Why GDPR matters for care providers
If you operate a care home, domiciliary care agency, or supported living facility in the UK or EU, you are almost certainly processing personal data about some of the most vulnerable people in society. The General Data Protection Regulation (GDPR), and the UK's Data Protection Act 2018, set strict rules on how that data must be handled.
Monitoring is where these rules bite hardest. Whether you use cameras in communal areas, wearable trackers for wandering residents, or sensors to detect falls, every monitoring system generates data. Some of that data is personal. Some of it is sensitive. All of it is subject to regulatory scrutiny from the Information Commissioner's Office (ICO) in the UK or the relevant national authority in EU member states.
Getting this wrong has real consequences. ICO enforcement actions against care providers have resulted in fines, enforcement notices, and reputational damage. Poorly implemented monitoring can also undermine the dignity and trust of the people you are trying to protect.
Below we cover what GDPR requires, how different monitoring technologies compare on privacy, and what practical steps you need to take to stay compliant.
GDPR basics every care provider must know
A few core GDPR principles come up repeatedly in care monitoring situations.
The seven principles
GDPR Article 5 sets out seven principles. Four are especially relevant to monitoring:
- Lawfulness, fairness, and transparency -- You must have a legal basis for collecting data, and you must tell people what you are doing with it.
- Purpose limitation -- Data collected for safety monitoring cannot be repurposed for staff performance management or marketing without a separate legal basis.
- Data minimisation -- You must collect only the data you actually need. If you need to know whether someone has fallen, you do not need a video of them falling.
- Storage limitation -- Data must not be kept longer than necessary. Indefinite retention of monitoring footage is a compliance failure.
Lawful basis for processing
Under GDPR Article 6, every instance of data processing requires a lawful basis. For care monitoring, three bases are typically relevant:
- Consent (Article 6(1)(a)) -- The individual agrees to monitoring. This sounds straightforward, but consent must be freely given, specific, informed, and revocable. In a care setting, there is a real question about whether consent from a vulnerable, dependent person is truly "free." Regulators recognise this tension.
- Legitimate interests (Article 6(1)(f)) -- You have a genuine, documented need to monitor (e.g., fall prevention), and this interest is not overridden by the individual's rights. This requires a Legitimate Interests Assessment (LIA). Many care providers find this is the most appropriate basis for proportionate monitoring.
- Vital interests (Article 6(1)(d)) -- The monitoring is necessary to protect someone's life. This is a high bar and is generally reserved for emergencies rather than routine monitoring.
In practice, most care providers rely on legitimate interests for routine monitoring, supplemented by consent where appropriate. The key is to document your reasoning clearly.
Privacy by design and by default
GDPR Article 25 requires that data protection is embedded into systems and processes from the start, not added as an afterthought. For monitoring, this means:
- Choosing the least intrusive technology that achieves your safety objective
- Setting systems to the most privacy-friendly configuration by default
- Limiting access to monitoring data on a need-to-know basis
- Building in automatic data deletion after a defined retention period
This is not aspirational. It is a legal requirement. The ICO can and does assess whether organisations have implemented privacy by design in practice.
Monitoring technologies ranked by GDPR risk
Not all monitoring is equal under GDPR. The type and volume of data a system collects determines its privacy risk and your compliance burden.
| Technology | Data collected | GDPR risk level | DPIA required? | Can be used in bedrooms/bathrooms? |
|---|---|---|---|---|
| CCTV cameras | Identifiable video/audio | Highest | Yes (mandatory) | No, legally prohibited |
| Wearables with GPS/location | Location, biometrics, activity | Medium–High | Yes | Yes, but compliance issues |
| PIR motion sensors | Binary motion/no-motion | Low | Recommended | Yes |
| 60 GHz radar sensors | Anonymous motion and presence data | Lowest | Recommended (best practice) | Yes, no identifiable data |
Cameras: highest GDPR risk
CCTV captures identifiable personal data by definition. In a care setting, this triggers the most onerous GDPR requirements: mandatory DPIA, signage, restricted access, defined retention periods, subject access request procedures, and data breach notification processes. Cameras are outright prohibited in bedrooms and bathrooms under Article 8 of the European Convention on Human Rights (right to private life). Staff and visitors must also be informed and may raise objections.
For a deeper analysis, see our article: Why Cameras Are Becoming a Liability in Residential Care.
Wearables with location tracking
GPS-enabled wearables and location trackers process personal data (location history) and potentially special category data (health data inferred from movement patterns). They require consent or another lawful basis, and they raise questions about freedom of movement, particularly for residents with dementia who may not be able to consent meaningfully.
PIR motion sensors
Passive infrared sensors detect motion but cannot identify who is moving. The data they generate (room occupied/not occupied, motion detected/not detected) is generally not personal data under GDPR, provided it cannot be combined with other data to identify an individual. The privacy risk is low, but they also provide limited safety information. They cannot detect falls or distinguish between a person moving normally and a person in distress.
Radar-based monitoring: lowest GDPR risk
60 GHz radar sensors, such as those used by HomeCare, detect human presence, movement patterns, and fall events using radio waves. They do not capture images, video, or audio. The data they produce is anonymous motion data that cannot identify a specific individual. That puts them at the bottom of the GDPR risk scale while still giving you fall detection and activity monitoring.
Legal basis for monitoring: choosing the right one
The lawful basis you choose has practical implications. Here is how each one works in a care monitoring context.
Consent
Consent is the most commonly understood basis, but it is often the wrong choice for care settings. GDPR requires consent to be freely given, but a resident who depends on your organisation for their daily care may feel unable to refuse monitoring. The ICO's guidance on consent specifically warns that where there is a "clear imbalance" between the data subject and the controller, consent is unlikely to be a valid basis.
If you do rely on consent, you must offer a genuine choice, explain the consequences of refusing (which must not be punitive), and make withdrawal of consent easy and without detriment.
Legitimate interests
For most care monitoring, legitimate interests is the most defensible basis. To use it, you need to complete a Legitimate Interests Assessment (LIA) covering three tests:
- Purpose test: What is the legitimate interest? (e.g., detecting falls quickly to reduce injury severity)
- Necessity test: Is the monitoring necessary for that purpose, or could you achieve the same result with less data?
- Balancing test: Do the individual's rights and expectations override your interest? Would they reasonably expect this monitoring?
Document this assessment and keep it on file. Regulators will ask for it.
Vital interests
This basis applies when processing is necessary to protect someone's life. It is appropriate for emergency situations but is not a suitable basis for routine, ongoing monitoring. You cannot claim "vital interests" as a blanket justification for 24/7 surveillance.
Data protection impact assessments (DPIAs)
Under GDPR Article 35, a DPIA is mandatory when data processing is likely to result in a "high risk" to individuals' rights and freedoms. Monitoring vulnerable adults in a care setting will almost always meet this threshold.
When is a DPIA required?
The ICO's screening checklist identifies several triggers relevant to care monitoring:
- Systematic monitoring of a publicly accessible area (CCTV in communal spaces)
- Processing data about vulnerable individuals (elderly residents, people with dementia)
- Processing on a large scale (multiple residents across multiple locations)
- Use of new technologies (radar-based systems, AI-powered fall detection)
If two or more of these triggers apply, a DPIA is required. In practice, almost any monitoring system deployed across a care organisation will need one.
What a DPIA should contain
A DPIA is not a tick-box exercise. It should include:
- A systematic description of the monitoring: what data, how collected, how processed, how stored, who has access
- An assessment of necessity and proportionality: could you achieve your safety objective with less data?
- An assessment of risk to individuals: what could go wrong, and how severe would the impact be?
- Measures to mitigate those risks: technical safeguards, access controls, retention policies, staff training
- A record of consultation with your Data Protection Officer (if you have one) and, where appropriate, with residents and their families
The ICO provides a DPIA template that is a good starting point.
ICO guidance on care home monitoring (UK)
The ICO has issued specific guidance relevant to monitoring in care settings. The main points:
- Proportionality: The ICO expects monitoring to be proportionate to the identified risk. Blanket CCTV coverage of an entire care home is unlikely to be proportionate; targeted monitoring in response to specific safety concerns is more defensible.
- Transparency: Residents, their families, staff, and visitors must be told about monitoring, what data is collected, why, and how long it is kept. Privacy notices must be clear and accessible.
- Subject access requests (SARs): Anyone captured by monitoring has the right to request a copy of their data. For camera systems, this means you may need to review and redact footage of other individuals before disclosure, which is a significant operational burden.
- Staff monitoring: If your monitoring system also captures staff data (as cameras inevitably do), separate rules apply. Staff have a right to privacy at work, and monitoring must be justified, proportionate, and disclosed.
- Covert monitoring: The ICO's Employment Practices Code states that covert monitoring should only be used in exceptional circumstances (e.g., suspected criminal activity) and never as routine practice.
EU country variations
GDPR applies uniformly across the EU, but national implementations and supervisory authority interpretations differ in practice.
Germany: the strictest standard
Germany's federal data protection law (BDSG) and the interpretations of the BfDI (Federal Commissioner for Data Protection) impose stricter requirements than the GDPR baseline. Camera monitoring in care homes is subject to particularly intense scrutiny. Residents' rooms are treated as private dwelling space, and monitoring, even with consent, is heavily restricted. German courts have consistently upheld residents' privacy rights over institutional convenience.
France: CNIL requirements
France's CNIL requires a formal declaration for any video surveillance system in a care setting. The CNIL has issued specific guidance on monitoring in Établissements d'Hébergement pour Personnes Âgées Dépendantes (EHPADs), stating that monitoring must respect residents' dignity and that camera placement must be justified room by room.
Netherlands: AP guidelines
The Autoriteit Persoonsgegevens (AP) has taken a balanced approach, recognising the legitimate need for monitoring in care settings while requiring clear documentation and proportionality. The AP's guidelines specifically mention the potential of non-camera technologies to achieve safety objectives with less privacy intrusion.
Practical implication
If your organisation operates across multiple countries, you need to comply with the strictest applicable standard. A system that is compliant in Germany will be compliant everywhere, which is another reason to choose monitoring with the lowest possible GDPR footprint.
Practical compliance checklist for care providers
Use this checklist to audit your current monitoring arrangements or to plan a new deployment.
Before deployment
- Identify the specific safety objective the monitoring addresses (e.g., fall detection, wandering prevention)
- Assess whether the chosen technology is the least intrusive way to achieve that objective
- Determine and document your lawful basis (legitimate interests, consent, or vital interests)
- Complete a Legitimate Interests Assessment if relying on Article 6(1)(f)
- Carry out a Data Protection Impact Assessment
- Define data retention periods and automatic deletion processes
- Establish access controls: who can view monitoring data, under what circumstances
- Prepare a clear, accessible privacy notice for residents and their families
- Prepare a separate privacy notice for staff, if the system also captures staff data
- Train all relevant staff on the monitoring system and their data protection obligations
During operation
- Display clear signage where camera monitoring is in operation (not required for non-camera systems)
- Maintain a record of processing activities (ROPA) that includes the monitoring system
- Have a documented process for handling subject access requests related to monitoring data
- Have a data breach response plan that covers monitoring data specifically
- Review the monitoring arrangement at least annually. Is it still necessary and proportionate?
- Document any complaints or concerns raised by residents, families, or staff
Ongoing governance
- Appoint a Data Protection Officer (DPO) if required (mandatory for organisations processing data about vulnerable individuals at scale)
- Include monitoring in your annual data protection audit
- Update your DPIA when the monitoring system changes or new technology is introduced
- Stay current with ICO or national supervisory authority guidance
Privacy by design: what it means in practice
Privacy by design is widely cited but often poorly understood. Here is what it actually looks like applied to care monitoring.
The core question
Ask: "What is the minimum data I need to achieve my safety objective?" If the objective is detecting falls, you need to know that a fall event occurred, where, and when. You do not need to know what the person looks like, what they were wearing, or what they were doing before the fall. Any data beyond what is strictly necessary is a privacy risk without a safety benefit.
Technology choice as privacy by design
The most impactful privacy-by-design decision is the choice of monitoring technology itself. A radar-based system that processes anonymous motion data cannot capture identifiable data even if misconfigured, because the technology itself does not produce it. A camera system, by contrast, requires layers of technical and organisational safeguards (encryption, access controls, retention policies, staff training) to get anywhere close to the same level of privacy protection.
This is not a theoretical distinction. Regulators increasingly look at whether care providers considered less intrusive alternatives before deploying cameras. If you cannot show that you evaluated privacy-first options, your DPIA may be found deficient.
Data architecture
Privacy by design also applies to how data flows through your systems:
- Process locally where possible: A sensor that processes data on-device and sends only alerts (not raw data) to the cloud has a smaller privacy footprint than one that streams continuous data to external servers.
- Encrypt in transit and at rest: All monitoring data should be encrypted, even if it is anonymous.
- Minimise data sharing: Only share monitoring data with people who need it for their defined role.
- Automatic deletion: Build in automatic data expiry so that old data is not retained by default.
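The following Python sketch is an added example, not code from the original article or from any sensor vendor. It turns the four points above into a small pipeline: raw sensor frames are processed on the device and only events leave it; a central store checks the caller's role and purpose before releasing anything (so safety data cannot be read for staff performance management); and a purge routine enforces separate retention periods for routine events and safeguarding incidents. The frame format, the fall heuristic, the thresholds, the role table and the retention periods are all constructed assumptions; a real deployment would take the retention values from the provider's own retention schedule.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Iterable, Optional


@dataclass(frozen=True)
class Frame:
    """One raw on-device sensor reading (constructed shape, not a real vendor format)."""
    ts: datetime
    motion: float     # 0.0 = no movement ... 1.0 = vigorous movement
    height_cm: float  # estimated height of the detected presence above the floor; 0 = empty room


@dataclass(frozen=True)
class Event:
    """The only record that leaves the device: what happened, where, and when."""
    ts: datetime
    room: str
    kind: str               # "presence_start", "presence_end" or "fall"
    incident: bool = False  # safeguarding-relevant -> longer retention


# Hypothetical policy values; replace with the periods in your own retention schedule.
ROUTINE_RETENTION = timedelta(days=30)
INCIDENT_RETENTION = timedelta(days=365)

# Constructed thresholds for the toy fall heuristic (a sudden height drop, then stillness).
FALL_DROP_CM = 80.0
STILL_AFTER_FALL = 0.2

# Purpose limitation: which roles may read events, and for which purposes (assumed table).
ALLOWED_PURPOSES = {
    "care_staff": {"safety"},
    "dpo": {"safety", "audit"},
    "hr": set(),  # performance management is a separate purpose: no access to safety data
}


def detect_events(room: str, frames: Iterable[Frame]) -> list[Event]:
    """On-device processing: consume raw frames, emit only events, retain no frames."""
    events: list[Event] = []
    prev: Optional[Frame] = None
    present = False
    for f in frames:
        occupied = f.height_cm > 0
        if occupied != present:  # presence transitions are the only routine events exported
            events.append(Event(f.ts, room, "presence_start" if occupied else "presence_end"))
            present = occupied
        if (prev is not None and occupied
                and prev.height_cm - f.height_cm >= FALL_DROP_CM
                and f.motion < STILL_AFTER_FALL):
            events.append(Event(f.ts, room, "fall", incident=True))
        prev = f  # the previous frame is the only raw data held, and only briefly
    return events


class EventStore:
    """Central store: receives events, enforces role/purpose checks and automatic expiry."""

    def __init__(self) -> None:
        self._events: list[Event] = []

    def ingest(self, events: Iterable[Event]) -> None:
        self._events.extend(events)

    def query(self, role: str, purpose: str, room: str) -> list[Event]:
        """Need-to-know access: refuse any role/purpose pair not in the table."""
        if purpose not in ALLOWED_PURPOSES.get(role, set()):
            raise PermissionError(f"role {role!r} may not read monitoring data for {purpose!r}")
        return [e for e in self._events if e.room == room]

    def purge_expired(self, now: datetime) -> int:
        """Storage limitation: delete events past their retention period; returns the count removed."""
        keep = [e for e in self._events
                if now - e.ts < (INCIDENT_RETENTION if e.incident else ROUTINE_RETENTION)]
        removed = len(self._events) - len(keep)
        self._events = keep
        return removed

    def count(self) -> int:
        return len(self._events)


def demo() -> dict:
    """Constructed scenario: a resident enters an empty room and falls; 60 days later we purge."""
    t0 = datetime(2024, 1, 1, 2, 0, tzinfo=timezone.utc)
    frames = [
        Frame(t0, 0.0, 0.0),                            # empty room
        Frame(t0 + timedelta(seconds=1), 0.6, 165.0),   # resident walks in
        Frame(t0 + timedelta(seconds=2), 0.5, 160.0),
        Frame(t0 + timedelta(seconds=3), 0.1, 35.0),    # sudden drop, then almost still
        Frame(t0 + timedelta(seconds=4), 0.0, 35.0),
    ]
    events = detect_events("room-12", frames)
    store = EventStore()
    store.ingest(events)
    removed = store.purge_expired(t0 + timedelta(days=60))
    return {"events": [e.kind for e in events], "removed": removed, "kept": store.count()}


if __name__ == "__main__":
    print(demo())
```

Running `demo()` yields two exported events (a presence start and a fall) from five raw frames, and the 60-day purge removes the routine presence event while keeping the incident-flagged fall. The design point is that the least intrusive data flow is decided in `detect_events`: whatever the device does not export can never be breached, subject to an access request, or repurposed.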
For a more detailed exploration of privacy-first monitoring, see: Privacy-First Monitoring: What It Means and Why Regulators Prefer It.
Balancing safety and privacy
There is a genuine tension here. Care providers have legally mandated obligations to keep residents and clients safe. The Health and Safety at Work Act, the Care Act 2014, CQC regulations, and their equivalents across Europe all require you to take reasonable steps to prevent harm.
Privacy is not about doing nothing. A care provider who refuses to implement any monitoring on privacy grounds, while residents suffer avoidable falls and injuries, is not protecting anyone. The goal is proportionate monitoring: collecting the minimum data necessary for meaningful safety outcomes.
Technology has moved to a point where this trade-off is less painful than it used to be. Systems that detect falls using anonymous radar data deliver safety outcomes comparable to or better than those of cameras, without the privacy costs. The regulatory direction in the UK, Germany, France, and across the EU is clearly towards these lower-risk approaches.
For guidance on how the CQC and EU regulators view this balance, see: Data Protection in Home Care: What the CQC and EU Regulators Expect.
Frequently asked questions
Do care homes need GDPR consent to monitor residents?
Not necessarily. Consent is one lawful basis under GDPR, but care providers can also rely on legitimate interests (Article 6(1)(f)) or vital interests (Article 6(1)(d)) where monitoring is needed to protect the health and safety of residents. However, whichever basis you choose, you must document it clearly, inform the resident, and carry out a Data Protection Impact Assessment if the monitoring is systematic or involves vulnerable individuals.
Is camera monitoring in care homes legal under GDPR?
Camera monitoring in common areas is legal if you have a lawful basis, display clear signage, carry out a DPIA, and limit access to footage. However, cameras are legally prohibited in bedrooms and bathrooms under UK and EU privacy law, as this would breach residents' Article 8 rights (right to private and family life). Staff and visitors must also be informed, and footage must be stored securely with defined retention periods.
What is a DPIA and do care providers need one?
A Data Protection Impact Assessment (DPIA) is a formal process to identify and minimise data protection risks. Under GDPR Article 35, a DPIA is mandatory whenever processing is likely to result in a high risk to individuals' rights and freedoms. Monitoring vulnerable adults in a care setting almost always meets this threshold. The ICO provides a template and screening checklist to help you determine whether a DPIA is required.
What does "privacy by design" mean for care monitoring?
Privacy by design (GDPR Article 25) means building data protection into your monitoring system from the outset, not bolting it on afterwards. In practice, this means choosing the least intrusive technology that achieves your safety objective. If you need to detect falls, a system that processes anonymous motion data achieves this without collecting identifiable images or video, which is a textbook example of data minimisation.
How long can we keep monitoring data?
GDPR requires that personal data is kept no longer than necessary for its stated purpose (the storage limitation principle). For care monitoring, this means you should define a clear retention period in your privacy policy -- typically 30 to 90 days for routine monitoring data. Any data related to incidents or safeguarding concerns should be retained in line with your organisation's incident management policy, which may be longer.
Are radar-based monitoring systems GDPR-compliant?
Radar-based systems that process only anonymous motion and presence data -- without capturing images, video, or audio -- carry the lowest GDPR risk of any monitoring technology. Because the data cannot identify a specific individual, it may not even constitute personal data under GDPR. However, best practice is still to carry out a DPIA, inform residents, and document your lawful basis, as the monitoring itself occurs in a private setting.