ICO Enforcement Lessons You Can’t Ignore
19/09/2025

Running a care home is never simple. Staffing, CQC inspections, family expectations… and somewhere in the mix, the law on personal data. It often slips down the priority list – until it bites back.
The Information Commissioner’s Office (ICO) has recently reminded the sector that data protection isn’t optional. Here are three real cases every care home manager should know about, and the lessons to take away.
1. Ignoring Subject Access Requests – Criminal Offence
In 2025, the ICO prosecuted the director of a Yorkshire care home (Bridlington Lodge) for flat-out refusing to respond to a Subject Access Request (SAR) from a resident’s daughter, who had lasting power of attorney. The home held incident reports, CCTV and care notes, all within the scope of the lawful request.
Instead of complying, the director concealed and withheld information. The result? A fine of £1,100 plus costs of £5,440. More damaging than the money was the reputational hit: a public prosecution and ICO press release.
Every SAR must be taken seriously. You have one calendar month to respond, and “we’re too busy” is not a defence. Staff need to know what a SAR looks like and who to escalate it to.
2. Cybersecurity Failures – Multi-Million Pound Fine
In a high-profile case, the ICO fined Advanced Computer Software Group (an NHS software supplier) £3.07 million after a ransomware attack. The core issue? Basic security measures were missing, including no multi-factor authentication (MFA) on critical accounts and weak technical controls.
Care homes increasingly use electronic care planning and medication systems. If your supplier doesn’t have strong security in place, or if your own staff log in with weak passwords (or passwords on Post-it notes…) and no MFA, you’re vulnerable. The ICO, patients and their families expect reasonable technical and organisational measures under Article 32 GDPR.
3. Unencrypted Devices – Data Theft
A care home in Northern Ireland was fined £15,000 after an employee took an unencrypted laptop home, which was stolen in a burglary. The device contained sensitive health records of residents and staff.
Portable devices are high-risk. If you allow staff to work remotely, laptops must be encrypted, and sensitive information should not be stored locally at all unless absolutely necessary. Do you have a remote working policy in place?
What This Means for Care Homes
These aren’t abstract examples. They’re real-world cases showing that care homes are firmly on the ICO’s radar. Whether it’s mishandling a SAR, neglecting security basics, or failing to protect devices, the consequences are fines, prosecutions, and public reputational damage.
And remember: under CQC’s Well-Led and Safe key lines of enquiry, inspectors are looking closely at confidentiality, records management and information governance. Poor data protection practices will impact your ratings.
How I Can Help
At JH Data Protection Ltd, I work with independent care homes to make compliance practical, not painful. That includes:
- SAR processes that actually work in real life
- UK GDPR/DSPT audits and action plans
- Staff training (short, scenario-based sessions)
- Policy updates (privacy, retention, CCTV, breach response)
- Support with DPIAs for electronic care records, visitor systems, and more
I offer a free 30-minute mini-audit for care homes. You’ll walk away with clear, actionable steps to reduce risk and confidence that if the ICO or CQC come knocking, you’re ready.
Next Step
Get in touch at dpo@jhdataprotection.com. Don’t wait for a complaint, breach or ICO letter to make data protection your priority.