5 min read
A national care group delivering residential, supported living, and specialist care services. The organisation handled sensitive personal data for hundreds of service users and several hundred staff, flowing through multiple systems including care management platforms, HR systems, payroll, email, SharePoint, and various third-party tools. Despite the volume and sensitivity of the data, there was no documented map of how it moved through the organisation.
Service: Tech Consulting Care sub-sector: Residential, supported living, specialist care
The organisation processed some of the most sensitive categories of personal data that exist: health records, care plans, medication schedules, mental capacity assessments, safeguarding notes, and detailed personal histories of vulnerable adults. It also held extensive data on its workforce: DBS certificates, right-to-work documents, supervision records, absence history, and payroll information.
Despite this, nobody in the organisation could answer a basic question: where does the data go?
When a service user's care plan was created, it existed in the care management system. But elements of it were also shared via email with healthcare professionals, discussed in reports stored on SharePoint, referenced in funding applications sent to local authorities, and summarised in family updates. Each of these represented a data flow, and none of them were documented.
Staff data followed a similarly undocumented path. HR held records in BambooHR, payroll held records in a separate system, training records sat in yet another platform, and various spreadsheets held subsets of the same data maintained independently by different teams. Nobody had a clear picture of which systems held what, who had access, or how long data was retained.
The UK GDPR requires organisations to understand and document their processing activities. Article 30 mandates a record of processing that includes the categories of data, the purposes of processing, who it is shared with, and the retention periods. For a care provider handling special category data (health, racial origin, religious beliefs) under Articles 9 and 10, the requirement is not optional. The organisation was exposed not because it was doing anything wrong, but because it couldn't demonstrate what it was doing at all.
We conducted a systematic data flow mapping exercise across the entire organisation, working with every department that handles personal data.
The first step was identifying every system that stores or processes personal data. This included the obvious platforms (care management, HR, payroll, email, SharePoint) but also the less visible ones: shared drives with legacy documents, WhatsApp groups used informally by care teams, paper records still maintained at some sites, and third-party portals for local authority reporting and CQC submissions.
For each system, we documented what categories of personal data it held, whose data it was (service users, staff, families, referrers, healthcare professionals), why it was being processed, and the lawful basis under UK GDPR. Care plans processed under a duty of care looked different from marketing data processed under legitimate interest, and each required distinct documentation.
We then traced the flows between systems. When a new service user is referred, their data enters the organisation through a referral form. We mapped every subsequent step: where that data is entered, what systems it is copied to, who can access it at each stage, whether it is shared externally (and with whom), and where it ultimately rests. The same exercise was completed for staff data, from recruitment through to departure and post-employment retention.
Data sharing with external parties was documented in detail: local authorities, CQC, healthcare partners, families, and third-party suppliers. For each sharing relationship, we assessed whether a data sharing agreement was in place, whether the agreement was current, and whether the actual sharing matched what the agreement permitted.
The output was a comprehensive data flow map: a visual and written record of every category of personal data, every processing activity, every internal and external flow, and every system involved. This was accompanied by a gap analysis identifying areas where processing was undocumented, where data was held longer than necessary, or where sharing arrangements needed formalising.
The organisation now has a complete, documented understanding of how personal data moves through its operations. For the first time, it can answer the questions that regulators, auditors, and families might ask: what data do you hold, where is it stored, who can access it, and why.
The Article 30 record of processing activities is now comprehensive and maintainable. Rather than a static document produced once and forgotten, the data flow map is structured so that changes to systems, processes, or third-party relationships can be reflected as they occur.
The gap analysis identified several areas for immediate action: informal data sharing via personal email and messaging apps that needed to be brought onto approved channels, legacy data held well beyond any reasonable retention period, and third-party relationships where formal data sharing agreements had either expired or never existed.
The mapping also provided the foundation for two subsequent workstreams: a retention policy aligned to actual processing activities (rather than a generic policy that nobody follows) and a data minimisation review to ensure the organisation holds only the data it genuinely needs.
Complete data flow map produced across all core systems · Every category of personal data traced from collection to storage · Data sharing agreements reviewed and documented · Processing activities mapped to lawful bases · Foundation established for retention policies and data minimisation
Related service: Tech Consulting
The organisation can now demonstrate, clearly and completely, how it handles the personal data of the vulnerable adults in its care. When a family asks what information is held about their loved one, when CQC reviews data handling practices, or when a subject access request arrives, the answer is documented, accurate, and ready. That is the standard care data deserves.