Recording and Data Protection: Logs, Photos and GDPR

Foster carers record everyday life so professionals can understand a child’s needs, progress and risks. Done well, recording protects the child and you; done badly, it can breach privacy, undermine trust, and cause problems at school or in court. This guide explains what to record, how to store it safely, when photos or videos are appropriate, and how UK GDPR principles apply in a foster home.

Why recording matters (and what “good” looks like)

Purpose before paperwork

Ask yourself: Why am I writing this down? Records must have a clear purpose—safeguarding, health, education, contact, or decisions made—and be factual, proportionate, and child-centred. Avoid commentary that’s opinionated or speculative. If you offer an interpretation, label it clearly (“My observation/opinion”).

The core principles to follow

UK GDPR principles translate well to daily fostering practice:

• Lawfulness, fairness, transparency: The child (in an age-appropriate way) and those with parental responsibility should know what is recorded and why.
• Purpose limitation: Record only what’s needed for care planning, safeguarding or legal duties.
• Data minimisation: Keep entries concise and relevant—not a minute-by-minute diary.
• Accuracy: Separate facts from feelings; correct errors quickly.
• Storage limitation: Keep records only as long as policy says.
• Integrity and confidentiality: Keep data secure (locked, encrypted, access-controlled).

What to record (and what to leave out)

Keep: facts that affect safety, health, education or contact

• Significant events: injuries, disclosures, missing episodes, risky behaviour, police calls.
• Health: GP, dentist, immunisations, medication given (time/dose), health appointments and outcomes.
• Education: attendance issues, homework support, meetings (PEP/EHCP), school updates.
• Contact: dates, who attended, venue, what went well/what didn’t, practical issues; avoid judging birth family—describe behaviour, not character.
• Daily living highlights: achievements, new skills, friendships, mood changes that persist.
• Decisions: who decided, when, and why (e.g., curfew agreement, safety plan).

Avoid: unnecessary detail or identifiers

• Gossip, third-hand information, or speculation.
• Excessive routine notes (e.g., what they wore) unless relevant to a plan or concern.
• Names of peers/teachers unless essential—use roles (“class teacher”) or initials.

Tip: Imagine your note being read in a PEP review, by the child at 18, or in court. If it doesn’t help understanding or decision-making, it probably doesn’t belong.

How to write strong entries

Factual, structured and timely

Use a simple structure: Date/Time → Event/Observation → Action Taken → Outcome/Next Steps. Write in the same day while details are fresh. If you correct an entry, note when and why.

Language that protects dignity

Use neutral, respectful wording (“became upset and left the room” rather than “had a meltdown”). Record behaviour and impact, not labels.

Photos, videos and social media

When a photo is appropriate

Photos can support life-story work and show progress (first day at school, celebrations, achievements). They can also evidence damaged property or injuries (as advised by your SSW). Keep to necessary and proportionate images and follow the child’s plan.

Consent and restrictions

• Check the care plan and school/photo consent forms before taking or sharing images.
• Some children must not be identifiable online; turn off location tagging, avoid uniforms/street signs, and never post on public social profiles.
• For contact sessions, follow agency/court rules—photos may be restricted or supervised.

Storage and sharing

• Store images in the approved system (agency portal/secure app).
• If you must hold them temporarily on a device, encrypt the device and upload promptly; then delete local copies.
• Never share images via personal social media, group chats, or unapproved cloud folders.

Devices, messaging and email

Secure-by-default

• Phone and laptop: enable PIN/biometrics, automatic lock, and full-disk encryption.
• Backups: use agency-approved, UK/EEA-hosted or contractually compliant cloud services.
• Email: use the official email for case information; avoid sending personal data to or from private accounts.

Messaging apps

• Use agency-approved apps for case discussions. Avoid forwarding sensitive information into WhatsApp groups. If a professional messages you informally, move the decision record back into the official system (“As agreed via call/text at 15:30, curfew extended to 9pm. SSW to update plan.”).

Paper notebooks vs digital systems

Paper (if allowed)

• Keep the minimum at home, in a locked cabinet.
• Number the pages, use black ink, and don’t tear out pages.
• Move key information into the official digital record as soon as possible.

Digital (preferred)

• Use the agency’s recording portal or app.
• Don’t store permanent files on a shared family laptop profile.
• Keep filenames neutral (e.g., “PEP-minutes-2025-09-14.pdf”).

Subject access requests (SAR) and the child’s right to know

Who can see records?

Children and those with parental responsibility may ask to see information held about them. If a SAR arrives, do not self-edit—notify your SSW/agency. Some information may be withheld (e.g., third-party data, risk to the child), but decisions are taken by the data controller, not the carer.

Write today for tomorrow’s reader

Assume the child may read your entries at 18. Keep tone compassionate, clear, and free of unnecessary detail that could harm relationships.

Data retention and disposal

Know your schedule

Your agency/local authority sets retention periods. As a carer, you usually hand back records when a placement ends; keep only what policy allows. For any paper you’re permitted to dispose of, use cross-cut shredding or the agency’s confidential waste route.

Photographs, doorbells, dashcams and home CCTV

Minimise capture, maximise privacy

• Video doorbells/CCTV: Check placement rules and local policies. Cameras must not record bathrooms/bedrooms. Inform visitors if recording is active and ensure footage is secure, retained briefly, and accessible only to authorised adults.
• Dashcams: If used, never publish footage online. Retain only if required for an incident and share via the official route.

Breaches and near misses

What counts as a breach?

Loss, unauthorised access, or disclosure of personal data—e.g., emailing a school report to the wrong address or losing a paper diary.

What to do immediately

1. Contain: retrieve or secure the data if possible.
2. Report: inform your SSW/agency same day; they’ll decide if the ICO and data subjects must be notified.
3. Record and learn: note what happened, why, and how you’ll prevent a repeat (e.g., double-check email recipients, use password-protected attachments).

Courts, evidence and professional standards

Notes that stand up

Courts value contemporaneous, factual notes. Avoid emotive adjectives; stick to who, what, when, where, how, and include actions taken (“Applied first aid; attended UTC at 19:10; discharge letter uploaded.”).

Sharing with schools and health

Share only what’s necessary for the task (medication plan, risk alerts, attendance actions). Use secure channels. Log what you shared, with whom, and why.

Practical do’s and don’ts (quick checklist)

Do

• Date/time-stamp every entry and sign/initial if on paper.
• Use the official system for logs, documents and photos.
• Keep devices locked and encrypted; change passwords regularly.
• Explain to the child (in simple terms) what you record and why.
• Record decisions and who authorised them.
• Report data breaches immediately to your SSW.

Don’t

• Store case notes in personal email, Notes apps, or family cloud folders.
• Post identifiable images online (including school logos, street signs).
• Include unnecessary third-party names or speculation.
• Keep records longer than policy allows.
• Share documents via messaging apps unless expressly approved.

Final word: safe, simple, child-centred

If you hold one idea from this guide, make it this: record with purpose. Every line should help keep a child safe, support their progress, or explain a decision. Pair that with tight privacy habits—approved systems, minimal data, secure devices—and you’ll meet both professional expectations and UK GDPR standards while protecting the child’s dignity and your own.