{{org_field_logo}}
{{org_field_name}}
Registration Number: {{org_field_registration_no}}
Computer Systems and Security Policy
1. Purpose
The purpose of this policy is to establish clear governance, security and operational requirements for the use of computer systems, digital care records, mobile devices, cloud-based systems, email, messaging platforms and electronic information across {{org_field_name}}. This policy applies to all digital and electronic information used in the running of the care home, including care records, risk assessments, medicines information, staff records, safeguarding information, incident records, audits, quality assurance records, financial information and communications with professionals, residents and representatives.
This policy is designed to protect the confidentiality, integrity, availability, accuracy and accessibility of information, especially personal data, special category health and social care data, and confidential information relating to residents. It supports compliance with the Health and Social Care Act 2008, the Health and Social Care Act 2008 (Regulated Activities) Regulations 2014, the Care Quality Commission (Registration) Regulations 2009, UK GDPR, the Data Protection Act 2018, the Data (Use and Access) Act 2025, common law confidentiality duties, and relevant CQC guidance for adult social care providers.
This policy supports the provider’s compliance with CQC Regulation 17, Good governance, by ensuring that accurate, complete, contemporaneous and securely maintained records are available when needed. It also supports Regulation 12, Safe care and treatment, by ensuring staff have timely access to the information they need to provide safe care, and Regulation 13, Safeguarding service users from abuse and improper treatment, by ensuring digital systems and information-sharing arrangements support safeguarding, confidentiality and lawful disclosure where required.
2. Scope
This policy applies to all staff, directors, registered managers, deputy managers, nurses, care staff, ancillary staff, agency workers, contractors, volunteers, students and any other person who uses, accesses, manages, stores, transmits or supports {{org_field_name}}’s computer systems, digital care record systems, mobile devices, email accounts, cloud systems, business systems, telephony systems, CCTV systems where applicable, Wi-Fi networks, electronic medication systems, electronic rostering systems, payroll systems or any other system containing personal, confidential, operational or commercially sensitive information.
This policy applies to all locations and working arrangements, including use within the care home, remote access, off-site access, visits, professional meetings, emergency situations, business continuity situations and work carried out by approved third-party suppliers.
This policy applies to all information held electronically or digitally, including residents’ care records, health information, medicines information, photographs, incident records, safeguarding records, deprivation of liberty information, mental capacity records, staff employment records, recruitment records, training records, rota information, quality assurance records, complaints, audits, maintenance records and communications with health and social care professionals, commissioners, families and representatives.
3. Related Policies
- CH04 – Good Governance Policy
- CH13 – Safeguarding Adults from Abuse and Improper Treatment Policy
- CH18 – Risk Management and Assessment Policy
- CH24 – Management of Accidents, Incidents, and Near Misses Policy
- CH34 – Confidentiality and Data Protection (GDPR) Policy
- CH35 – Duty of Candour Policy
4. Policy Statement and Principles
4.1 Governance and Accountability
The Registered Provider and Registered Manager retain overall accountability for ensuring that computer systems, digital records and electronic information are managed safely, securely and lawfully. Day-to-day oversight is delegated to the Data Protection Officer, where one is appointed, or the nominated Data Protection Lead / Information Governance Lead. The responsible person for this policy is {{org_field_registered_manager_first_name}} {{org_field_registered_manager_last_name}}.
The Data Protection Officer or nominated Data Protection Lead is responsible for advising on UK GDPR, the Data Protection Act 2018, data protection by design and default, data breach management, subject access requests, Data Protection Impact Assessments, information-sharing arrangements, staff training, supplier assurance and monitoring compliance with this policy.
{{org_field_name}} will maintain clear accountability for information security through documented roles and responsibilities. This will include identifying who is responsible for system administration, user access approvals, access reviews, leaver access removal, device security, supplier liaison, backups, incident reporting, audits and business continuity.
All staff must comply with this policy, the Confidentiality and Data Protection Policy, the Safeguarding Adults Policy and all relevant information governance procedures. Failure to comply may result in disciplinary action, referral to professional bodies where applicable, reporting to the Information Commissioner’s Office, notification to CQC, safeguarding referral, police referral or contractual action against suppliers, depending on the nature and seriousness of the incident.
