{{org_field_logo}}
{{org_field_name}}
Registration Number: {{org_field_registration_no}}
Online Safety Policy
1. Purpose
The purpose of this policy is to ensure that all individuals receiving domiciliary support, staff, volunteers, agency workers, contractors and relevant stakeholders are protected from online and digital risks, including cyber threats, personal data breaches, inappropriate or harmful content, online abuse, digital fraud, scams, exploitation and unsafe use of technology. The increased use of electronic care records, mobile devices, online communication, digital scheduling systems and remote working within domiciliary care means that personal information, care records and professional communications must be handled securely, lawfully and in a way that protects people’s privacy, dignity, rights, safety and well-being.
This policy supports compliance with the Regulation and Inspection of Social Care (Wales) Act 2016, The Regulated Services (Service Providers and Responsible Individuals) (Wales) Regulations 2017, as amended, the Welsh Government statutory guidance for domiciliary support services, the Social Services and Well-being (Wales) Act 2014, the Wales Safeguarding Procedures, UK GDPR and the Data Protection Act 2018, the Social Care Wales Code of Professional Practice and relevant Care Inspectorate Wales requirements, including notification and duty of candour expectations.
Our organisation is committed to the responsible and secure use of digital technology to enhance the quality of care provided. This includes ensuring that service users can safely access online services, that staff follow best practices when using digital platforms, and that all personal data is protected against cyber threats. This policy sets out clear expectations for all stakeholders on how to use technology securely and responsibly within the home care environment.
2. Scope
This policy applies to all employees, volunteers, and contractors who use digital systems as part of their roles in providing domiciliary care services. It also extends to service users and their families who interact with our online platforms and digital records, as well as third-party providers who have access to our digital infrastructure.
This policy also applies to agency workers, temporary workers, volunteers, students, consultants, IT support providers, electronic care planning providers, call monitoring providers, payroll or rota system providers, and any person or organisation who has authorised access to the organisation’s systems, devices, records, applications or online platforms. It applies whether access takes place from the office, an individual’s home, during a care visit, while travelling between visits, or through remote working arrangements.
The policy covers a wide range of digital activities, including:
- The use of electronic care records and data management systems to store and process sensitive service user information.
- Email and online communication between staff, service users, healthcare professionals, and external agencies.
- Internet and social media usage within the context of care provision and professional communication.
- Cybersecurity and data protection measures to prevent breaches and unauthorised access to sensitive information.
- Online safeguarding to protect vulnerable individuals from digital exploitation, fraud, or harmful online interactions.
This policy ensures that all parties understand their responsibilities in maintaining online safety and mitigating risks associated with digital interactions in a domiciliary care setting.
3. Online Safety Management
3.1 Digital Access and Acceptable Use
Staff must use organisation-approved devices, systems and software for work-related online activities wherever these are provided. Personal devices must not be used to store, photograph, download, copy, share or retain confidential care information. Personal devices may only be used for work purposes where this has been expressly authorised by the Registered Manager, the device has appropriate security controls in place, and the use is necessary for safe service delivery. Appropriate security controls include password or biometric protection, automatic locking, up-to-date software, encryption where available, secure access to approved systems, and the ability to remove work-related access if the device is lost, stolen, compromised or the staff member leaves the organisation.
Staff must not use personal email, personal messaging accounts, personal cloud storage, personal social media accounts or unapproved applications to send, receive, store or discuss service user information. Access to digital systems must be role-based and limited to the minimum information necessary for the staff member’s role.
To maintain security and accountability, staff must complete mandatory cybersecurity training as part of their induction and attend regular refresher sessions. This training includes guidance on password management, identifying phishing scams, and handling digital data safely. Staff are expected to follow best practices when accessing online services, ensuring that care records remain protected and that all interactions with service users are conducted securely.
3.2 Cybersecurity and Data Protection
All digital records containing personal or special category information must be stored only within approved systems using appropriate security controls, including encryption where available, secure authentication, access controls, audit trails and regular backups. Staff must use strong, unique passwords or passphrases and must not share passwords, write them down where they may be accessed by others, or reuse work passwords for personal accounts. Multi-factor authentication must be used for systems containing personal or sensitive information wherever available. Passwords must be changed immediately where there is suspicion or evidence that they may have been compromised, when required by the system administrator, or following a relevant security incident. Routine forced password changes will not be used unless required by a specific system, contract or risk assessment, as current cyber security guidance advises that automatic password expiry can weaken rather than improve security.
Any suspected data breach must be reported immediately to the Data Protection Officer ({{org_field_data_protection_officer_first_name}} {{org_field_data_protection_officer_last_name}} – {{org_field_data_protection_officer_email}}). Reports should include the nature of the breach, the type of information compromised, and the potential impact on service users. Our organisation conducts regular security audits and penetration testing to identify vulnerabilities in IT systems and implement necessary improvements.
