The UK’s Information Commissioner’s Office (ICO) has recently warned that it may take legal action against organisations that fail to provide care-experienced people with timely, complete and well-managed access to their care records. The ICO has described the current situation as lengthy, traumatic and often demoralising for individuals seeking their own files, with some people waiting more than a decade for access, receiving incomplete documentation or being provided with records heavily redacted without explanation.
What is a care record?
Care records are not merely administrative documents. For people who grew up in the care system, they represent a life record: evidence of decisions made, experiences lived and events that have shaped their identity. Poor records management, missing files or delays caused by fragile or disorganised systems can have a profound and lasting impact. When records are not properly maintained or preserved, individuals may be prevented from understanding their own history or pursuing legal or redress routes. The harm caused is deeply personal.
What action has been taken?
The ICO has already taken enforcement action where appropriate, including issuing enforcement notices and fines, and is actively promoting its Better Records Together campaign to raise standards around how care records are managed and disclosed. Central to this campaign is the recognition that good Subject Access Request (SAR) handling depends on robust records governance throughout the entire lifecycle of the data. Recent enforcement action highlights this approach, such as the fine issued to Birthlink for serious records management failures that led to the destruction of irreplaceable personal data, and the enforcement notice served on Bristol City Council for significant delays and poor handling of SARs relating to child social care records.
What requirements do organisations need to comply with?
Under UK data protection laws, individuals have a clear legal right to access their personal data. Organisations must ensure they meet the following requirements:
- Respond to SARs without delay and within one month of receipt. Extensions are permitted only in limited and clearly justifiable circumstances.
- Where possible, records must be provided in full and be easy to understand. This includes explaining terminology, abbreviations or context where necessary so that individuals can properly interpret their information.
- Personal data must be delivered securely to the requester. Where individuals face barriers such as lacking a secure address or requiring assisted access, organisations are expected to make reasonable adjustments.
- Some redactions may be lawful, particularly where third-party data is involved or serious harm could result, but these must be applied transparently. Organisations must be able to explain clearly why information has been withheld and which exemption under data protection legislation has been relied upon.
- Organisations must maintain clear audit trails showing how SARs are handled, how redaction decisions are made and how compliance is achieved. This accountability is essential if decisions are later challenged by the ICO.
Failure to follow these requirements may result in fines, enforcement action or claims arising from significant harm or distress caused to affected individuals.
Long-term records management
A recurring issue identified by the ICO is weak underlying records management. Some organisations incorrectly assume that data protection legislation discourages the retention of records and may therefore minimise records or dispose of them prematurely. However, good records management supports compliance with data protection laws.
For many public authorities, care records may need to be retained for up to 100 years. This presents a challenge, as such records often outlive the systems, staff and organisational structures that created them, which makes long-term planning essential. Organisations should develop and maintain a clear records retention schedule that reflects statutory requirements and business or personal needs, and regularly review it to ensure records are kept no longer than necessary. Records should then be securely disposed of when they are no longer required.
The ICO provides detailed advice on creating retention schedules and related records management practices, and The National Archives offers practical resources for public authorities on retention and disposal planning. Robust retention planning helps ensure that historical care records remain easy to locate and secure for as long as they are needed.
Organisations should consider both paper and electronic records as part of their retention and governance arrangements. Paper records must not be left unmanaged in filing cabinets or storage areas without clear ownership, security controls and retention rules. Electronic records similarly require organisations to know which systems hold personal data, where that data is stored, how it is secured and who can access it. Access arrangements must be resilient and not dependent on a single individual. For example, an organisation cannot justify delays or non-compliance by stating that only one member of staff has access to a system and they are on long-term sick leave.
While it is recognised that many organisations operate under financial constraints, investment in records infrastructure is essential to complying with data protection legislation. Even where resources are limited, organisations are expected to adhere to the policies, retention schedules and governance frameworks they have in place. Fragile systems increase the risk of data loss.
Need support?
The ICO’s recent warning highlights a systemic issue: access to care records cannot be separated from how those records are managed and preserved throughout their lifecycle. Organisations holding sensitive personal information must respond to SARs promptly and manage records sensitively and responsibly.
At MFMac, we provide specialist advice in data protection compliance and records management. We support organisations including local authorities, charities and care providers in reviewing their SAR processes and overall records management frameworks to ensure they meet both legal requirements and the standards expected by the ICO.
This article was co-authored by Nina Wright, Trainee Solicitor, in our Data Protection team.