SCOPE OF THIS CHAPTER
Families for Children's Designated Data Protection Officer is the Head of Business.
All employees with access to employee records and who are responsible for processing personal data should receive training and guidance information on the key aspects of the Data Protection Act/UKGDPR and their responsibilities under the Act. All contractors or agency staff whose duties involve processing personal data should be made aware of the contents of the Data Protection Policy and their responsibilities under the policy.
1. Data Protection Principles
The Data Protection Principles state that personal data must be:
- Fairly and lawfully processed;
- Processed for limited purposes and not in any manner incompatible with those purposes;
- Adequate, relevant and not excessive;
- Not kept for longer than is necessary;
- Processed in accordance with individual rights;
- Not transferred to countries without adequate protection.
2. Data Protection Act 1998 / General Data Protection Regulation (UK GDPR)
There is a legal duty to protect any information collected on individuals as per the principles outlined above. The agency uses technologies and encryption software to safeguard data, and keeps strict security standards to prevent any unauthorised access to it.
Website – we maintain log files that allow us to record visitors' use of the site and these provide us with statistical information on how people use the site and what content people are viewing. Log files do not contain any personal information and they are not used to identify any individual patterns of use of the site.
The policy does not confer contractual rights on individuals.
3. Privacy Notice
Families for Children is committed to protecting users' privacy when using our communication systems and website.
Our Privacy Notice explains how we use information given to us and the ways in which we protect privacy accordingly. Our Privacy Notice is part of the overall Data Protection Policy of the agency and is replicated on our website.
Our Privacy Notice applies only to the agency website and so users are advised that wherever we link to other sites not covered by this, we will title links appropriately so that the user is aware that they are being forwarded to a Third Party site. The full Privacy Notice is in Appendix 1: Privacy Notice.
4. Information Collected and How it is Used
Families for Children collect personal data from a variety of sources over time. In most instances this will be specifically used to respond to an enquiry or information request or to provide appropriate goods and services or to enable us to review, develop and improve the services on offer.
Key points of information gathering:
- Prospective adopters' initial contact with the agency through email, website, telephone or face to face;
- Applicants completing the Registration of Interest Form;
- Obtaining checks and references on prospective adopters during Stage 1 of the assessment process, including medical, DBS and personal references;
- During Stage 2 Assessment of prospective adopters;
- Linking and Matching prospective adopters with children and Court process;
- When applying on behalf of adopters and their families for adoption support services and the relevant funding;
- When applying for employment by the agency;
- When applying to be a volunteer for the agency.
4.1 For Service Users
All information gathered on prospective adopters is to inform their suitability to become adoptive parents. It is essential that this is a robust assessment of strengths and vulnerabilities due to the needs of the children being potentially placed with them. This is outlined in the Adoption Act 2002 which provides the framework for implementing plans for adoption and is the principal piece of legislation from which the Statutory Guidance for Adoption 2014 is drawn.
All information gathered on adopters and their families regarding adoption support is to inform the best interventions to support them through difficulties or crisis and to prevent placement breakdown.
Express consent is gained for any information gathered, and no information is passed onto third parties unless there is clear permission to do so. Service Users are advised fully as to the identity and nature of the third party and they are asked to "opt in" to this sharing of information. It is never assumed that they are consenting to information sharing. The only exception to this is where we are compelled by law by a court order or similar to disclose specific information.
Under the Adoption Act 2002 we are obliged to keep Adoption Records for 100 years.
Website – Cookies are pieces of data that are often created when you visit a web site and are stored in the cookie directory of your computer either temporarily or permanently. We only set first party cookies that aid in your use of the site and Google Analytics cookies which track web use but DO NOT collect any personal user data.
4.2 For Employees/volunteers
Throughout employment and for as long a period as is necessary following the termination of employment, the Agency will need to keep information about an employee for purposes connected with their employment, including information relating to their recruitment and termination of employment.
The records may include:
- Information gathered from the individual and references obtained during recruitment; details of terms and conditions of employment;
- Tax and national insurance information;
- Information about employee performance;
- Details of grade and job duties;
- Health records;
- Absence records including holiday records and self-certification forms;
- Details of any disciplinary investigations and proceedings;
- Training records;
- Contact names and addresses;
- Dependant information;
- Correspondence with the Agency and other information provided to the Agency by the individual.
The Agency believes that processing this information is consistent with its employment relationship with employees and with the principles of the Data Protection Act 1998/GDPR 2018.
