposes of the prevention or detection of crime, or to apprehend or prosecute offenders;
  • That information about her/him has been disclosed to other organisations where it is required for any of these purposes (e.g. the police);
  • That it has received information from an organisation which had it in its possession for any of these purposes;
  • That it is holding personal data about him/her if the provision of such information would be likely to prejudice any of these purposes.

Requests should be treated on a case by case basis and use of the exemption should be the exception rather than the rule. Where any doubt exists, the Safeguarding Co-ordinator should consult the Safeguarding Commission.

In practice, restrictions on the right of access should be exceptional and confined to cases where there is serious potential for serious harm e.g. where there is sufficient risk to the safety of a child, e.g. where a child protection plan is in place and where disclosure would prejudice that plan.

Where access is refused

Any notification of refusal to disclose personal data should be given as soon as possible and in writing, even if the decision has also been given in person. The reason for the decision to refuse access should be recorded and explained to the individual unless there is good reason not to do this.

Internal access to Services for Children and Young People records

Personal information relating to individuals should only be disclosed to those directly involved in the case. 

Volunteers and informal carers may also need to be given some personal information about an individual. Any disclosure of personal information should take place in accordance with established policy and procedures and wherever possible with the consent of the subject.

On occasions it may be necessary to disclose personal information about an individual to persons responsible for quality assurance and service planning; however, where it is possible the information should be anonymised. This may also be necessary where a formal complaint has been made and an investigation is required. 

Disclosure of Catholic Church Child and Adult Protection Records in Court Proceedings

Requests for the disclosure of Catholic Church Child and Adult Protection records, i.e. case files and related material, may come from parties involved in either civil or criminal proceedings and may be made before any proceedings have started. Any party making such a request by telephone must be asked for written confirmation.

No voluntary disclosure should be given to anyone other than the individual (i.e. the data subject) and then only those personal records that he/she is entitled to and are appropriate under the Data Protection Act 1998. Before disclosure is given, the Safeguarding Co-ordinator should seek immediate legal advice as to the principles of disclosure and the extent of the same. The legal advice should be obtained either through the Diocesan or Congregational Insurance Officer or alternatively, by contacting the Insurance Manager at the Catholic Church Insurance Association.

In Civil cases any claim for damages, or intimation of such a claim, should have been reported to the relevant insurers, including PL insurers (National Policy for Responding to Concerns and Allegations of Abuse in the Catholic Community in England and Wales).

The Insurers will have appointed solicitors. These solicitors will manage any disclosure issue which arises in the pursuit of such civil actions.

Where the Diocese or Religious Congregation receives a disclosure request, the receiving Safeguarding Co-ordinator should not respond but should pass the request forthwith to the insurance intermediary or direct to the solicitors. The solicitors will then manage and respond to the disclosure request.

In Criminal proceedings the police / prosecuting authorities have a legitimate interest in obtaining evidence, including documents, and may request voluntary disclosure from the Diocese / Religious Congregation even though they also have rights to obtain disclosure by means of a court order. Where disclosure is requested, it should not ordinarily be acceded to unless the request is supported by a court order.

Where the Diocese or Religious Congregation receives a disclosure request in the course of criminal proceedings, the receiving Safeguarding Co-ordinator should seek immediate legal advice. This legal advice should be obtained either through the Diocesan or Congregational Insurance Officer, or alternatively where no such assistance is available, by contacting the Insurance Manager at Catholic Church Insurance Association (CCIA).