
About our care records standards


Latest updates - 09 December 2025

09 December 2025 - this page was published

We’ve written these care records standards for organisations that hold or create care records and respond to requests for access to those records. They set out how you, as an organisation handling records, can support or empower people in care or with care experience to exercise their rights and access their records. They draw on qualitative and quantitative research from those with care experience and from organisations who manage their records.

Our research highlighted the harm that a person can experience when an organisation handles their subject access request (SAR) poorly. Harms include loss of control of personal information, psychological harms, bodily harm, chilling effects and adverse effects on rights and freedoms. These arise from delays in responding to requests, significant unexplained or inappropriate redactions, poor communication, or unmet expectations.

Organisations that hold care records have told us how challenging the statutory timeframes can be for responding to SARs for care records. 

As a regulator, we must be alive to the practical challenges in this area whilst also ensuring that people are protected from harm and able to access their rights. 

The measures we’ve set out cover the lifetime of a care record.

Implementing these standards will make it easier for you to demonstrate that you’re doing your best to comply with data protection law and to prevent harm to people. We anticipate that following them will help you respond to information requests more efficiently and help people understand more about the information in their care records from the outset. This may reduce the number of requests and complaints you receive in the future.

Most significantly we anticipate they will lead to better outcomes for people with experience of the care system.

You should read this document alongside our detailed SAR guidance, which sets out your obligations when you receive and respond to SARs. 


How we will use this guidance in our regulatory activity

Our focus in regulation is to address and prevent harm. We therefore prioritise strong regulatory action in cases where we identify:

  • consistent, lengthy delays to SAR responses; and
  • a lack of measures to reduce harm and address and prevent delays.

In deciding what action is appropriate, we will take into account the extent to which the organisation has applied the care records standards set out in this document.

 

Must, should, could

To help you understand the law and good practice as clearly as possible, this guidance says what organisations must, should, and could do to comply.

Legislative or legal requirements

Must refers to:

  • legislative requirements within the ICO’s remit; or
  • established case law (for the laws that we regulate) that is binding.

Good practice

Should does not refer to a legislative requirement, but what we expect you to do to comply effectively with the law. We expect you to do this unless there is a good reason not to. If you choose to take a different approach, you need to be able to demonstrate that this approach also complies with the law.

Could refers to an option or example that you may consider to help you to comply effectively. There are likely to be various other ways for you to comply.