Accessing a deceased person's records

The GDPR / Data Protection Act 2018 only applies to living individuals, so an application for access to a deceased person's records held by us cannot be made under the usual subject access route. Please see the guidance below if you are considering an application of this nature.

Access to deceased person's records - SIRO Guidance

Each request will be dealt with on an individual basis depending upon the deceased person's contact with us.

The Data Protection Act 2018 (DPA) and the General Data Protection Regulation (GDPR) only apply to living individuals and therefore cannot be used to access personal information for a deceased person. This means that any request for a deceased's personal information will be considered individually and on its own merits.

However, this does not mean that there is an automatic right of access to the deceased's personal information.

How to apply

If you seek access to a deceased individual's records which you believe are held by us, your request should be made to the service holding the information, in the first instance.

When applying you will need to provide as much information as possible to allow us to locate the individual's records and help us to make the necessary considerations.

We will ask for:

• details of the deceased:
  • name
  • date of Birth
  • date of death (if not providing a copy of the Death Certificate - see below)
  • last known address

• confirmation that the person has died if not providing a death certificate (such as a letter granting Probate or Letters of Administration)

• proof that you, as the applicant, are a personal representative (see 'Who can apply')

• your identification as the person requesting the deceased's personal information, which must show your name and address

• if it is known to us that there are more than one personal representatives, you may be asked to provide a signed letter of authority from any other personal representatives

Who can apply

In considering a request for access to a deceased's personal information, we will be required to ask for two forms of identification. Firstly we require proof that the applicant is a personal representative - a copy of the letter of representation or a copy of the Will that proves the applicant is an executor, as well as proof of the personal representative's name and address (if not on the letters of representation).

We may ask for additional proof of identity where this is necessary.

Personal representatives

We acknowledge that a personal representative is someone who has legal authority to represent the deceased person.

Consideration of requests about the deceased

The main elements that will be considered when dealing with requests for information about the deceased are as follows:

• Is the information requested already publicly available?
• Is the requester the personal representative (the person who is entitled to administer the estate of the deceased person under the law relating to wills and probate? This will be by virtue of either a grant of probate (if the deceased person left a will) or letter of administration (if they died intestate) of the deceased.
• Is the information requested special category (as defined by the GDPR)?
• Was the information being requested originally provided in confidence?
• Does the information requested contain personal data relating to any third parties (such as carers, relatives, social care staff or social workers and healthcare staff)?

Circumstances under which records may be released

We will only release the records of deceased individuals in the following circumstances:

• the request has been made by the deceased person's 'personal representative' (also known as the executor or administrator of their estate)
• the request has been made by an individual who held a Health and Welfare Lasting Power of Attorney for the deceased person when they were alive
• the request has been made by an individual who held a Financial Affairs Lasting Power of Attorney for the deceased person when they were alive (although they would only be entitled to information about paying their bills, collecting their benefits, or selling their home)
• the request has been made by an individual who was a Personal Welfare Deputy for the deceased person when they were alive, providing the request does not go against any decision made by an attorney acting under a Lasting Power of Attorney
• the request has been made by an individual who has proof that they have a claim arising from the deceased individual's death
• the information requested is already known to be in the public domain; we will attempt to signpost the requester to the information where possible
• there is sufficient evidence to support the assumption that the deceased individual would have given their consent to the release of their personal information if they were still alive

If one or more of the above criteria can be met, the request will then be considered in detail by the service.

Possible exemptions

Some or all of the following exemptions may be applicable.

Information accessible to the applicant by other means

If the personal information requested is already in the public domain, for example, where an open session at a court or inquest has been held, this would not need to be disclosed.

Although there is a presumption that the majority of personal information in social care records is confidential, some may already have been made public, for example the cause of death is included on the death certificate which is a public document.

Personal information

The deceased's personal information may contain the personal information of another person(s), known as a "third party". As stated above a third party may include carers, relatives, social care staff or social workers and healthcare staff.

If the deceased's records do contain another's personal information, then consideration of any duty of confidence to that individual, and of obligations under the GDPR and Data Protection Act may apply.

Information provided in confidence

In most cases the personal information being requested will relate to sensitive personal information about the deceased, especially where it is contained within a social care or health record. Due to the very personal and sensitive nature of these records, it is likely that they continue to be subject to a duty of confidence after the individual's death.

It is generally assumed that this personal information would have been provided in confidence.

We must show that the information had been obtained from another person. This will usually be met for social care records as these are concerned with the welfare and care of an individual. It is very likely that the information will have been obtained from the individual themselves, or the professionals involved in their care.

If we believe that disclosure of the deceased's personal information would be likely to give rise to an actionable breach of confidence then disclosure may be refused. Case precedent establishes that the duty of confidence continues after death and that this can be transferred to the personal representative. If the Council establishes in principle that a personal representative might exist who could take legal action against any breach of confidence then disclosure may be refused.

Other legislation

Medical or Health Records will only be available through the Access to Health Records Act 1990 and you will be required to contact the deceased's GP or the relevant health professionals involved in the deceased's care.

Section 115 of the Crime and Disorder Act 1998 permits data to be disclosed to the Police, Probation Service, Health and Local Authorities, for the purpose of reducing and preventing crime and disorder.

The common law Duty of Confidence means that the Council owes a duty of confidence to service users and others from whom it obtains personal information for the discharge of its statutory functions.