Information Commissioner's Office

Report highlights data protection challenges for fostering and adoption agencies

A report published by the Information Commissioner’s Office (ICO) today has highlighted the challenges independent fostering and adoption agencies are facing when looking after sensitive personal information.

The report summarises the key findings from 10 advisory visits carried out by the ICO with independent fostering and adoption agencies in England. These agencies regularly process significant amounts of sensitive personal information relating to the care and wellbeing of vulnerable children. They need to share this information with other organisations, notably local authorities who will then also have responsibility for making sure the information is handled correctly.

The ICO found a number of common problems that put the security of sensitive personal information at risk. These included insecure transfers between agencies and local authorities, and between carers and agencies. There was also a general lack of appropriate staff training, insufficient guidance for carers, and a failure to encrypt sensitive personal information held on mobile devices, such as laptops and memory sticks.

On a more positive note, most agencies had adequate system access controls in place so that sensitive personal information could only be accessed by those staff that needed to see it. One agency also demonstrated good practice by commissioning an information security audit in order to highlight and address areas of weakness. 

Announcing the publication of the report, John-Pierre Lamb, ICO Group Manager in the Good Practice team, said:

“The work fostering and adoption agencies carry out is vital to helping some of the most vulnerable young people in society. Keeping their sensitive personal information secure must be recognised as an important part of this process and agencies must have the necessary safeguards in place to keep this information safe whether it’s in the office, at home or on the road.

“The worst breaches of the Data Protection Act can lead to a monetary penalty of up to £500,000, but when you consider the sensitivity of the information this sector is responsible for, the human cost could be far more significant.

“Agencies and the councils they work with should see this report as a wake-up call and take action before it’s too late.”

Last year the ICO issued two councils with monetary penalties totalling £150,000 after sensitive information relating to the care of young people was lost by their social services departments.

The ICO is working with the Nationwide Association of Fostering Providers (NAFP), the British Association for Adoption and Fostering (BAAF) and The Fostering Network to address the issues raised in the report and help them produce appropriate data protection guidance for the sector.

Welcoming the ICO report, Harvey Gallagher, Chief Executive of the Nationwide Association of Fostering Providers (NAFP), said:

“NAFP welcomes this report – there's clearly much more we could be doing to ensure that information about children and carers is handled securely. As providers of services, it is our responsibility to ensure this happens and we should make every effort to get this right.

“The ICO found some good practice with regard to the internal controls put in place by agencies. But the significant challenge is at the interface between local authorities and independent providers where local services are under significant pressure.

“We could do much more to streamline some of the unnecessarily complicated information gathering that makes the task of handling that information so much more difficult. NAFP looks forward to working with ICO over the coming months to raise the standard of information handling in fostering to ensure we are the best we can be.”

Responding to the report, Jacqui Lawrence, Fostering Development Consultant at the British Association for Adoption and Fostering (BAAF), said:

“BAAF welcomes this report in highlighting some of the complexities around processing personal data. Local authorities and independent fostering and adoption agencies need to work together to ensure good practice is implemented. In a world of changing technology and an increased need to share and process sensitive personal information, agencies need to be constantly aware of their roles and responsibilities as data controllers.”

Helen Keaney, Practice Support Team Manager at the Fostering Network, said:

"We're pleased to welcome ICO's report, which highlights really important learning for independent fostering providers and local authorities.

"We shall be working with the ICO and other stakeholders to ensure that the issues raised in the report are understood and addressed, in particular developing appropriate data protection guidance for the sector."

 

Notes to Editors

1. The Information Commissioner’s Office upholds information rights in the public interest, promoting openness by public bodies and data privacy for individuals.

2. The ICO has specific responsibilities set out in the Data Protection Act 1998, the Freedom of Information Act 2000, Environmental Information Regulations 2004 and Privacy and Electronic Communications Regulations 2003.

3. The ICO is on Twitter, Facebook and LinkedIn, and produces a monthly e-newsletter.

4. Anyone who processes personal information must comply with eight principles of the Data Protection Act, which make sure that personal information is:

  • Fairly and lawfully processed
  • Processed for limited purposes
  • Adequate, relevant and not excessive
  • Accurate and up to date
  • Not kept for longer than is necessary
  • Processed in line with your rights
  • Secure
  • Not transferred to other countries without adequate protection

5. If you need more information, please contact the ICO press office on 0303 123 9070.
