In trying to make a decision about keeping records foster carers need to grapple with the GDPR. Ideally there’d be advice from fostering services on this but at the moment many of them are struggling to get their own houses in order let alone worrying about foster carers.
This means that foster carers are pretty much in the dark when it comes to where they stand. We’re going to try to shine a little light on this but it is complex and so unfortunately this will not be a short article.
The nearest there is to expert advice comes from a guide created by CoramBAAF. This guide focuses its attention on fostering services but it does briefly touch on foster carers were it says;
While foster carers are deemed to be self-employed for tax purposes, case law takes into account the specific issue in dispute, and in some contexts foster carers may be seen as akin to employees.
Complying with The GDPR and DPA 2018 – A good practice guide
And goes on to suggest that given this it may be unnecessary to have a data processing agreement with foster carers. Given that this is pretty much the only guidance available this seems like a good place to start. In order to reach this conclusion the guide cites two recent judgements.
The first is Glasgow City Council v. Johnstone where Lord Summer wrote:
20)… This factor points to the existence of a contract of employment. I note that unlike “ordinary” foster carers the Claimants were paid a substantial fee and not just expenses. Unlike “ordinary” foster carers they were permitted to take a holiday and were not required to take the child with them.
23)… I expressly decline to consider whether the level of control exercisable under an “ordinary” foster care arrangement brings the contract within the scope of a contract of employment.
48)… I have sought to make it clear that there are certain specialities about the present case. I have not sought to address the position of the ordinary foster carer.
https://assets.publishing.service.gov.uk/media/5f490238d3bf7f0a2e1e5c51/Glasgow_City_Council__v_1__Mr_James_Johnston_2__Mrs_Christine_Johnston___UKEATS_0011_18_JW.pdf
From this it’s pretty clear this was not a case that was in anyway applicable to us ‘ordinary’ foster carers.
The second case was Armes v Nottingham County Council but the interesting thing about this case is that it makes no sense if in fact the law lords considered foster carers to be employed. The first finding in this case was that local authorities did not have a non delegable duty of care. This wouldn’t be possible if foster carers are in fact employed by local authorities as you can’t delegate a duty of your own organisation. The second part of Armes v Nottingham County Council considered the doctrine of vicarious liability and indeed this is where the ‘akin to employees’ quote comes – but again this was a case asserting that vicarious liablity was applicable despite the self employed status of foster carers. The case wouldn’t have made sense if the lords had considered foster carers to actually be employed.
The actual case law that determines foster carers employment status is W v Essex County Council1. This asserts that because the terms of the fostering agreement entered into between fostering services and foster carers are laid out in statute it cannot be a contract and in order to be employed it is a requirement that there is an employment contract.
So foster carers are still in fact self employed. In fact, rather sensibly most fostering services have ignored this particular bit of CoraamBAAF advice and do have data processing agreements with their foster carers. This in itself is an acknowledgement by the fostering services that foster carers are not employees because employees cannot be data processors.
So if we’re self employed with respect to employment legislation then where does this leave us. As the CoramBAAF guide suggests, with respect to data we receive or create for fostering services we are data processors. As it’s name suggests this role is one of processing data for some one else, a data controller. For foster carers the data controller, the person in charge and responsible for this data, is their fostering service and foster carers must have data processing agreements with their fostering service.
Fostering services are collecting this data for their purposes not foster carers. Their main purposes are monitoring placements and handling allegations as part of their duty of care to the children for whom they are the corporate parents. They are not collecting data to protect foster carers because they have no such duty of care to foster carers as was established in W v Essex County Council.
So who is responsible for protecting foster carers? The answer, as it is for all self-employed people, is themselves. So what does this mean in practice. Well it means that we as foster carers are responsible for ensuring we have enough information about a placement that we will be able to fulfil our duty of care to ourselves in the event of foreseeable risks.
But before we start collecting data to protect ourselves we need to be sure that we have what the ICO calls a Legitimate Interest. The ICO helpfully breaks this down into three parts;
The purpose test
The first test is do foster carers have a legitimate purpose for collecting this data. What are the benefits, if any, of keeping this data? This purpose can be things as trivial as holding customer information for direct marketing. Foster carers would be keeping records of our day to day care and the reasons for our decisions to protect ourselves, our family, including our foster children from life changing harm. It also has the purpose of protecting our livelihoods. This purpose is so clear, necessary, and overwhelming that it’s difficult to grasp that it’s been overlooked. The unique risks we face and their devastating consequences are directly addressed in the “The Children Act 1989 – Guidance and Regulations Volume 4: Fostering Services” which states;
3.68. Any allegation made by a child must be taken seriously and investigated, since it is of the utmost importance to keep children and young people safe. However, foster carers do face a risk of being the subject of false allegations and this can be extremely traumatic for those involved and their families. Allegations may result in the removal of the child who made the allegation and potentially other foster children in the household. Unfounded allegations therefore affect not just of the fostering household but also the placement stability of foster children. The 2010 Regulations and Volume 2 must be adhered to when moving a child from their placement.
