{{org_field_logo}}
{{org_field_name}}
Registration Number: {{org_field_registration_no}}
Mobile Devices (Phones and Tablets) Policy
1. Introduction
At {{org_field_name}}, mobile devices such as smartphones and tablets play an essential role in delivering high-quality domiciliary care services. They facilitate communication, enable real-time record-keeping, and support staff in accessing essential information while working remotely. However, the use of mobile devices also introduces risks related to data security, misuse, and distractions.
This Mobile Devices Policy outlines how mobile phones and tablets should be used in the workplace, ensuring efficiency, professionalism, and compliance with the General Data Protection Regulation (GDPR), the Data Protection Act 2018, and the Health and Social Care Act 2008. It applies to all employees, contractors, and volunteers who use mobile devices for work purposes, whether company-issued or personal devices.
2. Purpose and Scope
The purpose of this policy is to:
- Ensure mobile devices are used responsibly and securely in the provision of domiciliary care.
- Protect confidential service user information stored or accessed on mobile devices.
- Promote professionalism and prevent misuse of mobile devices during working hours.
- Clarify expectations for both company-owned and personal mobile devices used for work purposes.
- Ensure compliance with GDPR and data protection regulations.
This policy applies to all employees, including full-time, part-time, and temporary staff, as well as contractors and volunteers who use mobile devices for work-related tasks. It covers both company-issued devices and personal devices used for work purposes under the Bring Your Own Device (BYOD) Policy.
3. Principles of Mobile Device Use
Our approach to mobile device management is based on the following principles:
- Professionalism: Devices must be used responsibly and only for work-related purposes during working hours.
- Data Security: All mobile devices must be protected by passwords, encryption, and security software to prevent unauthorised access.
- Confidentiality: Service user information must remain confidential and never be stored on personal devices without encryption and authorisation.
- Minimal Disruption: Mobile devices must not interfere with care delivery or service user well-being.
- Accountability: Employees are responsible for the security, maintenance, and appropriate use of their devices.
4. Responsibilities and Expectations
4.1 Registered Manager:
- Oversees the implementation and monitoring of this policy.
- Ensures staff receive training on safe and responsible mobile device use.
- Investigates any breaches and takes appropriate action.
4.2 Line Managers and Supervisors:
- Monitor staff adherence to the policy and address any concerns.
- Ensure mobile device use does not interfere with care delivery.
4.3 Employees:
- Use mobile devices responsibly, professionally, and in line with this policy.
- Protect devices with passwords, encryption, and security updates.
- Report any lost, stolen, or compromised devices immediately.
4.4 IT Department (if applicable):
- Manage device setup, security software, and remote wiping capabilities.
- Monitor company-owned devices for compliance with this policy.
5. Use of Company-Owned Mobile Devices
5.1 Device Issuance:
- Employees may be issued company-owned mobile devices (phones or tablets) for work-related tasks, such as accessing care plans, recording notes, and communicating with colleagues.
- Devices will be pre-configured with security settings, encryption, and approved applications.
5.2 Acceptable Use:
- Company devices must be used solely for work-related purposes.
- Personal use of company devices is prohibited except in emergencies.
- Devices must not be used for social media, gaming, or non-work-related browsing during working hours.
5.3 Security Measures:
- Devices must be protected by strong passwords and biometric locks, and must lock automatically after 2 minutes of inactivity.
- Antivirus software, mobile device management (MDM), and encryption must be installed and regularly updated.
- All devices must be set to receive automatic software and security updates.
5.4 Monitoring and Auditing:
- Company-owned devices are subject to periodic audits by the IT team or Registered Manager to ensure compliance with this policy.
- Usage logs, app installations, and data storage may be monitored for work-related purposes.
5.5 Return of Devices:
- Company-issued devices must be returned upon resignation, termination, or role change.
- Devices will be wiped of all data and reset to factory settings before reissuance.
6. Use of Personal Devices (Bring Your Own Device – BYOD)
Employees may use personal devices for work purposes under the following conditions:
6.1 Registration and Approval:
- Personal devices used for work must be registered with the company under the BYOD Policy.
- The IT team will configure devices with necessary security settings before approval.
6.2 Security Requirements:
- Personal devices must have password protection, encryption, and antivirus software.
- Automatic updates must be enabled to ensure the latest security patches are installed.
- Devices must be set to auto-lock after 2 minutes of inactivity.
6.3 Data Storage and Access:
- Service user data must not be stored on personal devices. Access to care plans, notes, and communication platforms must be through secure, cloud-based systems (e.g., Access Care Planning or other care management software).
- Personal devices must not be used for photographing or recording service users without explicit consent and management approval.
6.4 Device Monitoring and Remote Wiping:
- Personal devices used for work may be subject to monitoring for policy compliance.
