{{org_field_logo}}
{{org_field_name}}
Registration Number: {{org_field_registration_no}}
Internet Access for Staff Policy
1. Purpose
The purpose of this policy is to set out how internet access, online systems, email, cloud services, remote access, and connected devices are authorised, used, secured, monitored, and reviewed by staff at {{org_field_name}}. The policy is designed to support safe, effective, lawful and professional care delivery in a care home setting.
This policy supports compliance with the Health and Social Care Act 2008 and the Health and Social Care Act 2008 (Regulated Activities) Regulations 2014, in particular Regulation 12 (Safe Care and Treatment), Regulation 13 (Safeguarding Service Users from Abuse and Improper Treatment), Regulation 17 (Good Governance), and Regulation 18 (Staffing). It also supports compliance with UK data protection law, including the UK GDPR and Data Protection Act 2018, by requiring secure handling of personal data, appropriate access controls, and transparent, proportionate monitoring of staff use of organisational systems.
The policy aims to ensure that internet access is used in a way that protects residents, staff, visitors, and the organisation from avoidable harm, confidentiality breaches, cyber security risks, misuse of systems, unlawful disclosure of information, and conduct that could undermine safeguarding, dignity, privacy, or public confidence in the service.
2. Scope
This policy applies to all employees, workers, agency staff, contractors, students, volunteers, and any other person authorised to access the internet or digital systems on behalf of {{org_field_name}}.
It applies to use of:
- company-owned computers, tablets, phones and other connected devices;
- personal devices authorised for work purposes under organisational procedures;
- the organisation’s Wi-Fi, wired network, cloud systems, email, care planning systems, medication systems, communication platforms and remote access tools; and
- internet access used on care home premises, during work-related travel, at training, meetings, off-site activities, and during any authorised remote working or business continuity arrangements.
This policy applies at all times when an individual is acting in the course of their work for {{org_field_name}}, whether during normal working hours, on-call duties, or any other period in which organisational systems or data are being accessed.
3. Related Policies
- CH04 – Good Governance Policy
- CH13 – Safeguarding Adults from Abuse and Improper Treatment Policy
- CH27 – Staff Supervision, Training, and Development Policy
- CH28 – Staff Conduct and Code of Ethics Policy
- CH34 – Confidentiality and Data Protection (GDPR) – Service User Policy
4. Policy Statement and Responsibilities
Purpose of Internet Access for Staff
Internet access is provided to staff at {{org_field_name}} for the following operational purposes:
- Accessing digital care records, rotas, and communication tools
- Using electronic medication administration systems
- Communicating securely with colleagues, health professionals, and family members
- Undertaking e-learning, mandatory training, and professional development
- Accessing emergency protocols, care policies, or regulatory guidance
- Using secure cloud-based systems for reporting, logging incidents, and completing audits
Access must be directly related to the staff member’s duties and responsibilities.
Internet access and system permissions will be granted on the basis of role, legitimate work need, competence, and organisational approval. Access must be limited to the minimum information and systems necessary for the staff member to carry out their duties safely and effectively. The organisation may restrict, suspend or withdraw internet, email, remote access or device permissions where there is a security concern, safeguarding concern, performance concern, investigation, or any other identified risk to residents, staff, systems or data.
Acceptable Use
Staff must:
- use the internet, email, cloud services and digital systems in a lawful, professional and work-related manner, except for limited personal use expressly permitted by this policy;
- use only organisation-approved systems, platforms, applications, browsers, extensions, communication tools and storage locations;
- access only the information, records and websites necessary for their role;
- comply at all times with confidentiality, safeguarding, records management and data protection requirements;
- protect login credentials, use strong passwords, enable multi-factor authentication where provided, and never share usernames, passwords, PINs or access tokens;
- log out of systems or lock devices when unattended;
- take reasonable steps to verify emails, links, attachments and websites before opening them; and
- use professional language and conduct in all online communications made in connection with work.
Staff must not:
- access, create, store, download, transmit or share material that is offensive, abusive, discriminatory, extremist, sexually explicit, defamatory, unlawful or otherwise inappropriate for a care setting;
- use personal email accounts, personal cloud storage, personal messaging apps or unapproved collaboration tools to send, receive, store or discuss work-related information;
- upload resident information, staff data, incident details, care records, photographs or confidential organisational information into unapproved third-party websites, AI tools or applications;
- install software, browser extensions, apps or updates unless authorised through the organisation’s approved process;
- attempt to disable, bypass or interfere with security controls, web filtering, monitoring systems, encryption, anti-virus protection, firewalls or access restrictions;
- use internet access for personal business activities, gambling, cryptocurrency activity, excessive streaming, unauthorised downloading, file-sharing or any activity that could impair network performance or security; or
- post or share any work-related content online that could identify a resident, relative, staff member, visitor, incident, complaint, investigation or internal matter without lawful authority and management approval.
