{{org_field_logo}}
{{org_field_name}}
Registration Number: {{org_field_registration_no}}
Building Security and Access Control Policy
1. Purpose
The purpose of this policy is to ensure that all buildings operated or used by {{org_field_name}}—such as administrative offices, training venues, or any facility under our control—are secure, safely accessible, and protected from unauthorised access. This policy supports compliance with the Health and Social Care Act 2008 (Regulated Activities) Regulations 2014 (as amended), including Regulation 12 (Safe care and treatment), Regulation 15 (Premises and equipment) and Regulation 17 (Good governance), by ensuring premises and equipment are secure, suitable, well maintained, and that security risks are assessed, controlled, monitored and reviewed through effective governance arrangements.
2. Scope
This policy applies to all premises controlled, managed, leased, or used by {{org_field_name}} for any aspect of regulated activity, including (where applicable) care home premises, administrative offices, training venues, storage facilities, and any meeting/clinical/record-storage locations.
It applies to all employees, agency staff, volunteers, contractors, visiting professionals, regulators/inspectors, and all visitors who access any {{org_field_name}} premises.
Where the premises are a care home, hospital, or hospice, security and access control arrangements will be operated in a way that supports safe visiting and accompanying and is consistent with Regulation 9A (visiting and accompanying) requirements, unless exceptional circumstances apply and are documented.
3. Related Policies
- CH11 – Safe Care and Treatment Policy
- CH13 – Safeguarding Adults from Abuse and Improper Treatment Policy
- CH16 – Health and Safety at Work Policy
- CH18 – Risk Management and Assessment Policy
- CH24 – Management of Accidents, Incidents, and Near Misses Policy
- CH34 – Confidentiality and Data Protection (GDPR) – Service User Policy
4. Policy Statement and Responsibilities
Definitions
For the purposes of this policy:
- Premises means any building, office, care home, clinic room, training space, storage area or other location used by {{org_field_name}} to deliver, coordinate, or record regulated activity.
- Secure area means any location requiring controlled access (for example record storage, medication storage, staff-only areas, IT/server cupboards, or key storage).
- Authorised person means an individual who has explicit permission to access a premises or secure area for a defined purpose.
- Access credentials mean keys, fobs, cards, codes, biometrics or digital credentials used to enter premises or secure areas.
Commitment to Security
{{org_field_name}} will ensure all premises and equipment are clean, secure, suitable for their intended purpose, properly used, properly maintained and appropriately located, and that risks in the care environment are identified and controlled. Access control arrangements will protect people who use services, staff, visitors and company assets, while supporting privacy, dignity, safeguarding and safe continuity of service.
Access Control Measures
All company buildings are protected by access control measures proportionate to their function and level of risk. These include:
- Lockable doors and windows
- Key or fob entry systems for authorised staff
- Visitor sign-in and sign-out procedures
- Security-coded or locked cabinets for confidential documentation
- Staff ID badges displayed during visits and on-site activities
Only designated staff are issued keys or fobs, and all access permissions are regularly reviewed and updated. Lost keys or fobs must be reported to the Registered Manager immediately.
Security Risk Assessment (Premises and Access)
The Registered Manager (or delegated Health & Safety Lead) will ensure a documented security risk assessment is completed and kept under review for each premises. The assessment will cover, as a minimum: entry/exit points; reception/visitor arrangements; staff-only and secure areas; out-of-hours access; lone working; record and equipment storage; lighting; alarms; CCTV (where installed); safeguarding risks; and emergency egress arrangements.
Risk assessments will be reviewed at least annually and immediately following: any security incident or near miss, repeated concerns, changes to the premises layout or use, changes to staffing patterns, or updates to relevant guidance/legislation. Actions will be assigned owners and timescales and monitored through governance meetings and audits.
Staff Responsibilities
All staff are responsible for:
- Ensuring doors and windows are securely locked when not in use
- Not sharing access codes, keys, or fobs with unauthorised persons
- Wearing ID badges visibly at all times when on duty
- Challenging any unknown or unauthorised person attempting to enter a secure area
- Reporting any security concerns, lost access items, or suspicious behaviour to the Registered Manager
Staff must also follow lone working and safety protocols when working out of hours.
Security Incidents, Escalation and Notifications
Any suspected or actual security breach (including tailgating, forced entry, missing keys/fobs, compromised access codes, loss/theft of devices or records, or unauthorised access to confidential information) must be reported immediately to the Registered Manager and recorded under CH24 – Management of Accidents, Incidents, and Near Misses Policy.
The Registered Manager will assess and document whether the incident triggers any of the following actions:
- Safeguarding procedures (where a person who uses services may be at risk), in line with CH13 and local safeguarding processes;
- Police notification (e.g., theft, violence, forced entry, harassment, credible threats);
- Information governance action, including assessment of whether it is a personal data breach requiring actions under UK GDPR/Data Protection Act 2018 and internal reporting routes under CH34 and the Data Breach policy (where applicable);
- Immediate risk controls such as lock changes, code resets, suspension of access permissions, increased supervision, or urgent security re-assessment.
