Digital Recording and Data Protection for Foster Carers (UK)

Good records keep children safer, help professionals make better decisions, and protect you as a carer. In 2025, most fostering services ask carers to write and submit logs digitally. That means everything from a photo of homework on your phone to a medication entry in your laptop becomes personal data—and, very often, special category data—with legal duties attached. This article explains what to record, how to keep it safe, and what the law expects, in clear, everyday terms for foster carers in England.

Why digital recording matters—and who controls the data

Digital recording isn’t just admin. Timely, factual notes help social workers spot patterns, track progress, and act quickly if something isn’t right. Because the data is about a child, it gets extra protection in law: UK GDPR says children’s data deserves specific safeguards and plain-language handling that puts their interests first.

In most cases, your fostering service (local authority or IFA) is the data controller and sets the rules on what you record, how you store it, who you share it with, and how long it’s kept. As a carer, you handle the information on their behalf and must follow their policies, training, and systems. Councils’ privacy notices make this explicit—for example, Buckinghamshire states its fostering service is the data controller.

Your role under UK GDPR

Carers generally act under the controller’s instructions (your agency’s policies, templates, portals). The ICO’s controller/processor guidance explains the split in responsibilities and why controllers must be able to demonstrate compliance with data protection principles. Practically, that means you keep accurate, necessary records and follow the security measures your service specifies.

Lawful bases and special category data (health, identity, beliefs)

Fostering involves processing a lot of sensitive information. Every piece of processing must have a lawful basis under Article 6 UK GDPR; public authorities usually rely on public task. When the information is sensitive (health, ethnicity, sexuality, etc.), there also must be an Article 9 special category condition—most commonly substantial public interest for safeguarding or social care. Services’ privacy notices and the ICO’s guidance set out these routes.

What this means day to day

You don’t need to get fresh consent each time you write a daily log or share an urgent concern. You’re recording and sharing because your service has a legal duty to safeguard and promote the child’s welfare. The key is to record only what’s necessary, keep it accurate, and share it with the right people for the right reasons.

What to record, how to write it, and who can read it

The Fostering Services: National Minimum Standards require carers to keep appropriate written records, including medication and health entries, and to present them clearly and non-stigmatisingly. Local recording policies build on this and explain exactly what your service expects in daily logs, incident reports, and contact notes.

Write entries that are factual, dated, and signed/attributed. Distinguish what you saw from what you thought; note who said what, and capture any actions taken or agreed. Avoid unnecessary third-party details; include links to relevant plans and emails if your portal allows.

Subject access and the child’s rights

Children and care leavers can ask to see information held about them via a Subject Access Request (SAR). The controller must respond within one month, with a possible extension if a request is complex. Write as if your notes will be read later by the young person; it’s both respectful and legally wise.

Storing information securely at home

Digital security starts with your household setup. Use a dedicated, password-protected user account on any device you use for fostering. Turn on full-disk encryption (BitLocker on Windows, FileVault on Mac), set auto-lock to a short timeout, and keep software and antivirus up to date. Your service may also require a separate email address for fostering or the use of secure portals.

Email, messaging and portals

Follow your agency’s instructions. Many services insist on secure portals or password-protected documents for anything sensitive. If email must be used, password-protect attachments and share passwords separately. Some services warn against older, less secure email providers and set rules for any messaging apps. When in doubt, send via the approved system and log that you’ve done so.

Photos, videos and social media

Photos and videos are personal data. Get explicit permission through the child’s social worker before taking or sharing images, and follow any restrictions in the care plan. Never post identifying information or images of a fostered child on social media; this creates obvious safeguarding risks and can breach confidentiality. If a young person posts their own images, alert the social worker and discuss online safety with them.

Sharing information lawfully and safely

Sharing is allowed—and essential—when it’s in the child’s best interests and necessary for safeguarding or care planning. The ICO’s data-sharing guidance for children confirms you may share where there’s a compelling reason, such as safeguarding; London’s safeguarding procedures emphasise having a legal basis under Articles 6 and 9. Share the minimum necessary, with the right people, and record why you did it.

If you move agency, regulations require the timely transfer of relevant records between services (typically within one month), so don’t delete or withhold information—work with your supervising social worker to ensure safe handover.

Retention and disposal: how long to keep things

You should not decide retention periods yourself. Your controller sets them. In England, fostering regulations and local procedures typically require foster carer records to be kept for at least 10 years after approval ends, and for refused/withdrawn applications at least 3 years. Dispose of anything you hold locally only when your service tells you it’s been captured in their system or the retention period has expired; when disposing, shred paper and securely wipe devices.

Note that some categories—such as adoption or certain children’s home records—are held for many decades (often 75–100 years) by the responsible authority, which underlines why carers should channel records into the official system rather than stockpiling local copies.

Data breaches: what to do within 72 hours

A personal data breach is any security incident that leads to accidental or unlawful loss, alteration, or unauthorised disclosure of personal data. If you email a log to the wrong school, lose a notebook, or your phone with un-uploaded photos is stolen, tell your supervising social worker immediately. Controllers must assess and—if there’s risk to rights and freedoms—report to the ICO within 72 hours, even if some details must be supplied later. Do not try to fix it quietly.

What counts as reportable?

Incidents that expose a child’s identity, location, health or school data tend to be risky and therefore notifiable. The 72-hour rule is taken seriously in practice and in enforcement, so escalate promptly and follow your service’s breach process.

Practical, everyday habits that keep you safe

Start each placement by confirming exactly where to record and how to send logs, photos and forms. Keep your daily log up to date, ideally the same day, and upload it to the portal rather than leaving copies on your device. Use strong, unique passwords and a password manager if your agency allows. Avoid storing documents in general cloud folders attached to personal accounts unless this is explicitly approved. If you must work offline briefly, keep files in an encrypted area and delete local copies once uploaded. When writing, remember a SAR may be made one day; write with empathy, clarity and respect.

Frequently asked questions carers raise

Can I keep my own “backup” of logs at home?

Only if your fostering service says so. As a rule, the official record is the one in the controller’s system. Keeping extra copies increases risk and complicates retention. Ask your supervising social worker before retaining anything locally.

Can I use WhatsApp or text with school or health?

Use the official channel. If your agency permits messaging for quick coordination, don’t share sensitive details there; follow with a proper note in the official record and a secure upload.

Can the child see what I’ve written?

They can request it through a SAR, and services must usually respond within one month. That’s why neutral, factual, and child-respectful language matters.

Do I need consent to share concerns?

No. You share under lawful bases like public task and substantial public interest for safeguarding. Share what’s necessary with professionals who need to know, and record your reasons.

Final word

Digital recording is part of the professional role of every foster carer. When you write clear, timely entries and keep them secure, you strengthen safeguarding, help professionals make good decisions, and protect yourself. Anchor your practice to three ideas: record what matters and nothing more, store and share it safely through approved systems, and escalate issues fast—especially potential breaches. If anything is unclear, ask your supervising social worker; they speak for the data controller and will make sure your recording stays both useful and lawful.

Key sources for carers

• ICO guidance on children’s data, lawful bases and special category data; SAR timelines; breach reporting obligations.
• DfE National Minimum Standards (recording and health/medication) and local recording policies that implement them.
• Retention and transfer expectations under the Fostering Services (England) Regulations 2011 and local procedures.
• Safeguarding-led data sharing principles for children.