© 2026 Arviteni Ltd. All rights reserved.

Arviteni Ltd. Registered in England and Wales. Company No. 12255133. VAT No. 340921227. Registered office: Greetwell Place, 2 Lime Kiln Way, Lincoln, LN2 4US.

Implementing Audit Trails Across Core Systems for a Care Provider


Client Context

A care group operating residential, supported living, and specialist care services across multiple sites. The organisation stored sensitive data across Microsoft 365, SharePoint, its care management platform, and several other business systems. While the day-to-day operations ran smoothly, there was no way to determine who had accessed, modified, or deleted data across any of these systems.

Service: Managed IT

Care sub-sector: Residential, supported living, specialist care


The Challenge

The organisation could not answer a straightforward question: who accessed this file, and when?

When a care plan was modified, there was no record of who made the change or what the previous version said. When a document was deleted from SharePoint, there was no log of who removed it. When a user accessed a folder they shouldn't have had access to, there was no alert and no evidence that it happened.

For a care provider, this gap had several serious implications.

Safeguarding: If a safeguarding concern was raised and the relevant documentation had been altered, there was no way to establish what the original content was, who changed it, or when. In safeguarding investigations, being unable to demonstrate an evidence chain undermines the entire process.

Regulatory compliance: CQC expects care providers to maintain appropriate records and demonstrate accountability for how those records are managed. The ICO requires organisations handling personal data to implement appropriate security measures, including the ability to detect and investigate unauthorised access. Without audit trails, the organisation could meet neither standard.

Subject access requests: Under UK GDPR, individuals have the right to request access to their personal data. When a request arrived, the organisation had no efficient way to identify everywhere that person's data had been accessed, by whom, or what had been done with it. Responding to SARs was a manual, time-consuming process with no guarantee of completeness.

Internal accountability: Without audit trails, disputes about data handling became impossible to resolve. If a manager claimed a document had been shared without authorisation, there was no evidence to confirm or deny it. If an employee asserted that their personnel file had been accessed inappropriately, there was nothing to investigate.

The systems themselves had audit capabilities. Microsoft 365 includes unified audit logging. SharePoint records document activity. But none of these features had been configured, enabled, or monitored. The organisation was sitting on the tools it needed but had never turned them on.

The Solution

We implemented a comprehensive audit trail framework across the organisation's core systems, starting with the Microsoft 365 environment where the majority of sensitive data was stored and accessed.

Microsoft 365 Unified Audit Logging was enabled across the tenant. This captures user activity across Exchange, SharePoint, OneDrive, Teams, and the wider Microsoft 365 suite. Every sign-in, file access, file modification, sharing action, and permission change is now recorded with a timestamp, user identity, IP address, and action description.

SharePoint audit logging was configured at a granular level for document libraries containing sensitive data: care plans, HR records, compliance documents, and financial information. Beyond the standard audit log, we configured detailed logging for these high-sensitivity libraries so that every view, edit, download, and share is captured individually.

Retention policies were configured for audit logs to ensure they are preserved for a period appropriate to the organisation's regulatory obligations. Care-related logs are retained for the duration required by CQC record-keeping guidance and local authority commissioning requirements. The logs are stored in a location that standard users cannot access or modify, protecting the integrity of the audit trail.

Alerting rules were configured for high-risk actions. If a user downloads an unusually large number of files, accesses a SharePoint site outside their normal scope, or shares a sensitive document externally, an alert is generated and sent to the IT team and the information governance lead. These alerts provide early warning of potential data breaches or policy violations before they escalate.
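The three alert conditions described above can be expressed as rules over audit records. The sketch below is an added example, not the configuration deployed for this client: the field and operation names follow the Microsoft 365 unified audit log record schema, while the threshold, time window, per-user scope map and all sample records are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

CARE = "https://example.sharepoint.com/sites/CarePlans/"   # constructed site URLs
HR = "https://example.sharepoint.com/sites/HR/"
# Assumed policy values (not from the case study); tune per organisation.
BULK_THRESHOLD = 10                    # downloads by one user ...
BULK_WINDOW = timedelta(minutes=10)    # ... inside this sliding window
USER_SCOPE = {"a.khan@example.org": {CARE}, "j.doe@example.org": {HR}}

def evaluate(records):
    """Return a sorted list of (rule, user, detail) alerts for audit records."""
    alerts, downloads = set(), {}
    for r in sorted(records, key=lambda rec: rec["CreationTime"]):
        user, op, site = r["UserId"], r["Operation"], r.get("SiteUrl", "")
        when = datetime.fromisoformat(r["CreationTime"])
        # Rule 1: unusually many downloads, counted per user over a sliding window.
        if op == "FileDownloaded":
            recent = [t for t in downloads.get(user, []) if when - t <= BULK_WINDOW]
            recent.append(when)
            downloads[user] = recent
            if len(recent) >= BULK_THRESHOLD:
                alerts.add(("bulk_download", user, site))
        # Rule 2: file activity on a site outside the user's normal scope.
        # A user with no scope entry is treated as out of scope everywhere.
        if op.startswith("File") and site not in USER_SCOPE.get(user, set()):
            alerts.add(("out_of_scope", user, site))
        # Rule 3: sharing with a guest account or through an anonymous link.
        if op == "AnonymousLinkCreated" or r.get("TargetUserOrGroupType") == "Guest":
            alerts.add(("external_share", user, r["ObjectId"]))
    return sorted(alerts)

def sample_records():
    """Constructed records: a bulk downloader, a stray access, a guest share."""
    base = datetime(2025, 3, 4, 9, 0, 0)
    recs = [{"CreationTime": (base + timedelta(seconds=20 * i)).isoformat(),
             "UserId": "a.khan@example.org", "Operation": "FileDownloaded",
             "SiteUrl": CARE, "ObjectId": f"{CARE}plan-{i}.docx"} for i in range(12)]
    recs.append({"CreationTime": "2025-03-04T11:15:00", "UserId": "j.doe@example.org",
                 "Operation": "FileAccessed", "SiteUrl": CARE,
                 "ObjectId": CARE + "plan-3.docx"})
    recs.append({"CreationTime": "2025-03-04T14:02:00", "UserId": "j.doe@example.org",
                 "Operation": "SharingSet", "SiteUrl": HR,
                 "ObjectId": HR + "contract.pdf", "TargetUserOrGroupType": "Guest"})
    return recs

if __name__ == "__main__":
    for alert in evaluate(sample_records()):
        print(alert)
```

The out-of-scope rule is the one that would surface a misconfigured permission: the access succeeds, but the record still falls outside the user's expected sites.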

We created a set of standard audit reports that can be run on demand: who accessed a specific document and when, what changes were made to a particular SharePoint site over a defined period, which users accessed sensitive data outside business hours, and a full activity log for any individual user. These reports were designed to be usable by non-technical staff, so that the compliance team can investigate a concern without depending on IT to extract the data.

Documentation and training were provided to the compliance and HR teams on how to request, interpret, and use audit data. The goal was to make audit trails a practical tool for governance, not a technical system that only IT understands.

The Results

Every access to sensitive data across the Microsoft 365 environment is now recorded, retained, and retrievable. The organisation can demonstrate exactly who accessed what, when, and what they did with it.

Subject access requests that previously required days of manual investigation can now be answered efficiently using audit reports. The compliance team can produce a complete record of how an individual's data was accessed and by whom, meeting the UK GDPR requirement for transparency.

The alerting system has already proven its value. Early alerts on unusual access patterns allowed the IT team to investigate and resolve potential issues before they became incidents. In one case, an alert identified a user account accessing data outside its normal scope, which turned out to be a misconfigured permission rather than malicious activity, but the point is that it was detected and investigated rather than going unnoticed.

CQC and commissioner queries about data handling can now be answered with evidence. When asked "how do you ensure only authorised staff access care records?", the organisation can demonstrate the technical controls in place and provide audit evidence that they work. This is a fundamental shift from asserting good practice to demonstrating it.

The internal culture around data handling has also shifted. Knowing that actions are logged encourages appropriate behaviour and provides a fair framework for investigating concerns. Staff are neither surveilled nor unsupported. They work within a system that protects them as much as it protects the data.

Audit logging enabled across Microsoft 365, SharePoint, and core business systems · Every access and modification to sensitive data now recorded · Retention policies configured for audit logs · Alerting configured for high-risk actions · Organisation able to respond to subject access and regulatory requests with evidence

Related service: Managed IT

How care is different now

The sensitive information that vulnerable adults and their families entrust to this care organisation is now protected by a system that records every interaction and detects anything unusual. When accountability is needed, the evidence is there. When transparency is required, it can be demonstrated. That is the standard that care data demands.