- If a personal device is lost, stolen, or compromised, the company may initiate remote wiping to protect sensitive information.
6.5 Costs and Reimbursement:
- Employees are responsible for the cost of personal devices, including repairs and maintenance.
- Reasonable work-related expenses, such as mobile data usage, may be reimbursed with prior approval.
7. Data Protection and Confidentiality
7.1 Access to Confidential Data:
- Access to service user data, care plans, and company systems must be through secure platforms only.
- Employees must log out of care apps and close browsers after use.
7.2 Data Storage and Transfer:
- Service user information must not be stored locally on mobile devices.
- All data transfers must occur via encrypted channels (e.g., VPN, secure email).
- Personal messaging apps (e.g., WhatsApp, Messenger) must not be used for work-related communication unless authorised.
7.3 Data Breach Reporting:
- Any suspected or actual data breach must be reported immediately to the Registered Manager and the Data Protection Officer.
- The company will investigate and, if necessary, report breaches to the Information Commissioner’s Office (ICO) within 72 hours.
8. Appropriate Use During Working Hours
To maintain professionalism and ensure service users receive undivided attention:
8.1 Care Settings:
- Mobile devices must not be used for personal calls, texts, or browsing while providing care.
- Devices should be kept on silent mode and stored securely when not in use.
- Emergency personal use is permitted but must be communicated to the line manager.
8.2 Meetings and Training:
- Mobile devices must be turned off or set to silent during meetings, training sessions, and supervision.
8.3 Driving:
- Employees must not use mobile devices while driving unless connected to a hands-free system.
- Devices must not be handled while the vehicle is in motion.
9. Lost, Stolen, or Compromised Devices
To protect company and service user data, employees must:
- Report lost, stolen, or compromised devices immediately to the IT team and Registered Manager.
- Activate remote tracking, locking, or wiping features if enabled.
- Change all work-related passwords and monitor for suspicious activity.
- Complete an Incident Report Form detailing the circumstances.
The company will assess the incident, implement risk mitigation measures, and, if necessary, report the breach to the ICO within 72 hours.
10. Mobile Device Management (MDM)
To enhance security and manage devices efficiently, the company may implement a Mobile Device Management (MDM) system, allowing the IT team to:
- Enforce Security Policies: Apply encryption, password requirements, and remote wiping capabilities.
- Manage Applications: Restrict app installations and ensure only approved apps are used.
- Monitor Device Health: Track device status, software updates, and security patches.
- Remote Lock or Wipe: Protect sensitive data if a device is lost, stolen, or compromised.
Employees will be notified if MDM is applied to company-issued or personal devices used for work purposes.
11. Monitoring and Auditing
To ensure compliance with this policy:
- Regular Audits: Company-owned devices will be subject to periodic audits, including usage logs, app installations, and data storage.
- Spot Checks: Line managers may conduct spot checks during visits or supervision sessions.
- Compliance Monitoring: MDM tools may be used to track security updates, password management, and app usage.
- Incident Reporting: Any breach of this policy must be reported immediately, and corrective actions will be taken.
Monitoring will focus solely on work-related activities, respecting employees’ privacy regarding personal use.
12. Breach of Policy
Failure to comply with this Mobile Devices Policy may result in disciplinary action, up to and including termination of employment. Examples of breaches include:
- Misuse of Devices: Using devices for personal purposes during working hours without authorisation.
- Data Breach: Storing or sharing service user information without encryption or authorisation.
- Security Non-Compliance: Failing to protect devices with passwords, encryption, or antivirus software.
- Unreported Loss or Theft: Not reporting lost or stolen devices promptly.
Disciplinary action will follow the company’s Disciplinary Policy, with the severity depending on the nature of the breach.
13. Training and Awareness
All staff will receive training on:
- Safe and responsible use of mobile devices.
- Data protection and confidentiality.
- Identifying phishing attacks and other cyber threats.
- Reporting breaches and incidents.
Training will be provided during induction and refreshed annually, with additional sessions if new risks or technologies arise.
14. Policy Review and Updates
This Mobile Devices Policy will be reviewed annually or sooner if significant changes occur, such as:
- Updates to legislation (e.g., GDPR amendments).
- Implementation of new technologies or security systems.
- Emerging risks or industry best practices.
Any changes will be communicated to all staff, with training provided where necessary.
15. Employee Acknowledgment
All employees must read, understand, and acknowledge this policy. By signing the Mobile Device Agreement Form, employees confirm that they:
- Understand and agree to comply with this policy.
- Acknowledge their responsibility for device security and appropriate use.
- Understand the consequences of non-compliance.
Responsible Person: {{org_field_registered_manager_first_name}} {{org_field_registered_manager_last_name}}
Reviewed on: {{last_update_date}}
Next Review Date: {{next_review_date}}
Copyright © {{current_year}} – {{org_field_name}}. All rights reserved.