Staff must access, record and share only the minimum information necessary for the purpose of providing care and support. Electronic care records must be accurate, factual, timely and completed in accordance with the organisation’s record keeping and confidentiality requirements. Staff must log out of systems when not in use and must ensure that screens, mobile devices and paper notes are not visible to unauthorised persons during visits, travel or office working.
Any loss, theft or suspected compromise of a work device, personal device used for authorised work purposes, password, login details, care record, email, message, photograph, document or system access must be reported immediately to the Registered Manager and Data Protection Officer. Access for staff who leave the organisation or change roles must be removed or amended without delay. Third-party suppliers who process personal data on behalf of the organisation must be subject to appropriate due diligence, written data processing arrangements and contractual confidentiality and security requirements.
3.3 Online Safeguarding of Service Users
Online safeguarding concerns include, but are not limited to, online abuse, grooming, coercion, harassment, cyberbullying, scams, fraud, financial abuse, identity theft, image-based abuse, unauthorised sharing of photographs or videos, hate crime, online radicalisation, exploitation, technology-facilitated domestic abuse, and misuse of a person’s personal information or digital accounts.
Staff must be alert to signs that an individual may be experiencing online harm, exploitation or digital abuse. This may include unexplained financial transactions, distress following phone or online contact, pressure from unknown persons, changes in behaviour, fear of using a device, secrecy about online relationships, repeated scam calls or messages, or a person being coerced to share passwords, money, images or personal information.
Any suspected online abuse, neglect, exploitation, financial abuse or improper treatment must be reported immediately to the Safeguarding Lead ({{org_field_safeguarding_lead_name}} – {{org_field_safeguarding_lead_role}}) and recorded in the organisation’s safeguarding records. The Safeguarding Lead or Registered Manager will consider the concern in line with the Wales Safeguarding Procedures and the organisation’s Safeguarding Adults from Abuse and Improper Treatment Policy. Where the concern indicates that an adult or child may be at risk, a safeguarding referral must be made to {{org_field_local_authority_authority_name}} without delay.
Staff must not investigate safeguarding concerns beyond their role or place themselves or the individual at further risk. Where safe to do so, staff should preserve relevant evidence, such as screenshots, messages, dates, times, usernames, phone numbers or email addresses, and must pass this information to the Safeguarding Lead or Registered Manager. Staff must not delete potential evidence unless instructed by the Registered Manager, Safeguarding Lead, police, local authority safeguarding team or Data Protection Officer.
Individuals who require support to use digital technology will be supported in a way that promotes independence, choice, dignity and safety. Staff may provide general support to help individuals recognise scams, unsafe links, suspicious emails, fraudulent calls and unsafe websites, but must not take control of an individual’s personal online accounts, banking, passwords or private communications unless this has been lawfully authorised, recorded in the personal plan, risk assessed and agreed with the individual and/or their lawful representative.
3.4 Social Media and Public Communications
Staff must not discuss service users, care plans, or any confidential matters on social media, even in private groups. Any reference to the organisation, staff members, or service users online must be professional and comply with confidentiality regulations.
Only designated staff members are permitted to manage the organisation’s official social media accounts, ensuring that all public communications reflect the organisation’s professional standards. Photos or videos of service users must not be shared online unless explicit written consent has been obtained and documented in the service user’s file. Any misuse of social media that compromises privacy or professionalism may result in disciplinary action.
Consent for photographs, videos, testimonials or online content must be specific, informed, voluntary, recorded, time-limited and capable of being withdrawn. Consent must identify what will be used, where it will be shared, the purpose of sharing, who may see it, and how long it will remain in use. Where there are concerns about an individual’s mental capacity to consent to a specific use of digital content, the Mental Capacity Act 2005 must be followed and any best-interest decision must be recorded. Images or information must not be used where doing so may place the individual at risk, compromise dignity, breach confidentiality or conflict with the individual’s wishes, rights or well-being.
3.5 Artificial Intelligence, Apps, Messaging Platforms and Digital Recording
Staff must not enter personal, confidential, identifiable or sensitive information about individuals, relatives, staff members or the organisation into public artificial intelligence tools, translation tools, chatbots, transcription tools, personal apps or unapproved digital platforms. Any use of artificial intelligence or automated tools for care planning, communication, translation, transcription, monitoring or administration must be approved by the Registered Manager and Data Protection Officer before use and must be subject to a documented risk assessment.
Staff must not make audio recordings, video recordings, screenshots or photographs during care visits unless this is necessary, lawful, authorised, proportionate, recorded and in line with the individual’s consent, personal plan and data protection requirements. Covert recording by staff is not permitted. Where an individual or family member uses recording equipment, smart devices, doorbell cameras, CCTV, monitoring apps or assistive technology in the home, staff must report this to the Registered Manager so that any privacy, consent, safeguarding, dignity, employment and data protection issues can be considered and recorded.
