{{org_field_logo}}
{{org_field_name}}
Registration Number: {{org_field_registration_no}}
Mobile Devices (Phones and Tablets) Policy
1. Purpose
The purpose of this policy is to ensure that {{org_field_name}} uses mobile devices, including mobile phones, smartphones, tablets, electronic care-record systems, rostering applications, communication platforms and any mobile applications used for service delivery, in a safe, lawful, confidential and professional manner. This policy supports the safe provision of domiciliary support services in Wales and must be read alongside the organisation’s Confidentiality and Data Protection Policy, Safeguarding Policy, Record Keeping Policy, Social Media and Online Communication Policy, Lone Working Policy, Driving Policy, Duty of Candour arrangements and IT/Cybersecurity Policy.
Mobile devices must only be used in ways that protect individuals’ privacy, dignity, rights, safety and well-being; support accurate care delivery and record keeping; promote continuity of care; and comply with the Regulation and Inspection of Social Care (Wales) Act 2016, the Regulated Services (Service Providers and Responsible Individuals) (Wales) Regulations 2017, as amended, the Welsh Government statutory guidance for domiciliary support services, UK GDPR, the Data Protection Act 2018 and CIW expectations.
Our objectives are to:
- Ensure the appropriate and secure use of mobile devices for work-related purposes.
- Protect sensitive service user data from unauthorised access, misuse, or loss.
- Promote safe and professional communication between staff and service users.
- Comply with legal and regulatory requirements regarding data security and confidentiality.
- Ensure that mobile devices are used to improve efficiency without compromising safety or professionalism.
2. Scope
This policy applies to:
- All employees, including care workers, managers, and administrative staff.
- The Registered Manager and Responsible Individual, who are responsible for compliance.
- Third-party contractors or external professionals using mobile devices for work-related tasks.
- Service users and their families, where mobile communication is used.
This policy applies to all mobile devices used for work-related activity, whether owned by {{org_field_name}}, supplied by a third-party system provider, or personally owned and authorised for limited work use. This includes phones, tablets, laptops, smart watches, wearable devices, memory cards, removable media, messaging applications, camera functions, voice-recording functions, GPS/location functions, electronic call monitoring systems, electronic medication records, digital care planning systems, email accounts and any application used to access, record or transmit information about individuals receiving care and support.
This policy applies whenever staff are working, travelling between care visits, communicating with individuals or representatives, accessing care records, completing visit notes, using electronic rostering or call-monitoring systems, or storing/transmitting any information relating to the service.
3. Legal and Regulatory Framework
This policy supports compliance with the following legal and regulatory requirements and guidance, as applicable to domiciliary support services in Wales:
- The Regulation and Inspection of Social Care (Wales) Act 2016.
- The Regulated Services (Service Providers and Responsible Individuals) (Wales) Regulations 2017, as amended.
- Welsh Government Statutory Guidance for service providers and responsible individuals on meeting service standard regulations for domiciliary support services, Version 3, March 2024.
- The Social Services and Well-being (Wales) Act 2014, including the promotion of well-being, voice, control and safeguarding duties.
- The Data Protection Act 2018 and UK GDPR, including the principles of lawfulness, fairness, transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity, confidentiality and accountability.
- Information Commissioner’s Office guidance on data security, encryption, mobile working, personal data breaches and bring-your-own-device arrangements.
- The Human Rights Act 1998, including respect for private and family life.
- The Equality Act 2010, including reasonable adjustments and accessible communication.
- The Welsh Language (Wales) Measure 2011 and the Welsh Government’s “More Than Just Words” principles, where relevant to communication and the Active Offer of Welsh language services.
- The Mental Capacity Act 2005, where decisions involve individuals who may lack capacity to consent to communication, photographs, recordings or the use of technology.
- The Safeguarding Vulnerable Groups Act 2006, where misuse of technology raises safeguarding or staff-suitability concerns.
- The Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000, where lawful monitoring of work communications is required.
- The Privacy and Electronic Communications Regulations, where electronic communications are used.
- The Road Traffic Act 1988 and associated road-safety legislation concerning the use of mobile phones, tablets, sat navs and other devices while driving.
- Social Care Wales Codes of Professional Practice and the Code of Practice for Employers of Social Care Workers.
The Registered Manager and Responsible Individual must ensure that this policy is implemented, monitored and reviewed so that mobile technology is used consistently with the organisation’s statement of purpose and the assessed needs, rights, privacy, dignity and well-being of individuals receiving care and support.
