{{org_field_logo}}
{{org_field_name}}
Registration Number: {{org_field_registration_no}}
Computer Systems and Security Policy
1. Purpose
The purpose of this policy is to establish clear principles and protocols to ensure the secure and effective use of computer systems and electronic data across {{org_field_name}}. It is designed to protect the confidentiality, integrity, and availability of all data—especially sensitive personal and health information about the people we support. This policy ensures compliance with the General Data Protection Regulation (GDPR), the Data Protection Act 2018, and the expectations outlined in CQC Regulation 17 (Good Governance) and Regulation 13 (Safeguarding).
2. Scope
This policy applies to all staff at {{org_field_name}}, including permanent, part-time, agency staff, contractors, and volunteers who use or access computer systems, mobile devices, cloud-based care management systems, or any digital systems to store, manage, or transmit data. It covers both office-based and remote access to information related to care provision.
3. Related Policies
- CH04 – Good Governance Policy
- CH13 – Safeguarding Adults from Abuse and Improper Treatment Policy
- CH18 – Risk Management and Assessment Policy
- CH24 – Management of Accidents, Incidents, and Near Misses Policy
- CH34 – Confidentiality and Data Protection (GDPR) Policy
- CH35 – Duty of Candour Policy
4. Policy Statement and Principles
4.1 Governance and Accountability
The Data Protection Officer {{org_field_data_protection_officer_first_name}} {{org_field_data_protection_officer_last_name}} oversees all aspects of information security and computer systems. All staff must comply with this policy and complete mandatory training on information governance. Breaches of this policy will result in disciplinary action and may be reported to the Information Commissioner’s Office (ICO) if required.
4.2 System Access and User Responsibilities
Access to computer systems and care records is role-based and strictly controlled. Each staff member is issued unique login credentials which must not be shared. Multi-factor authentication (MFA) is used where applicable. Staff must log out of systems when not in use and lock screens when leaving a workstation. Only authorised devices may be used to access sensitive data. Personal devices may only be used with prior approval and appropriate security controls in place.
4.3 Data Security and Protection
All care records and sensitive data are stored securely within encrypted, password-protected systems compliant with GDPR. All data transmitted between devices or stored in the cloud must use secure connections (e.g., HTTPS, VPN). USB drives and other removable media are prohibited unless encrypted and authorised by the Data Protection Officer. Firewalls and antivirus software are maintained and updated regularly to protect against unauthorised access and cyber threats.
4.4 Confidentiality and Data Handling
All staff must handle digital data with the same level of confidentiality as paper-based records. Personal or care-related data must only be shared on a need-to-know basis and only via secure communication methods such as encrypted emails or approved care systems. Data should never be saved on local drives or unsecured applications. Screens must be positioned away from public view and documents should not be left open or unattended.
4.5 Mobile and Remote Working
When working remotely, staff must use devices approved by {{org_field_name}} and ensure secure internet access. Public Wi-Fi must not be used for accessing care records. Remote workers must ensure that their working environment supports confidentiality and security. Any data accessed or generated during remote working must be saved to secure cloud systems and not retained locally unless pre-authorised.
4.6 Backup and Disaster Recovery
All digital data is backed up daily via encrypted cloud storage or secure off-site backup systems. Regular integrity checks are performed to ensure recoverability. In the event of a system failure, cyberattack, or data loss, the business continuity plan will be activated under the oversight of the Data Protection Officer. Backups are stored in compliance with data retention laws and tested at regular intervals.
4.7 Staff Training and Awareness
All staff are trained during induction and annually thereafter in cyber security, information governance, and safe use of computer systems. Training includes recognising phishing attempts, password management, and identifying suspicious activity. Refresher sessions and system-specific updates are provided as needed. Staff are encouraged to report any concerns or incidents related to digital security immediately.
4.8 Monitoring and Audit
Access logs and usage reports are routinely monitored by senior management to detect unauthorised activity or security breaches. Internal audits are conducted quarterly to assess system security, data protection compliance, and adherence to this policy. Findings are reviewed by the Data Protection Officer and Registered Manager, and action plans developed where necessary.
4.9 Reporting and Breach Management
Any suspected or confirmed data breach must be reported immediately to {{org_field_data_protection_officer_first_name}} {{org_field_data_protection_officer_last_name}} via {{org_field_data_protection_officer_email}}. An incident log will be maintained, and the breach investigated in line with our CH24 and CH34 policies. Where required, individuals affected and the ICO will be informed within statutory timeframes.
5. Policy Review
This policy will be reviewed annually or sooner if changes occur in legislation, technology, or business operations. Any updates will be approved by senior management and communicated to all staff. The current version of the policy is available via {{org_field_website}} and upon request from {{org_field_email}}.
Responsible Person: {{org_field_registered_manager_first_name}} {{org_field_registered_manager_last_name}}
Reviewed on: {{last_update_date}}
Next Review Date: {{next_review_date}}
Copyright © {{current_year}} – {{org_field_name}}. All rights reserved.