3.6 Digital Inclusion, Accessible Information and Welsh Language
The organisation will support individuals to understand online safety information in a way that is appropriate to their needs, language, communication style, age, capacity and level of understanding. Information may be provided verbally, in writing, in large print, easy read, translated format, or with support from representatives, advocates or communication aids where appropriate.
The organisation will take reasonable steps to meet individuals’ language and communication needs, including Welsh language needs, and will work towards actively offering services and information in Welsh where this is the individual’s language of need or choice. Where an individual requires digital communication aids, assistive technology or support to access online services safely, this will be considered as part of their provider assessment, risk assessment and personal plan where relevant.
Staff must not assume that an individual is able or unable to use technology safely. Support must promote independence and positive risk-taking while also protecting the individual from avoidable harm, abuse, fraud and exploitation.
4. Incident Reporting and Response
4.1 Reporting Online Safety Concerns
All online safety concerns, including cyber threats, phishing attempts, suspected scams, inappropriate online content, unauthorised access, lost or stolen devices, accidental disclosure, data breaches, social media misuse, online safeguarding concerns or unsafe digital practice, must be reported immediately. Staff must report concerns as follows:
- Data protection or confidentiality concerns must be reported to the Data Protection Officer and Registered Manager.
- Safeguarding risks, including online abuse, exploitation, grooming, coercion, scams or financial abuse, must be reported to the Safeguarding Lead and Registered Manager.
- Cybersecurity incidents, including malware, phishing, ransomware, suspicious system activity, lost devices or compromised passwords, must be reported to the Registered Manager and the organisation’s IT support provider or responsible IT lead.
- Concerns involving staff conduct, inappropriate communication, social media misuse or failure to report concerns must be escalated to the Registered Manager ({{org_field_registered_manager_first_name}} {{org_field_registered_manager_last_name}}) and managed in line with the Staff Conduct and Code of Ethics Policy, Disciplinary and Grievance Policy and Whistleblowing Policy as appropriate.
A Cybersecurity and Online Safety Incident Log will be maintained to record the incident, date and time identified, person reporting, individuals affected, immediate action taken, referrals made, notifications required, outcome, learning and any preventive action.
4.2 Investigation and Corrective Action
Each reported incident will be assessed promptly by the Registered Manager, with input from the Data Protection Officer, Safeguarding Lead, Responsible Individual and/or IT support provider as appropriate. Immediate action will be taken to reduce risk, protect individuals, secure systems, preserve evidence and prevent further unauthorised access or disclosure.
Where a personal data breach has occurred, the Data Protection Officer will assess whether it is reportable to the Information Commissioner’s Office. Where the breach is likely to result in a risk to the rights and freedoms of individuals, it will be reported to the ICO without undue delay and, where feasible, within 72 hours of the organisation becoming aware of it. Where the breach is likely to result in a high risk to individuals’ rights and freedoms, affected individuals will also be informed without undue delay unless a lawful exception applies. All personal data breaches, including those not reported to the ICO, will be recorded with the reasons for the reporting decision.
Where an online safety incident involves suspected abuse, neglect, exploitation, financial abuse, improper treatment or risk of harm, a safeguarding referral will be made to {{org_field_local_authority_authority_name}} in line with the Wales Safeguarding Procedures and the organisation’s safeguarding policy. Where the incident involves crime, fraud, harassment, exploitation, theft, malicious communications, unauthorised system access or immediate danger, the police or relevant specialist agency will be contacted as appropriate.
Where an incident is a notifiable event under The Regulated Services (Service Providers and Responsible Individuals) (Wales) Regulations 2017, the Responsible Individual and/or Registered Manager will ensure that Care Inspectorate Wales is notified through CIW Online without delay, usually within 24 hours, and in the form required by CIW. This includes, where relevant, any abuse or allegation of abuse involving the service provider, staff or volunteers, any allegation of misconduct by a member of staff, any incident reported to the police, and any event that prevents or could prevent the provider from continuing to provide the service safely.
Where disciplinary action is required, staff will be managed in line with the Disciplinary and Grievance Policy (DCW31). Where appropriate, referrals will be considered to Social Care Wales, the Disclosure and Barring Service, the police or other professional/regulatory bodies.
4.3 Duty of Candour and Communication with Individuals
The organisation will act in an open and transparent way with individuals receiving care and support, and with their representatives where appropriate, when an online safety, cyber, safeguarding or data protection incident affects them. Where something has gone wrong, the organisation will provide clear information about what has happened, what immediate action has been taken, what further enquiries or investigations are being completed, and what will be done to reduce the risk of recurrence.