3.1 Roles and Responsibilities
The service provider is responsible for ensuring that suitable systems, policies, procedures and resources are in place for the safe and lawful use of mobile devices within the service.
The Responsible Individual is responsible for maintaining oversight of how this policy is implemented, including receiving assurance that mobile devices, electronic care records, communication systems and monitoring arrangements are being used safely, lawfully and in line with the statement of purpose. The Responsible Individual must ensure that any concerns, incidents, trends, data breaches or unsafe practices relating to mobile-device use are reviewed through the service’s governance, quality assurance and improvement arrangements.
The Registered Manager is responsible for day-to-day implementation of this policy, including staff guidance, risk assessment, authorisation of device use, investigation of breaches, audit of electronic records, staff training and escalation of concerns to the Responsible Individual, Data Protection Lead, commissioners, safeguarding authorities, CIW or the ICO where required.
Staff are responsible for using mobile devices only as authorised, protecting confidential information, completing accurate records, reporting lost or compromised devices immediately, and raising any concern where mobile-device use may place an individual, staff member or the service at risk.
The Data Protection Lead or nominated senior person is responsible for advising on data protection, privacy notices, data protection impact assessments, breach assessment, ICO reporting, retention of evidence and liaison with the organisation’s IT support or external system providers.
4. Permitted Use of Mobile Devices
4.1 Work-Related Use of Mobile Phones and Tablets
Mobile devices may only be used for legitimate work-related purposes and only in ways authorised by {{org_field_name}}. Approved work-related purposes include accessing electronic care records, viewing care plans and risk assessments, confirming visit schedules, recording visit notes, reporting concerns, contacting the office, communicating with health or social care professionals, receiving urgent operational updates, using lone-working systems, and contacting emergency services where required.
Staff must use company-issued devices wherever these are provided. Personal devices must not be used for work-related purposes unless this has been expressly authorised by the Registered Manager and the controls in this policy have been met.
Staff must not use mobile devices in a way that distracts from the individual receiving care and support. During care visits, devices must only be used where this is necessary for the person’s care, safety, record keeping, medication support, communication needs, emergency assistance, lone-working arrangements, or another authorised work purpose.
Staff must explain the use of work devices to individuals where appropriate, for example where the staff member is using a device to read the person’s care plan, record care notes, confirm medication support, translate information, contact the office, or support communication. Staff must use devices respectfully and must not allow device use to undermine privacy, dignity, choice, control, communication or person-centred care.
4.2 Personal Use of Mobile Devices During Work
- Personal mobile phones must be kept on silent or vibrate mode during working hours.
- Personal calls, texts, and social media use are prohibited during working hours except in emergencies.
- Mobile devices must not be used while providing direct care to service users unless necessary for their well-being.
How we manage this efficiently:
- All staff sign a Mobile Device Agreement outlining permitted use.
- Clear guidelines on personal phone usage are included in staff handbooks and induction training.
4.3 Bring Your Own Device — Personal Devices Used for Work
Personal mobile phones or tablets must not be used to access, store, photograph, record, transmit or discuss information about individuals unless this has been authorised in advance by the Registered Manager. Authorisation will only be granted where there is a legitimate work need and where appropriate technical and organisational controls are in place.
Where personal-device use is authorised, staff must comply with the following minimum controls:
- the device must be protected by a strong password, PIN, biometric lock or equivalent security measure;
- the device must automatically lock after a short period of inactivity;
- operating systems and applications must be kept up to date;
- multi-factor authentication must be used where available for work systems;
- service-user information must not be stored locally on the device;
- personal messaging, personal email, personal cloud storage, personal photo galleries and personal note applications must not be used for work information;
- screenshots of care records, rotas, medication records, messages or service-user information are prohibited unless expressly authorised for a specific safeguarding, clinical, operational or legal purpose;
- family members or other persons must not have access to the device where work systems or work communications are accessible;
- loss, theft or compromise of the device, or unauthorised access to it, must be reported immediately.
{{org_field_name}} reserves the right to withdraw authorisation for personal-device use at any time. Staff who refuse or are unable to meet these controls must not use a personal device for work-related purposes.
5. Data Security and Confidentiality
5.1 Secure Handling of Service-User Information
Staff must protect all personal, confidential and special-category information relating to individuals, representatives, staff and the service. Information must only be accessed where there is a legitimate work-related need and must only be accessed through systems approved by {{org_field_name}}.
