{{org_field_logo}}
{{org_field_name}}
Registration Number: {{org_field_registration_no}}
Accessing Records of a Deceased Person Policy
1. Purpose
This policy outlines {{org_field_name}}’s approach to managing requests for access to records of a deceased person. It ensures compliance with legal and ethical obligations while maintaining confidentiality, sensitivity, and respect for the deceased and their loved ones.
As a Care at Home service registered in Scotland, {{org_field_name}} recognises that requests for records following a person’s death must be handled lawfully, sensitively and on a case-by-case basis. Access will only be provided where the requester has a legal right to the information, where disclosure is required by law or regulation, where disclosure is necessary for an investigation or safeguarding purpose, or where disclosure is otherwise justified and proportionate after senior management and information governance review. This policy provides clear guidance to staff, external parties, and Care Inspectorate inspectors on how such requests are managed efficiently and transparently.
Our approach ensures that requests are processed fairly, securely, and in compliance with relevant legislation, while also upholding the dignity and privacy of the deceased individual. This policy also aims to support families and legal representatives by ensuring a straightforward and respectful process. This policy recognises that UK GDPR and the Data Protection Act 2018 do not apply to information solely about a deceased person. However, confidentiality obligations may continue after death, and records may contain information about living people, including relatives, carers, staff, professionals or other third parties. Such information must continue to be protected and must not be disclosed unless it is lawful, necessary and proportionate to do so.
2. Scope
This policy applies to all records of deceased individuals who received care from {{org_field_name}}. It covers:
- Requests from:
- the deceased person’s personal representative, such as the executor or confirmed executor of the estate;
- a person who may have a claim arising out of the person’s death, but only to the extent that the requested information is relevant to that claim;
- a solicitor or legal representative acting with written authority from an entitled person;
- a court, procurator fiscal, police, local authority, NHS body, Care Inspectorate, SSSC, Adult Support and Protection body, or other statutory body acting within its legal powers;
- a family member, carer or next of kin, where they do not have automatic legal entitlement but the request can be considered carefully, lawfully and proportionately, taking account of confidentiality, the deceased person’s known wishes, the reason for the request and any risks of disclosure.
- Access under the Access to Health Records Act 1990 where the requested records are health records within the meaning of that Act. This policy also covers requests for care and support records that may not fall within the Access to Health Records Act 1990 but must still be managed in accordance with confidentiality duties, information governance requirements, Care Inspectorate expectations and any applicable legal or regulatory powers.
- Our internal procedures for handling, storing, and disclosing these records to ensure compliance with confidentiality and security standards.
- Requests from Care Inspectorate inspectors or other regulators who require access to records for scrutiny, investigation, complaint handling, enforcement, registration, improvement or public protection purposes. Staff must escalate such requests to the Registered Manager or nominated senior person immediately and must co-operate with lawful regulatory requests.
- Confidentiality and security measures to protect sensitive information from unauthorised access or disclosure.
It applies to all employees, contractors, and third-party agencies working with {{org_field_name}} who may be involved in processing such requests. Staff must ensure they adhere to the guidelines outlined in this policy when responding to record access requests.
This policy does not create a general right for relatives, friends or next of kin to access the deceased person’s full care record. Each request must be assessed individually and only the minimum necessary information will be disclosed.
3. Related Policies
To support the implementation of this policy, the following policies provide additional guidance and should be referred to when necessary:
- Confidentiality and Data Protection Policy – Covers how sensitive data is managed, stored, and protected.
- Records Management and Retention Policy – Outlines the timeframe for storing and disposing of records.
- Safeguarding Policy – Ensures that concerns related to the deceased’s well-being prior to death are appropriately managed.
- End-of-Life Care Policy – Defines best practices in supporting individuals at the end of their lives and how records should reflect this.
- Complaints and Compliments Policy – Details the process for handling disputes or grievances regarding record access requests.
4. Legislative and Regulatory Framework
This policy is informed by, and will be applied in accordance with, the following legislation, standards and guidance, as applicable to Care at Home services in Scotland:
- Access to Health Records Act 1990 – where the request relates to the health records of a deceased person and the requester is a person entitled to apply under the Act.
