{{org_field_logo}}
{{org_field_name}}
Registration Number: {{org_field_registration_no}}
Cyber Security Policy
1. Purpose
The purpose of this policy is to define the framework and procedures that {{org_field_name}} adopts to protect the confidentiality, integrity, and availability of all information assets, electronic systems, and data used within the organisation. As a temporary healthcare staffing agency providing registered nurses, healthcare assistants, and other temporary healthcare professionals to care homes and healthcare environments, {{org_field_name}} has a duty to protect sensitive information, including service user data, staff records, and client information, against cyber threats. The agency recognises that failure to protect information assets could result in harm to service users, financial loss, reputational damage, regulatory penalties, and breach of legal obligations. This policy is written in accordance with the Data Protection Act 2018, UK General Data Protection Regulation (UK GDPR), the Computer Misuse Act 1990, the Network and Information Systems (NIS) Regulations 2018, and guidance issued by the National Cyber Security Centre (NCSC) and the Care Quality Commission (CQC).
2. Scope
This policy applies to:
- All directors, office-based staff, registered nurses, healthcare assistants, temporary workers, contractors, and third parties who access {{org_field_name}} information or systems.
- All IT systems, networks, software, and communication platforms used within the agency.
- All forms of data processed by {{org_field_name}}, including electronic files, emails, cloud-based data, paper records converted into electronic formats, and databases.
- Any use of personal or business devices to access agency systems, including laptops, mobile phones, tablets, and remote access systems.
3. Related Policies
- Confidentiality and Data Protection Policy
- Record Keeping and Documentation Policy
- Recruitment Policy
- Staff Code of Conduct
- Whistleblowing Policy
- Security and Access Control Policy
- Incident Reporting and Investigation Policy
4. Policy Statement
{{org_field_name}} is committed to maintaining robust cyber security measures to protect all data and systems from unauthorised access, loss, theft, misuse, damage, or destruction. The agency will:
- Implement security controls to prevent cyber threats, including malware, ransomware, phishing, unauthorised access (hacking), and insider threats.
- Ensure that all staff understand their roles and responsibilities regarding cyber security.
- Monitor and review cyber security risks and controls regularly.
- Respond promptly and effectively to cyber security incidents and data breaches.
- Comply with all applicable legislation and regulatory requirements.
5. Responsibilities
Directors
The directors of {{org_field_name}} are responsible for:
- Ensuring that cyber security is incorporated into the agency’s governance arrangements.
- Approving, reviewing, and updating this policy.
- Ensuring that appropriate technical, organisational, and procedural controls are in place.
- Overseeing staff training and awareness of cyber security.
- Investigating and managing cyber security incidents and breaches.
- Ensuring that contracts with third parties (e.g., IT providers) include appropriate data protection and cyber security clauses.
All Staff and Temporary Workers
All staff, including temporary workers, must:
- Comply fully with this policy and all related procedures.
- Follow security guidelines when using IT systems, accessing data, or communicating electronically.
- Report suspected or actual cyber security incidents immediately to the directors.
- Protect passwords and login credentials.
- Avoid sharing confidential information through insecure channels.
- Complete cyber security training during induction and refresher sessions.
6. Acceptable Use of IT Systems
All staff must:
- Use agency IT systems and data strictly for authorised work-related purposes.
- Not use agency systems for personal, unlawful, or unauthorised activities.
- Access systems only using their own unique login credentials, and never log in with another person’s account or allow another person to use theirs.
- Lock or log out of systems when leaving devices unattended, even briefly.
- Not download or install unauthorised or unapproved software.
- Comply with client-specific IT security protocols when working in client placements.
7. Password Management
All staff must:
- Use strong, unique passwords for each system. In line with NCSC guidance, length matters more than mixing character types: a passphrase of three random words is stronger, and easier to remember, than a short password padded with symbols.
- Never reuse a work password on other systems or personal accounts, and never use easily guessable passwords (e.g., names, dates of birth, or the agency name).
- Use a password manager where one is provided by the agency, and enable multi-factor authentication (MFA) wherever the system supports it.
- Change a password immediately if compromise is suspected. Routine forced password expiry is not required; NCSC guidance advises against it because it pushes users towards weaker, predictable passwords.
- Never share passwords with others, including colleagues, the directors, or IT support. No legitimate request, by email, phone, or message, will ever ask for a password.
- Report any suspected password compromise immediately.
8. Access Control
{{org_field_name}} will:
- Implement role-based access controls so that staff can access only the information necessary for their role (the principle of least privilege).
- Maintain an access control register recording who has access to which systems, at what level, and why.
- Remove system access promptly when staff leave the organisation, and adjust it when they change roles, so that permissions from a previous role do not accumulate.
- Review user access rights regularly and revoke any that are no longer needed.