4.2 Legal and Regulatory Framework
{{org_field_name}} will operate computer systems and electronic information in line with the following legal and regulatory requirements:
- Health and Social Care Act 2008
- Health and Social Care Act 2008 (Regulated Activities) Regulations 2014, including Regulation 12, Safe care and treatment; Regulation 13, Safeguarding service users from abuse and improper treatment; Regulation 17, Good governance; and Regulation 20, Duty of candour, where relevant
- Care Quality Commission (Registration) Regulations 2009, including statutory notification requirements
- UK General Data Protection Regulation and Data Protection Act 2018
- Data (Use and Access) Act 2025, where provisions are in force and applicable
- Human Rights Act 1998
- Equality Act 2010
- Mental Capacity Act 2005, where digital records relate to capacity, best interests, consent or deprivation of liberty
- Common law duty of confidentiality
- CQC guidance on digital records, good governance, safe care and treatment, safeguarding and statutory notifications
- Relevant NHS, local authority, commissioner, information governance, cyber security and Data Security and Protection Toolkit (DSPT) requirements where applicable
The organisation will review this policy when legislation, CQC guidance, ICO guidance, DSPT requirements, commissioning requirements or technology changes require an update.
4.3 System Access and User Responsibilities
Access to computer systems, digital care records and electronic information will be granted only where there is a legitimate work-related need. Access will be role-based, proportionate and limited to the minimum information required for the person’s role.
Each staff member must use their own unique username and password. Shared accounts must not be used unless there is a documented technical exception approved by the Registered Manager and Data Protection Lead, and suitable compensating controls are in place. Login credentials must not be shared, written down in an insecure place, reused across personal and work accounts, or disclosed to colleagues, residents, relatives, visitors or contractors.
Multi-factor authentication must be enabled for remote access, administrator accounts, cloud systems, email accounts and any system containing personal or special category data, wherever the system allows it. Where MFA is not available, the system owner must record this as a risk and ensure alternative controls are in place.
Access must be authorised by the Registered Manager or delegated senior manager before a user account is created. Access permissions must be reviewed at least quarterly, and immediately when a staff member changes role, changes working location, is suspended, leaves employment, or no longer requires access. Leavers’ access must be removed on or before their last working day, or immediately where there is a safeguarding, disciplinary, confidentiality or security concern.
Staff must lock screens when leaving a device unattended, log out of systems when access is no longer required, and must not allow another person to use an open session. Staff must challenge and report any unauthorised attempt to access information.
4.4 Passwords and Authentication
Passwords must be strong, unique and appropriate to the sensitivity of the system. Staff must follow {{org_field_name}}’s password rules and must not use passwords that are easy to guess, such as names of residents, relatives, pets, dates of birth, the care home name, job titles or common words.
Passwords must be changed immediately if compromise is suspected. Staff must report suspected password compromise, suspicious login prompts, unexpected MFA requests, account lockouts or unusual system activity to the Registered Manager or Data Protection Lead without delay.
Administrator accounts must be restricted to authorised personnel only and must not be used for routine day-to-day work unless necessary. Administrator access must be reviewed regularly and removed when no longer required.
4.5 Data Security and Protection
All personal data, special category data, confidential information and care records must be stored only in approved systems authorised by {{org_field_name}}. Approved systems must have appropriate security controls, including access control, audit logs, secure authentication, encryption in transit, appropriate encryption at rest where available, secure backup arrangements, supplier support arrangements and the ability to retrieve information when required for care delivery, inspection, audit, safeguarding, complaints, legal requests or continuity of care.
Staff must not store residents’ or staff personal data on unapproved local drives, personal cloud accounts, personal email accounts, personal messaging apps, removable media, screenshots, photographs, unsecured documents or privately owned devices unless this has been formally authorised and risk assessed.
All systems and devices used to access care records or confidential information must be protected by appropriate security controls, including supported operating systems, security updates, antivirus or endpoint protection where appropriate, firewalls, screen locks, device encryption where available, secure disposal arrangements and remote wipe capability for mobile devices where technically possible.
