{{org_field_logo}}
{{org_field_name}}
Registration Number: {{org_field_registration_no}}
Online Safety Policy
1. Introduction
At {{org_field_name}}, we recognise the increasing reliance on digital technology in delivering domiciliary care services. While technology enhances efficiency, communication, and record-keeping, it also introduces risks related to data breaches, cybercrime, and inappropriate use. Our Online Safety Policy ensures that all staff, service users, and stakeholders use technology responsibly and securely, safeguarding personal information and promoting safe online practices.
This policy supports compliance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, the Data (Use and Access) Act 2025 as it comes into force, the Health and Social Care Act 2008, the Health and Social Care Act 2008 (Regulated Activities) Regulations 2014, the Care Quality Commission (Registration) Regulations 2009, CQC Fundamental Standards and CQC’s current assessment framework. In particular, this policy supports safe care and treatment, safeguarding, good governance, accurate and secure records, staff training, openness and transparency, and effective management of risks associated with digital systems, online communication and electronic care records.
For the purposes of this policy, “online safety” includes cyber security, safe use of digital care records, secure communication, social media conduct, safe remote working, protection from online abuse or exploitation, and the safe handling of personal and special category data relating to people who use the service, staff and other relevant persons.
2. Purpose and Scope
The purpose of this policy is to:
- Protect sensitive information related to service users, staff, and the organisation.
- Promote safe and responsible use of technology.
- Reduce the risk from cyber threats, including phishing, malware, ransomware and unauthorised access to systems.
- Ensure compliance with data protection legislation and CQC standards.
- Support compliance with CQC Regulation 17 by ensuring that digital systems, electronic care records, online communications and information governance arrangements are effectively assessed, monitored, audited and improved.
- Ensure that staff can access accurate, complete and up-to-date information when needed to deliver safe care and support.
- Ensure that digital incidents, data breaches, cyber incidents and online safeguarding concerns are identified, escalated, investigated, recorded and learned from.
- Support annual completion of the Data Security and Protection Toolkit (DSPT), or an equivalent recognised assurance process, where applicable to the service.
- Provide guidance for reporting and responding to online safety incidents.
This policy applies to all staff, including care workers, administrators, managers, volunteers, agency workers, students, contractors and any other person who accesses {{org_field_name}} systems or information. It also applies to service users, relatives, representatives and professionals where they use digital communication or online systems connected with the service. It covers company-owned devices, personal devices used for work purposes, electronic care planning systems, medication and visit monitoring systems, email, messaging, video calls, cloud-based platforms, portals, social media, internet use, remote working, electronic rostering and any other digital system used to plan, deliver, monitor or review care.
3. Principles of Online Safety
Our approach to online safety is guided by the following principles:
3.1 Confidentiality and Privacy:
Sensitive information, including service user records, care plans, risk assessments, medication information, staff records and safeguarding information, must be kept confidential and accessed only by authorised individuals who need the information to perform their role. Access controls, encryption, secure authentication, audit trails, password or passkey protection, secure platforms and role-based permissions will be used to protect information. Staff must not access, view, copy, photograph, download, share or discuss records unless there is a lawful and legitimate work-related reason to do so.
3.2 Integrity and Accuracy:
Online information must be accurate, reliable, and up to date. Any discrepancies in service user records or care notes must be reported and corrected promptly.
3.3 Accountability and Responsibility:
All staff are responsible for safeguarding digital systems and adhering to company policies. Regular training will be provided to promote accountability and vigilance.
3.4 Proactive Risk Management:
Online and digital risks, including phishing, malware, ransomware, unauthorised access, device loss, system outage, inaccurate digital records, inappropriate sharing, online abuse and risks arising from artificial intelligence or automated tools, will be identified and managed through risk assessment, staff training, secure configuration, software updates, back-ups, access reviews, supplier checks, audits and incident learning. Risks that may affect people’s safety, privacy, dignity or continuity of care will be escalated promptly to the Registered Manager and, where relevant, the Data Protection Officer or senior responsible person.
3.5 Respect and Professionalism:
Online communication must be respectful, professional, and compliant with organisational standards. Any inappropriate content or behaviour will be addressed promptly.
3.6 Person-Centred Digital Safety:
Digital systems must support, and never replace, safe, person-centred care. Staff must ensure that electronic records are accurate, timely and meaningful, and that digital communication does not exclude people because of disability, sensory impairment, language, cognitive impairment, lack of access to technology or personal choice. Reasonable adjustments and alternative formats will be provided where required.
4. Online Safety Responsibilities
4.1 Registered Manager
- Oversees the implementation and monitoring of the Online Safety Policy.
- Ensures that all staff receive appropriate training and resources.
- Investigates online safety incidents and takes appropriate action.
- Ensures that online safety risks are included in the service’s governance, risk management, audit and quality assurance arrangements.
- Ensures that digital care records and communication systems support safe, effective and person-centred care.