3.69. In addition to the negative impact on the child’s welfare and education of being moved to a new placement, there is the cost and impact on the local authority of having to find a new suitable placement for the children. There are also consequences for the fostering service, as badly handled allegations can lead to carers leaving fostering altogether.
The Children Act 1989 – Guidance and Regulations Volume 4: Fostering Services
The necessity test
The second test is – is it necessary for foster carers to hold this data for this purpose? Clearly somebody needs to be holding this information because foster carers definitely need the protection these records provide. But don’t the local authority hold this data in the form of daily logs for our benefit and wouldn’t we just be unnecessarily duplicating sensitive personal data? In order to answer this we need to establish if the local authority actually holds these weekly logs for the purpose of protecting foster carers from allegations and are these logs sufficient to protect foster carers?
Is there a regulatory duty for the local authority to protect the third parties they use to ‘accommodate’ the children in their care i.e. foster carers? The daily logs are kept for the purpose of fulfilling a regulatory requirement to care for the children they are responsible for and to monitor the care provided by foster carers. There are plenty of regulatory duties on local authorities for the protection of looked after children, many of which are to do with the supervision and support of foster carers but there is no such regulatory duty to protect foster carers. They do have duties to ensure that allegations are dealt with quickly (see minimum standard 22) and they do have duties to support us in the care we deliver (see minimum standard 21) but the underpinning legislation on record keeping is actually contained in schedule 2 of Fostering Service Regulations 2011 and only covers incident notification. There is also minimum standard 26 on record keeping but none of the underpinning legislation confers a duty on fostering services to keep records to protect foster carers from allegations.
This isn’t at all surprising because, as we established above, we are in fact self-employed third party contractors. Local authorities have a duty of care to their staff and to the children in their care. They have a duty to support and supervise their foster carers as part of this care to the child; they have a duty to investigate allegations and to provide support to foster carers who are the subject of allegations; but they do not have a regulatory duty of care to foster carers comparable to the duty they have to their staff. In fact, if a local authority was to offer a level of care to foster carers beyond these regulations they would be stepping in the direction of employment as was found in Glasgow City Council v Johnstone. Employers have a duty of care to their employees and a much more limited duty of care to contractors. Contractors have to ensure their own care; where they are subject to foreseeable harm they must make provisions to protect themselves from such harm.
And then there’s the practical side of how allegations are handled. A foster carer subject to an allegation will need access to all the files in order to protect themselves and their family. As long as this is a current looked after child who resides in the same local authority as the foster carer then there’s a fair chance these can be accessed fairly quickly. But what if you’ve moved or this is a historical allegation? It seems likely you would need a court order to get this data released by which time immeasurable harm may already have been done. Furthermore, if you check with your service provider often they only keep this data on foster carers files for a limited time (eg Staffordshire LA keeps them for 10 years). Remember these are not foster carer’s records – but service records kept for the purpose of protecting the child and from a regulatory standpoint they are not held for the purpose of protecting foster carers – they may well be kept for the speedy handling of allegations but this is very different than protecting and defending foster carers.
The final issue over necessity is are the logs the service collects sufficient for the purpose of protecting a foster carer facing an allegation. In many ways a daily journal on what is happening in a placement is exactly what is required in the case of an allegation and much of the information a foster carer will need will be similar to what they record for their daily logs. But there are many issues around this data that a foster carer may wish to note for additional context, for example, many foster placements start with missing or incorrect placement information. This is the type of additional background information that would give vital context to the often chaotic circumstances of caring for a child with complex behavioural issues but it needs to be recorded . For their monitoring needs, the service wants concise factual records and they certainly don’t want or need details that don’t directly affect the child. Foster carers facing challenging behaviours that they are struggling with – for example self harm, psychosis, aggression, verbal or physical abuse, sexualised behaviour – will often want to keep much more extensive records; including what advice they received and by whom. The reality is the more they record at the time the better off they will be if faced with an allegation.
It’s clear from this that despite some duplication of data the necessity test is clearly passed. We need clear, contemporaneous records that we can access when needed in order to protect ourselves, our families including our foster children, and our livelihoods. We cannot rely on the local authority to collect this data on our behalf because they do not have a regulatory basis to do so. The data they do collect is not readily accessible to foster carers. The data they hold is not kept long enough to be of help when foster carers face historical allegations. And finally the logs the service collects could be inadequate when foster carers are faced with an allegation as they are only about the child.