Mobile devices used for work must be protected by strong access controls, including a password, PIN, biometric lock or equivalent security measure. Devices must lock automatically when not in use and must never be left unlocked, unattended or visible to unauthorised persons.
Staff must not store service-user information on personal devices, personal email accounts, personal cloud-storage accounts, personal messaging applications, removable media or unapproved applications. Service-user information must only be accessed, recorded or transmitted through approved secure systems.
Staff must not download, copy, screenshot, photograph, forward, print or otherwise duplicate service-user information unless this is necessary, authorised and recorded. Where information is temporarily downloaded for an authorised purpose, it must be deleted securely as soon as it is no longer required.
Staff must ensure that information entered into electronic care records, visit notes, medication records, incident records or communication logs is accurate, factual, timely, respectful and relevant. Records must not include personal opinions, inappropriate comments, abbreviations that may be misunderstood, or information about third parties unless necessary and appropriate.
Mobile devices must be positioned and used so that individuals, visitors, family members or members of the public cannot see confidential information on the screen. Staff must take particular care when working in shared households, vehicles, public places or community settings.
5.2 Reporting Lost or Stolen Devices
- If a work-issued device is lost or stolen, it must be reported immediately to management.
- Remote wiping of sensitive data will be initiated if required to prevent unauthorised access.
How we manage this efficiently:
- Regular audits ensure mobile devices are being used securely.
- Encryption and secure logins are required for accessing sensitive data.
5.3 Personal Data Breaches and Information-Security Incidents
Any actual or suspected personal data breach or information-security incident must be reported immediately to the Registered Manager or nominated Data Protection Lead. This includes, but is not limited to:
- loss or theft of a work or authorised personal device;
- unauthorised access to a device, application, email account or care-record system;
- sending a message, email, photograph, screenshot or document to the wrong person;
- use of an unauthorised messaging application or personal email account for service-user information;
- unauthorised photography, video recording or voice recording;
- screenshots or downloads of care records without authorisation;
- suspected malware, phishing, hacking or compromised passwords;
- disclosure of an individual’s information to family members, visitors or other persons without lawful basis or consent.
The Registered Manager or Data Protection Lead must record the incident, assess the risk to individuals’ rights and freedoms, take immediate containment action, and decide whether the matter must be reported to the Information Commissioner’s Office. Where a personal data breach is likely to result in a risk to individuals’ rights and freedoms, the ICO must be notified without undue delay and, where feasible, within 72 hours of {{org_field_name}} becoming aware of the breach. Where the breach is likely to result in a high risk to an individual, the affected individual must also be informed without undue delay unless an exemption applies.
Where the breach also raises safeguarding, professional conduct, contractual, commissioner or regulatory concerns, the Registered Manager must consider referral or notification to the relevant safeguarding authority, commissioner, CIW, Social Care Wales, the police or other relevant body.
5.4 Encryption, Multi-Factor Authentication and System Security
All work-issued mobile devices must have appropriate security controls, including encryption where supported, secure log-in, automatic locking, remote-locking or remote-wiping capability where available, and secure configuration by {{org_field_name}} or its authorised IT provider.
Multi-factor authentication must be used for remote access to care-record systems, rostering systems, email, cloud storage and other systems containing personal or confidential information, unless the Registered Manager and Data Protection Lead have documented why this is not available or not proportionate.
Passwords, PINs, authentication codes and log-in details must not be shared with any other person, including colleagues, family members, individuals receiving care, representatives or external professionals. Staff must not write passwords down in a way that could allow unauthorised access.
Staff must not disable security settings, jailbreak or root devices, install unauthorised applications, bypass organisational controls, connect devices to unknown computers, or use unsecured public Wi-Fi for work systems unless using an approved secure connection.
Any suspected phishing message, malware warning, unusual device behaviour, unauthorised access attempt or system error affecting confidentiality, integrity or availability of information must be reported immediately.
5.5 GPS, Electronic Call Monitoring, Rostering Applications and Visit Records
Where {{org_field_name}} uses electronic call monitoring, rostering applications, GPS location functions, time-and-attendance systems or digital visit confirmation, these systems must only be used for legitimate purposes, including confirming attendance, supporting lone-worker safety, managing visit schedules, evidencing care delivery, responding to missed or late visits, and meeting contractual or regulatory requirements.
