Data Protection Act 2018

The Data Protection Act 2018 came into force on 23 May 2018 (it replaced the Data Protection Act 1998) and is the UK’s implementation of the General Data Protection Regulation (GDPR) which came into force on 25 May 2018. The Data Protection Act 2018 (DPA 2018) provides a legal framework for all data protection in the UK and has introduced new requirements for how organisations process personal data, as well as expanding the rights of individuals to control how their personal information is collected and processed. 

Fostering services across the UK must comply with this legislation, in order to be more accountable for data protection and consider issues of data compliance. This brief guidance outlines some key issues when considering data protection legislation for everyone involved in fostering.

About data protection

Data protection legislation controls how your personal information is used by organisations, businesses or the government. Fostering services have access to a variety of personal data including sensitive personal data when working with fostering applicants, foster carers, children and young people, birth families, social care staff workforce, fostering panel members and so on.

Everyone responsible for accessing and using data within the fostering system (dependant on your role and responsibilities) has to follow strict rules called ‘data protection principles’. 

The main concepts and principles under the UK Data Protection Act 2018 has incorporated the new elements and important enhancements from GDPR, so therefore public authorities and fostering services will need to consider some new areas as well as doing some things differently. For example, there is a requirement to clarify the difference in data protection law between a personal reference and a confidential reference. 

Both the DPA 2018 and GDPR refer to sensitive personal data as “special categories of personal data” and says this is more sensitive and so needs more protection i.e. racial or ethnic origin, health, political opinions, religious or philosophical beliefs, or trade union membership, genetics, biometrics (where used for ID purposes) and data concerning a person’s sex life or sexual orientation.  See DPA 2018 Schedule 1.

Principles of Data Protection 

The following principles should apply in terms of data protection:

  • Public authorities and fostering services are responsible for what and how they process, record and store personal data.  
  • Fostering services have a legal responsibility to ensure that all data they obtain is accurate, relevant, up to date, and that it is securely stored for no longer than it is necessary, or in accordance with record retention policies as stipulated by relevant legislation. 
  • Data protection polices must adhere to individual rights in terms of deleting and sharing data,  gaining and managing consent and provision to access data held about an individual in accordance with regulations and set timescales. 
  • Services must adhere to upholding children’s rights and ensure specific protection for this group.
  • Public authorities and fostering agencies will need to appoint a Data Protection Officer. 
  • Public authorities and fostering services have a responsibility to notify the Information Commissioners Office (ICO) to report a breach, as well as individuals where high risk instances will impact on individual rights.