Learning from incidents will be reviewed through governance processes and used to update risk assessments, staff training and security controls.
Visitor Management
Visitors to any {{org_field_name}} premises must:
- Be pre-authorised by the Registered Manager
- Sign in upon arrival and wear a visitor badge at all times
- Be accompanied by a staff member unless previously agreed
- Sign out when leaving the building
Contractors, professionals and other non-routine visitors must provide photographic identification where appropriate.
Visitor records must include: full name, organisation (if applicable), reason for visit, person being visited/host, time in/out, areas accessed where relevant, and whether an ID check was completed.
Visitors must comply with confidentiality requirements and any infection prevention or safety instructions given.
Visitor logs are confidential records and will be retained for a minimum of 12 months, or longer where required for an investigation, safeguarding enquiry, complaint, insurance matter or legal claim, and will be stored securely with access limited to authorised staff.
Contractors, inspectors, or professionals accessing secure areas must provide appropriate ID and comply with all safety protocols.
Information Security in Buildings
To protect personal and sensitive data, staff must ensure that:
- Care records and personal files are stored in locked cabinets or password-protected systems
- Confidential conversations are held in private, secure spaces
- Computers are logged off when unattended
- Paperwork is not left on desks or in open areas
This supports compliance with CH34 – Confidentiality and Data Protection Policy and reduces risk of data breaches.
Emergency Access and Lockdown
In emergencies, such as fire or lockdown situations:
- Emergency exits must remain accessible and unblocked
- All staff must be trained in evacuation and lockdown procedures
- Emergency contact numbers are displayed and accessible in key areas
The Fire Safety Lead ({{org_field_the_fire_safety_lead_name}} – {{org_field_the_fire_safety_lead_role}}) is responsible for ensuring access control does not compromise emergency egress and that all drills include security considerations.
Access control measures (including locks, maglocks and keypad systems) must be configured so they do not obstruct escape in an emergency. Fire exits must be available without keys where required, and routine checks must confirm escape routes are clear and doors function correctly. Any lockdown procedure must include a clear pathway for emergency services access and must be tested through drills and debrief learning.
Out-of-Hours and Lone Working
Where access is required outside regular business hours:
- Only authorised staff may enter the building
- A record of access time and reason must be maintained
- Staff must notify the on-call person and follow lone working protocols
Security lighting, CCTV (if installed), and emergency contact systems must be tested regularly.
CCTV (where installed)
Where CCTV is used, {{org_field_name}} will ensure its use is lawful, proportionate and transparent, with clear signage, defined purposes (e.g., deterrence and investigation of incidents), restricted access to footage, and defined retention periods. A privacy risk assessment (and DPIA where required) will be completed and reviewed. CCTV must not be used in a way that unjustifiably intrudes on privacy, dignity or the rights of people who use services, staff or visitors.
Audits and Monitoring
The Registered Manager or delegated Health and Safety Lead will:
- Conduct quarterly audits of building access and security systems
- Review access permissions and logs
- Assess building layout and physical security risks
- Investigate any breaches or near-misses under CH24 – Incident Management
Audit findings, actions, owners and completion dates will be recorded in a documented improvement plan, monitored through governance meetings, and retained as evidence of compliance with Regulation 17 – Good governance and continuous improvement.
Contractor and Maintenance Access
Contractors must be supervised during work in secure areas. Prior to entry, they must:
- Provide valid identification and evidence of professional registration (if applicable)
- Sign in and receive a site induction if necessary
- Follow all health and safety protocols
Work must be scheduled during operating hours where possible to minimise risk.
Access for regulators and authorised officials
{{org_field_name}} will cooperate with CQC inspectors and other authorised officials exercising lawful powers of entry, inspection and information requests. Security controls must not be used to delay or obstruct authorised access. Where identity is verified, staff will facilitate appropriate access in line with legal requirements while maintaining safety, privacy and confidentiality.
5. Policy Review
This policy will be reviewed at least annually and sooner where required by: a security incident or near miss; a change in premises use, layout or staffing model; changes to security technology (e.g., alarms, access systems, CCTV); updates to legislation or CQC guidance; or learning from complaints, safeguarding enquiries or audits. The Registered Manager is responsible for implementation, version control, staff communication and ensuring staff training and competence are updated and evidenced.
Responsible Person: {{org_field_registered_manager_first_name}} {{org_field_registered_manager_last_name}}
Reviewed on: {{last_update_date}}
Next Review Date: {{next_review_date}}
Copyright © {{current_year}} – {{org_field_name}}. All rights reserved.