The information that is held will be for management and administrative use only but the Agency may, from time to time, need to disclose some information to relevant third parties (e.g. where legally obliged to do so by the Inland Revenue or where requested to do so by the employee for the purposes of giving a reference).
The Agency may also transfer information about an employee to another Agency office solely for purposes connected with the individual's career or the management of the Agency's business.
Employees should also be aware that the Agency might hold the following information about them, for which disclosure to any person will only be made for the purposes set out below:
- Health information for the purposes of compliance with health and safety and occupational health obligations; for the purposes of personnel management and administration, for example, to consider how an employee's health affects their ability to do their job, and if disabled, whether any reasonable adjustments can be made to assist them at work; for the purposes of monitoring and management of sickness absence and for purposes of administration and management of insurance, pension, sick pay and other related benefits in force from time to time;
- Information in connection with unspent convictions to enable the Agency to assess suitability for employment;
- Information relating to racial and ethnic origin for the purpose of identifying or keeping under review the existence or absence of equality of opportunity or treatment between persons of different racial or ethnic origins with a view to enabling such equality to be promoted or maintained;
- Information relating to religious beliefs for the purpose of identifying or keeping under review the existence or absence of equality of opportunity or treatment between persons of different religious beliefs with a view to enabling such equality to be promoted or maintained.
5. Keeping Data Secure
The Agency has in place appropriate physical and electronic measures, security policies and managerial procedures to safeguard and secure personal data that we have under our control from unauthorised access, improper use, alteration, unlawful or accidental destruction or accidental loss.
- Website – the website is hosted on an independent server that is held in a different physical location to that of the Agency's email and data server. They are not on the same network and they do not communicate between each other (e.g. no data exchange);
- Emails – we use encrypted email system Egress when sending personal information externally or documentation electronically;
- Server Security – access to the Agency's server is controlled by a username and password. The server is protected by a router which each user has to authenticate with before they can access the server. The router also provides a firewall to the network. Sensitive data on the server is restricted to authorised personnel only. The server is physically stored in a locked computer room with restricted access. The server itself has anti-virus software running real-time to scan emails and files;
- Adopters Database – this is accessed by known personnel only, all of whom have their own individual log in and passwords;
- Paper Records – these are kept to a minimum and stored in locked cabinets access to which is restricted to staff only. Keys are stored separately to the cabinets;
- Administrative Processes – these are designed to ensure that no data is stored unnecessarily – with the destruction of (for example) ID information used for DBS applications immediately the DBS has been applied for;
- Office bases – all are locked offices with security measures in place. Public access is restricted to certain areas only, (i.e. on training or information days) and only with staff supervising at all times;
- HR files are stored in a separate folder on the server with limited access to Senior Management Team and key HR staff only.
All employees who process and have access to personal data must act in a responsible and confidential manner and adhere to the following security arrangements at all times:
- Personnel files should be stored in lockable filing cabinets in the HR Team or other authorised office;
- Personnel files should not be removed from the office in which they are stored;
- Any personal data that is held by the employee's line manager or other departments (e.g. pensions, payroll) must be kept securely in a lockable cabinet;
- All automated personal data must be password protected;
- Security passwords should not be disclosed to other users. Employees are responsible for ensuring that their password is protected, kept confidential and is changed on a regular basis;
- When using automated systems for access and processing of personal data, employees should ensure that they close down the relevant applications when leaving their work-station;
- E-mail and faxes containing personal data should be used with care. All copies of e-mails and fax messages containing personal data should be held securely by the recipients;
- Personal data sent within the internal mail should be placed in sealed envelopes and marked as "Strictly Confidential";
- If personal data is to be disposed of, it should be shredded and under no circumstances left in a waste paper basket.
Suspected breaches of the above security arrangements will be dealt with under the Agency's Disciplinary Procedure.
6. Data Accuracy and Disclosure of Personal Information
Service Users have the right to request a copy of the information held on them by the agency. We have a separate policy on Subject Access Requests for this process.
If inaccurate data is held, the individual can request that it be updated, unless the information is third party or gathered as part of a safeguarding process. Third Party Information cannot be shared without permission of the named third party.
Records are easily updated on the database and electronic files, and an email is sent to the service user advising that the requested changes have been made.
Employees have the responsibility to ensure that the Agency is informed of any change in personal information e.g. change of name, address, telephone number, next of kin. Changes should be confirmed to the Business Manager on the Change of Personal Details Form. The Business Manager will also be responsible for informing other relevant departments e.g. Payroll, Pensions, Agency Secretariat of notified changes.