Staff must accurately record arrival and departure times, care delivered, concerns identified, refused care, missed calls, late calls and any change in the individual’s presentation, needs, risks or preferences. Staff must not ask another person to log in or out on their behalf, falsify visit times, alter records inaccurately, or delay recording information in a way that may affect care quality or safety.
Electronic monitoring must not be used in a way that undermines the individual’s dignity, privacy or right to receive person-centred care. Staff must never allow the need to complete electronic records to shorten a care visit, rush care, ignore the individual’s communication needs, or fail to provide care in line with the personal plan.
Location data and electronic visit data must be processed transparently, proportionately and only for authorised work purposes. Staff must be informed about what monitoring takes place, why it is necessary, who can access the data, how long it is retained, and how concerns can be raised.
6. Communication with Service Users and Families
6.1 Professional Standards in Communication
All communication using mobile devices must be professional, respectful, necessary, accurate and relevant to the provision of care and support. Staff must communicate in a way that protects confidentiality, promotes dignity and respects the individual’s wishes, language, communication needs and personal circumstances.
Staff must not share personal phone numbers with individuals, representatives or family members unless this has been expressly authorised by the Registered Manager for a specific operational reason. Where contact is required, staff must use approved work numbers, office numbers or approved communication systems wherever possible.
Communication with individuals, representatives, families, commissioners, health professionals or other agencies must be documented where it relates to care delivery, risks, concerns, complaints, safeguarding, medication, changes in needs, changes to visit arrangements, refusal of care, accidents, incidents or professional advice.
Staff must take reasonable steps to meet the language and communication needs of individuals, including the needs of Welsh-speaking individuals and individuals who require communication aids, accessible formats, interpretation, translation or support from representatives. Where mobile devices or assistive technology are used to support communication, staff must ensure the individual’s privacy, dignity and consent are respected.
6.2 Messaging Applications, Social Media and Group Chats
Staff must not use social media platforms, personal messaging applications or personal email accounts to discuss, record, photograph, transmit or store information about individuals, representatives, staff or the service. This includes, but is not limited to, WhatsApp, Facebook Messenger, Instagram, Snapchat, TikTok, personal SMS, personal email and personal cloud-storage accounts.
Approved messaging or communication applications may only be used where authorised by {{org_field_name}}, risk assessed, secure, necessary for service delivery, and compliant with data protection requirements. Any approved group chat must have a clear work purpose, named administrator, controlled membership, appropriate confidentiality controls and a process for removing staff who leave the service or no longer require access.
Staff must not post, share, comment on or upload any information, image, video, audio recording or description that may identify an individual, their home, family, care arrangements, health condition, location, staff member or the service, unless this has been expressly authorised for a lawful and legitimate purpose.
Any accidental or unauthorised message, post, image, screenshot or disclosure must be reported immediately as a potential data breach and, where relevant, as a safeguarding or disciplinary matter.
7. Safe Use of Mobile Devices While Driving
7.1 Compliance with Road Safety Laws
Staff must not hold and use a mobile phone, tablet, sat nav or any device that can send or receive data while driving or riding a motorcycle. This applies whether the device is online or offline and includes making calls, texting, checking messages, using apps, taking photographs or videos, browsing the internet, checking rotas, reading care notes, entering visit records, adjusting playlists or using social media.
Staff must not use a handheld device while stopped in traffic, at traffic lights, queuing, supervising a learner driver, or during any other situation where they remain in control of a vehicle.
If a call, message, rota check, care-record entry or navigation adjustment is required, the staff member must stop and park safely and lawfully before using the device. Hands-free equipment may only be used where it is legal and safe to do so, and staff must not continue a hands-free call if it distracts them from driving safely.
Staff must plan journeys, check rotas and set navigation before driving wherever possible. Urgent operational issues must be managed in a way that does not require staff to use devices unlawfully or unsafely while driving.
7.2 Disciplinary Action for Unsafe Use
- Any employee found using a mobile phone while driving in violation of the law will face disciplinary action.
How we manage this efficiently:
- A clear Driving and Mobile Phone Policy is communicated to all staff.
- Staff are encouraged to use journey planning tools to avoid unnecessary communication while driving.
8. Monitoring and Compliance
8.1 Monitoring Mobile Device Usage
{{org_field_name}} may monitor work-issued devices, work accounts, approved applications, electronic care-record systems, call-monitoring systems, email accounts, internet use, location data and system-access logs where this is necessary and proportionate for legitimate purposes. These purposes include safeguarding individuals, protecting confidential information, ensuring accurate care records, investigating incidents or complaints, monitoring compliance with this policy, supporting lone-worker safety, ensuring service continuity, and meeting legal, regulatory, contractual or insurance requirements.
