Design preview · adopts the Kaharagian design system
An official training service of the State of the Kaharagians
Royal Army CollegeRoyal Army CollegeRoyal Kaharagian ArmyThe College of the Army
ADM 201 Service Records and Registry
Lesson 8 of 10ADM 201

Releasing and Disclosing Records: Requests and Subject Access

Lesson Overview

Records are kept so that they can be used, and using them often means giving information out: a member asks for a copy of their own service record, a commander needs a member's qualifications to plan a task, another unit asks to confirm a posting, an outside body requests confirmation of service, a member's next of kin asks after them. Lesson 04 taught the principles that govern personal data, held only where there is a reason, seen only by those who need it. This lesson is about the moment those principles are tested in practice: when someone asks for a record and the administrator must decide whether, and how, to release it. That decision is one of the most consequential the orderly room makes, because a record wrongly withheld frustrates work the force needs done, and a record wrongly released cannot be called back, the personal data of a national, once disclosed to the wrong person, is disclosed for good. Getting release right, every time, is how the orderly room serves the force without betraying the people whose service it holds.

The lesson takes the act of disclosure in three parts. First, the questions every release must answer before anything leaves the orderly room: who is asking, what are they entitled to, and for what purpose, so that release is a decided act and not a reflex to whoever asks confidently. Second, subject access, the particular and important case of a member asking for their own information, which they are generally entitled to, and how that is handled properly, distinguished from a third party asking about them. Third, the disciplines that make any release safe: verifying the requester before disclosing, releasing only what the entitlement and purpose justify rather than the whole file, redacting what must not be shared, and recording every disclosure so that what was released, to whom, when, and on what basis can always be answered. Underneath all of it sits one rule: a disclosure cannot be undone, so the decision is made before the record leaves, never after.

This is the knowledge layer. The hands-on work this feeds, taking a request for a record, verifying the requester, deciding and limiting what may be released, redacting and recording the disclosure, is practised and signed off in person where supervision allows, in a working orderly room, on records you are appointed to handle. By the end you will be able to answer the three questions, who, entitled to what, for what purpose, before any release; handle a subject access request from a member for their own information and distinguish it from a third-party request; verify a requester's identity and authority before disclosing anything; release only what the entitlement and purpose justify, redacting what must not be shared; record every disclosure so it can be accounted for; and apply the rule that a disclosure is irreversible and so is decided before the record leaves.

Key Terms

  • Disclosure (release): giving information from a record to someone, whether a copy, a confirmation, or an answer to a query; the act this lesson governs, and one that cannot be undone once made.
  • Requester: the person asking for the information, who may be the subject of the record, a person acting within the force, or an outside party, each with a different entitlement.
  • Subject: the person the record is about; a national whose personal data the force holds and whose interest in that data the release decision must protect.
  • Subject access request: a request by the subject for their own personal information, which the subject is generally entitled to receive, subject to proper identity verification and to limited, justified exceptions.
  • Entitlement: what a given requester is allowed to receive, which depends on who they are and why they need it; the question that decides whether and how much is released.
  • Need to know: the principle that a requester within the force receives only the information their task actually requires, not whatever they ask for; the working form of data minimisation in disclosure (Lesson 04).
  • Identity verification: confirming the requester is who they claim to be before anything is released, because a disclosure to an impostor is a disclosure that cannot be recovered.
  • Authority to receive: confirming that a requester asking about someone else actually has a proper basis, a task, a role, a consent, to receive that person's data.
  • Redaction: removing or obscuring, in a released copy, the parts that the requester is not entitled to see, so that what is justified can be shared without disclosing what is not.
  • Disclosure record (release log): the recorded note of what was released, to whom, when, on what authority, and for what purpose, so that every disclosure can be accounted for afterwards.
  • Third party: anyone who is not the subject of the record; a third-party request for a person's data is held to a higher test than the subject's own request.

