Consent, Privacy and Information Governance in Person-Centred Technology

Person-centred technology only strengthens independence when people remain in control of what is used, what is shared, and what happens if they say no. Consent, privacy and information governance must therefore sit at the heart of delivery rather than being treated as background IT processes. This applies across Person-Centred Technology and must align with robust Digital Records, Data Quality & Information Governance.

What consent looks like in day-to-day delivery

In adult social care, consent for technology is rarely static. People’s confidence, capacity, circumstances and tolerance for risk can change over time. Providers must treat consent as an ongoing, reviewable agreement rather than a one-off signature obtained at the point of installation.

Operationally, staff must be able to explain what a technology does, what data it captures, who can see that data, and what alternatives exist. Just as importantly, people must be able to withdraw consent without fear that support will be reduced or withdrawn.

Operational examples

Example 1: Telecare opt-in with a defined alternative

A provider offered a falls sensor following a near-miss incident. The person wanted reassurance overnight but did not want continuous monitoring. The agreed plan limited activation to night-time only, with staff-led welfare checks identified as the alternative if the sensor was declined or failed. Consent was reviewed monthly and recorded in accessible language.

Example 2: Controlled family access to digital care records

A family requested access to digital care notes. The person agreed to share appointment outcomes and wellbeing summaries but did not want daily logs visible. Role-based access controls were set, boundaries were recorded in the support plan, and supervision checks ensured staff did not exceed agreed permissions.

Example 3: Time-limited location tracking to support independence

For someone becoming disoriented in the community, GPS tracking was agreed as a short-term safety measure while travel confidence was developed. The plan defined trigger points for viewing location data, named who could access it, and set a clear review date with the intention to step down once skills improved.

Commissioner and regulator expectations

Expectation 1: Least intrusive and proportionate use of technology

Commissioners expect providers to demonstrate that technology is used as the least restrictive option capable of achieving safety and wellbeing outcomes. Tender evaluations frequently test whether providers can justify why a particular tool is used and evidence consideration of non-digital alternatives.

Expectation 2: Clear governance and accountability for data use

Regulators and commissioners will expect providers to show how data is governed in practice. This includes access controls, audit trails, incident response arrangements and named accountability for digital governance. Statements of compliance must be backed by operational evidence.

Practical consent and privacy controls

Accessible and specific consent records

Consent documentation should clearly state the technology used, its purpose, what data is collected, who can access it and when consent will be reviewed. Where people use alternative communication methods, information must be adapted accordingly and recorded.

Built-in refusal and withdrawal pathways

Support plans should explicitly record what happens if technology is declined, withdrawn or fails. This reassures people, protects providers from challenge, and demonstrates that care is not conditional on digital compliance.

Data minimisation as standard practice

Collect only what is necessary to achieve agreed outcomes. Excessive data collection increases risk, undermines trust and creates unnecessary governance burden.

Governance and assurance mechanisms

Strong providers evidence:

• Routine audits of consent reviews and access permissions
• Manager sampling of support plans to confirm technology use aligns with agreements
• Clear incident reporting for privacy breaches or inappropriate use
• Regular supervision discussions on dignity, control and restriction risk

What good looks like

When consent and privacy are handled well, technology supports confidence, independence and safety without eroding dignity. Providers can evidence improved outcomes alongside reduced complaints, clearer commissioning assurance and stronger inspection narratives.