Any misuse of internet access may be treated as misconduct, and where relevant as a safeguarding concern, data security incident, or regulatory matter.
Personal Use
Limited personal use of the internet may be permitted during authorised breaks, provided that it is reasonable, lawful, does not interfere with duties, does not affect staffing responsiveness, does not involve excessive bandwidth use, and does not create any risk to information security, safeguarding, dignity, or the reputation of {{org_field_name}}.
Personal use must never:
- delay or distract from care delivery, call bell response, medication rounds, observations, handover, documentation, supervision of residents or emergency response;
- involve accessing or sharing work-related information through personal accounts or devices unless expressly authorised;
- involve photographing, recording, filming or discussing residents, relatives, staff or the service online; or
- breach any organisational policy, professional code, or legal duty.
Permission for limited personal use is discretionary and may be withdrawn at any time.
Access Control, Authentication and Device Security
The organisation will use role-based access controls so that staff can only access the systems and information necessary for their role. Shared accounts must not be used unless there is a documented exceptional reason authorised by management and subject to appropriate safeguards.
Staff must keep devices physically secure and must not leave devices unattended in resident areas, communal areas, vehicles or any unsecured location. Where devices store or can access personal data, appropriate technical safeguards must be used, including password protection, screen locks, encryption, remote wipe capability where available, and organisation-approved security software.
Lost, stolen, compromised or damaged devices, suspected password compromise, unusual log-in activity, or any suspected unauthorised access must be reported immediately in accordance with the organisation’s data breach and incident reporting procedure.
Information Security and Data Protection
Staff must handle all personal data, special category data, care records, employee information and confidential business information in accordance with UK GDPR, the Data Protection Act 2018, and the organisation’s confidentiality and information governance requirements.
In practice, staff must:
- access care records and other confidential systems only through approved, secure and encrypted systems or connections;
- use only authorised email accounts, communication platforms and storage locations for work-related information;
- limit access, viewing, sharing, downloading and printing to what is necessary for the task being carried out;
- avoid downloading confidential information to local devices unless strictly necessary and authorised;
- not send work-related information through personal email, text, social media, consumer messaging apps or unauthorised cloud services;
- not take screenshots, photographs or recordings of care records, medication systems, staff records, incident logs, CCTV images or other confidential information unless there is a lawful and authorised reason;
- ensure that confidential information is not visible to unauthorised persons on screen or in printed form; and
- immediately report any actual or suspected data breach, misdirection, unauthorised disclosure, lost device, phishing incident, malware incident or inappropriate access.
Data security incidents must be reported without delay to the Registered Manager and the Data Protection Officer ({{org_field_data_protection_officer_first_name}} {{org_field_data_protection_officer_last_name}}), and recorded in line with organisational incident procedures.
Mobile Devices, Remote Access and Off-Site Working
Staff who are issued with laptops, tablets, smartphones or other mobile devices, or who are authorised to access organisational systems remotely, must use those devices and systems only in line with this policy and any related cyber security, BYOD and remote working procedures.
Staff must:
- use only organisation-approved apps, systems and communication methods;
- keep devices secure, locked when not in use, and under their control at all times;
- avoid using public Wi-Fi for work purposes wherever possible;
- where remote access is authorised, use only approved secure connections and security controls;
- ensure that confidential conversations and screens cannot be overheard or overlooked by unauthorised persons; and
- report any loss, theft, compromise or suspicious activity immediately.
Remote or mobile access may be monitored and reviewed for security, audit, safeguarding and governance purposes.
Monitoring, Audit and Privacy
Use of organisational internet services, email, cloud systems, devices and network access may be monitored, logged, reviewed and audited by {{org_field_name}} for legitimate business purposes. These purposes include protecting residents and staff, maintaining cyber security, preventing and detecting misuse, investigating concerns, supporting safeguarding, ensuring business continuity, protecting confidential information, and demonstrating compliance with legal and regulatory requirements.
Monitoring will be carried out in a lawful, proportionate and transparent manner. The organisation will not carry out covert or excessive monitoring unless there is a lawful basis and a properly authorised exceptional reason, such as the investigation of suspected serious misconduct or criminal activity. Access to monitoring information will be restricted to authorised persons who need it for management, investigation, security, HR, safeguarding, audit or legal purposes.