The three questions before any release

The heart of safe disclosure is a habit of mind: before any information leaves the orderly room, three questions are answered, deliberately, every time. Who is asking? What are they entitled to? For what purpose? Only when all three have honest answers does anything get released, and the answers shape not just whether to release but how much. The discipline matters because the natural pull is the opposite: someone asks confidently, often someone senior or in a hurry, and the easy thing is to hand over the record because asking felt like authority. It is not. The confidence of the asker is not the entitlement to receive, and an administrator who releases to whoever asks firmly has no control over the personal data they were trusted to hold. The three questions are how the administrator keeps that control, courteously and consistently, answering everyone the same way: tell me who you are, what you are entitled to, and why, and I will release what that justifies.

Take the questions in turn. Who is asking decides which test applies, because the subject asking for their own record, a member of the force asking for a task, and an outside body asking about a national are three different situations with three different entitlements. Establishing who the requester really is, not merely who they claim to be, is the first gate, and it is why identity verification comes before anything is shared. What are they entitled to is the substance: the subject is generally entitled to their own information; a person within the force is entitled to what their task requires and no more, on a need-to-know basis; an outside party is entitled only to what a proper basis allows, often very little, and frequently the right answer to an outside request is to confirm nothing without the subject's consent or a lawful requirement. For what purpose both justifies and limits: a stated, legitimate purpose is what makes a release proper, and it also bounds it, because the purpose tells you exactly how much is needed, which is usually far less than the whole file. A commander planning a task needs a member's qualifications, not their medical history; answering the purpose is what stops a reasonable request from becoming an over-disclosure.

   THREE QUESTIONS BEFORE ANYTHING LEAVES THE ORDERLY ROOM

   1. WHO is asking? ........ decides which test applies + must be
        |                     VERIFIED (not just claimed)
        |     subject (the person themselves)
        |     within the force (for a task)
        |     outside / third party
        v
   2. ENTITLED to WHAT? ..... the substance
        |     subject ........ generally their OWN information
        |     within force ... only what the TASK requires (need to know)
        |     outside ........ only what a proper basis allows (often
        |                       nothing without consent / a requirement)
        v
   3. For what PURPOSE? ..... justifies AND limits
              a legitimate purpose makes release proper, and bounds it:
              "qualifications for a task" =/= the whole file
              (medical history not needed -> not released)

   RELEASE ONLY when all three have honest answers, and only as much
   as they justify. The asker's CONFIDENCE is not an entitlement.

Subject access: a member's own record

The most common and most important release is the subject access request: a member asking for their own information. The starting point is openness, not suspicion. The record is the account of that member's own service, and they are generally entitled to see it and to have a copy; the force holds the record on their behalf as much as on its own, and a member who wants to know what their record says is exercising a normal and proper right, not making a nuisance. An orderly room that treats a member's request for their own record as an imposition has the relationship backwards. So the default for a subject access request is to grant it, helpfully and within a reasonable time, once the member's identity is confirmed.

That said, subject access is handled with two pieces of care. The first is identity: even a subject must be verified, because the danger of subject access is the impostor, the person claiming to be the member in order to obtain the member's data. Verifying that the requester really is the subject, by whatever the orderly room's standard requires, is what keeps an open right from becoming an open door. The second is the limited exceptions: a member's own record may occasionally contain something that is properly withheld even from them, most commonly information about a third party that is tangled into the member's record and cannot be released without disclosing that other person's data, or material whose release a specific rule restrains. These exceptions are narrow and are the reason a subject access request is answered by an administrator who knows the rules and not handed over wholesale; the approach is to release the member's own information fully and to withhold or redact only the specific things that a clear rule protects, explaining as far as is proper that something has been withheld. The contrast with a third-party request is sharp and worth holding onto: where the subject's own request begins from "yes, with identity confirmed," a third party's request about that member begins from "no, unless there is a proper basis," because someone else asking about a national's service must show a right to receive it before anything is shared.

