Access to your own personal information

Under the UK General Data Protection Regulation and Data Protection Act 2018 you also have the right to access any personal data that the council holds about you. This is commonly referred to as a subject access request.

You can make a subject access request by completing the online form.

by emailing: dataprotection@lancashire.gov.uk or in writing to:

The Information Governance Team
Lancashire County Council
PO Box78
County Hall
Preston
PR1 8XJ

We have one calendar month to respond to your request or three months in complex cases.

We do not charge a fee to deal with a request in most circumstances.

Your request must include your name and address, and proof of your identity so that we can be satisfied that you are entitled to the information. Acceptable proof of identity includes a copy of your passport or driving licence.

You can also make a request verbally, either in person to an employee or member of the County Council, or by telephone to 0300 123 6701 or by minicom to 01254 220 666. If you make a verbal request we will confirm our understanding of your request with you and confirm the address (email or postal) to which you would like a response sent. We must also be satisfied as to your identity when making a verbal request, and as such you should be prepared to provide evidence of identity.

Your request should include as much detail as possible so that we can locate your personal data quickly; for example, specifying which persons, services or teams within the County Council you have had any dealings.

Any personal data about a third party may be redacted from the information sent to you.

Any health information will need consent from a health professional prior to disclosure, this will usually be the doctor, nurse or psychiatrist who wrote the information.

If there are court documents within the personal data you will need to apply to the court to receive this information.

Any decisions of the court can be disclosed but any third party personal details will be removed.

For more details please refer to the Information Commissioner's Office website.

What the UK GDPR and the ICO say about identity verification

Recital 64 of GDPR states – “The controller should use all reasonable measures to verify the identity of a data subject who requests access, in particular in the context of online services and online identifiers.”

In the ICO’s detailed Right of Access Guidance (published October 2020) it states – “You can ask for enough information to judge whether the requester (or the person the request is made on behalf of) is the person that the data is about. The key point is that you must be reasonable and proportionate about what you ask for. You should not request more information if the requester’s identity is obvious to you. This is particularly the case when you have an ongoing relationship with the individual.”

It continues to say – “You should also not request formal identification documents unless necessary. First you should think about other reasonable and proportionate ways you can verify an individual’s identity. You may already have verification measures in place which you can use, for example a username and password. However, you should not assume that on every occasion the requester is who they say they are. In some cases, it is reasonable to ask the requester to verify their identity before sending them information. How you receive the SAR might affect your decision about whether you need to confirm the requester’s identity.”

Neither UK GDPR, nor the ICO provide specific details on what would be considered reasonable and proportionate. This is left for organisations to judge.

At Lancashire County Council we ask for the following in most circumstances, however, each case is assessed individually, and the documentation needed may change depending on the circumstances.

Request category Documents or information needed
SAR received from the data subject
  • Proof of the data subject's ID
SAR submitted on behalf of the data subject, sent by a relative or other family member
  • Proof of the applicant's ID
  • Proof of the data subject's ID
  • Consent Form from the data subject if applicable (factors include age, capacity and the individual circumstances of the case)
  • Lasting/Enduring Power of Attorney* if applicable
SAR submitted by solicitors or another organisation
  • Signed Form of Authority and/or a Consent Form
SAR received from an employee or ex-employee
  • ID documentation not required if received from LCC corporate email system.
Requests about deceased persons
  • Lasting/Enduring Power of Attorney*, or evidence the applicant was the Personal Welfare Deputy or 'personal representative' (also known as the executor or administrator of the estate).
  • The purpose behind the enquiry so we can decide whether the information being requested is relevant and necessary, and balance this against the deceased person's enduring right to privacy.
* Power of Attorney needs to be checked to see what it has been awarded for i.e. health and care or financial affairs.

Valid proof of ID documents are a copy of a passport or driving licence.

We also accept 2 documents which confirm your current name and address on them. These should be official letters/documents, such as a NHS medical card, utility bill or bank statement.