Information Disclosure Protocol

Title
Title
Title
Title
Version
Author
Next Review Date
Notes
V1 (February 2025)
Emma Kitcher, Data Protection Officer
February 2026
New Draft
V2 (October 2025)
Emma Kitcher, Data Protection Officer
October 2026
Added Data Use and Access Act 2025 and included reference to Part 5, Section 78 of the Act in relation to proportionate and reasonable searches (Undertaking Searches)
V3 (March 2026)
Caroline Oliver
October 2026
Added Holiday Club into policy

Contents

    INTRODUCTION
    QUICK REFERENCE POINTS
    KEY DEFINITIONS
    SCOPE
    KEY LEGISLATION / FRAMEWORK
    NOMINATED INDIVIDUALS / TEAMS
    TYPES OF DISCLOSURE
    WHAT IS A SUBJECT ACCESS REQUEST?
    SARS VIA OTHER ORGANISATIONS
    UNDERTAKING SEARCHES
    CHARGING FOR SARS
    TIMEFRAMES FOR SARS
    CONFIRMING IDENTITY
    SENDING DIGITALLY
    EXEMPTIONS FROM SAR RELEASE
    CRIME AUTHORITY REQUESTS
    HOW DO WE APPLY THE CRIME AUTHORITY EXEMPTIONS?
    OTHER DISCLOSURES
    APPLICATION AND AUDIT

INTRODUCTION

The UK GDPR provides the right for individuals to access their personal data. This includes seeing who has accessed their data.
The right helps individuals to understand how and why you are using their data, and check you are doing it lawfully. This right is commonly referred to as ‘subject access’.
Data protection law also permits disclosures to third parties such as the courts, the police and those having a claim arising from the death of an individual.

QUICK REFERENCE POINTS

  • There are a wide variety of routes by which information may be sought from us and disclosed
  • It is a complex framework and requires support from the Data Protection Officer
  • When a request to disclosure information is received, find the suitable chapter within this protocol and take note of the rules
  • Specialist training is provided by the Data Protection Officer

KEY DEFINITIONS

Personal Confidential Information            
This term is intended to cover information captured by the Data Protection Act 2018 / GDPR (identifiable information about the living), information covered by the Common Law Duty of Confidence / Tort of Misuse of Private Information and finally, information covered by Article 8 European Convention for Human Rights.

SCOPE

This protocol applies to all staff, whether temporary or permanent who are involved in the disclosure of personal data, including disclosing personal data to the data subject themselves.
Disclosures to the individual or to third parties may relate to service users, customers, staff or visitors’ personal data.

KEY LEGISLATION / FRAMEWORK

  • UK GDPR / Data Protection Act 2018 as amended by the Data Use and Access Act 2025
  • Human Rights Act 1998
  • Common Law Duty of Confidentiality

NOMINATED INDIVIDUALS / TEAMS

The UK Information Commissioner informs us that Subject Access Requests (SARs) should be directed to and processed by a suitably trained individual or team. Staff that receive requests should contact the  Data Protection Officer.

TYPES OF DISCLOSURE

  • There are a number of routes by which information can be sought from Hopscotch Nurseries.
  • Subject Access Request (a person is asking for information you hold about them)
  • Disclosures to third parties for which there is a legal exemption to data protection principles (the courts, the police etc)
  • Disclosures to third parties where explicit consent has been provided by the individual

WHAT IS A SUBJECT ACCESS REQUEST?

  • A Subject Access Request involves an individual asking for information that is already held about them.
  • An individual can ask for information themselves, or they can instruct a solicitor or other representative to request the information
  • The request does not need to be in writing, and you must accept requests in any form, for example, on the telephone, in person or even via social media.

SARS VIA OTHER ORGANISATIONS

  • A data subject can ask anyone to request their information on their behalf.
  • In this instance, seek Data Protection Officer advice before responding so that it can be determined whether the requestor has sufficient authority to make the request.

UNDERTAKING SEARCHES

  • Hopscotch Nurseries will respond to Subject Access Requests (SARs) by carrying out reasonable and proportionate searches for personal data.
  • The organisation will take appropriate steps to identify relevant data held in structured systems and accessible records but are not required to search every system or retrieve information if doing so would involve disproportionate effort in terms of time, cost, or technical burden.
  • Where a request is broad or unclear, we may seek clarification from the requester and pause the response timeframe until we receive it.
  • All searches will be documented, and any exclusions or limitations will be explained to the requester along with their right to complain to the Information Commission

CHARGING FOR SARS

  • Charging is only for very limited circumstances – repeat copies is main one
  • Data subjects are entitled to have all their information without having to explain why they need it.
  • We should always contact the data subject to let them know what they are doing in relation to their request
  • Postage costs cannot be applied

TIMEFRAMES FOR SARS

  • There is a one-month legal time frame for responding to SAR requests
  • However, the ICO says;
  • If you process a large amount of information about an individual, you can ask them for more information to clarify their request. You should only ask for information that you reasonably need to find the personal data covered by the request.
  • You need to let the individual know as soon as possible that you need more information from them before responding to their request. The period for responding to the request begins when you receive the additional information.
  • Therefore, when you are communicating with a solicitor for example, in relation to an excessive request, the legal time frame has not yet begun.
  • If you are being chased to respond and the requestor has not yet refined the request in a satisfactory way, contact the Data Protection Officer

CONFIRMING IDENTITY

  • The identity of the person making the request must be validated, using “reasonable means”.
  • If you have doubts about the identity of the person making the request, you can ask for more information
  • However, it is important that you only request information that is necessary to confirm who they are. The key to this is proportionality
  • You need to let the individual know as soon as possible that you need more information from them to confirm their identity before responding to their request.
  • The period for responding to the request begins when you receive the additional information