The disciplines that make a release safe

Whatever the request, four disciplines turn a release decision into a safe act, and they apply to subject access and third-party requests alike. The first is verify before you disclose. Identity and, for a third party, authority to receive are confirmed before anything leaves, never after, because the whole danger of disclosure is its irreversibility: a record released to an impostor or to someone with no right to it is released for good, and no apology recovers it. Verification is the gate, and it is closed until the requester is established. The administrator who discloses first and verifies later has, in the cases that matter, already lost.

The second is release only what is justified. The entitlement and the purpose decide how much, and the answer is almost never "the whole file." A confirmation that a member holds a qualification can often be given without releasing the record at all; a commander's task need is met by the relevant qualifications, not the member's full history; an outside confirmation of service may be a single fact. Releasing the minimum that satisfies the legitimate purpose is the working form of the need-to-know and data-minimisation principles of Lesson 04, applied at the moment of disclosure. The third is redact what must not be shared. When a justified release sits in a document that also contains things the requester is not entitled to, the answer is not to refuse the whole nor to hand over everything, but to release a copy with the protected parts removed or obscured, so the entitled information is shared and the rest is not. The fourth is record the disclosure. Every release is noted, what was released, to whom, when, on what authority, and for what purpose, so that the orderly room can always answer, later, what left its hands and on what basis. This disclosure record is part of the audit trail of the file exactly as a minute is in Lesson 03, and it is what turns release from an untraceable act into an accountable one. Together these four, verify, limit, redact, record, are how the administrator gives the force what it legitimately needs from the records while keeping faith with the national whose data it is, and they all rest on the single rule that governs the whole lesson: because a disclosure cannot be undone, the decision is always made before the record leaves, never after.

   FOUR DISCIPLINES OF A SAFE RELEASE  (subject access + third party)

   1. VERIFY BEFORE YOU DISCLOSE
        identity (and, for a third party, AUTHORITY to receive)
        confirmed FIRST -> a release to an impostor cannot be recovered

   2. RELEASE ONLY WHAT IS JUSTIFIED
        entitlement + purpose decide HOW MUCH; rarely the whole file
        (a confirmation often beats a copy) -> need-to-know (Lesson 04)

   3. REDACT WHAT MUST NOT BE SHARED
        justified info inside a doc with protected parts ->
        release a copy with the protected parts removed/obscured
        (not "refuse all", not "hand over all")

   4. RECORD THE DISCLOSURE
        what / to whom / when / on what authority / for what purpose
        -> the release is accountable, part of the file's audit trail

   THE RULE UNDER ALL FOUR: a disclosure is IRREVERSIBLE, so the
   decision is made BEFORE the record leaves, never after.

In Practice: Two requests in one morning

Corporal Adeyemi handles two requests for the same member's information in a single morning, and the difference between them is the whole of this lesson. The first comes from the member herself, Private Okello, who asks for a copy of her service record because she is preparing an application and wants to check what it says about her courses. Adeyemi's starting point is openness: it is her own record, and she is entitled to it. He does not treat the request as a nuisance. But he does verify that the requester is genuinely Private Okello, to the orderly room's standard, because the one real danger of subject access is an impostor seeking her data. Identity confirmed, he prepares a copy of her record. In reviewing it he notices one section that records a detail about another member, tangled into an entry that concerns them both; that third party's data he cannot release even to Okello, so he redacts that single item, releases the rest of her own record in full, and notes plainly that one item has been withheld because it concerns another person. He records the disclosure, what was released to whom and when and why, on the file.

The second request comes an hour later by telephone, from someone who says he is calling from an outside body and asks Adeyemi to "just confirm" Okello's rank, posting, and dates of service. The caller is brisk and sounds official. Adeyemi treats this request the opposite way round, because the requester is a third party and the default is not "yes" but "no, unless there is a proper basis." He cannot verify the caller's identity or authority to receive over an unverified phone call, and he has no consent from Okello and no lawful requirement in front of him. So he discloses nothing. Courteously, he explains that he cannot confirm any member's details to an outside party without the proper basis, and sets out how a legitimate request should be made in writing so that the requester's authority and the member's position can be established. He records the request and his refusal. Had he done the easy thing and "just confirmed" the details to a confident voice, he would have disclosed a national's data to an unverified stranger, irreversibly, on nothing but the caller's tone.

