25 February 2026 · 11 min read · Arviteni
CQC, the ICO, and local authority commissioners all expect care providers to demonstrate accountability over sensitive data. This practical guide explains what audit trails are, why care providers need them, and how to implement them using tools most organisations already have in Microsoft 365.
Every care provider will, at some point, be asked a question they cannot afford to get wrong: who accessed this file, and when?
It might come from a safeguarding lead investigating a concern. It might come from the ICO following a data breach report. It might come from a family member submitting a subject access request. It might come from a CQC inspector reviewing how your organisation handles sensitive records.
If you cannot answer that question clearly and with evidence, you have a serious problem. Not a theoretical problem. A practical one that can affect your CQC rating, your ICO standing, your commissioner relationships, and the trust that families place in your organisation.
The good news is that most care providers already have the tools to answer it. They just have not turned them on.
An audit trail is a record of who did what, when, and where within your systems. Every time someone opens a file, edits a document, shares a link, changes a permission, or signs in to a system, that action can be logged automatically with a timestamp, the identity of the person who did it, and a description of what happened.
Think of it as a logbook for your digital environment. In the same way that care homes maintain physical sign-in books for visitors and medication administration records for residents, an audit trail maintains a record of every interaction with your digital data.
The important thing to understand is that audit trails are not surveillance. They are accountability. They protect staff as much as they protect the data. If someone is falsely accused of accessing a file they should not have seen, the audit trail can demonstrate that they did not. If a document was changed and nobody knows who made the change, the audit trail provides the answer.
For care providers, where the data you hold relates to vulnerable adults and includes health records, safeguarding notes, care plans, and mental capacity assessments, that accountability is not optional. It is a fundamental part of how you demonstrate that you are fit to hold that data in the first place.
Care organisations handle some of the most sensitive personal data in any sector. The regulatory expectations around that data are equally significant.
When a safeguarding concern is raised, the integrity of the evidence matters. If a care plan was modified before an investigation began, you need to know who changed it, when, and what the previous version contained. Without an audit trail, altered or deleted records undermine the entire investigation. The local authority safeguarding team expects a reliable evidence chain. If you cannot produce one, it raises questions about your governance that go well beyond the immediate concern.
CQC inspectors assess how care providers manage records and protect personal data under the "Safe" and "Well-led" key questions. Being able to demonstrate that you have audit logging in place and can produce evidence of who accessed what and when provides clear evidence of good governance. If a concern arises and you have no audit trail, inspectors will draw their own conclusions.
The ICO expects organisations handling personal data to implement appropriate technical measures, including the ability to detect and investigate unauthorised access. If you report a data breach, one of the first questions will be how you detected it and what evidence you have about its scope. Without audit logs, your answers will be limited to "we are not sure".
Under UK GDPR, any individual has the right to request access to their personal data. A subject access request does not just ask what data you hold. It can ask who has accessed it, what has been done with it, and who it has been shared with. Without audit trails, responding to a SAR is a slow, manual process with no guarantee of completeness. We have seen how mapping data flows across a care organisation makes these requests manageable. Audit trails are the other half of that picture.
If a breach occurs, the speed and accuracy of your response matters. Audit trails allow you to establish exactly what happened: which accounts were involved, what data was accessed, and how far the breach extends. This is essential for your ICO breach report (which must be submitted within 72 hours for reportable breaches) and for notifying affected individuals accurately. Without audit data, you are left estimating the scope, which typically means assuming the worst.
Not everything needs the same level of logging, but for care providers handling sensitive personal data, here are the categories that matter most.
File and document access. Every time someone opens, views, downloads, or prints a document containing personal data, that action should be recorded. This is particularly important for care plans, safeguarding records, HR files, and financial documents.
Changes and modifications. When a document is edited, the audit trail should record who made the change, when, and what was changed. Version history in SharePoint and OneDrive provides this automatically when configured.
Sharing actions. If someone shares a file externally or with colleagues who would not normally have access, that should be logged. Sharing is one of the highest risk activities for data protection.
Sign-in activity. Every sign-in should be recorded, including the time, account, device, and location. Failed sign-in attempts are equally important, as they can indicate attempted unauthorised access.
Permission changes. When someone's access to a system, site, or folder is changed, that should be logged. Our work automating SharePoint access controls for a care group across eight homes showed how important it is that permission changes are both intentional and recorded.
Administrative actions. Any action taken by an administrator, such as creating or deleting user accounts or changing security settings, should be logged separately. These are high-privilege actions that warrant additional scrutiny.
If your care organisation runs Microsoft 365, you already have audit logging built into the platform. The challenge is that most of these features are not enabled or configured by default.
The Unified Audit Log is the central record of activity across your Microsoft 365 environment: Exchange (email), SharePoint, OneDrive, Teams, Entra ID (sign-ins), and the admin centre. To check whether it is enabled, go to the Microsoft Purview compliance portal and navigate to Audit. Enabling it is straightforward, but it only starts recording from that point. There is no retrospective data.
For most Microsoft 365 Business Premium licences, audit log data is retained for 180 days. Most care providers should keep audit data for at least one year, so you will need to configure retention policies or export the data to longer-term storage.
SharePoint and OneDrive activity is captured in the Unified Audit Log, but you can configure more granular logging for specific document libraries. For care providers, the priority is libraries containing care plans, safeguarding records, HR files, incident reports, and compliance documents. At a minimum, capture file views, edits, downloads, deletions, sharing events, and permission changes.
Entra ID (formerly Azure Active Directory) maintains sign-in logs that record every authentication event: who signed in, when, from which device, from which location, and whether the sign-in was successful. These logs are essential for detecting unusual access patterns. For organisations on Microsoft 365 Business Premium, sign-in logs have a default retention of 30 days, which is too short for most compliance purposes. Configure log export to a longer-term store.
The default retention periods in Microsoft 365 are often shorter than what care providers need. As a practical baseline, consider one year as a minimum for general audit data and seven years for data related to safeguarding, complaints, and regulatory matters. This aligns with CQC record-keeping expectations and provides a reasonable window for responding to historic investigations.
Audit data is only useful if someone is paying attention to it. Microsoft 365 includes alert policies in the Purview compliance portal that notify you when something unusual happens. Here are the alerts care providers should configure.
Mass file downloads. If a user downloads an unusually large number of files in a short period, this could indicate data exfiltration. Configure an alert for download volumes that exceed normal patterns.
External sharing of sensitive documents. If someone shares a file from a SharePoint site containing care plans or safeguarding records with an external recipient, you want to know immediately. It may be legitimate, but it should always be reviewed.
Sign-ins from unusual locations. If an account that normally signs in from the East Midlands suddenly authenticates from another country, that is worth investigating.
Out-of-hours access to sensitive sites. If someone accesses your safeguarding records at 2am on a Sunday, that warrants attention. It may be legitimate, but it should be flagged and reviewed.
Permission changes on sensitive sites. If someone grants themselves or another user access to a SharePoint site containing restricted data, that change should trigger a notification to the information governance lead.
These alerts should go to someone specific, not a shared inbox that nobody monitors. Assign responsibility clearly: who reviews alerts, how quickly, and what the escalation process is.
Implementing audit trails is the foundation. Using them effectively is where the value is realised.
In the Microsoft Purview compliance portal, you can run audit log searches filtered by file name, user, date range, or activity type. The results export to a spreadsheet for review. This is how you respond to SARs (producing a complete record of who accessed the requester's data), investigate safeguarding concerns (demonstrating original content and every subsequent change), and support CQC inspections (showing active monitoring, not just assertions of good practice).
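The alert conditions listed earlier (mass downloads, external sharing of sensitive documents, out-of-hours access, permission changes) and the "who accessed this file" question that a SAR or safeguarding search must answer, applied to records shaped like a Unified Audit Log export. This is an added example, not code from the article or from Arviteni; the tenant domain, the site names treated as sensitive, the thresholds and the sample records are all assumptions constructed for the demonstration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumptions, not from the article: tenant domain, sensitive sites and thresholds. Keys mirror AuditData fields.
OUR_DOMAIN = "carehome.example"
SENSITIVE_SITES = ("/sites/Safeguarding/", "/sites/CarePlans/")
DOWNLOAD_THRESHOLD, WINDOW = 50, timedelta(hours=1)

def is_sensitive(object_id):
    return any(site in object_id for site in SENSITIVE_SITES)

def triage(records):
    """Apply the alert conditions from the article; return (rule, user, detail) findings in time order."""
    findings, downloads, alerted = [], defaultdict(deque), set()
    for r in sorted(records, key=lambda r: r["CreationTime"]):   # ISO-8601 timestamps sort as text
        t, user, op, obj = datetime.fromisoformat(r["CreationTime"]), r["UserId"], r["Operation"], r["ObjectId"]
        if op == "FileDownloaded":
            q = downloads[user]
            q.append(t)
            while t - q[0] > WINDOW:          # slide the one-hour window
                q.popleft()
            if len(q) >= DOWNLOAD_THRESHOLD and user not in alerted:   # fire once per user
                alerted.add(user)
                findings.append(("mass_download", user, f"{len(q)} downloads within {WINDOW}"))
        elif op in ("SharingSet", "SharingInvitationCreated", "AnonymousLinkCreated") and is_sensitive(obj):
            target = r.get("TargetUserOrGroupName", "")   # empty for anonymous links
            if not target.lower().endswith("@" + OUR_DOMAIN):
                findings.append(("external_share", user, f"{obj} -> {target or 'anonymous link'}"))
        elif op == "FileAccessed" and is_sensitive(obj) and (t.weekday() >= 5 or not 7 <= t.hour < 20):
            findings.append(("out_of_hours", user, f"{obj} at {t:%a %H:%M}"))   # outside Mon-Fri 07:00-19:59
        elif op in ("PermissionLevelModified", "AddedToGroup", "SiteCollectionAdminAdded") and is_sensitive(obj):
            findings.append(("permission_change", user, obj))
    return findings

def access_history(records, object_id):   # SAR or safeguarding view: every recorded action on one document
    return [(r["CreationTime"], r["UserId"], r["Operation"])
            for r in sorted(records, key=lambda r: r["CreationTime"]) if r["ObjectId"] == object_id]

def _rec(time, user, op, obj, **extra):   # one constructed audit record
    return {"CreationTime": time, "UserId": user, "Operation": op, "ObjectId": obj, **extra}

SITE = "https://carehome.sharepoint.com/sites/"   # constructed sample below; 8 Feb 2026 is a Sunday, 9 Feb a Monday
CARE_PLAN = SITE + "CarePlans/Shared Documents/resident-plan.docx"
SAMPLE = [_rec("2026-02-09T09:15:00", "nurse@carehome.example", "FileAccessed", CARE_PLAN),
          _rec("2026-02-09T09:20:00", "nurse@carehome.example", "FileModified", CARE_PLAN),
          _rec("2026-02-08T02:05:00", "admin@carehome.example", "FileAccessed", SITE + "Safeguarding/concern-17.docx"),
          _rec("2026-02-09T10:00:00", "manager@carehome.example", "SharingInvitationCreated", CARE_PLAN,
               TargetUserOrGroupName="relative@mail.example"),
          _rec("2026-02-09T11:00:00", "manager@carehome.example", "PermissionLevelModified", SITE + "Safeguarding/"),
          *(_rec(f"2026-02-09T13:{m:02d}:00", "temp@carehome.example", "FileDownloaded", SITE + f"HR/file-{m}.pdf") for m in range(50))]
```

Running `triage(SAMPLE)` yields one finding per alert condition, and `access_history(SAMPLE, CARE_PLAN)` lists the view, the edit and the external share of the care plan in order, which is the evidence a SAR response or safeguarding review needs.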
For data breach response, audit data is essential. You can establish the timeline, identify the accounts and data involved, and assess the scope of the breach. This information feeds directly into your ICO breach report and helps you notify affected individuals accurately. Our audit trail implementation for a care group demonstrated exactly this: once logging was enabled and configured, the organisation moved from being unable to answer basic questions about data access to having complete, evidence-backed responses.
Enabling logging but never reviewing it. Audit data that nobody looks at provides no protection. Build a regular review cycle: a monthly check of alert summaries and a quarterly review of access patterns on your most sensitive SharePoint sites.
Keeping default retention periods. The default retention periods are insufficient for care providers. Configure retention to match your actual regulatory and operational needs.
Not restricting access to audit data. The audit logs themselves are sensitive. If a user can access and modify audit records, the integrity of the entire system is compromised. Ensure that audit data is only accessible to your information governance lead and IT administrators.
Treating it as an IT project, not a governance project. The technology is the easy part. The harder work is building clear processes: who reviews alerts, who runs reports, who responds to requests, and how audit findings feed into your wider governance. This is a management responsibility, not something to delegate entirely to your IT provider.
If your care organisation does not currently have audit trails in place, the priority is to get logging enabled and configured. For most Microsoft 365 environments, this can be done within days. The longer-term work is building the processes around it: alert handling, regular reviews, and training your compliance team to use the data.
If you are working on DSPT compliance, audit trails directly support several of the 10 data security standards, particularly around managing data access and responding to incidents. If you are pursuing Cyber Essentials, the access control and user accountability requirements overlap significantly.
For care homes across the East Midlands, our managed IT service includes audit trail configuration and monitoring as part of our ongoing partnership. We enable the logging, configure the alerts, set appropriate retention, and train your team to use the data for governance, not just compliance.
Care providers hold information that belongs to some of the most vulnerable people in our communities. The families who entrust you with their loved ones' care are also entrusting you with their personal information. That trust carries an obligation to demonstrate, not just assert, that their data is handled with the accountability it deserves.
Audit trails are how you meet that obligation. They are how you move from "we think our data is secure" to "we can show you exactly who accessed it, when, and what they did". That is the standard that regulators expect, that commissioners look for, and that families deserve.
The tools are already in your Microsoft 365 licence. The question is whether you have turned them on.