USB drives, memory cards and other removable media must not be used for personal or confidential data unless there is no reasonable alternative, the use has been authorised by the Registered Manager or Data Protection Lead, the device is encrypted, the information is transferred securely, and the removable media is recorded, tracked and securely deleted or destroyed when no longer required.
{{org_field_name}} will maintain an information asset register covering key systems, devices, suppliers, data types, system owners, access arrangements, backup arrangements and retention requirements.
4.6 Digital Care Records and Accuracy
Digital care records must be accurate, complete, contemporaneous, clear, factual and kept up to date. Staff must record care and support at the time it is provided, or as soon as reasonably practicable afterwards. Records must clearly identify the person making the entry, the date and time of the entry, and any action taken.
Electronic care planning, risk assessment and medicines systems must support safe care by ensuring that relevant staff can access the information they need when they need it. This includes care plans, risk assessments, mental capacity assessments, best interest decisions, DoLS- or LPS-related information where applicable, nutrition and hydration information, moving and handling information, falls risks, pressure care information, allergies, health appointments, medicines information, incident records and professional advice.
Where information is corrected, amended or updated, the system must retain an audit trail where technically possible. Staff must not delete or alter records in a way that hides the original entry unless this is authorised and lawful. Any factual error must be corrected transparently and promptly.
Digital systems must not create a barrier to CQC inspection, safeguarding enquiries, complaints investigations, audits, continuity of care or access by authorised staff. The Registered Manager must ensure that authorised information can be produced promptly when required.
4.7 Confidentiality and Data Handling
All staff must treat digital information with the same level of confidentiality as paper records. Personal data and confidential information must only be accessed, used or shared where there is a lawful basis, a legitimate care or business need, and the sharing is necessary and proportionate.
Information about residents must be shared securely with relevant professionals, commissioners, safeguarding bodies, emergency services, families, representatives or others only where lawful and appropriate. Where information is shared for safeguarding, urgent care, public protection or legal reasons, staff must record what was shared, with whom, when, why and under what authority.
Staff must not discuss, display, photograph, copy, download or share residents’ or staff information in public areas, on social media, through personal messaging apps, on personal email accounts, or with unauthorised persons. Screens must be positioned to reduce the risk of unauthorised viewing, and privacy screens must be considered where devices are used in communal areas.
Confidential information must not be printed unless necessary. Printed information must be collected promptly, stored securely, used only for the purpose intended, and shredded or disposed of in confidential waste when no longer required.
4.8 Data Protection by Design, DPIAs and New Systems
Before introducing any new digital system, care planning platform, eMAR system, monitoring technology, CCTV system, call bell system with data reporting, artificial intelligence tool, cloud storage solution, electronic visitor system, staff monitoring system or other technology involving personal data, {{org_field_name}} will assess privacy, confidentiality, safety, security and operational risks.
A Data Protection Impact Assessment must be completed where processing is likely to result in a high risk to individuals’ rights and freedoms, including where new technology is used, special category data is processed at scale, monitoring is introduced, or data is shared in a new way.
The assessment must consider the purpose of the processing, lawful basis, data minimisation, access controls, retention, supplier arrangements, security controls, risks to residents and staff, equality and human rights impacts, business continuity, incident response and how information will be retrieved if the system fails or the supplier relationship ends.
No new system that processes personal or confidential information may be implemented until it has been approved by the Registered Manager and Data Protection Lead, and appropriate supplier due diligence has been completed.
4.9 Mobile Devices, Remote Access and Off-Site Working
Mobile devices used to access care records, emails, staff records or confidential information must be approved by {{org_field_name}} and protected by appropriate security controls. These controls must include a strong passcode, biometric access where available, automatic screen lock, encryption where available, supported software, security updates, antivirus or endpoint protection where appropriate, and remote wipe capability where technically possible.
Personal devices must not be used to access, store or transmit personal data or confidential information unless this has been formally authorised under the Bring Your Own Device procedure, risk assessed, and protected by agreed security controls. Where personal devices are authorised, staff must agree to the organisation’s requirements for secure access, reporting loss or theft, removing organisational data and allowing security actions such as remote wipe where appropriate.
Public Wi-Fi must not be used to access care records or confidential information unless there is no reasonable alternative and a secure approved connection, such as VPN or other approved secure access method, is used. Staff must not access confidential information in a public place where screens or conversations may be seen or overheard.