In order to ensure that records are accurate and up to date every employee will be provided with a copy of his / her basic personal data e.g. address, emergency contact details on a bi-annual basis and asked to identify any inaccuracies or amendments.
Personnel files should be spring cleaned at annual intervals to remove old, inaccurate and irrelevant data.
Employees have the right to request access to their personal information; this process is outlined in the agency policy on Subject Access Requests.
Disclosure of Personal Information
Access to personal data must be restricted to those who have a genuine requirement for legal, administrative or management purposes.
The Agency has a responsibility to its employees to be cautious in responding to any external requests for information about them.
Employees with access to personal data should be made aware that those seeking information might be using deception to gain access to information to which they are not entitled. Therefore, staff should always establish the identity of the person making the request for disclosure before responding. Particular care should be taken with telephone requests and where possible, any requests for information should be obtained in writing.
Where those requesting information maintain the employer is under a legal duty to respond, staff should ensure the request is received in writing and spells out the basis on which it is asserted there is a legal duty.
Unless prevented by law, employees should be informed at the time a non-routine disclosure is made and wherever practical, a copy of the information should be made available to the employee.
Sensitive personal data (i.e. any data relating to ethnicity, racial origin, political opinions, religious beliefs, trade union membership, physical or mental health and sex life) must not be disclosed to a third party without the individual's consent.
All employees and contractors who have access to employee data should be aware that it is a criminal offence to knowingly or recklessly disclose personal information about other employees without the Agency's consent.
Families for Children are aware of the need for affirmative consent and do not seek consent by omission or presumption. We have clear consent points in the Adoption process for adopters particularly at the point of them registering their interest with us to become adopters and later for adoption support services. We rely on a lot of information to inform our assessment and matching process, so we are clear to obtain detailed consent as appropriate.
At the point of asking for consent we will be clear in our explanation as to why the consent is required, and will specify what we will do with any data gathered and any third parties that may be included in that.
A record will be kept of when the consent was received and how it was obtained, and a note of when that consent will expire. This will be done on the electronic record for the adopters, as well as on the critical dates list on the database. The database will flag up when the consent is due to expire to enable us to update and refresh the consent.
If people wish to withdraw their consent to all, or any aspects of the service, they can contact us via email to state which specific consents they wish to withdraw, or they can be sent a new consent form to complete and return which will supersede the original.
Employees and Volunteers give consent for use of their personal data at the point of recruitment and can request that this be changed in writing.
8. Requests for Deletion of Data
If an individual requests that data held by the agency be deleted, the request in the first instance should be made in writing (email or letter) and passed to the Designated Data Protection Officer named at the top of this policy. The DPO will then make a decision in line with relevant legislation as to whether this can be acted upon, and advise the individual accordingly.
Adoption records fall under the jurisdiction of the Adoption Act, which has a records retention policy of 100 years for adoption records; this overrides the data protection legislation. However, the individual can request that their current contact details are deleted or that they are not contacted for marketing or fundraising purposes.
All employee data has to be held for statutory reasons, and is retained for six years after the employee leaves the Agency; this overrides the data protection legislation.
The individual will then be advised of what action has been taken.
9. Data Breaches
Data breaches can easily happen and so it is important that there is a robust reporting and action system.
Major breaches need to be immediately reported to the Head of Operations (in terms of social work practice) and Data Protection Officer to decide on immediate action and to establish the scale of the breach, who was affected and by what.
Parties will need to be advised of the breach and what action the agency is taking to rectify it and to prevent it happening again.
Minor data breaches – these need to be reported to Head of Operations and appropriate action taken to minimise the impact and ensure that all parties are aware.
All data breaches need to be recorded on the Data Breach Log – even if the data breach is not of our making, but we are involved in resolving them (e.g. Local Authority may disclose information on our adopters).
to Adoption Link/Match and SWAC) – adopters need to be aware what these photos are being used for and why.
Staff have photos as ID on their HR file and for their FFC ID cards. The latter needs to be returned to FFC once their employment with the agency has ceased.
Photographs of children (adopted or birth children) can only be used with express permission of the parents.
No contact would be made direct with children. All contact with children is done through their parents until they are 16, when, if they want communication in their own right, we can arrange for them to give consent to being contacted.
Appendix 1: Privacy Notice
Website Privacy Statement
Families for Children is committed to protecting your privacy when using this website.
This statement explains how we use information you give us and the ways in which we protect your privacy. We may be required to change it from time to time so we recommend checking this statement occasionally.
This privacy statement applies only to our web site. Wherever we link to other sites not covered by this privacy statement we will title links appropriately so the user is aware that they are being forwarded to a third party site.
The Data Protection Act (1998). The DPA has been superseded by the EU General Data Protection Regulation (GDPR).
We treat all personal information (which means any data from which you can be identified, including your name, address, e-mail address etc.) that you provide to us, or that we obtain from you, in accordance with the provisions of the Data Protection Act. Under this Act, we have a legal duty to protect any information we collect from you. We use leading technologies and encryption software to safeguard your data, and keep strict security standards to prevent any unauthorised access to it.
We also maintain log files that allow us to record visitors' use of the site. Log files provide us with statistical information on how people use the site and what content people are viewing. Log files do not contain any personal information and they are not used to identify any individual patterns of use of the site.
Currently, all organisations in the UK that collect, process or store personal information must comply with the Data Protection Act (1998). The DPA will be superseded by the EU General Data Protection Regulation (GDPR) on 25 May 2018.
Among other stipulations, the GDPR introduces new rules on international data transfers, documenting data processing activities, performing data protection impact assessments and appointing data protection officers. It also mandates notifying the local data protection authority (in the UK, the Information Commissioner's Office) within 72 hours of a breach's discovery.
The Data Protection Act 1998 and GDPR can be reviewed at The Information Commissioner's Office web site at ico.org.uk.
The information we collect
We collect personal data from any e-mails which you send to us or requests for information via our enquiry forms which is collated on our in-house database. This includes:
- Name and age;
- Contact information including email address and phone number;
- Demographic information such as postcode and county;
- Other information, subject to it being demonstrated as being of relevance.
How the Data will be used
The personal data we collect will in most instances be specifically used to respond to an enquiry or information request or to provide you with a service you have requested or for any other purposes to which you have given your consent.
We may use the information to improve our products and services.
We may periodically send emails or post about our services as well as events/news items that we think you may find interesting using the email address which you have provided.
From time to time, we may also use your information to contact you for market research purposes. We may contact you by email, phone or post.
Occasionally it may be used to allow us to develop our site to enhance the on-line experience of our users.
We never pass your personal information to any other parties unless we have first obtained your express permission to do so. If this is the case, we will state who these carefully selected third parties are so you can make an informed decision before granting your permission.
You will always be offered the choice to opt out.
Your personal information will be used only for the purposes of communicating with you in relation to our goods or services, to enable us to review, develop and improve the services we offer.
A cookie is a small file which asks permission to be placed on your computer's hard drive. Once you agree, the file is added and the cookie helps analyse web traffic or lets you know when you visit a particular site. Cookies allow web applications to respond to you as an individual. The web application can tailor its operations to your needs, likes and dislikes by gathering and remembering information about your preferences.
We may use traffic log cookies to identify which pages are being used. This helps us analyse data about web page traffic and improve our website in order to tailor it to customer needs. We only use this information for statistical analysis purposes and then the data is removed from the system.
Overall, cookies help us provide you with a better website, by enabling us to monitor which pages you find useful and which you do not. A cookie in no way gives us access to your computer or any information about you, other than the data you choose to share with us.
You can choose to accept or decline cookies. Most web browsers automatically accept cookies, but you can usually modify your browser setting to decline cookies if you prefer. This may prevent you from taking full advantage of the website.
We only set first party cookies that aid in your use of the site and Google Analytics cookies which track web use but DO NOT collect any personal user data.
Disclosure of user's personal data to third parties
We do not disclose your personal data to any third parties without your permission except insofar as you have consented to such disclosure or we are required to do so by law for information such as a court order, witness summons, or complaint from governmental authorities.
Keeping your data secure
We have put in place appropriate physical and electronic measures, security policies and managerial procedures to safeguard and secure the personal data that we have under our control from unauthorised access, improper use, alteration, unlawful or accidental destruction or accidental loss.
Only authorised employees will have access to your personal information. All employees who have access to your personal data are contractually obliged to respect the confidentiality of your personal data.
While we strive to protect your personal information, we cannot guarantee the security of the information you transmit to us. In this regard, we urge you to take every precaution to protect your personal data while you are on the Internet.
Controlling your personal information
You have the right to request a copy of the information we hold on you. You may also request amendments to any personal data that we are holding about you which is factually inaccurate.
To request a copy of your personal information, contact us using the details below. There may be a fee involved in providing this data and you will be expected to provide proof of identity. Insofar as the law permits, however, we reserve the right to refuse to provide you with information. In this eventuality we will give you reasons for this refusal.
If you have any other questions or concerns about our privacy statement and practices please contact us at email@example.com.