The organisation may monitor or review, for example: website access logs, network activity, email metadata and content where justified, file transfers, system access history, log-in attempts, device compliance information, malware alerts, and use of organisational accounts on work systems. Monitoring data will be retained only for as long as necessary in accordance with retention schedules and investigation requirements.
Staff will be informed through this policy, privacy information, induction and related procedures that monitoring takes place. Monitoring arrangements will be kept under review to ensure they remain necessary, proportionate and consistent with data protection requirements.
Staff Training and Guidance
All staff will receive training, guidance and updates appropriate to their role on the safe and lawful use of internet-enabled systems and devices. This will include, as relevant:
- acceptable use of internet, email and communication systems;
- confidentiality, information governance and secure record handling;
- password security, phishing, malware, ransomware and cyber hygiene;
- reporting security incidents, suspected data breaches and safeguarding concerns;
- safe use of mobile devices, remote access and authorised personal devices;
- professional boundaries, social media, photography and online conduct; and
- the specific systems and digital platforms used by the organisation.
Training will be provided at induction, refreshed at least annually, and repeated sooner where there is a change in systems, threats, incidents, duties, legislation, guidance or identified staff need. Managers will ensure that staff are competent to use the digital systems relevant to their role and are appropriately supervised and supported.
Where staff roles bring them into contact with autistic people and people with a learning disability, training requirements applicable to registered providers in relation to learning disability and autism will also be met at a level appropriate to the member of staff’s role.
Breach of Policy
Any breach of this policy must be taken seriously and reported promptly. Depending on the nature of the breach, the matter may be managed as misconduct, a cyber security incident, a data protection incident, a safeguarding concern, a professional conduct issue, or a combination of these.
Immediate action may include temporary suspension of system or device access, preservation of evidence, password resets, device isolation, management review, incident reporting, safeguarding referral, disciplinary action, and referral to external bodies where required.
Serious breaches may result in formal disciplinary action up to and including dismissal, referral to professional regulators, referral to the local authority safeguarding team, notification to the Information Commissioner’s Office where required, notification to CQC where required under other applicable procedures, and referral to the police where criminal activity is suspected.
Safeguarding Considerations
Misuse of internet access or digital systems may place residents at risk of abuse, neglect, humiliation, discrimination, exploitation, financial abuse, emotional harm, privacy breaches, or improper treatment. This includes, but is not limited to, sharing unauthorised information about residents, accessing or sharing inappropriate content in the workplace, online bullying or harassment, contacting residents or relatives through unauthorised channels, taking or sharing images without lawful authority, and any use of digital systems that undermines dignity, consent, safety or professional boundaries.
Any concern that internet use or digital activity may have harmed, exploited or placed a resident at risk must be treated as a safeguarding matter and reported immediately to the Safeguarding Lead ({{org_field_safeguarding_lead_name}} – {{org_field_safeguarding_lead_role}}) and the Registered Manager, in line with the organisation’s safeguarding procedure.
5. Governance, Oversight and Business Continuity
The Registered Manager is accountable for implementing this policy and ensuring that internet access arrangements support safe care, safeguarding, confidentiality, and effective governance. Day-to-day operational responsibilities may be delegated to named managers, system leads and external IT support providers, but overall accountability remains with the provider and Registered Manager.
The organisation will maintain oversight of internet and digital risks through audits, incident reviews, device and access reviews, training compliance checks, feedback from staff and residents where appropriate, and review of any cyber security alerts, near misses or confirmed breaches. Findings and actions will be recorded and used to improve practice.
The organisation will also maintain business continuity arrangements so that safe care can continue if internet access, email, digital care records, medication systems or other essential systems are unavailable. Staff must follow downtime and contingency procedures to ensure that care, medicines management, communication and record keeping remain safe during outages or cyber incidents.
6. Policy Review
This policy will be reviewed at least annually, and sooner if required by any of the following:
- changes in legislation, regulation, CQC guidance or ICO guidance;
- changes to organisational systems, devices, remote access arrangements or working practices;
- cyber security threats, incidents, data breaches, safeguarding events or audit findings;
- lessons learned from complaints, investigations, staff feedback or quality assurance activity; or
- changes to the regulated activities carried on by the organisation.
The Registered Manager, Data Protection Officer and any designated IT or information governance lead are responsible for reviewing this policy, communicating changes to staff, and ensuring that compliance is monitored through training, supervision, audits and incident review.
Responsible Person: {{org_field_registered_manager_first_name}} {{org_field_registered_manager_last_name}}
Reviewed on: {{last_update_date}}
Next Review Date: {{next_review_date}}
Copyright © {{current_year}} – {{org_field_name}}. All rights reserved.