Any loss, theft or suspected compromise of a mobile device, laptop, tablet, phone, security token or authentication method must be reported immediately to the Registered Manager or Data Protection Lead.
4.10 Email, Messaging and Communication Systems
Staff must use only approved communication systems for work-related messages containing personal data, confidential information or care information. Personal email accounts, personal social media accounts and personal messaging applications must not be used for care records, photographs, resident information, staff records or confidential business information unless specifically authorised in an emergency and documented afterwards.
Emails containing personal data or confidential information must be checked carefully before sending: staff must confirm that the recipient, attachment, subject line and content are correct. Where sensitive information is sent externally, secure email, password protection, encryption or an approved secure transfer method must be used where appropriate.
Staff must not send bulk emails containing personal data unless recipients are appropriately protected, such as by using BCC where necessary. Staff must report misdirected emails, incorrect attachments, unauthorised disclosures and suspicious emails immediately.
Photographs or videos of residents must only be taken, stored or shared where there is a lawful basis, documented consent or best interests decision where applicable, and an approved business need. Photographs must be stored only in approved systems and must not be retained on personal devices.
4.11 Backup, System Failure and Disaster Recovery
{{org_field_name}} will maintain backup and disaster recovery arrangements for systems that are essential to safe care, business continuity, regulatory compliance and safeguarding. This includes digital care records, medicines systems, staff rostering systems, payroll systems, dependency tools, communication systems and other critical systems identified in the information asset register.
Backups must be secure, encrypted where appropriate, protected from unauthorised access, and tested at planned intervals to confirm that information can be restored. Backup arrangements must include consideration of cyberattack, ransomware, accidental deletion, supplier failure, internet outage, power outage, device failure and loss of access to cloud systems.
The Registered Manager must ensure that staff know what to do if a digital system becomes unavailable. Business continuity arrangements must include access to essential resident information, emergency contacts, medicines information, allergies, risk assessments, moving and handling information, nutrition and hydration needs, safeguarding information and professional contact details.
Where paper contingency records are used during a system outage, staff must ensure that records are accurate, dated, signed, securely stored and entered into the digital system once it is restored, with a clear audit trail.
System failures that affect safe care, continuity of care, medicines management, safeguarding, staffing, access to records or the safe running of the service must be escalated immediately to the Registered Manager and recorded as an incident.
4.12 Cyber Security Controls
{{org_field_name}} will maintain proportionate cyber security controls to protect residents, staff, systems and information from unauthorised access, loss, damage, cyberattack, malware, phishing, ransomware and accidental compromise.
The following controls must be maintained as a minimum:
- supported operating systems and software must be used;
- security updates and patches must be applied promptly;
- antivirus, anti-malware or endpoint protection must be used where appropriate;
- firewalls and secure network controls must be maintained;
- default passwords must be changed before devices or systems are used;
- administrator access must be restricted;
- MFA must be used for high-risk systems where available;
- backups must be protected from ransomware and unauthorised alteration;
- staff must receive phishing and cyber-awareness training;
- suspicious emails, links, attachments, pop-ups and login requests must be reported;
- cyber incidents must be recorded, investigated and reviewed for learning.
The Registered Manager or nominated system lead must ensure that key devices and systems are included in an asset register and that obsolete, unsupported or insecure devices are removed from use or risk assessed with compensating controls.
4.13 Staff Training and Awareness
All staff must receive information governance, confidentiality, data protection and cyber security training during induction and at least annually thereafter. Training must be appropriate to the person’s role and level of access to information.
Training must include confidentiality, UK GDPR principles, recognising personal data and special category data, secure record keeping, accurate digital care records, password security, MFA, phishing, ransomware, safe use of email and messaging, reporting data breaches, reporting cyber incidents, subject access requests, information sharing, safeguarding-related disclosures and the safe use of mobile devices.
Staff who use digital care planning systems, eMAR systems, electronic rostering systems, dependency tools, incident systems or other specialist platforms must receive system-specific training before being given access. Competency must be checked where the system affects safe care, medicines management, risk assessments or statutory records.
Training records must be maintained and reviewed as part of governance audits. Where an incident identifies a training need, targeted refresher training must be provided.