SENDING DIGITALLY

  • If the request is made electronically, the information should be provided in a commonly used electronic format and this can often reduce costs.
  • The Data Protection Officer can assist to highlight information that requires redaction
  • Redact third party information and scan paper records to PDF
  • Send email to individual to confirm they are happy to have information emailed and understand inherent risks with digital transfer, check email address and ask them to confirm receipt
  • Send over several emails where necessary
  • If you are required to provide paper copies, you can request collection, but you cannot insist
  • If a solicitor insists on paper copies (will not accept an email copy) you may charge a fee as can be viewed as excessive

EXEMPTIONS FROM SAR RELEASE

Third Party Exemption

  • If the requested information contains information about a third party, and releasing it may breach your duty of confidentiality towards that person you should;
  • Consider whether it is reasonable to ask their consent
  • Consider whether it might be reasonable to release the information without their consent
  • Redact the information related to the third party
  • Names of professionals are generally not redacted
  • It may sometimes be reasonable to release information about a third party – speak to your Data Protection Officer if you have any concerns

Other Exemptions

  • There may be other exemptions to releasing information such as;
  • Confidential references
  • Publicly available information
  • Crime and taxation (where releasing information would prejudice investigation or apprehension or offenders)
  • Management information / forecasting
  • Negotiations with the requester
  • Legal advice and proceedings
  • Where these additional documents exist, it is important to;
  • Acknowledge any confirmation from police about whether releasing the information would prejudice their activities.
  • Whilst you are obtaining these confirmations, if they are taking some time, you could release what you do have.
  • Information must not be amended (beyond redaction) for the purposes of releasing under Subject Access Rights.
  • When information is released, it is good practice to include;
  • Information about what has been redacted and why (unless that would make them aware of the nature of the information that has been withheld)
  • A link to our transparency notice
  • If you believe that any of these exemptions are applicable, you should contact your Data Protection Officer for support.

CRIME AUTHORITY REQUESTS

  • If you are asked to disclose information in relation to;
  • the prevention and detection of crime;
  • the apprehension or prosecution of offenders; or
  • the assessment or collection of a tax or duty or an imposition of a similar nature.

Which Exemptions Apply to Data Disclosed for These Purposes?

  • The individual may not have a right to be informed about the disclosure
  • The individual may not be able to object or withdraw consent
  • The individual does not need to be notified in the event of a data breach associated with the disclosure
  • There is no need to comply with the principles of fairness and transparency
  • You can make these disclosures even if you collected the data for something different
  • However – the above exemptions only apply where doing so would prejudice the law enforcement purposes.
  • For example, to inform the individual of the disclosure would affect our ability to detect crime and so we are applying the exemption to the Right to be Informed.
  • In 2023, The National Police Chief’s Council introduced a  new form  for requesting information from third parties. Consent forms or other forms should no longer be accepted for these purposes.

HOW DO WE APPLY THE CRIME AUTHORITY EXEMPTIONS?

  • Hopscotch Nurseries and Holiday Clubs cannot be expected to fully investigate how the information disclosed might help or hinder a law enforcement case or to what extent the information is necessary for such a case
  • However, the Data Protection Officer will obtain confirmation from the requestor that the exemptions have been considered and applied appropriately.

Ensuring the Information is Strictly necessary?

  • In order to satisfy this criterion, the information requested must not be disproportionate to the nature of the crime.
  • The law enforcement officer does not have blanket entitlement to a victim and / or suspects entire medical record.
  • If the request does not already state this - you must ask the law enforcement officer to confirm that they are only requesting what is necessary to investigate / prevent the criminal activity and that not having everything they have asked for would prejudice the case.
  • You should ask this, even if the individual has consented to releasing the entire medical record

Do we have to notify the individual that we have received the request / are releasing their information?

  • Data protection law permits the information to be released without informing or obtaining consent from the data subject, but ONLY where informing them or obtaining consent would prejudice the case
  • If not already stated in the request, ask the requestor to confirm informing / consent would prejudice law enforcement purposes

OTHER DISCLOSURES

  • There are lots of other instances where disclosure might be permitted either by an There are lots of other instances where disclosure might be permitted either by an exemption under the Data Protection Act 2018 or by another law that orders the release.
  • A court order is legally binding on the organisation / person it orders to disclose information. If the organisation receives a court order for information you must provide the information. If you believe there is a compelling reason to withhold certain information, speak with you Data Protection Officer to discuss the reasons.
  • Disclosure to your legal advisers to defend against a claim. You may disclose information to your legal advisers to support in a legal claim, however, it is important to ensure that only relevant information is provided and both the proportionality and minimisation principle are still adhered to consult your Data Protection Officer for advice.
If the request you receive is not on the list, please consult your Data Protection Officer for advice.

APPLICATION AND AUDIT

Compliance with this protocol will be audited and the results fed into the Plan, Do, Check, Act Cycle described in the Information Risk and Audit Protocol.
  • Anyone involved with disclosures should be provided with this policy and attend the Data Protection Officer quarterly specialist training webinar
  • Staff should actively engage with the Data Protection Officer around disclosure requests
  • The organisation will keep a log of all information rights requests to ensure that we are responding in a consistent and timely way. Information about requests or disclosures should not be kept in the data subject’s record.
  • Staff must confirm that they have read and understood this protocol
  • This protocol will be reviewed annually or sooner in the event of significant learning or change
  • This protocol should be read in conjunction with the other protocols in the Data Protection and Security policy suite