{{org_field_logo}}
{{org_field_name}}
Registration Number: {{org_field_registration_no}}
Online Safety Policy
1. Purpose
This policy outlines {{org_field_name}}’s approach to ensuring a safe and secure online environment for staff, the people we support, and visitors. It aligns with CQC regulations, the Data Protection Act 2018, UK GDPR, and Regulation 17 – Good Governance. The policy aims to prevent cyber risks, protect personal data, and promote responsible digital practices within the care home.
2. Scope
This policy applies to all employees, including full-time, part-time, bank, and agency staff, as well as volunteers, contractors, and the people we support. It covers all digital systems, including internet access, email communication, social media, online learning platforms, and digital care management systems used within {{org_field_name}}.
3. Legal and Regulatory Framework
- Regulation 17 – Good Governance: Requires care providers to implement robust IT security and data management policies.
- Data Protection Act 2018 & UK GDPR: Ensures personal and sensitive data is protected online.
- Care Act 2014: Mandates safeguarding policies, including online safety measures.
- Computer Misuse Act 1990: Protects against cybercrime and unauthorised access to IT systems.
- Health and Safety at Work Act 1974: Ensures a safe working environment, including online safety.
4. Online Safety Measures and Management
- Access Control and User Permissions:
  - Staff are assigned appropriate access levels based on job roles.
  - Restricted access to sensitive information to prevent unauthorised use.
  - Strong password policies, requiring regular updates and multi-factor authentication.
- Internet Usage:
  - The use of the internet for non-work-related activities is permitted only during designated breaks.
  - Access to inappropriate or harmful websites is blocked via firewall and filtering software.
  - Downloading unauthorised software or applications is strictly prohibited.
- Email and Phishing Protection:
  - All staff must use work email accounts for professional communication.
  - Emails containing confidential data must be encrypted.
  - Staff must be trained to recognise phishing emails and report suspicious activity immediately.
- Social Media Use:
  - Staff must not discuss work-related matters on personal social media accounts.
  - No photos or information about the people we support should be shared without written consent.
  - Official social media pages must be managed only by authorised personnel.
- Use of Personal Devices (Bring Your Own Device – BYOD):
  - Staff must not store confidential information on personal devices.
  - Mobile devices used for work must have security software installed.
  - Personal device use for work purposes must comply with CH34-Confidentiality and Data Protection (GDPR) Policy.
5. Safeguarding the People We Support Online
- Supervised Internet Use:
  - Individuals with capacity should be supported in accessing online services safely.
  - Where necessary, supervision should be provided to prevent exposure to harmful content.
- Cybersecurity Awareness:
  - The people we support must be educated on safe browsing habits and avoiding online scams.
  - Staff should help individuals identify and report online abuse or cyberbullying.
- Online Financial Protection:
  - Staff must not assist with online financial transactions unless agreed within a care plan.
  - Any suspicious financial activity involving a resident must be reported under CH13-Safeguarding Adults from Abuse and Improper Treatment Policy.
6. Digital Record-Keeping and Data Security
- Secure Storage of Data:
  - All digital records must be stored in encrypted, password-protected systems.
  - No confidential information should be stored on unapproved cloud services or external devices.
- Regular System Backups:
  - IT systems must be backed up regularly to prevent data loss.
  - Backups must be stored securely and tested periodically.
- Audit and Monitoring:
  - All IT activity, including system logins and file access, is monitored for security compliance.
  - Any breaches or unauthorised access attempts must be reported immediately.
7. Cybersecurity Training and Awareness
- Mandatory Staff Training:
  - Staff must complete annual cybersecurity and online safety training.
  - Training will cover password security, phishing awareness, and data protection.
- Ongoing Digital Awareness:
  - Regular online safety updates via team meetings and digital newsletters.
  - IT security drills to test staff responses to potential cyber threats.
8. Reporting and Managing Online Safety Incidents
- Reporting Procedures:
  - Any data breach, cyberattack, or unauthorised system access must be reported to the Registered Manager and IT department immediately.
  - Incidents must be recorded and investigated in line with CQC notification requirements.
- Disciplinary Action for Breaches:
  - Misuse of IT systems, unauthorised access, or breaches of confidentiality will be addressed under CH31-Disciplinary and Grievance Policy.
  - Staff found engaging in cyberbullying, online harassment, or improper social media use may face disciplinary consequences.
9. Monitoring and Compliance
- IT audits will be conducted regularly to ensure compliance with security policies.
- Compliance checks on staff device usage, access logs, and email security will be implemented.
- Feedback from staff and residents on online safety will be reviewed to improve policies.
10. Related Policies
- CH17-Infection Prevention and Control Policy
- CH18-Risk Management and Assessment Policy
- CH27-Staff Supervision, Training, and Development Policy
- CH30-Equality, Diversity, and Inclusion Policy
- CH31-Disciplinary and Grievance Policy
- CH34-Confidentiality and Data Protection (GDPR) Policy
11. Policy Review
- This policy will be reviewed annually or sooner if changes in CQC regulations, cybersecurity threats, or legal requirements arise.
- Amendments will be made to ensure continued compliance and best practice in online safety and data protection.
Responsible Person: {{org_field_registered_manager_first_name}} {{org_field_registered_manager_last_name}}
Reviewed on: {{last_update_date}}
Next Review Date: {{next_review_date}}
Copyright © {{current_year}} – {{org_field_name}}. All rights reserved.