- UK General Data Protection Regulation and Data Protection Act 2018 – these do not apply to information solely about a deceased person, but they continue to apply to information about living individuals contained within the records.
- Common law duty of confidentiality – confidentiality obligations may continue after death and must be considered before any disclosure is made.
- Public Services Reform (Scotland) Act 2010 – the statutory framework for the regulation of care services by the Care Inspectorate.
- The Social Care and Social Work Improvement Scotland (Requirements for Care Services) Regulations 2011 – including requirements relating to welfare, fitness of providers, personal plans and proper service operation.
- The Social Care and Social Work Improvement Scotland (Applications and Registration) Regulations 2011 – where relevant to records required for registration and ongoing regulatory compliance.
- Health and Social Care Standards: My support, my life – including dignity, respect, compassion, being included, responsive care and support, and wellbeing.
- SSSC Codes of Practice for Social Service Workers and Employers 2024 – including duties to respect confidential information, maintain accurate records, work lawfully, co-operate with investigations and promote public trust.
- Adult Support and Protection (Scotland) Act 2007 – where records relate to concerns that the deceased person may have been an adult at risk of harm.
- Adults with Incapacity (Scotland) Act 2000 – where previous decisions, welfare powers, guardianship or intervention orders affected the person’s care before death. Staff must note that welfare and financial powers generally do not give continuing authority to access records after death unless another legal basis applies.
- Human Rights Act 1998 – including respect for private and family life, dignity and lawful, proportionate decision-making.
- Equality Act 2010 – including the requirement to avoid discrimination and make reasonable adjustments when handling requests.
- Duty of Candour Procedure (Scotland) Regulations 2018 and Scottish Government Duty of Candour guidance – where death or harm may have resulted from an unintended or unexpected incident during care or support.
- Freedom of Information (Scotland) Act 2002 – relevant only where the organisation is a Scottish public authority or is responding on behalf of one. It does not generally apply to independent private care providers.
- Care Inspectorate guidance on records and notifications for adult care services – including records that registered services must keep and notifications that must be made to the Care Inspectorate.
- Records Management Code of Practice for Health and Social Care and relevant retention schedules – where applicable to the organisation’s commissioning, contractual or public authority arrangements.
5. Our Commitments
5.1 Handling Requests for Access to Records
{{org_field_name}} follows a structured process to handle requests efficiently and securely:
- Requests should normally be submitted in writing or by email to {{org_field_registered_manager_email}}. Where a requester cannot make a written request because of disability, communication need, literacy need or another reasonable barrier, staff will support the person to make the request in an accessible way and will record the request accurately.
- The service will not assume that next of kin has an automatic right of access. Before any disclosure is made, the requester must provide sufficient evidence of identity and authority, such as confirmation of appointment as executor, written authority from the executor or personal representative, evidence that they may have a claim arising from the death, a court order, or evidence of statutory authority.
- Requests under the Access to Health Records Act 1990 will be processed within the statutory timescale once the service has received sufficient information to identify the records and confirm the requester’s entitlement. Where the relevant health record has been added to within the 40 days before the request, access should be provided within 21 days. In other cases, access should be provided within 40 days. Where the request is not covered by the Access to Health Records Act 1990, the service will respond as soon as reasonably practicable and will normally aim to provide a written decision within 30 calendar days, unless the request is complex, disputed or subject to legal or regulatory investigation.
- Requests will be processed within 40 days, in line with the Access to Health Records Act 1990.
- A secure verification process is in place to ensure that records are only disclosed to entitled persons.
- Staff must not release records informally by telephone, text message, personal email, messaging application or verbal discussion unless this has been authorised by the Registered Manager or nominated senior person and a clear record is made of what was disclosed, to whom, when and why.
- Where legal disputes arise, records will not be released without proper legal guidance and a formal resolution.
- Where there is any doubt about entitlement, confidentiality, family dispute, possible claim, safeguarding issue, police/procurator fiscal involvement, Care Inspectorate investigation, complaint, media interest or potential reputational risk, the request must be escalated to the Registered Manager and Data Protection Officer or nominated information governance lead before any disclosure is made. Legal advice must be sought where appropriate.
