{{org_field_logo}}
{{org_field_name}}
Registration Number: {{org_field_registration_no}}
Online Safety Policy
1. Introduction
At {{org_field_name}}, we recognise the increasing reliance on digital technology in delivering domiciliary care services. While technology enhances efficiency, communication, and record-keeping, it also introduces risks related to data breaches, cybercrime, and inappropriate use. Our Online Safety Policy ensures that all staff, service users, and stakeholders use technology responsibly and securely, safeguarding personal information and promoting safe online practices.
This policy aligns with the General Data Protection Regulation (GDPR), the Data Protection Act 2018, the Health and Social Care Act 2008, and CQC’s standards for information governance and safe care delivery. It applies to all digital platforms, devices, and systems used within the organisation, including email, social media, mobile devices, and online care platforms.
2. Purpose and Scope
The purpose of this policy is to:
- Protect sensitive information related to service users, staff, and the organisation.
- Promote safe and responsible use of technology.
- Prevent cyber threats, including phishing, malware, and hacking.
- Ensure compliance with data protection legislation and CQC standards.
- Provide guidance for reporting and responding to online safety incidents.
This policy applies to all staff, including care workers, administrators, managers, volunteers, contractors, and service users who access company systems or services online. It covers all company-owned and personal devices used for work purposes, including computers, tablets, smartphones, and cloud-based platforms.
3. Principles of Online Safety
Our approach to online safety is guided by the following principles:
3.1 Confidentiality and Privacy:
Sensitive information, including service user records, must be kept confidential and accessed only by authorised personnel. Encryption, password protection, and secure platforms will be used to protect data.
3.2 Integrity and Accuracy:
Online information must be accurate, reliable, and up to date. Any discrepancies in service user records or care notes must be reported and corrected promptly.
3.3 Accountability and Responsibility:
All staff are responsible for safeguarding digital systems and adhering to company policies. Regular training will be provided to promote accountability and vigilance.
3.4 Proactive Risk Management:
Potential online threats, such as phishing emails or malware, will be identified and mitigated through regular risk assessments, software updates, and antivirus protection.
3.5 Respect and Professionalism:
Online communication must be respectful, professional, and compliant with organisational standards. Any inappropriate content or behaviour will be addressed promptly.
4. Online Safety Responsibilities
4.1 Registered Manager:
- Oversees the implementation and monitoring of the Online Safety Policy.
- Ensures that all staff receive appropriate training and resources.
- Investigates online safety incidents and takes appropriate action.
4.2 IT and Data Protection Officer (if applicable):
- Manages network security, software updates, and system backups.
- Monitors digital platforms for suspicious activity and breaches.
- Provides technical support and guidance to staff.
4.3 Line Managers and Supervisors:
- Ensure that staff follow safe online practices in daily operations.
- Conduct regular audits of digital records and communications.
- Support staff in reporting and resolving online safety concerns.
4.4 All Staff:
- Follow online safety protocols, including password management and safe browsing.
- Report any suspicious emails, breaches, or incidents immediately.
- Protect service user information when using digital platforms.
4.5 Service Users and Families:
- Encouraged to follow safe online practices, including protecting personal information.
- Advised on secure use of digital communication platforms when accessing care services.
5. Safe Use of Technology
To ensure safe and responsible use of technology, the following guidelines apply:
5.1 Password Management:
- All company systems and devices must be password-protected.
- Passwords must be strong, containing at least 12 characters, including uppercase letters, lowercase letters, numbers, and symbols.
- Passwords must be changed every 90 days and not reused.
5.2 Device Security:
- All company-owned devices must be protected by antivirus software, firewalls, and automatic updates.
- Personal devices used for work purposes must comply with the Bring Your Own Device (BYOD) Policy and be protected by encryption and passcodes.
- Lost or stolen devices must be reported immediately for remote locking and data erasure.
5.3 Email and Communication:
- Staff must use company email accounts for work-related communication.
- Phishing awareness training will be provided, with regular testing through simulated phishing campaigns.
- Suspicious emails, links, or attachments must not be opened and must be reported immediately.
5.4 Internet and Social Media Use:
- Internet use must be appropriate, professional, and related to work purposes.
- Staff must not share confidential information, images, or personal opinions related to work on social media platforms.
- Service users must not be contacted or engaged with through personal social media accounts.
5.5 Remote Working and Virtual Meetings:
- Staff working remotely must use company-approved devices and VPN connections.
- Virtual meetings must be conducted through secure platforms, such as Microsoft Teams or Zoom, with password-protected access.