Monitoring must be lawful, fair, transparent and proportionate. Staff will be informed about the nature and purpose of monitoring, the types of data collected, who may access it, how long it will be retained, and how concerns can be raised.
Monitoring must not be used for unnecessary intrusion into staff private life. Personal data obtained through monitoring must only be accessed by authorised persons and must only be used for legitimate work-related purposes.
Where monitoring identifies a concern about care quality, safeguarding, confidentiality, conduct, fraud, falsification of records, misuse of devices, missed visits, late visits or inaccurate records, the matter will be managed under the relevant policy and may result in safeguarding referral, commissioner notification, CIW notification, disciplinary action, referral to Social Care Wales, or referral to another relevant body.
8.2 Disciplinary Procedures for Misuse
- Breaches of this policy may result in disciplinary action, up to and including dismissal.
- Examples of misuse include:
  - Sharing confidential information via personal devices.
  - Using a mobile device for personal use during care provision.
  - Inappropriate or unprofessional communication with service users.
Additional examples of misuse include:
- accessing care records without a legitimate work reason;
- sharing passwords, PINs or log-in details;
- allowing another person to use a work device or work account;
- using a colleague’s log-in or asking another person to log in or out of a visit;
- falsifying electronic visit records, arrival times, departure times or care notes;
- taking unauthorised photographs, videos, screenshots or recordings;
- using personal email, personal messaging apps or social media for service-user information;
- storing service-user information on a personal device or personal cloud account;
- failing to report a lost device, suspected breach or unauthorised disclosure immediately;
- using a handheld device while driving;
- using a mobile device in a way that distracts from care, compromises dignity or creates a safeguarding risk.
How we manage this efficiently:
- Staff receive a written copy of the policy upon employment.
- Clear disciplinary procedures are in place for non-compliance.
9. Mobile Device Maintenance and Support
9.1 Issuing, Return and Inventory of Work Phones/Tablets
All work-issued mobile devices remain the property of {{org_field_name}}. Staff issued with a device must sign a Mobile Device Agreement confirming receipt, permitted use, security requirements, reporting duties and arrangements for return.
{{org_field_name}} will maintain an inventory of work-issued devices, including the device type, serial number or asset number, allocated staff member, date issued, applications installed, security controls applied, and date returned or deactivated.
Staff must keep work-issued devices secure and in good condition, must not lend them to any other person, and must report loss, theft, damage, malfunction, suspected compromise or unauthorised access immediately.
Devices must be returned immediately when requested, when employment ends, when a staff member changes role, when authorisation is withdrawn, or when the device is replaced. Before reallocation, disposal or recycling, devices must be securely wiped and removed from all work accounts and systems by an authorised person.
9.2 Software Updates and Cybersecurity
Work-issued devices must be configured and maintained securely. Security updates, operating-system updates and application updates must be applied promptly. Staff must not ignore repeated update prompts, disable security settings, install unauthorised software, connect devices to unknown computers, use unapproved charging/data cables, or attempt to bypass organisational controls.
Antivirus, mobile-device management, encryption, remote locking, remote wiping, secure back-up, secure authentication and access controls will be used where available and proportionate to the risk.
Staff must remain alert to phishing, suspicious links, unexpected attachments, fraudulent calls, fake log-in pages, malicious QR codes and requests for passwords or authentication codes. Suspicious activity must be reported immediately and staff must not click links, open attachments or provide information where they are unsure.
Work devices must not be used by family members, friends, individuals receiving care, representatives or any unauthorised person.
10. Staff Training and Awareness
All staff must receive training and guidance on this policy during induction and thereafter at intervals determined by the Registered Manager, and at least annually or sooner where there are changes in law, guidance, systems, risks, incidents or organisational practice.
Training must cover:
- confidentiality, data protection and secure handling of service-user information;
- accurate electronic record keeping and professional communication;
- safe use of mobile devices during care visits;
- use of electronic care-record, rostering, call-monitoring, medication or lone-working systems;
- personal data breach reporting and immediate escalation requirements;
- safeguarding risks linked to mobile devices, images, recordings, social media and online communication;
- consent, mental capacity and best-interest considerations for images, recordings and communication;
- Welsh language, accessible communication and communication aids;
- safe use of devices while driving and travelling between visits;
- phishing, password security, multi-factor authentication, encryption and cyber risks;
- BYOD rules, where personal-device use is authorised;
- disciplinary consequences of misuse.