The request form must ask the requester to specify:
- their full name, address, contact details and relationship to the deceased person;
- the records or information requested;
- the reason for the request;
- the legal basis or authority relied upon;
- whether they are acting for themselves or on behalf of another person or organisation;
- whether urgent timescales apply, for example because of court proceedings, a procurator fiscal request, police investigation, complaint, Adult Support and Protection inquiry or Care Inspectorate investigation.
5.2 Assessing Entitlement and Deciding What Can Be Disclosed
Before records are disclosed, {{org_field_name}} will assess:
- whether the requester is legally entitled to the information requested;
- whether the request relates to health records, care records, social care records, medication records, complaints, incidents, safeguarding records or mixed records;
- whether the deceased person had previously expressed a wish that information should not be disclosed;
- whether disclosure could cause serious harm to any person;
- whether the records contain information about living third parties, including family members, staff, professionals or other people using services;
- whether third-party information can be redacted;
- whether disclosure is necessary and proportionate for the stated purpose;
- whether a statutory body has requested the information under lawful powers;
- whether disclosure may affect an ongoing investigation, complaint, Adult Support and Protection inquiry, criminal investigation, procurator fiscal process, legal claim, Care Inspectorate scrutiny or SSSC matter.
The service will disclose only the minimum necessary information required for the lawful purpose. Full records will not be disclosed where a summary, extract or redacted copy would meet the purpose of the request.
Where access is refused in full or in part, the requester will be given a clear written explanation, unless doing so would prejudice an investigation, breach confidentiality, place someone at risk, or be contrary to legal advice.
5.3 Confidentiality and Ethical Considerations
To uphold privacy and ethical standards:
- Records will only be released where there is a clear lawful basis, legal entitlement, statutory power, regulatory requirement or other justified and proportionate reason for disclosure.
- All disclosures will be logged, detailing the requester, reason for access, and approval process.
- Information about living third parties, including relatives, carers, staff, professionals and other people using services, will be redacted unless disclosure is lawful, necessary and proportionate, or the relevant person has given valid consent. Staff names may usually remain where they are relevant to the care provided, but personal staff information, employment matters, addresses, contact details or irrelevant comments must not be disclosed.
- Where the deceased person had clearly stated, while alive, that particular information must not be shared after death, this will be respected unless there is an overriding legal, regulatory, safeguarding or public interest reason to disclose it.
- Staff are trained to handle such requests with professionalism and sensitivity, ensuring the dignity of the deceased and respect for their loved ones.
- All staff must respond compassionately to bereaved relatives and representatives but must not allow sympathy, pressure or family conflict to override confidentiality, legal requirements or safe information governance.
- The Data Protection Officer {{org_field_data_protection_officer_first_name}} {{org_field_data_protection_officer_last_name}} will oversee complex cases to ensure compliance with legal requirements.
5.4 Requests from the Care Inspectorate and Other Statutory Bodies
Care Inspectorate inspectors and other statutory bodies may require access to records as part of inspection, complaint handling, investigation, enforcement, registration, improvement activity or public protection work. Staff must co-operate with lawful regulatory and statutory requests and must escalate such requests immediately to the Registered Manager or nominated senior person.
Where the Care Inspectorate, police, procurator fiscal, local authority, NHS body, Adult Support and Protection body, SSSC, court or other statutory body requests records, the service will:
- verify the identity and authority of the person making the request;
- record the legal or regulatory basis for the request, where this is provided;
- provide records securely and within any required timescale;
- retain a copy or audit trail of what was disclosed, when, how and to whom;
- avoid delaying urgent safeguarding, criminal justice or regulatory requests unnecessarily;
- seek legal or senior advice where the request is unclear, unusually broad or disputed.
Nothing in this policy should be used to obstruct a lawful inspection, investigation, adult protection inquiry, criminal investigation, court process or regulator request.
5.5 Notification of Death and Linked Records
Where a person using the service dies, {{org_field_name}} will follow its Care Inspectorate Notifications Policy and submit the required notification to the Care Inspectorate without delay through the appropriate Care Inspectorate system. The service will also follow any relevant commissioning, local authority, NHS, Adult Support and Protection, police, procurator fiscal, safeguarding, incident reporting and Duty of Candour procedures.
