Regulation 17: good governance and good records
CQC says Regulation 17 sets minimum record requirements for each person, staff employment and overall management of the regulated activity. The requirement applies to paper and digital records.
- Records must be accurate, complete and up to date.
- CQC looks at the information, how it is used and how it is stored and shared securely.
- CQC does not endorse a specific digital social care record product; the provider must assure itself that its system supports people’s needs and regulatory compliance.
Registration Regulation 18: specified incidents
The current regulation requires the registered person to notify CQC “without delay” of the specified incidents that occur while a regulated activity is being provided or as a consequence of it.
- The regulation lists defined injuries, abuse or allegations of abuse, police involvement and events threatening safe continuity, among other incidents.
- Whether a notification is required remains a provider decision against the law and CQC guidance.
- WellDash can flag a possible notification and assemble source evidence for authorised review; the provider retains the legal determination and submission responsibility.
Adult Social Care Minimum Operational Data Standard
MODS is an active information standard designed to create a consistent baseline for recording direct-care data by CQC-registered adult social care providers.
- The published scope includes all CQC-registered adult social care providers and the suppliers of their Digital Social Care Record systems.
- The Information Standards Notice gives a full-conformance date of 31 August 2025.
- Implementation is also a contractual requirement for NHS England DSCR Assured Solution Suppliers under the separate assurance arrangements described by the Standards Directory.
Data (Use and Access) Act 2025: standards reach IT suppliers
Schedule 15 extends the health and adult social care information-standard framework to relevant IT providers. Its relevant provisions came into force on 5 February 2026.
- A relevant IT provider includes a person making technology, an IT service or technology-enabled information processing available for health or adult social care in England.
- The Secretary of State can request compliance and evidence, specify steps and publish a statement of suspected non-compliance, subject to the statutory process.
- The direction is structural: care suppliers need standards-aware data models, interoperability and evidence of compliance—not just exportable documents.
Identity verification and authentication
The current Information Standards Notice sets a full-conformance date of 31 December 2026 for the amended identity verification and authentication standard.
- The published scope includes NHS and non-NHS organisations providing individuals with access to digital, data, analytics and technologies for health or care services.
- For WellDash, provider identity, organisation, site, role, relationship, consent scope and assurance level are part of the product boundary, not an afterthought at login.
AI should support, not replace, human decision-making
CQC encourages AI where it benefits people and supports high-quality, equitable care, but sets out principles providers should follow when using it in regulated care.
- Human oversight, transparency and choice, safety and reliability, security, fairness, training and effective governance.
- DPIAs, accountability mechanisms and procurement aligned with regulatory standards.
- Continuous monitoring and routes to recognise, report, investigate and learn when something goes wrong.
That maps directly to WellDash’s approval boundaries: AI helps structure and propose; workers confirm observations; authorised practitioners approve plan changes.
Deprivation of liberty is now assessed multifactorially
The Supreme Court’s 2 June 2026 judgment replaced reliance on the single Cheshire West “acid test” with a multifactorial assessment. The change applies immediately across the UK.
- Assessment starts with the specific situation: type, duration, effects and manner of implementing restrictions, with no single determinative factor.
- The person’s wishes, feelings and possible valid consent carry significant weight.
- DHSC says current authorisations likely to fall outside the revised scope should be reviewed as soon as practicable and clear decision-making should be recorded.
For a care system, this strengthens the need to record person-specific restrictions, implementation, effects, objection or acceptance, purpose, review and the authorised rationale—without pretending software makes the legal decision.
The proposed 72-hour restrictive-practice notification
The proposal would require CQC-regulated mental-health hospitals to notify CQC within 72 hours, as far as reasonably practicable, after restraint, seclusion or segregation.
Scope correction: this is not a general 72-hour CQC rule for adult social care. The government response says further policy and operational development is required before the requirement can be introduced.
- The consultation response identified demand for a robust, user-friendly, preferably electronic system that reduces duplicate reporting.
- It also recorded concerns about workforce burden, data security, clarity and CQC’s use of the resulting data.
- WellDash can preserve event-level source data and support future reporting workflows without presenting the proposal as current law.