A report by the Information Commissioner’s Office has warned of insecure transfers of sensitive personal information between independent fostering and adoption agencies and local authorities.
The ICO report, which was compiled from 10 advisory visits made by the watchdog to agencies, found that highly sensitive personal information – including medical history, marital status, sexuality, relationship information, employment, criminal convictions and religious beliefs – concerning foster carers and looked after children was "routinely emailed" between agencies and local authorities for the purpose of arranging foster care placements, without encryption safeguards in place.
"The lack of such safeguards increases the risk that the information could be inappropriately accessed," the watchdog said.
The ICO said there appeared to be a number of factors contributing to this practice:
- "It was reported that local authorities are often reluctant to accept encrypted information via email as their IT security systems block the messages and it can be time consuming and difficult to liaise with their IT team to unblock them.
- In addition, it was suggested that local authorities may not wish to deal with a multitude of encryption programs being used by different agencies.
- Foster agencies in particular often send this information without encryption because they feel that if they do not provide a quick means for local authorities to access their foster carer’s information, a local authority will simply use another fostering service."
Other common problems found by the ICO were: a general lack of appropriate staff training; insufficient guidance for carers; a failure to encrypt sensitive personal information held on mobile devices; a failure to adopt secure printing procedures; a failure to change passwords on a regular basis; and a lack of information security breach procedures.
The report also said that the nature of the sector and the significant volume of sensitive personal data being created and exchanged within it lead to "a real risk that some of the information processed/held is either excessive, retained for longer than necessary, or both".
The ICO did, however, report that most agencies had adequate system access controls in place, so that only those staff who needed to see sensitive information could access it.
The watchdog praised one agency for commissioning an audit of its information security to identify potential weaknesses in its approach.
The ICO said it was working with the Nationwide Association of Fostering Providers, the British Association for Adoption and Fostering and The Fostering Network to address the issues raised. Appropriate data protection guidance for the sector will be developed.
The ICO report can be viewed here.
John-Pierre Lamb, ICO Group Manager in the Good Practice team, said: “The work fostering and adoption agencies carry out is vital to helping some of the most vulnerable young people in society.
“Keeping their sensitive personal information secure must be recognised as an important part of this process and agencies must have the necessary safeguards in place to keep this information safe whether it’s in the office, at home or on the road.”
Lamb said the report should be seen by agencies and local authorities “as a wake-up call” to take action before it was too late.
Harvey Gallagher, chief executive of the NAFP, said: “The ICO found some good practice with regard to the internal controls put in place by agencies. But the significant challenge is at the interface between local authorities and independent providers where local services are under significant pressure.
“We could do much more to streamline some of the unnecessarily complicated information gathering that makes the task of handling that information so much more difficult.”