Data Protection for Foster Carers: GDPR and Safe Recording

Looking after a child in care inevitably involves handling sensitive information—health, education, family background, court orders and daily observations. In the UK, foster carers are expected to record what’s necessary for the child’s plan and safety while protecting privacy under the UK GDPR and the Data Protection Act 2018 (DPA 2018). This guide explains what that means in practice—what to record, how to store it, what you can share, and how to stay compliant day-to-day.

1) The basics: what rules apply?

Two frameworks matter most:

• UK GDPR principles: personal data must be processed lawfully, fairly, and transparently, kept accurate, limited to what’s necessary, secure, and not kept longer than needed. These “Article 5” principles underpin everything a carer does with information.
• DPA 2018: provides UK-specific rules and exemptions (e.g., for safeguarding/crime) that sometimes modify GDPR rights and duties.

In fostering, the local authority or IFA is typically the data controller. Foster carers act on the service’s instructions, using agency policies (handbooks, recording guidance, retention schedules). You should always follow your service’s recording policy—and ask your supervising social worker (SSW) if in doubt. National Minimum Standards expect carers to keep good records that respect confidentiality.

2) Lawful basis: why you’re allowed to record

Every time you write a log, save a photo or share information with school or health, there must be a legally valid reason—your lawful basis. For children’s social care, the controller (LA/IFA) usually relies on public task or legal obligation; you, as the carer, record under their policy/instructions. When the information is special category data (health, ethnicity, religion, sexual orientation, etc.), UK GDPR also requires an Article 9 condition—commonly health/social care or substantial public interest (safeguarding).

Key point: you don’t normally need “consent” to record care-planning or safeguarding information, because the lawful basis is different. If you do use consent (e.g., optional publicity), it must be freely given and withdrawable—ask your SSW first.

3) What to record—and what not to

Record what is necessary and proportionate to the child’s plan and safety:

• Daily logs: factual, time-stamped notes on health, education, routines, contact, behaviour, significant events and actions taken.
• Schedule 6/7 events (England): accidents, injuries, restraints, allegations, missing episodes, medication errors, complaints—report and record without delay.
• Life-story items: memorabilia and photos (handled safely) help a child understand their history, as encouraged by Standard 26.

Avoid opinions, labels or unnecessary detail. Write in neutral, descriptive language (“who/what/where/when”), and link to the plan or risk assessment when relevant. Several councils publish clear recording do’s/don’ts for carers—check your local guidance.

4) Safe storage: paper, phones and the cloud

Services consistently stress the same fundamentals:

• Paper: keep in a locked cabinet; don’t leave files on tables, cars or shared areas.
• Digital: use password-protected devices and agency-approved systems; enable device encryption and auto-lock; don’t store records in personal email or consumer clouds unless the agency has approved it.
• Photos & media: where a child’s image is needed for records or life-story work, store and upload promptly to the service’s system; remove from your phone when directed; never post on social media.
• When a placement ends: return all documents and media to the agency; do not keep copies.

5) Sharing information: schools, health and contact

Fostering depends on appropriate information sharing—for safety, education and health outcomes. The legal route is your controller’s lawful basis and, where relevant, UK GDPR/DPA exemptions (e.g., safeguarding). Good practice is to share the minimum necessary with the right person and record why you shared it. National practice manuals and procedures sites remind carers that confidentiality and sharing both sit within Regulations and Standard 26.

If you receive a Subject Access Request (SAR) from a parent or young person, do not respond directly. Notify your SSW/agency immediately; the controller handles SARs and applies any lawful exemptions (e.g., to avoid serious harm or to protect third-party data).

6) Special category data & safeguarding: get this right

Many foster records include health, ethnicity, religion, biometrics/photos, or sexual life/sexual orientation—all special category data under UK GDPR. Processing must satisfy Article 6 and an Article 9 condition (e.g., health/social care or substantial public interest for safeguarding). If you’re unsure whether a planned note or photo is appropriate, ask your SSW and log the reason for processing.

The DPA 2018 includes exemptions that sometimes limit disclosure or modify rights where necessary for safeguarding, crime and taxation, or regulatory functions. Controllers—not individual carers—decide when an exemption applies.

7) Retention and disposal

Keep records only for as long as the service’s policy states. Typically, carers upload or hand over records regularly; agencies keep the official file. On ending a placement (or ending approval), hand back and securely delete any digital files from your devices as instructed. Many local policies explicitly require carers not to retain copies.

8) Breaches and near-misses

A data breach is any security incident that leads to accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data. If you lose a diary, send an email to the wrong recipient, or a phone with photos goes missing, tell your SSW immediately. Controllers must assess and sometimes report to the ICO and notify affected individuals. Sector resources (e.g., CoramBAAF) provide practical checklists agencies use for training and response.

9) Practical day-to-day checklist for carers

Before you write it

• Is this necessary for safety, planning, education or health?
• Is it factual and proportionate? Could a shorter note do?
• Am I including special category data? If yes, is it clearly linked to the plan or risk?

When you store it

• Paper in a locked place; digital in an approved system or encrypted device.
• No personal cloud drives or family email accounts unless authorised.
• Keep apps (and messaging) professional: use agreed channels; avoid WhatsApp for formal records unless your service has a clear policy.

When you share it

• Share the minimum necessary with the right professional.
• Note who, what, why, and when you shared.
• Route SARs and unusual requests straight to the agency.

When things go wrong

• Report immediately; follow instructions on containment (e.g., remote-wipe a device, contact recipient to delete an email). Training and policies should cover this; ask for refreshers.

10) How Standard 26 connects the dots

Standard 26 of the Fostering National Minimum Standards expects accurate, child-centred records that help children understand and reflect on their history—while respecting privacy. In practice: write clear, neutral notes; store securely; share appropriately; and support the child to keep safe memorabilia. That is exactly what UK GDPR asks of you: necessary, accurate, secure and time-limited processing with a clear legal basis.

Final word

Good recording keeps children safe, supports school and health, and protects you as a professional carer. If you stick to four questions—Do I need it? Is it accurate? Is it secure? Who needs to see it?—you’ll meet the spirit of UK GDPR and the fostering standards. When in doubt, check your agency’s recording policy, ask your SSW, and remember that privacy and good care go hand in hand.