The necessity test also asks if there is a less intrusive way we could achieve the same purpose. It’s difficult to imagine a less intrusive data process than one where foster carers log their day to day activity and decisions for the single purpose of handling allegations. No one other than a court or the foster carer or the child – both of whom were already party to this activity in the first place – would ever have access to this data. This is such a narrow and specific purpose that the level of intrusion in most cases will be negligible.
As a specific example, we had a young person who stole something very valuable and that put the young person at great personal risk. The lead up to this was extensive and the implications were very serious involving multiple other agencies. All this would be logged in far greater detail in our records than is possible in our weekly reports together with any additional information we felt was necessary to fully explain our handling of the issue. If a young person subsequently asked to see this data they’d get a very detailed record of an event that they were already well aware of. They are also well aware that, as their foster carers, we already knew all this information. No one who didn’t know about this event would ever get to know about it other than in the specific case of an allegation.
The balancing test
This test balances the benefits of retaining data against a child’s rights to not have unnecessary data collected. The GDPR makes a specific point that children’s data needs careful consideration. Recital 38 of the UK GDPR states that:
“Children require specific protection with regard to their personal data as they may be less aware of the risks, consequences and safeguards concerned and their rights in relation to the processing of personal data. Such specific protection should, in particular apply to the use of personal data of children for the purposes of marketing or creating personality or user profiles and the collection of personal data with regard to children when using services offered directly to a child. The consent of the holder of parental responsibility should not be necessary in the context of preventive or counselling services offered directly to a child.”
Recital 38 of the UK GDPR
The first issue we need to address is does this data fall into “the purposes of marketing or creating personality or user profiles and the collection of personal data with regard to children when using services offered directly to a child”. Clearly it does not.
The ICO provides a series of questions that we must think about when assessing the issue of balancing interests. These, together with our answers are;
What is the nature of your relationship with the individual?
Our relationship is one of delegated parental care.
Is any of the data particularly sensitive or private?
By its very nature – the records we need to keep will be extremely sensitive. For example if a child exhibits sexualised behaviour our records need to note this and how we dealt with this. Most importantly it will record who we informed and how we did this.
Would people expect you to use their data in this way?
We think it’s fair to say that our children would expect us to be the custodians of the history of their stay with us. We would argue that, whether we log this information or not, we are nevertheless the custodians of their histories while in our care. The logs simply formalise this and help us remember these events accurately. Like all foster carers, we currently keep detailed daily logs and our children are aware that we do this – we explain that we are keeping a diary and even the youngest understand this. We do not explain to our younger children that these are subsequently sent to ‘their corporate parent’ so they can monitor and support us because they simply would not understand this and it would cause them worry. This illustrates very clearly how our children expect us to have these records much more than they expect their ‘corporate parent’ to have them.
Are you happy to explain it to them?
As the previous answer showed, this already happens. Where possible we even involve them in the creation of this ‘diary’.
Are some people likely to object or find it intrusive?
Many people keep personal diaries including many parents – there is nothing inherently intrusive about this practice . Furthermore, we all hope that the information we record will never be used or seen for the purpose for which it was collected.
What is the possible impact on the individual?
The ICO asks a data controller to assess the impact by addressing the following questions:-
- a barrier to individuals exercising their rights (including but not limited to privacy rights);
- a barrier to individuals accessing services or opportunities;
- any loss of control over the further use of personal data;
- physical harm;
- financial loss, identity theft or fraud; or
- any other significant economic or social disadvantage (such as discrimination, loss of confidentiality or reputational damage).
It is difficult to see how any of these apply to historical logs held simply for the purposes of handling allegations. In the absence of an allegation, it’s difficult to imagine any impact because no one would have access to them. In the event of an allegation the swift resolution of the issues is fundamental to reducing the harm to the child themselves – one could argue having accurate records of their care is a child’s fundamental right. The more information that can be produced to explain why this allegation has arisen and the context in which this allegation occurred can be fundamental to issues like saving a placement and protecting a child’s rights..
How big an impact might it have on them?
It’s difficult to imagine a situation where background context being brought to an allegation could have a negative impact for the person bringing the allegation. Even if the records are disputed they will provide key information on the context which could well be of interest to a child bringing an allegation particularly in the case of a historical allegation.
Having done this it’s appears that the balancing test is passed fairly comprehensively for foster carers. A lot of the confusion around retaining records has arisen because the records we need as foster carers will be similar to the records the service needs to monitor and support us. There will sometimes be clear differences but often the data will be similar. But data protection is about the purpose the data is held not the data itself.
- W v Essex County Council [1998] 3 WLR 534; [1998] 3 All ER111 ↩︎