Communication will be provided in a way the individual can understand, taking account of their language, communication needs, capacity, emotional well-being and any need for advocacy or representative support. Where appropriate, the organisation will offer an apology and will record all communication, outcomes and learning.
4.4 Records, Audit Trail and Learning Lessons
The organisation will keep accurate records of online safety incidents, cyber incidents, personal data breaches, safeguarding referrals, CIW notifications, ICO decisions, complaints, disciplinary actions and lessons learned. Records will include the date and time of the incident, how it was identified, who was affected, what information or systems were involved, immediate protective action, referrals and notifications made, investigation findings, outcome, duty of candour communication, and actions taken to prevent recurrence.
Themes and learning from online safety incidents will be reviewed through management oversight, staff supervision, staff meetings, audits and quality assurance processes. Where learning identifies a need to change practice, training, systems, risk assessments, personal plans, contracts or policies, the Registered Manager and Responsible Individual will ensure that improvements are implemented and monitored.
5. Staff Training and Compliance
All staff, volunteers and relevant contractors must receive online safety training as part of induction and at regular intervals thereafter. Training will be proportionate to the person’s role and will include secure use of electronic care records, mobile devices and communication systems; confidentiality and data protection; recognising and reporting phishing, scams and cyber incidents; online safeguarding and technology-facilitated abuse; social media boundaries; safe use of photographs and recordings; duty of candour; CIW notification awareness; whistleblowing; and how to support individuals with online safety in a way that promotes rights, independence, dignity, Welsh language and communication needs.
Staff understanding of this policy will be checked through induction, supervision, spot checks, audits, team meetings and incident debriefs. Records of training and competency checks will be maintained. Any member of staff who is unsure about safe digital practice must seek advice from their line manager before acting.
Any breach of this policy will be investigated, and appropriate disciplinary action may be taken. This may include additional training, formal warnings, or termination of employment, depending on the severity of the violation.
6. Roles and Responsibilities
The Responsible Individual has overall oversight of the service’s governance arrangements and must ensure that suitable arrangements are in place to monitor, review and improve the quality and safety of the service, including learning from online safety incidents, safeguarding concerns, complaints, whistleblowing and data protection incidents.
The Registered Manager is responsible for implementing this policy in day-to-day practice, ensuring staff understand and follow the policy, ensuring incidents are reported and investigated, ensuring records are maintained, and ensuring action is taken to protect individuals from online and digital risks.
The Data Protection Officer is responsible for advising on data protection compliance, supporting personal data breach assessment, maintaining breach records, advising on ICO reporting where required, and supporting improvements to confidentiality and information security practice.
The Safeguarding Lead is responsible for advising on online safeguarding concerns, ensuring appropriate safeguarding referrals are made, supporting staff to recognise online abuse or exploitation, and ensuring safeguarding records and outcomes are maintained.
Staff, volunteers, agency workers and contractors are responsible for following this policy, using systems and devices safely, protecting confidential information, reporting concerns immediately, attending required training, and maintaining professional boundaries online.
Third-party digital, IT and system suppliers must meet the organisation’s confidentiality, data protection, security, access control, incident reporting and contractual requirements. Suppliers must report incidents affecting the organisation’s data or systems without delay.
7. Related Policies
This policy should be read in conjunction with the following:
- Confidentiality and Data Protection (GDPR) Policy (DCW34)
- Safeguarding Adults from Abuse and Improper Treatment Policy (DCW13)
- Whistleblowing (Speaking Up) Policy (DCW29)
- Risk Management and Assessment Policy (DCW18)
- Staff Conduct and Code of Ethics Policy (DCW28)
- Duty of Candour Policy
- Records Management Policy
- Information Governance Policy
- Mobile Phone and Device Use Policy
- Social Media Policy
- Mental Capacity and Best Interests Policy
- Complaints Policy
- Staff Supervision and Training Policy
- Incident Reporting Policy
- Business Continuity Policy
- Medication Policy, where electronic medication records or systems are used
- Lone Working Policy
8. Policy Review
This policy will be reviewed at least annually or sooner where there are changes in legislation, Welsh Government statutory guidance, CIW requirements, ICO guidance, NCSC cyber security guidance, organisational systems, digital care planning arrangements, safeguarding procedures, contractual requirements, or following any significant online safety, cyber, data protection or safeguarding incident. The Registered Manager and Responsible Individual will ensure that changes to this policy are communicated to staff and, where the changes directly affect individuals or their representatives, information will be shared in an accessible and timely manner.
Responsible Person: {{org_field_registered_manager_first_name}} {{org_field_registered_manager_last_name}}
Reviewed on: {{last_update_date}}
Next Review Date: {{next_review_date}}
Copyright © {{current_year}} – {{org_field_name}}. All rights reserved.