61. Access to records can be important for victims and survivors who wish to understand their past, including decisions about their care, the circumstances in which the abuse took place and why the abuse was able to continue.[1]
62. Relevant records include those made about an individual child, for example attendance records, social care records and safeguarding records. Social care records may set out details of referrals, general assessments and visits relating to children in care. Safeguarding records may include safeguarding concerns or allegations and details of any actions taken. There may also be records which, although not personal to specific victims and survivors, are relevant to establishing what happened at an institution, for example safeguarding policies and procedures, personnel files, and details of investigations or disciplinary procedures.
63. During the Inquiry’s work, concerns have been raised about access to records.[2] One Victims and Survivors Forum member described how “a lack of closure meant being unable to move on and achieve in other areas of life. There is a feeling of perpetual childhood”.[3] The manner in which institutions dealt with victims and survivors accessing and viewing their records was also often criticised for being unsupportive, defensive and critical. Being unable to easily access records can compound victims and survivors’ sense of feeling let down by the institutions responsible for their care and lead to perceptions of cover-up.[4]
64. These records are often of significance in criminal and civil proceedings. Their absence may mean that prosecutions cannot proceed or that claims for compensation fail, preventing victims and survivors from obtaining redress.[5] One Victims and Survivors Forum member stated:
“I applied to CICA [Criminal Injuries Compensation Authority] but I was turned down due to no longer having access to the police and court records because my abuse happened over 50 years ago and the records were not kept that far back. So I just gave up.”[6]
65. In previous reports and inquiries into child sexual abuse, recommendations relating to records management were the second most frequently identified area for change.[7] The Inquiry has also made recommendations to improve systems and processes in a number of institutions.[8] Nonetheless, given the importance of this issue, the Inquiry examined whether wider improvements to access to records are required.
66. Relevant UK legislation does not stipulate how long organisations should keep personal data – simply that organisations must not keep data for longer than is necessary in accordance with their own policies.[9] Retention periods for records which may contain information about child sexual abuse therefore vary.
67. The retention of records by institutions in the context of child sexual abuse cases is particularly important. It can take decades for victims and survivors to feel able to disclose sexual abuse and so retention periods need to be sufficiently long to ensure that the records survive. The Inquiry encountered cases where records had been destroyed in accordance with the retention policies in place at the time and the absence of those records subsequently hindered police investigations into allegations of child sexual abuse.[10]
68. There may also be issues when organisations cease to exist or are replaced by new organisations. Some Victims and Survivors Forum members stated that they were informed that the relevant organisation had closed down, or was no longer operating from the same site, which had led to records being destroyed.[11]
69. Often little regard is given to the value of records for victims and survivors of child sexual abuse, and retention periods may be too short to allow for delayed disclosure. Specific records relating to child sexual abuse should be subject to a longer retention period, reflecting their inherent value to survivors. This would allow for delayed disclosure and recognise the difficulties that may be faced by victims and survivors in being able or ready to access this information.
70. Most new records are now electronic, which should allow for easier identification of relevant records. Nevertheless, the Inquiry recognises that this is a complex area with the potential to affect a range of organisations, and may place a new burden on some. However, data protection legislation requires organisations to have in place appropriate retention periods, and to ensure that data are not kept for longer than is necessary. A longer retention period is in the public interest and is justified.
71. Where an organisation has identified that it holds records that are known to relate to allegations or cases of child sexual abuse, that material should be retained for 75 years with review periods as appropriate. This reflects the requirement to retain records relating to looked after children and care homes until the individual’s 75th birthday.[12] Those relating to adoption are kept for 100 years.[13]
72. Under the Data Protection Act 2018, victims and survivors have a legal right to request copies of records containing their personal information. This is known as the right of access or subject access request.[14] Responding to these requests may require institutions not only to identify the relevant records but also to consider, and if necessary redact, information relating to third parties before disclosing them. For example, a record may need redacting if it contains sensitive information about another individual and it is not reasonable to disclose that information. Attempting to obtain third-party consent may also contribute to the time taken. As a result, accessing personal records can be a lengthy and complex process where the time limits set out in the 2018 Act are not met.
73. Victims and survivors have faced difficulties when requesting their records from institutions. One Victims and Survivors Forum member described their experience as “a war of attrition”.[15] Issues may include long delays, procedural hurdles, and poor communication and explanations from the institutions.[16] The Inquiry also received evidence that some institutions did not respond appropriately to requests for access to records.[17] For some complainants, the search for records and the lack of communication and explanation was difficult and upsetting.
74. Victims and survivors may also need practical and emotional support when accessing their records. Reading records may bring back traumatic memories and cause distress.[18] Records that are redacted may also cause frustration, particularly if there is no explanation as to why they are redacted.[19]
75. The Information Commissioner’s Office (ICO) already has a general guide setting out how organisations should respond to subject access requests. However, the content is for all sectors and does not recognise the particular challenges faced by victims and survivors of child sexual abuse. The Data Protection Act 2018 (the 2018 Act) requires the Information Commissioner to prepare four codes of practice.[20] Two codes of practice have been developed by the ICO, with two more under development.[21] There is provision in the 2018 Act for the Secretary of State to make regulations requiring the ICO to prepare other codes of practice.[22] The Inquiry recommends that the issue of access to records about child sexual abuse is addressed in a new code of practice.
The Inquiry recommends that the UK government directs the Information Commissioner’s Office to introduce a code of practice on retention of and access to records known to relate to child sexual abuse.
The retention period for records known to relate to allegations or cases of child sexual abuse should be 75 years with appropriate review periods.
The code should set out that institutions should have: