Data Protection Leadership for Care Home Managers and IG Leads

Accountability, governance, DPIAs, supplier oversight, breach response, SARs, security assurance, and information sharing in adult social care


SARs, rights requests, and disclosure governance

People have rights over their personal data. In care homes, subject access requests may come from residents, relatives, attorneys, deputies, solicitors, advocates, former or current staff, complainants, and sometimes third-party portals. Requests can be verbal or written and do not need to use the words "subject access request".

ICO guidance says individuals have the right to access and receive a copy of their personal data and certain supplementary information. Organisations should normally respond without delay and within one month; complex requests or multiple requests from the same person may justify an extension. Managers need a process that begins at first contact, not only when the request reaches head office.

Two minutes on subject access requests

Video: 1m 56s · Creator: Information Commissioner's Office (ICO). YouTube Standard Licence.

This ICO video explains that when someone asks for a copy of information an organisation holds about them, this is a subject access request. It presents subject access as a legal right and says organisations of all types need to recognise and respond to these requests.

The video gives four tips for handling a request. First, plan ahead by deciding who is responsible, what timeframes apply, and how information will be sent; it suggests mapping the steps into a 28-day plan so the one calendar month deadline can be met. Second, practise good records management so the organisation knows what information it holds, where it is kept, and how to search for it.

Third, train staff and volunteers to recognise requests early, because people may ask for their information without using formal subject access wording. Fourth, check that the request has been understood before gathering information, including what information the person wants and how they want to receive it, so time is not wasted on the wrong search or response.

A safer SAR workflow

  • Recognise: train staff to spot requests such as "I want my notes" or "Send me everything you hold about Mum".
  • Record: log date received, requester, what was asked for, how it was received, and who is handling it.
  • Verify: check identity and authority where needed, especially for relatives, attorneys, deputies, solicitors, and representatives.
  • Clarify: ask for proportionate clarification if the request is broad or unclear, without creating unnecessary delay.
  • Search: include care records, paper files, emails, incident reports, complaints, messages, CCTV where relevant, and archived material.
  • Review: consider third-party information, safeguarding risk, legal exemptions, professional opinions, and social work or health-record considerations.
  • Disclose securely: use an appropriate format and secure method, with a record of what was provided and when.

Care-home complications

Care records often include material about other residents, staff, relatives, safeguarding concerns, professional opinions, and family conflict. A resident's right of access is important, but disclosure may require careful redaction or withholding where another person's rights or safety would be affected.

Requests from relatives require authority checks. A "next of kin" label does not automatically give someone the right to receive records. Relevant factors include health and welfare attorneyship, deputyship, resident consent, best interests decisions, safeguarding concerns, and the home’s local policy.

Scenario

A daughter emails the home asking for "Mum's full file, including all incident reports and staff notes, by Friday". The resident has fluctuating capacity and has previously told staff she does not want her daughter to know about a relationship with another resident. The administrator forwards the email to the manager and asks whether to send the file.

What should the manager consider?

 

A request for records should trigger a process, not a favour. Recognise SARs early, check authority, review third-party information, and disclose securely.
