25 February 2026 · Arviteni
A step-by-step guide to understanding how personal data moves through a care organisation, covering UK GDPR Article 30 requirements, common gaps in care settings, and how mapping your data flows builds genuine compliance.
If someone asked you right now to explain exactly where your service users' personal data goes, from the moment a referral arrives to the point where a care plan is archived, could you answer? Not vaguely. Could you trace every system, every handoff, every external share?
Most care providers cannot. Not because they are careless, but because data flows in care organisations are more complex than people realise. A single service user's information might pass through a referral platform, a care management system, an email chain with a GP, a local authority funding portal, a shared drive, a family WhatsApp message, and a paper file in the office. Nobody planned that journey. It just happened over time.
Data flow mapping is the process of documenting exactly how personal data moves through your organisation: what data you hold, where it sits, who can access it, where it goes when it leaves your systems, and why. It is a legal requirement under UK GDPR, but more importantly, it is how you demonstrate that the people in your care are genuinely protected.
The UK GDPR places specific obligations on organisations that process personal data. Article 30 requires every data controller to maintain a record of processing activities. That record must include the categories of personal data you process, the purposes of processing, who receives the data, and how long you keep it. For care providers, this is not a suggestion. It is a legal obligation.
The Information Commissioner's Office (ICO) expects to see evidence that you understand your own data processing. If a data breach occurs, one of the first questions the ICO will ask is whether you had a clear picture of what data you hold and how it flows. If you cannot answer that question, you are in a significantly weaker position, even if the breach itself was minor.
Beyond the ICO, the CQC assesses data handling under its "Safe" and "Well-led" key questions. Inspectors will want to see that personal information about residents and staff is handled appropriately, stored securely, and shared only with the right people for the right reasons. A documented data flow map provides clear evidence of exactly that.
Care providers also handle special category data under Article 9 of the UK GDPR. Health records, care plans, medication schedules, mental capacity assessments, safeguarding notes, and information about disabilities or religious beliefs all fall into this category. Special category data carries stricter processing requirements and higher expectations from regulators. You cannot meet those expectations if you do not know where the data is.
The DSPT (Data Security and Protection Toolkit) also requires you to demonstrate that personal data is handled securely and that you understand your processing activities. Data flow mapping directly supports your DSPT submission by providing the evidence base for several of the National Data Guardian's 10 standards.
Before you can map data flows, you need to understand the full scope of personal data your organisation holds. Care providers often underestimate this.
Service user data includes names, dates of birth, addresses, NHS numbers, GP details, medical histories, diagnoses, care plans, risk assessments, mental capacity assessments, DoLS applications, medication records, dietary requirements, religious and cultural preferences, safeguarding reports, photographs, and next-of-kin details. Much of this is special category data.
Staff data includes names, addresses, dates of birth, National Insurance numbers, bank details, DBS certificates and update service records, right-to-work documents, qualifications, training records, supervision notes, absence records, disciplinary records, performance reviews, and emergency contact information.
Family and contact data includes names, addresses, phone numbers, email addresses, and relationship to the service user. Families often share additional information during care discussions that may be recorded in notes.
Referrer and professional data includes details of GPs, social workers, commissioners, healthcare professionals, pharmacies, and local authority contacts who share information as part of the care process.
When you lay it all out, most care organisations hold personal data on hundreds or thousands of individuals across multiple categories. Each of those categories may sit in different systems and follow different paths through the organisation.
Understanding typical data flows helps you identify where to start mapping. These are the journeys personal data commonly takes through a care provider.
Referral to care plan. A referral arrives, often by email or through a local authority portal. It contains the prospective service user's personal details, medical history, and care needs. This information is reviewed by management, discussed in assessment meetings, entered into the care management system, and used to create a care plan. Elements are shared with the GP, the pharmacy, and the funding authority. The original referral may also remain in an email inbox, a shared drive, and a paper file.
Staff onboarding. A new employee's data enters through an application form or recruitment system. It moves into the HR system, the payroll system, training platforms, rota management tools, and the care management system for access permissions. DBS certificate data is processed separately. References are received by email and stored in various locations. By the time a new starter is fully onboarded, their data may exist in six or more systems.
Incident reporting. When an incident occurs, a report is created containing details of the people involved. This may be shared with the CQC, the local authority safeguarding team, healthcare professionals, the service user's family, and internal management. Each share is a data flow that needs documenting.
Family communication. Updates to families about their loved one's care involve sharing personal health information. Whether these updates happen by phone, email, letter, or video call, they represent data flows. If care staff are using personal devices or informal messaging apps to communicate with families, those are undocumented data flows outside your control.
Data flow mapping does not require specialist software or consultants, though both can help for larger organisations. What it requires is a systematic approach and time.
Start by listing every system, platform, and storage location where personal data exists. Include the obvious ones: your care management system, HR platform, payroll system, email, and document storage. Then look harder.
Check for shared drives and legacy file servers. Ask about spreadsheets maintained by individual managers. Look at the apps installed on shared tablets. Ask care teams whether they use any messaging apps, personal email, or paper forms. Check whether any third-party portals are used for local authority reporting, CQC submissions, or pharmacy communications. Do not forget paper records, filing cabinets, and notice boards with staff rotas.
In one project mapping data flows across a national care provider, the less visible systems, including legacy shared drives, WhatsApp groups used informally by care teams, and paper records at individual sites, held just as much personal data as the core platforms.
For every system identified in Step 1, record what categories of personal data it contains and whose data it is. A care management system holds service user data. An HR system holds staff data. But email holds both, plus family data, referrer data, and professional correspondence containing personal information.
Be specific. Do not just write "staff data." Record that the HR system holds names, addresses, dates of birth, National Insurance numbers, bank details, DBS information, training records, and absence history. The detail matters because different categories carry different sensitivities, different lawful bases for processing, and different retention requirements.
This is the core of the exercise. For each category of data, trace how it moves from one system to another. When a referral is received by email, where is that data entered next? Is it manually typed into the care management system? Is the email forwarded to other staff? Is the referral document saved to a shared drive? Is any of the information copied into a spreadsheet for tracking purposes?
Draw the connections. A simple diagram showing systems as boxes and data flows as arrows is often the clearest format. The goal is to see the full picture of how data moves, not just where it sits.
Personal data does not stay within your organisation. Care providers routinely share data with external parties, and each of these relationships needs documenting.
Common external recipients include local authorities (for funding, safeguarding, and regulatory reporting), the CQC (for notifications and inspections), healthcare partners (GPs, hospitals, pharmacies, community nurses), families (care updates, reviews, complaints), recruitment agencies, training providers, payroll bureaux, IT suppliers, and insurance companies.
For each external sharing relationship, document what data is shared, why it is shared, how it is shared (email, portal, post, phone), and whether a data sharing agreement or data processing agreement is in place. If an agreement exists, check whether it is current. Expired or missing agreements are one of the most common findings in data flow mapping exercises.
UK GDPR requires that every processing activity has a lawful basis. For care providers, the most common bases are:
For special category data, you also need a condition under Article 9, such as the provision of health or social care.
Recording the lawful basis for each flow matters because it determines your obligations around transparency, retention, and individuals' rights.
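As an added illustration (not part of the original article), the register built in the steps above can be held as structured records and checked automatically for missing lawful bases, missing Article 9 conditions, and absent or expired sharing agreements. The field names, system names and lawful-basis values are assumptions made for this example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass
class Flow:
    source: str
    destination: str
    data: str                                  # category of personal data
    method: str                                # email, portal, post, phone
    external: bool                             # leaves the organisation?
    special_category: bool = False             # UK GDPR Article 9 data
    lawful_basis: Optional[str] = None
    article9_condition: Optional[str] = None
    agreement_expires: Optional[date] = None   # None = no agreement on file

def find_gaps(flows, today):
    """Return (flow label, problem) pairs for the gaps the article describes."""
    gaps = []
    for f in flows:
        label = f"{f.source} -> {f.destination} [{f.data}]"
        if not f.lawful_basis:
            gaps.append((label, "no lawful basis recorded"))
        if f.special_category and not f.article9_condition:
            gaps.append((label, "no Article 9 condition recorded"))
        if f.external and f.agreement_expires is None:
            gaps.append((label, "no sharing agreement on file"))
        elif f.external and f.agreement_expires < today:
            gaps.append((label, "sharing agreement expired"))
    return gaps

def systems_touching(flows, data):
    """Every system or recipient a data category reaches (SAR / breach scoping)."""
    return {s for f in flows if f.data == data for s in (f.source, f.destination)}

# Constructed sample register; all values are illustrative.
CARE, HSC = "Care management system", "health or social care"
SAMPLE = [
    Flow("Referral email", CARE, "referral", "manual entry", False, True,
         "legal obligation", HSC),
    Flow(CARE, "GP", "care plan", "email", True, True, None, HSC),
    Flow(CARE, "Local authority portal", "care plan", "portal", True, True,
         "legal obligation", None, date(2024, 3, 31)),
    Flow("HR system", "Payroll bureau", "bank details", "portal", True, False,
         "contract", None, date(2027, 1, 1)),
]

if __name__ == "__main__":
    for label, problem in find_gaps(SAMPLE, date(2026, 2, 25)):
        print(f"{label}: {problem}")
```

The same records answer the scoping question for a subject access request or a breach: `systems_touching(SAMPLE, "care plan")` lists every system and recipient that category reaches.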
Data flow mapping consistently reveals the same types of gaps across care organisations.
Informal messaging. Care staff using WhatsApp, personal email, or text messages to share information about service users. This is extremely common in care settings and creates uncontrolled, undocumented data flows on personal devices. The data cannot be audited, retrieved for subject access requests, or deleted when retention periods expire.
Legacy shared drives. Old network drives or cloud folders containing years of accumulated documents, including care records for people who left the service long ago, staff files for employees who departed years before, and duplicates of data that also exists in the current care management system. Nobody knows exactly what is there, and nobody has reviewed it.
Expired or missing data sharing agreements. Care providers share data with local authorities, healthcare partners, and third-party suppliers, but the formal agreements underpinning those arrangements are often outdated, incomplete, or simply do not exist. The sharing continues regardless.
Duplicated data across systems. The same personal data held in multiple places with no clear master record. Service user information in the care system, in email attachments, in SharePoint folders, and in spreadsheets. When data needs updating or deleting, there is no way to ensure all copies are addressed.
No documented retention periods. Data is kept indefinitely because nobody has defined how long it should be retained or established a process for secure disposal. Care records, staff files, and operational documents accumulate without any review cycle.
When a nursing home group moved to Microsoft Information Protection, the classification exercise revealed exactly these kinds of gaps: data spread across platforms without consistent labelling, protection, or lifecycle management. Understanding the flows first made the classification work meaningful rather than superficial.
A data flow map is not a compliance document to file and forget. It is a working tool that drives practical improvements.
Define retention policies. Now that you know what data you hold and where, you can set appropriate retention periods for each category. Care records may need to be retained for years after a service user leaves (specific periods depend on the type of care and the client group). Staff records have different requirements. Recruitment data for unsuccessful candidates should not be kept indefinitely. A data flow map gives you the foundation to build retention schedules that are specific, defensible, and practical.
Apply data minimisation. UK GDPR requires that you hold only the data you need for the purpose it was collected. Your data flow map will almost certainly reveal data that is held unnecessarily: old records beyond any retention requirement, data collected "just in case," and copies of information that serve no current purpose. Minimisation reduces your risk surface. Less data means less exposure in a breach.
Improve breach preparedness. If a breach occurs, the ICO expects you to identify what data was affected, whose data it was, and who needs to be notified. With a data flow map, you can answer those questions quickly because you already know what each system holds and who it belongs to. Without one, the first hours after a breach are spent trying to work out what you have lost, when time is critical.
Support subject access requests. When someone asks what data you hold about them (a right under UK GDPR), your data flow map tells you exactly where to look. Instead of searching every system individually and hoping you have found everything, you have a documented record of which systems hold data for each category of individual.
Maintain the map. Data flows change when you introduce new systems, change suppliers, or alter processes. Build a review into your annual cycle, ideally aligned with your DSPT submission timeline, so the map stays current rather than becoming another outdated document.
UK GDPR is built on the principle of accountability. It is not enough to comply with the rules. You must be able to demonstrate that you comply. Data flow mapping is one of the most tangible ways to do that.
When the ICO investigates, when the CQC inspects, when a family asks how their loved one's information is handled, a documented data flow map shows that you have taken the time to understand your own processing. It shows that data protection is something you actively manage, not something you assume is fine because nobody has complained.
For care providers, the stakes are real. The data you hold describes some of the most vulnerable people in society: their health, their histories, their capacity, their families. Understanding where that data goes is not a regulatory exercise. It is part of the duty of care you accepted when you took responsibility for those individuals.
If you do not know where your data goes, start finding out. The process is methodical, not complicated. Identify the systems, document the data, trace the flows, and record the sharing. Once you have the map, everything that follows, from retention policies to breach response to audit trails, becomes clearer and more manageable.
For care organisations that need support with data flow mapping, data protection, or building compliance into their technology strategy, our technology consulting service works with care providers to get this right. Not as a one-off project, but as a foundation for how you handle data going forward.
The people in your care deserve to know that their information is handled with the same diligence as their care. Data flow mapping is where that starts.