An investigation by the Information Commissioners Office (ICO) found “highly sensitive” information about children and adults is routinely emailed between independent agencies and local authorities for the purposes of arranging care placements without encryption safeguards being put in place.
The information includes the medical history, marital status, relationship information, employment, criminal convictions and religious beliefs of the prospective foster carer/adopter; as well as medical history, birth parent information, placement history, educational achievement, behaviour issues and ethnicity details for children awaiting a foster carer or adopter.
In an attempt to secure a quick match for one of their carers with a looked-after child, agencies will often send unencrypted information to a local authority believing that if they don’t the council will use another provider.
The ICO said another factor behind the lax security practices is that local authorities appear reluctant to accept encrypted information via email as their IT security systems block messages making it time consuming to access them.
The majority of the 10 independent agencies audited by the ICO failed to encrypt mobile devices, such as laptops and USB sticks, used to process, store or transport personal data, increasing the risk of data breach.
It states: “If lost of stolen, any such devices containing sensitive personal data could be easily accessed. Where such losses occur and encryption has to been used to protect the data, the ICO is more likely to pursue regulatory action.”
Last year, the ICO issued two councils with penalties totalling £150,000 after sensitive information about the care of young people was lost by children’s services.
Other issues highlighted in the report include lack of training for staff on good data security practice, and staff being allowed to use home computers to carry out work involving sensitive personal data. There is also a lack of “secure methods” for carers to record progress made by children, with information usually stored and transferred using ISP “clouds” and webmail systems.
However, most agencies were found to have adequate “system access” controls in place so that personal information could only be accessed by authorised staff.
John-Pierre Lamb, ICO group manager, said: “Agencies must have the necessary safeguards in place to keep this information safe, whether it is in the office, at home or on the road.
“The worst breaches of the Data Protection Act can lead to a penalty of up to £500,000, but when you consider the sensitivity of the information this sector is responsible for, the human cost could be far more significant.
“Agencies and the councils they work with should see this report as a wake-up call and take action before it’s too late.”
The ICO is working with the British Association for Adoption and Fostering, the British Association of Fostering Providers and the Fostering Network to help councils and agencies address the problems.