Staff understanding of this policy must be checked through induction, supervision, spot checks, audit, team meetings, incident review and annual appraisal. Additional training, supervision or competency checks must be provided where concerns, incidents, poor practice or changes in systems are identified.
10.1 Mobile Devices and Safeguarding
Misuse of mobile devices may constitute a safeguarding concern. This includes unauthorised images or recordings, online abuse, harassment, coercion, financial exploitation, grooming, discriminatory communication, sharing confidential information, cyberbullying, intimidation, misuse of location information, or any conduct that places an individual at risk of abuse, neglect or improper treatment.
Staff must report any concern immediately in line with the Safeguarding Policy. The Registered Manager must consider whether the concern requires referral to the local authority safeguarding team, police, commissioner, CIW, Social Care Wales, Disclosure and Barring Service, ICO or another relevant body.
Staff must not delete, alter or conceal potential evidence of safeguarding concerns unless instructed to do so by the police, safeguarding authority, Registered Manager or Data Protection Lead. Where evidence is held on a device, the device or content must be secured and access restricted while advice is obtained.
10.2 Duty of Candour and Openness
Where mobile-device use, electronic records, communication failures, data breaches, missed visits, inaccurate records or technology failures contribute to an incident, poor care, harm, distress, safeguarding concern, complaint or risk to an individual, {{org_field_name}} will act in an open and transparent way.
The Registered Manager and Responsible Individual must ensure that incidents are reviewed, that individuals and/or representatives are informed where appropriate, that apologies are offered where appropriate, and that learning is used to improve practice.
Staff must report incidents honestly and must not conceal, delete, falsify or delay information. Any attempt to obstruct openness, reporting, investigation or learning may be treated as a disciplinary matter.
10.3 Business Continuity, Device Failure and System Downtime
{{org_field_name}} must maintain arrangements to ensure continuity of care if mobile devices, electronic care records, rostering systems, call-monitoring systems, internet access, mobile networks or other digital systems fail.
Staff must know how to obtain essential information, report concerns, record care delivered, confirm visit attendance and contact the office during system downtime. Where paper contingency records are used, they must be completed accurately, stored securely and transferred to the approved electronic system as soon as practicable.
Staff must immediately report any system outage, device failure or inability to access essential care information. The Registered Manager must assess whether the issue creates a risk to individuals, staff, visit delivery, medication support, safeguarding, record keeping or contractual compliance, and must take action to maintain safe care.
11. Related Policies
This policy must be read alongside:
- Confidentiality and Data Protection Policy (DCW34)
- Record Keeping and Access to Records Policy
- Safeguarding Adults Policy (DCW13)
- Safeguarding Children Policy, where applicable
- IT and Cybersecurity Policy (DCW45)
- Social Media and Online Communication Policy (DCW29)
- Duty of Candour Policy or Duty of Candour Procedure
- Complaints Policy
- Whistleblowing Policy
- Staff Conduct and Disciplinary Policy
- Lone Working Policy
- Driving for Work / Driving and Mobile Phone Policy
- Medication Policy, where mobile systems are used for medication records or prompts
- Mental Capacity and Consent Policy
- Equality, Diversity and Welsh Language Policy
- Business Continuity Policy
- Data Breach and Incident Reporting Procedure
- Information Retention and Disposal Policy
- Use of CCTV, Surveillance or Monitoring Policy, where applicable
12. Policy Review
This policy will be reviewed at least annually, or sooner where required because of changes in legislation, Welsh Government guidance, CIW expectations, ICO guidance, Social Care Wales guidance, technology, systems, contractual requirements, incidents, complaints, safeguarding concerns, data breaches, audit findings or changes to the statement of purpose.
The Registered Manager is responsible for ensuring that this policy is implemented and reviewed. The Responsible Individual is responsible for maintaining oversight and assurance that the policy remains effective, that staff understand and follow it, and that learning from incidents, audits, complaints and quality assurance activity is used to improve practice.
Any changes affecting individuals, representatives or staff will be communicated in a timely and accessible way.
Responsible Person: {{org_field_registered_manager_first_name}} {{org_field_registered_manager_last_name}}
Reviewed on: {{last_update_date}}
Next Review Date: {{next_review_date}}
Copyright © {{current_year}} – {{org_field_name}}. All rights reserved.