4.14 Monitoring, Audit and Quality Assurance
{{org_field_name}} will monitor compliance with this policy through regular governance checks, audits and management review. Audits will include, as appropriate, user access, leavers’ access removal, administrator accounts, device security, care record accuracy, eMAR records, system audit logs, data breach records, cyber incidents, backup testing, staff training, supplier assurance, information asset registers and compliance with retention requirements.
Access logs and system activity reports will be reviewed where available and proportionate, particularly following incidents, complaints, safeguarding concerns, suspected unauthorised access, unusual activity or staff changes.
Audit findings must be recorded, reviewed by the Registered Manager and Data Protection Lead, and used to produce action plans with named leads and timescales. Significant risks must be escalated to the provider or nominated responsible individual.
The service will use audit findings, incidents, complaints, safeguarding learning and staff feedback to improve information governance and digital safety. This supports CQC Regulation 17 by ensuring systems and processes are operated effectively, monitored and improved.
4.15 Reporting, Data Breach and Cyber Incident Management
All staff must report suspected or confirmed information security incidents, data breaches, confidentiality breaches, cyber incidents, lost devices, misdirected emails, unauthorised access, malware, ransomware, phishing, accidental disclosure, missing records or system failures immediately to {{org_field_data_protection_officer_first_name}} {{org_field_data_protection_officer_last_name}} via {{org_field_data_protection_officer_email}}, or to the Registered Manager if the Data Protection Officer or Data Protection Lead is unavailable.
A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes incidents affecting electronic records, paper records, emails, mobile devices, cloud systems, photographs, staff records and resident care records.
The Registered Manager and Data Protection Officer or Data Protection Lead will ensure that the incident is contained, investigated, risk assessed, recorded and reviewed. The assessment must consider the type of information involved, the number of people affected, whether special category data is involved, the likelihood and severity of harm, whether the data was encrypted, who has received or accessed the information, and what action is needed to protect affected individuals.
Where a personal data breach is likely to result in a risk to individuals’ rights and freedoms, {{org_field_name}} will report it to the Information Commissioner’s Office without undue delay and, where feasible, within 72 hours of becoming aware of it. Where a breach is likely to result in a high risk to individuals’ rights and freedoms, affected individuals will be informed without undue delay unless an exemption or lawful reason applies.
Where an incident affects the health, safety or welfare of residents, affects the safe running of the service, prevents or threatens to prevent the service from operating safely and properly, involves abuse or alleged abuse, or otherwise meets CQC statutory notification requirements, the Registered Manager will submit the required notification to CQC without delay.
All incidents will be reviewed for learning. Actions may include staff supervision, retraining, system changes, supplier escalation, disciplinary action, safeguarding referral, police referral, ICO notification, CQC notification, commissioner notification, resident or representative communication, and changes to this policy or related procedures.
4.16 CQC Access to Records and Inspection
{{org_field_name}} will ensure that digital systems do not prevent or delay CQC from exercising its regulatory functions. The Registered Manager must ensure that authorised managers know how to access, retrieve and provide records requested by CQC, including care records, staff records, audits, incidents, complaints, safeguarding records, training records and governance records.
Where records are held in third-party systems, {{org_field_name}} will ensure that supplier arrangements allow records to be accessed and produced promptly for inspection, safeguarding, complaints, legal requests, commissioner requests and continuity of care.
Staff must cooperate with lawful requests for information from CQC, safeguarding authorities, commissioners, the ICO, police or other authorised bodies, while ensuring that disclosures are lawful, necessary, proportionate and recorded.
4.17 Suppliers, Cloud Systems and Data Processors
Before using any third-party supplier or cloud-based system to process personal data or confidential information, {{org_field_name}} will complete proportionate due diligence. This must include consideration of the supplier’s security arrangements, data hosting location, backup arrangements, business continuity, access controls, audit logs, incident reporting, support arrangements, data export arrangements, subcontractors and contract terms.
Where a supplier processes personal data on behalf of {{org_field_name}}, a written data processing agreement must be in place before processing begins, unless there is a documented lawful reason why this is not required. The agreement must set out the subject matter, duration, nature and purpose of processing, types of personal data, categories of data subjects, confidentiality requirements, security measures, breach reporting, subcontracting arrangements, audit rights, return or deletion of data and assistance with data subject rights.
