Watchdog reports on foster agencies

by Mark Rowe

The dilemma of having to balance data security with getting the job done promptly was raised in a report published by the Information Commissioner’s Office (ICO). The data security watchdog highlighted how independent fostering and adoption agencies have to look after sensitive personal information.

The report noted that foster agencies often send personal information about foster carers – such as criminal convictions and medical history – without encryption, because the agencies feel that if they do not provide a quick means for councils to access their foster carers’ information, a local authority will simply use another fostering service.

The report summarises the findings from ten advisory visits by the ICO with independent fostering and adoption agencies in England. These agencies regularly process sensitive personal information relating to the care and wellbeing of vulnerable children. They need to share this information with other organisations, notably local authorities who will then also have responsibility for making sure the information is handled correctly.

The ICO found a number of common problems that put the security of sensitive personal information at risk. These included insecure transfers between agencies and local authorities, and between carers and agencies. There was also a general lack of appropriate staff training, not enough guidance for carers, and a failure to encrypt sensitive personal information held on mobile devices, such as laptops and memory sticks. If lost or stolen, any such devices containing sensitive personal data could be easily accessed. Where such losses occur and encryption has not been used to protect the data, the ICO says that it’s more likely to pursue what it terms ‘regulatory action’.

Fostering agencies often require carers to provide them with updates about looked-after children, but they do not provide secure methods, such as VPNs, by which to do this. Sensitive personal information is therefore processed on home computers and stored in the ‘cloud’ in ISP or webmail accounts (Hotmail, Gmail etc.). As data controllers, agencies are responsible for this information and they must ensure it is stored, transmitted and eventually disposed of securely.

On a more positive note, most agencies had adequate system access controls in place so that sensitive personal information could only be accessed by those staff who needed to see it. One agency also demonstrated good practice by commissioning an information security audit in order to highlight and address areas of weakness.

John-Pierre Lamb, ICO Group Manager in the Good Practice team, said: “The work fostering and adoption agencies carry out is vital to helping some of the most vulnerable young people in society. Keeping their sensitive personal information secure must be recognised as an important part of this process and agencies must have the necessary safeguards in place to keep this information safe whether it’s in the office, at home or on the road.

“The worst breaches of the Data Protection Act can lead to a monetary penalty of up to £500,000, but when you consider the sensitivity of the information this sector is responsible for, the human cost could be far more significant. Agencies and the councils they work with should see this report as a wake-up call and take action before it’s too late.”

Last year the ICO fined two councils a total of £150,000 after sensitive information relating to the care of young people was lost by their social services departments. The ICO says that it’s working with the Nationwide Association of Fostering Providers (NAFP), the British Association for Adoption and Fostering (BAAF) and The Fostering Network to address the issues raised in the report and help them produce appropriate data protection guidance for the sector.

Harvey Gallagher, Chief Executive of the Nationwide Association of Fostering Providers (NAFP) said: “NAFP welcomes this report – there’s clearly much more we could be doing to ensure that information about children and carers is handled securely. As providers of services, it is our responsibility to ensure this happens and we should make every effort to get this right.

“The ICO found some good practice with regard to the internal controls put in place by agencies. But the significant challenge is at the interface between local authorities and independent providers where local services are under significant pressure.

“We could do much more to streamline some of the unnecessarily complicated information gathering that makes the task of handling that information so much more difficult. NAFP looks forward to working with ICO over the coming months to raise the standard of information handling in fostering to ensure we are the best we can be.”

Jacqui Lawrence, Fostering Development Consultant at the British Association for Adoption and Fostering (BAAF) said: “BAAF welcomes this report in highlighting some of the complexities around processing personal data. Local authorities and independent fostering and adoption agencies need to work together to ensure good practice is implemented. In a world of changing technology and an increased need to share and process sensitive personal information, agencies need to be constantly aware of their roles and responsibilities as data controllers.”

And Helen Keaney, Practice Support Team Manager at the Fostering Network, said: “We’re pleased to welcome ICO’s report, which highlights really important learning for independent fostering providers and local authorities. We shall be working with the ICO and other stakeholders to ensure that the issues raised in the report are understood and addressed, in particular developing appropriate data protection guidance for the sector.”

© 2024 Professional Security Magazine. All rights reserved.
