{{org_field_logo}}

{{org_field_name}}

Registration Number: {{org_field_registration_no}}


Computer Systems and Security Policy

1. Purpose

The purpose of this policy is to ensure that all computer systems, digital devices, and electronic records used at {{org_field_name}} are secure, legally compliant, and used in a way that protects the confidentiality, integrity, and availability of information. The policy outlines the systems and processes in place to prevent unauthorised access, protect sensitive personal data, and ensure business continuity. It is in full compliance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and CIW requirements under the Regulation and Inspection of Social Care (Wales) Act 2016. As the care home routinely stores, accesses, and processes personal and medical data via computer systems, the need for strong digital security and data governance is critical. This policy explains how the organisation mitigates digital risks and trains its staff to operate responsibly and securely.

2. Scope

This policy applies to all staff at {{org_field_name}} who use digital devices or computer systems, including full-time and part-time employees, agency workers, volunteers, contractors, and external professionals accessing care records. It covers all computers, tablets, laptops, smartphones, cloud platforms, servers, email systems, Wi-Fi, USB devices, and any software or systems used to manage care, HR, or business operations.

3. Related Policies

This policy should be read in conjunction with:
CHW34 – Confidentiality and Data Protection (GDPR) Policy
CHW13 – Safeguarding Adults from Abuse and Improper Treatment Policy
CHW04 – Good Governance
CHW29 – Whistleblowing (Speaking Up) Policy
CHW14 – Receiving and Acting on Complaints Policy
CHW27 – Staff Supervision, Training, and Development Policy

4. Policy Details

4.1 System Access and User Controls
Access to computer systems is strictly controlled through individual user accounts and password protection. Each user is assigned a unique login, with permissions based on their job role. Only authorised users may access confidential records. Passwords must be changed every 90 days and must not be shared. Shared devices (e.g., nurses’ stations) must be locked when unattended. Staff must log out of systems at the end of their shift. Admin-level access is limited to the Registered Manager, designated IT support, and key personnel authorised by {{org_field_name}}’s leadership team.

4.2 Data Protection and Confidentiality
All digital records containing personal data are encrypted and stored securely. Our systems comply with UK GDPR and only process data for lawful purposes. Confidential information about residents, staff, or business operations must not be saved to personal devices or unencrypted USB drives. When transferring files between systems or organisations, only secure and encrypted methods are used. Access to personal data is on a need-to-know basis and subject to strict audit controls. The Data Protection Officer, {{org_field_data_protection_officer_first_name}} {{org_field_data_protection_officer_last_name}}, monitors data access and supports any investigations into unauthorised access or breaches.

4.3 System Security and Cyber Protection
All computers and devices are protected with up-to-date antivirus software, firewalls, and security patches. Operating systems and software are regularly updated. External devices such as USB sticks are scanned before use, and the use of personal USB drives is discouraged unless authorised. Systems are backed up regularly using secure cloud-based or encrypted on-site storage to ensure recovery in the event of data loss or cyberattack. Regular penetration testing and vulnerability scans are carried out by our IT provider. The organisation maintains a cybersecurity plan which includes response protocols for malware, phishing, ransomware, or unauthorised access attempts.

4.4 Internet and Email Usage
Staff are expected to use the internet and email systems responsibly. Work devices are for business purposes only. Staff must not use care home systems to access inappropriate, harmful, or unauthorised websites. Email communications containing sensitive information must be encrypted or use secure mail services. Attachments should be password-protected where appropriate. Staff must not open suspicious emails, links, or attachments from unknown sources. Any suspected phishing attempts or email scams must be reported immediately to management.

4.5 Use of Personal Devices (Bring Your Own Device – BYOD)
Staff are not permitted to use personal laptops or smartphones to access care home systems or confidential information unless this has been explicitly authorised by the Registered Manager. Any use of personal devices for work-related communication must comply with our data protection and security standards. Use of apps such as WhatsApp or personal email accounts for discussing care information is strictly prohibited. All communications regarding residents or sensitive matters must occur through approved platforms.

4.6 Staff Training and Responsibilities
All staff receive mandatory training on data protection, information governance, and cyber safety as part of their induction and through annual refreshers. Training covers the safe use of passwords, identifying suspicious emails, secure storage of devices, and responsible use of digital systems. Staff are required to read and sign a digital code of conduct that outlines acceptable use of devices and the consequences of breach. The Registered Manager ensures that staff who use care records systems, electronic MAR charts, or digital reporting tools are trained and monitored for competence.

4.7 Monitoring, Audits, and Compliance
User activity on our systems may be monitored to ensure compliance with policies, prevent data breaches, and maintain accountability. Regular audits are carried out to check access logs, data integrity, and compliance with security protocols. Any anomalies are investigated immediately. Staff who misuse digital systems or access unauthorised information may face disciplinary action in line with CHW31 – Disciplinary and Grievance Policy. Any breach of data security will be documented, reported to the Data Protection Officer, and notified to the Information Commissioner’s Office (ICO) where required.

4.8 Responding to Incidents and Breaches
In the event of a suspected security breach or cyberattack, the organisation will follow a structured incident response plan. This includes isolating affected systems, informing senior management and the Data Protection Officer, identifying the scope of the breach, and notifying CIW, the ICO, and affected individuals where appropriate. Lessons learned from the breach will be used to strengthen future safeguards. All staff are expected to report any IT or data security concern immediately to management, and no blame will be attached to good-faith reporting.

4.9 Business Continuity and Disaster Recovery
We maintain a backup and recovery system to ensure continuity in the event of data loss, power failure, or system outage. Data is backed up daily and stored in secure, off-site or cloud-based servers. Recovery procedures are tested regularly. In the event of a serious system failure, paper-based contingency procedures are available and used until systems are restored. Critical resident care information is accessible at all times through secure methods, and staff are trained to maintain documentation continuity in emergency scenarios.

5. Policy Review

This policy will be reviewed annually or sooner if required following changes in legislation, regulatory updates, significant incidents, or internal audits. It forms part of our governance, safeguarding, and risk management framework and is overseen by the Registered Manager and the Data Protection Officer.


Responsible Person: {{org_field_registered_manager_first_name}} {{org_field_registered_manager_last_name}}
Reviewed on:
{{last_update_date}}
Next Review Date:
{{next_review_date}}
Copyright © {{current_year}} – {{org_field_name}}. All rights reserved.