The Registered Manager or nominated senior person will ensure that the following records are reviewed and secured after the person’s death:
- personal plan and risk assessments;
- daily care notes and visit logs;
- medication records;
- incident, accident and near miss records;
- communication with relatives, representatives, professionals and commissioners;
- complaints, concerns or compliments;
- Adult Support and Protection or safeguarding records;
- hospital admission, discharge or end-of-life care information held by the service;
- Care Inspectorate notifications and related correspondence;
- Duty of Candour records, where applicable.
Records must not be altered after death except to add clearly dated, factual post-death entries. Any correction must be transparent, dated, signed or electronically attributable, and must not overwrite or obscure the original record.
5.6 Storage, Retention, and Security of Records
To ensure secure and appropriate record-keeping:
- Records relating to a deceased person will be retained in accordance with {{org_field_name}}’s Records Retention and Disposal Schedule, applicable legal requirements, Care Inspectorate expectations, contractual requirements, commissioner requirements and relevant Scottish health and social care records management guidance. The retention period must be sufficient to support inspection, complaint handling, legal claims, safeguarding review, Duty of Candour processes, Adult Support and Protection matters, regulatory scrutiny and audit. Records must not be destroyed where there is an active request, complaint, investigation, claim, inspection, safeguarding concern, police/procurator fiscal matter or legal hold.
- Electronic records are stored securely, with encrypted access to protect against unauthorised retrieval.
- Paper records are archived securely and destroyed according to approved retention schedules.
- Where the service is commissioned by, contracted to, or acting on behalf of an NHS body, local authority or Health and Social Care Partnership, the service will check and follow any contractual or written records retention requirements issued by that body.
- Access to records is limited to designated personnel, and all access attempts are logged for audit purposes.
- A destruction record must be kept when records are securely destroyed. The destruction record must include the person’s name or unique identifier, record type, date range, disposal date, disposal method, authorising person and reason for disposal. Destruction must be suspended immediately if a request, complaint, claim, investigation, inspection or safeguarding concern arises.
5.7 Handling Disputes and Appeals
In cases where record access is denied or disputed:
- Where access is refused in full or in part, {{org_field_name}} will provide a written explanation that is clear, respectful and specific enough for the requester to understand the decision, unless providing detail would breach confidentiality, prejudice an investigation, create risk of harm or conflict with legal advice.
- The requester may ask for an internal review of the decision. The review will be carried out by a senior person who was not the original decision-maker, wherever practicable. The review will consider the requester’s authority, the reason for the request, the type of records requested, confidentiality duties, the deceased person’s known wishes, third-party information, legal advice and any regulatory or safeguarding issues.
- Legal advice will be sought where necessary, particularly in cases involving conflicting claims to access records.
- If the requester remains dissatisfied, they will be signposted to the most appropriate external route. This may include the Information Commissioner’s Office for data protection or information rights concerns, the Care Inspectorate where the concern relates to the quality or safety of the care service, a solicitor for legal entitlement disputes, or the relevant statutory body where the request forms part of an investigation.
5.8 Staff Training and Compliance
To ensure all staff members are well-equipped to manage record access requests:
- All employees will receive induction and refresher training appropriate to their role on confidentiality, accurate record keeping, secure records handling, responding to requests for records, confidentiality after death, redaction, Care Inspectorate notification duties, Duty of Candour, Adult Support and Protection escalation and the SSSC Codes of Practice 2024.
- A designated Data Protection Officer oversees compliance with this policy and provides guidance on complex cases.
- Staff must understand that they must not promise relatives, friends or next of kin access to records and must not disclose records without authorisation. All requests must be referred to the Registered Manager, Data Protection Officer or nominated information governance lead.
- Regular audits are conducted to ensure adherence to legal and ethical record-keeping practices.
- Training and audits will include sample checks of deceased person record requests, redaction decisions, disclosure logs, Care Inspectorate notifications, complaint links and retention decisions.
- Staff are encouraged to report any concerns about improper or unauthorised record access to senior management.