9. Data Storage and Protection
All data must be:
- Stored on secure systems approved by {{org_field_name}} (e.g., encrypted cloud platforms or secure servers).
- Encrypted at rest and in transit.
- Protected against unauthorised access through appropriate permissions.
- Backed up regularly to enable recovery following incidents such as ransomware attacks or system failures. Backups must be kept separate from the live systems they protect (e.g., offline, or on storage that the live systems cannot overwrite), so that a ransomware attack which encrypts live data cannot also destroy the backups, and restoring from backup must be tested rather than assumed to work.
10. Use of Personal Devices
Where staff use personal devices for work purposes (Bring Your Own Device – BYOD):
- The device must have up-to-date anti-virus and security software, and its operating system and apps must be kept updated.
- Access to agency systems must be via secure methods approved by {{org_field_name}}.
- The device must be protected by a PIN, password, or biometric lock and set to lock automatically when idle.
- Confidential data must not be stored on personal devices unless encrypted and authorised.
- Personal devices must not be shared with others when used for work purposes.
- Loss or theft of a personal device used for work must be reported immediately under section 13.
11. Email and Communication Security
All staff must:
- Use professional and secure email accounts for all work-related communication; personal email accounts must not be used for agency business.
- Be vigilant for phishing emails or suspicious links and attachments, particularly messages that create urgency, ask for credentials or payment, or arrive from unexpected senders.
- Report suspicious emails to the directors immediately, without clicking links, opening attachments, or replying.
- Not send confidential information by email unless encryption is used.
- Not discuss confidential matters over unsecured channels (e.g., unauthorised messaging apps).
12. Cyber Security Awareness and Training
{{org_field_name}} will provide cyber security training to all staff covering:
- Cyber threats (e.g., phishing, malware, social engineering).
- Safe use of systems, devices, and data.
- Password management.
- Incident reporting procedures.
Training will be provided during induction and refreshed regularly.
13. Cyber Security Incident Management
All suspected or actual cyber security incidents must be reported to the directors immediately. Examples of incidents include:
- Suspected or actual unauthorised access to systems or data.
- Loss or theft of a device used for work.
- Receipt of a phishing or scam email, particularly where a link was clicked, an attachment opened, or credentials entered.
- Ransomware or malware attack.
Staff should report without fear of blame; early reporting limits the harm an incident can cause.
Directors will:
- Record all reported incidents.
- Investigate incidents promptly and fairly.
- Take appropriate corrective and remedial action, including containing the incident (e.g., resetting compromised credentials or isolating affected devices).
- Notify relevant parties where required (e.g., clients, Information Commissioner’s Office).
- Maintain a Cyber Security Incident Log.
14. Business Continuity and Disaster Recovery
{{org_field_name}} will ensure that:
- Regular backups of essential data are maintained.
- Disaster recovery procedures are in place and tested periodically.
- Staff know how to respond to IT failures and data loss incidents.
- Critical data can be restored quickly following a cyber attack or system failure.
15. Data Breach Notification
In line with UK GDPR, {{org_field_name}} will:
- Report personal data breaches to the Information Commissioner’s Office (ICO) without undue delay and, where feasible, within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to individuals’ rights and freedoms.
- Notify affected individuals without undue delay when the breach is likely to result in a high risk to their rights or freedoms.
- Keep a record of all breaches, including the facts, effects, and remedial action taken, regardless of whether notification is required.
16. Monitoring and Auditing
The directors will:
- Regularly monitor IT systems and logs for signs of cyber security threats.
- Conduct internal audits of compliance with this policy.
- Address non-compliance through further training, disciplinary action, or system changes.
17. Use of Third-Party Systems and Providers
{{org_field_name}} will:
- Only engage third-party IT providers and software suppliers that meet robust security standards.
- Ensure that contracts include appropriate clauses covering data protection, confidentiality, and cyber security.
- Carry out due diligence before selecting third-party providers.
18. Equality and Inclusion
All staff will be provided with equal access to cyber security resources and training. Adjustments will be made where necessary to ensure that staff with additional needs or disabilities are supported in meeting their cyber security responsibilities.
19. Continuous Improvement
{{org_field_name}} will:
- Review and update cyber security controls regularly.
- Incorporate lessons learned from incidents, audits, and staff feedback.
- Adapt the policy to reflect changes in legislation, technology, or cyber security risks.
20. Policy Review
This policy will be reviewed annually or earlier if:
- New legislation or official guidance is issued.
- Feedback from staff, clients, or regulators indicates a need for revision.
- Cyber security incidents or audits identify gaps or risks.
Responsible Person: {{org_field_registered_manager_first_name}} {{org_field_registered_manager_last_name}}
Reviewed on: {{last_update_date}}
Next Review Date: {{next_review_date}}
Copyright © {{current_year}} – {{org_field_name}}. All rights reserved.