Suppliers must be required to report actual or suspected security incidents, data breaches, cyber incidents or service outages affecting {{org_field_name}}’s information or systems without undue delay.
When a supplier contract ends, {{org_field_name}} must ensure that information is securely returned, migrated, archived or deleted in line with legal, regulatory and retention requirements.
4.18 Subject Access Requests and Data Protection Rights
Residents, representatives where authorised, staff and other individuals have rights under data protection law, including rights of access to their personal data. Any request for personal information, care records, staff records, copies of records, corrections to records, deletion, restriction or objection must be passed immediately to the Registered Manager and Data Protection Officer or Data Protection Lead.
Staff must not refuse, ignore or delay a request because it does not mention “subject access request” or “UK GDPR”. Requests may be made verbally or in writing. The organisation will verify identity and authority before disclosure and will respond within the legal timeframe unless an extension or exemption applies.
Care records must be maintained in a way that supports lawful, timely and compassionate access to information while protecting third-party confidentiality, safeguarding information and the rights of others.
4.19 Data Security and Protection Toolkit
Where required or applicable, {{org_field_name}} will complete and maintain the Data Security and Protection Toolkit annually and will use it to assess and improve data protection, information governance and cyber security arrangements.
The Registered Manager or nominated lead will ensure that DSPT evidence is accurate, reviewed and updated when systems, suppliers, policies or working practices change. Any improvement actions identified through the DSPT will be recorded, assigned to a responsible person and monitored through governance arrangements.
Where {{org_field_name}} accesses NHS patient data, NHS systems, NHSmail or shared health and care systems, the organisation will comply with applicable DSPT requirements and any related commissioner or NHS information governance requirements.
4.20 Retention and Secure Disposal
Electronic records must be retained and disposed of in line with {{org_field_name}}’s Records Management and Retention Policy, legal requirements, contractual requirements, safeguarding requirements and relevant health and social care records guidance.
Records must not be deleted, destroyed, overwritten or anonymised unless this is authorised and consistent with the retention schedule. Where records are subject to a complaint, safeguarding enquiry, investigation, litigation, subject access request, regulatory request or other hold requirement, deletion or destruction must be suspended until the matter is concluded and retention has been reviewed.
Devices, hard drives, removable media and printed records containing personal data or confidential information must be securely wiped, destroyed or disposed of through approved confidential disposal processes. Disposal must be recorded where the information is sensitive or the device has held personal data.
4.21 Artificial Intelligence, Automation and New Digital Tools
Staff must not enter residents’ personal data, staff personal data, confidential information, care records, photographs, incident details, safeguarding information or commercially sensitive information into artificial intelligence tools, transcription tools, translation tools, automated note-taking tools or other external digital services unless the tool has been formally approved by {{org_field_name}} and a data protection and security assessment has been completed.
Any use of artificial intelligence, automated decision-making, automated care planning support, automated monitoring or predictive analytics must be approved by the Registered Manager and Data Protection Lead before use. Approval must consider safety, accuracy, bias, transparency, confidentiality, lawful basis, human oversight, resident rights, supplier terms, data retention and whether a Data Protection Impact Assessment is required.
AI or automated tools must not replace professional judgement, person-centred care planning, safeguarding decision-making, clinical advice or statutory responsibilities.
5. Policy Review
This policy will be reviewed at least annually, or sooner if there are changes in legislation, CQC guidance, ICO guidance, DSPT requirements, commissioning requirements, technology, supplier arrangements, cyber security risks, service delivery, incident learning or business operations.
The review will consider audit findings, data breaches, cyber incidents, system failures, complaints, safeguarding concerns, CQC feedback, staff feedback, resident or representative feedback, supplier performance and changes to digital systems.
Any changes will be approved by senior management and communicated to relevant staff. Where changes affect staff practice, additional training, supervision or competency checks will be provided.
Responsible Person: {{org_field_registered_manager_first_name}} {{org_field_registered_manager_last_name}}
Reviewed on: {{last_update_date}}
Next Review Date: {{next_review_date}}
Copyright © {{current_year}} – {{org_field_name}}. All rights reserved.