6. Protecting Personal and Sensitive Data
6.1 Data Storage:
- Service user records and company documents must be stored on secure, encrypted platforms, such as a company-approved cloud storage system.
- Paper records must be stored in locked cabinets and digitised where possible.
6.2 Data Sharing:
- Personal data must only be shared with authorised individuals and for legitimate purposes.
- When sharing information externally, encrypted email or secure file transfer platforms must be used.
- Staff must verify the identity of recipients before sharing sensitive data.
6.3 Data Retention and Disposal:
- Personal data must be retained in accordance with the company’s Data Retention Policy and GDPR guidelines.
- Outdated digital files and paper records must be securely deleted or shredded.
7. Online Safety for Service Users
{{org_field_name}} is committed to promoting online safety for service users who access technology as part of their care. Our approach includes:
- Education and Support:
  - Providing service users with clear guidance on safe internet use, including recognising scams, protecting passwords, and avoiding suspicious websites.
  - Offering digital literacy training where appropriate, particularly for vulnerable individuals.
- Secure Communication:
  - Encouraging the use of secure platforms for virtual consultations, care coordination, and family communication.
  - Ensuring that service users understand how to protect their privacy during online interactions.
- Parental and Carer Involvement (if applicable):
  - When service users are children or vulnerable adults, carers will be encouraged to supervise online activities and implement parental controls.
- Reporting Concerns:
  - Service users and families can report online safety concerns to their care coordinator or the company’s Data Protection Officer.
8. Online Safety Training and Awareness
To maintain high standards of online safety, all staff will receive regular training, including:
- Induction Training: New staff will receive comprehensive training on safe technology use, data protection, and cyber threat awareness.
- Annual Refresher Training: All staff will complete annual online safety training, including simulated phishing exercises and best practices for password management.
- Targeted Training: Additional training will be provided for staff working with vulnerable service users, including children and adults with cognitive impairments.
- Awareness Campaigns: Regular bulletins, posters, and workshops will promote ongoing awareness of emerging cyber threats and safe practices.
9. Reporting and Responding to Online Safety Incidents
To ensure swift and effective responses to online safety incidents, the following procedure will be followed:
- Incident Detection:
  - Staff must report any suspected online safety incident immediately to their line manager or the company’s Data Protection Officer.
- Incident Reporting:
  - An Online Safety Incident Report Form must be completed, detailing the date, time, nature of the incident, and any immediate actions taken.
- Investigation and Mitigation:
  - The Data Protection Officer will investigate the incident, identify root causes, and implement corrective actions.
  - If a data breach occurs, affected individuals will be notified, and the Information Commissioner’s Office (ICO) will be informed within 72 hours, if required by law.
- Follow-Up:
  - Lessons learned from the incident will inform future training and risk management practices.
10. Monitoring and Compliance
To ensure ongoing compliance with this policy:
- System Monitoring:
  - Company IT systems will be monitored for unusual activity, including login attempts, software updates, and suspicious downloads.
- Audits and Reviews:
  - Regular audits will be conducted to assess compliance with online safety procedures.
  - Audit findings will inform continuous improvement initiatives.
- Staff Accountability:
  - Staff who breach the Online Safety Policy may face disciplinary action, up to and including termination of employment, depending on the severity of the breach.
- Policy Review:
  - This policy will be reviewed annually or sooner if legislative changes, technological advancements, or emerging risks require updates.
11. Supporting Mental Health and Well-Being
We recognise that online safety extends beyond technical protection to include the psychological well-being of staff and service users. To promote digital well-being:
- Screen Time Management: Staff and service users are encouraged to take regular breaks from screens and maintain healthy technology habits.
- Preventing Online Harassment: Any instances of cyberbullying, harassment, or abusive content must be reported immediately and will be addressed under the company’s Bullying and Harassment Policy.
- Mental Health Support: Access to the company’s Employee Assistance Programme (EAP) is available for staff experiencing stress or anxiety related to online safety issues.
12. Review and Approval
This Online Safety Policy will be reviewed annually by the Registered Manager ({{org_field_registered_manager_first_name}} {{org_field_registered_manager_last_name}}) and Data Protection Officer ({{org_field_data_protection_officer_first_name}} {{org_field_data_protection_officer_last_name}}) to ensure it remains current and effective. Updates will be communicated to all staff, and additional training will be provided where necessary.
Responsible Person: {{org_field_registered_manager_first_name}} {{org_field_registered_manager_last_name}}
Reviewed on: {{last_update_date}}
Next Review Date: {{next_review_date}}
Copyright © {{current_year}} – {{org_field_name}}. All rights reserved.