6. Monitoring and Compliance
To uphold the integrity of our record management processes, {{org_field_name}} will:
- Conduct regular audits of record access logs, disclosure decisions, redaction decisions, Care Inspectorate notifications and post-death record management to ensure that procedures are followed and that records remain accurate, secure and available for inspection or investigation.
- Maintain a Deceased Person Records Access Register containing:
- name or unique identifier of the deceased person;
- date of death, where known;
- date the request was received;
- name and contact details of requester;
- relationship or role of requester;
- evidence of identity and authority checked;
- records requested;
- decision made;
- records disclosed or withheld;
- redactions applied;
- method of disclosure;
- date of response;
- name and role of decision-maker;
- whether legal, DPO, commissioner, Care Inspectorate, police, procurator fiscal or safeguarding advice was sought.
- Maintain up-to-date staff training, ensuring all employees understand their responsibilities under this policy.
- Implement recommendations from the Care Inspectorate, ensuring alignment with best practices.
- Review any learning from complaints, incidents, Duty of Candour events, Adult Support and Protection matters, Care Inspectorate feedback, SSSC matters, audits or legal advice and update this policy and staff training accordingly.
- Ensure compliance with all legal obligations through internal governance reviews and risk management assessments.
7. Procedure for Staff
When a request is received for records of a deceased person, staff must follow the steps below.
Step 1: Receive the request respectfully
- Acknowledge the request sensitively.
- Do not confirm or disclose detailed information until authority has been checked.
- Record the date, time, requester’s details and what is being requested.
- Forward the request to the Registered Manager or nominated senior person the same working day.
Step 2: Verify identity and authority
- Ask for proof of identity.
- Ask for evidence of authority, such as executor confirmation, solicitor authority, court order, statutory request, or evidence of a potential claim arising from the death.
- Do not assume that next of kin has automatic access rights.
- Record what evidence was checked.
Step 3: Identify the type of records requested
- Confirm whether the request relates to health records, care records, medication records, personal plans, daily notes, incident records, safeguarding records, complaints, correspondence or mixed records.
- Identify whether the records include information about living third parties.
- Check whether there are ongoing investigations, complaints, legal claims, Adult Support and Protection matters, Care Inspectorate involvement, SSSC involvement, police involvement or procurator fiscal involvement.
Step 4: Decide whether disclosure is lawful and proportionate
- Consider the requester’s entitlement and the purpose of the request.
- Consider the deceased person’s known wishes.
- Consider whether disclosure could cause harm or breach another person’s confidentiality.
- Consider whether a summary, extract or redacted record is more appropriate than full disclosure.
- Seek advice from the Data Protection Officer, legal adviser, commissioner or relevant statutory body where needed.
Step 5: Prepare records securely
- Make a working copy for redaction.
- Do not alter the original record.
- Redact irrelevant third-party information and confidential information that should not be disclosed.
- Check redactions before release.
- Keep an audit trail of the redaction and approval process.
Step 6: Respond securely
- Send records by secure email, encrypted transfer, recorded delivery or another approved secure method.
- Include a covering letter explaining what has been provided and, where appropriate, what has been withheld and why.
- Record the disclosure in the Deceased Person Records Access Register.
Step 7: Retain the audit trail
- Keep the request, evidence of identity and authority, decision record, redaction copy, final disclosed copy, covering letter and disclosure log in line with the Records Retention and Disposal Schedule.
- Do not destroy related records while a complaint, investigation, claim, inspection or legal hold is active.
8. Policy Review
This policy will be reviewed annually, or sooner if there are changes to legislation, Care Inspectorate guidance, SSSC Codes of Practice, Health and Social Care Standards, records management guidance, commissioning requirements, organisational structure, digital systems, or learning from complaints, incidents, inspections, Duty of Candour events, Adult Support and Protection matters or legal advice.
Any updates to this policy will be communicated to all relevant staff and stakeholders to ensure continued compliance and best practices in handling deceased individuals’ records.
Responsible Person: {{org_field_registered_manager_first_name}} {{org_field_registered_manager_last_name}}
Reviewed on: {{last_update_date}}
Next Review Date: {{next_review_date}}
Copyright © {{current_year}} – {{org_field_name}}. All rights reserved.