By mid-morning Adeyemi has served the force and protected the national in the same two acts. Okello has her own record, fully and promptly, with only what a clear rule protects withheld. The outside caller has been declined, correctly, and pointed to the proper channel. Both requests were for the same data; one began from "yes, with identity confirmed" because it was the subject's own, the other from "no, unless a proper basis is shown" because it was a third party's, and Adeyemi answered each by its real entitlement rather than by how confidently it was asked. That is releasing records the right way: who, entitled to what, for what purpose, verified before disclosing, limited and redacted to what is justified, and recorded so it can always be accounted for.

Check Your Understanding

  1. State the three questions an administrator answers before any release, and explain how each shapes not just whether to release but how much. Why is the confidence of the person asking never, by itself, an entitlement to receive?

  2. Explain how a subject access request, a member asking for their own record, is handled, including the starting point, the identity care it still requires, and the narrow exceptions. How does it differ in default from a third party asking about that same member, and why?

  3. Describe the four disciplines that make a release safe (verify, release only what is justified, redact, record) and the single rule beneath them about irreversibility. For each discipline, explain what harm it prevents, and why "release a redacted copy" is often the right answer when a justified release sits in a document containing protected information.

Reflection (write a short paragraph): A disclosure cannot be undone: once a national's personal data is given to the wrong person, no apology recovers it. Think about how that irreversibility should change the way an administrator responds to a confident, hurried request to "just confirm" something. Why is it harder to hold the line, to verify first and release only what is justified, when the asker sounds official and impatient, and what does it take in an administrator's character, not just their knowledge, to keep faith with the person whose data it actually is?

Summary

  • Records are kept to be used, and use often means releasing information, but a disclosure cannot be undone: a record wrongly withheld frustrates the force, and a record wrongly released to the wrong person is disclosed for good. Getting release right every time is how the orderly room serves the force without betraying the national whose data it holds.
  • Before any release, answer three questions: who is asking, what are they entitled to, and for what purpose. The answers decide both whether to release and how much, and the asker's confidence is never an entitlement.
  • Who is asking decides the test: the subject is generally entitled to their own information; a person within the force gets only what their task requires (need to know); an outside party gets only what a proper basis allows, often nothing without consent or a lawful requirement.
  • Handle a subject access request from openness: the member is generally entitled to their own record, granted helpfully once identity is verified, with only the narrow exceptions (chiefly a third party's data tangled into the record) withheld or redacted. This begins from "yes, with identity confirmed," where a third-party request begins from "no, unless a proper basis is shown."
  • Make every release safe with four disciplines: verify identity and authority before disclosing; release only what the entitlement and purpose justify, rarely the whole file; redact what must not be shared rather than refusing all or releasing all; and record what was released, to whom, when, on what authority, and why.
  • Because disclosure is irreversible, the decision is always made before the record leaves, never after; the administrator who discloses first and verifies later has, in the cases that matter, already lost.
  • Cross-references: applies the need-to-know, data-minimisation, and access-control principles of ADM 201 Lesson 04 (Retention, Disposal, and Confidentiality) at the moment of disclosure; records each release as an audit-trail entry like a minute in ADM 201 Lesson 03 (Registry); rests on the accuracy and integrity standard of ADM 201 Lesson 10; and aligns with the records and data security of CIS 220 (Identity, Access, and Records Security).

Crown Copyright © 2026 | Published by Authority of H.R.H. The Prince of Kaharagia

Lesson 8 · Knowledge Check

Question 1 of 3

What three questions are answered before any release?