PDPA for elder-care homes in Thailand: handling resident data lawfully
A practical PDPA guide for Thai care centers and home-care services: consent, sensitive health data, access control, and how to stay audit-ready without a lawyer.
Care homes hold some of the most sensitive information a person has: medical history, medications, daily condition, ID numbers. PDPA is not a distant legal concern here; it is a daily duty you need to get right from day one. This is a plain guide to what your center actually has to do, without needing to be a lawyer.
Health data is “sensitive data” and the rules are stricter
PDPA, Thailand’s Personal Data Protection Act, splits information into two tiers. Ordinary data like a name or address sits in one tier. Sensitive data, which includes health information, disability, and biometric data, sits in a much stricter one.
Almost everything a care home records falls into the sensitive tier. That matters because the law requires explicit consent to collect and use it, and demands tighter control over who can see it. Jotting notes on paper anyone can read, or keeping resident details in an Excel file the whole office can open, can put you on the wrong side of the law without anyone realizing.
The practical takeaway: treat every resident record as sensitive by default, and design your handling around that, not around what is merely convenient.
The three things every care home needs in place
You do not need a legal department to be compliant. You need three things working reliably.
- A lawful basis to collect. For most care data this means clear, recorded consent from the resident or their legal representative, gathered at admission and kept on file. A verbal “they agreed” is not enough; you need a record of what they consented to and when.
- Purpose and retention limits. You may only use data for the reasons you stated, and you should not keep it forever. Decide how long records are held after a resident leaves, and be able to explain it.
- Access control. Not every staff member needs every resident’s full medical history. Access should match the role, and you should be able to show who looked at what.
That last point is where paper and shared spreadsheets fail hardest. A binder on a desk has no access log. A shared Excel file cannot tell you who opened it. A system with proper resident records and role-based access does both by design, which is what turns a vague good intention into something you can actually prove.
Consent and family communication, done properly
Families want updates, and that is healthy. But sending photos and condition reports over an open chat is a quiet PDPA risk, because you lose control of where that sensitive data ends up.
The lawful pattern is to share through a controlled channel where access is tied to the family member’s consent and can be withdrawn. A purpose-built LINE Family Portal keeps families informed inside the channel they already use, while keeping the data governed rather than scattered across personal phones and forwarded messages.
When you collect consent, be specific. State what data you collect, why, who can see it, and how a resident or family can ask to access or delete it. Specific consent protects you far better than a blanket “we may use your data” line.
Be ready for an inspection before it happens
The difference between a calm สบส. (Department of Health Service Support) or PDPA review and a stressful one is whether your evidence already exists, or has to be assembled in a panic.
If your records, consent forms, access logs, and medication history live in connected systems, producing evidence is a matter of pulling a report. If they live across paper, spreadsheets, and chat threads, you spend days reconstructing a story and hoping nothing is missing. Aim for the first situation. A platform built for Thai care with สบส. and PDPA compliance and one-click evidence turns audit readiness from a project into a button.
A few habits make this durable:
- Log access automatically, so you never have to remember who saw what.
- Keep medication records structured, not handwritten, so an eMAR (electronic medication administration record) trail is queryable rather than a stack of paper.
- Review consent on a schedule, especially when a resident’s representative changes.
What this looks like day to day
Compliance should not slow your carers down. Done well, it is invisible. A carer records a note, the system files it against the right resident with the right access rules. A family checks in through a governed portal instead of a personal chat. When an inspector asks for evidence, it is already there.
The goal is not to bolt PDPA on top of your work as extra paperwork. It is to keep records in a way that is lawful because of how the system is built, so doing the right thing is also the easy thing.
If you would like help mapping your current data handling to what PDPA expects, reach out to our team and we will walk through it with your center’s real workflow.