- Ensures that incidents involving online safety, cyber security, data protection or digital records are reviewed for CQC, safeguarding, contractual and ICO reporting requirements.
- Ensures that any required DSPT or equivalent annual assessment is completed, reviewed and used to improve practice.
4.2 Data Protection Officer, Data Protection Lead or Senior Responsible Person for Information Governance
- Leads on data protection, information governance and cyber security arrangements, unless these duties are formally delegated.
- Maintains data protection records, including records of processing activities where required, data breach logs, DPIAs, supplier due diligence records and information sharing arrangements.
- Supports managers to assess whether incidents are reportable to the ICO, CQC, commissioners, safeguarding partners, police, insurers or system suppliers.
- Ensures that technical and organisational measures are proportionate to the sensitivity of the information held and the risks to people who use the service.
- Ensures staff receive clear guidance on secure use of devices, systems, email, messaging, cloud storage and electronic care records.
4.3 Line Managers and Supervisors:
- Ensure that staff follow safe online practices in daily operations.
- Conduct regular audits of digital records and communications.
- Support staff in reporting and resolving online safety concerns.
4.4 All Staff:
- Follow online safety protocols, including password management and safe browsing.
- Report any suspicious emails, breaches, or incidents immediately.
- Protect service user information when using digital platforms.
4.5 Office Staff, Care Coordinators and Administrators:
Staff responsible for rostering, care records, call monitoring, finance, recruitment, medication records, referrals or communications must ensure that information is accurate, shared only with authorised recipients and updated promptly. They must check recipient details before sending personal or special category data, use approved systems only, and escalate any error, system issue or suspected breach immediately.
4.6 Service Users and Families:
- Encouraged to follow safe online practices, including protecting personal information.
- Advised on secure use of digital communication platforms when accessing care services.
5. Safe Use of Technology
To ensure safe and responsible use of technology, the following guidelines apply:
5.1 Passwords, Passkeys and Authentication
- All company systems, devices and applications must be protected by secure authentication.
- Passwords must be unique, not shared, not written down in an insecure place and not reused across work and personal accounts.
- Passwords should be strong and proportionate to the system being accessed. Staff are encouraged to use long, memorable passwords, password managers or passkeys where approved.
- Routine forced password changes will not be required unless there is a specific security reason, such as suspected compromise, staff role change, staff leaving employment, supplier notification, or a cyber/security incident.
- Multi-factor authentication must be enabled for email, cloud systems, electronic care records, remote access, administrator accounts and other high-risk or internet-facing systems wherever available.
- Default passwords must be changed before devices, routers, applications, care record systems or supplier portals are used.
- Shared logins must not be used unless there is a documented, risk-assessed operational reason and compensating controls are in place.
5.2 Device Security
- All company-owned devices must be protected by full-disk encryption, up-to-date anti-malware software, a firewall and automatic updates, and must be enrolled for remote locking and erasure before they are issued to staff.
- Personal devices used for work purposes must comply with the Bring Your Own Device (BYOD) Policy and be protected by encryption and passcodes.
- Lost or stolen devices must be reported immediately for remote locking and data erasure.
- Staff must not store service user information locally on personal devices unless this has been authorised, risk assessed and protected by encryption and remote wipe capability.
- Mobile phones, tablets and laptops used for work must automatically lock when not in use and must not be left unattended in vehicles, public places or service users’ homes.
- Staff must not use public or unsecured Wi-Fi to access care records or send personal data unless using an approved secure connection, such as a company-approved VPN or the device’s mobile data connection.
- Company systems must be backed up regularly, and back-ups must be protected, tested and capable of supporting business continuity following cyber attack, system failure, device loss or ransomware.
- Software, operating systems and applications must be kept up to date. Unsupported systems must not be used for care delivery or storage of personal data unless a specific risk assessment and mitigation plan has been approved.
5.3 Email and Communication
- Staff must use company email accounts for work-related communication.
- Phishing awareness training will be provided, with regular testing through simulated phishing campaigns.
- Suspicious emails, links, or attachments must not be opened and must be reported immediately.
- Personal email accounts must not be used for work-related communication or for sending, receiving or storing service user or staff information.
- Messaging apps, text messages and video calls must only be used for care-related communication where approved by the service, risk assessed and appropriate to the person’s needs and consent.
- Staff must check the recipient’s identity and contact details before sending personal or special category data. Particular care must be taken when using auto-complete email addresses, group emails, attachments, photographs or screenshots.
- Personal data must not be sent by open group message or group email unless all recipients are authorised to see each other’s details and the disclosure is necessary and lawful.
- Where urgent information is shared verbally or by message to protect a person’s safety, staff must update the care record as soon as practicable.
5.4 Internet and Social Media Use
- Internet use must be appropriate, professional, and related to work purposes.
- Staff must not share confidential information, images, or personal opinions related to work on social media platforms.
- Service users must not be contacted or engaged with through personal social media accounts.
- Staff must not accept or send friend requests, follow requests, private messages or social media contact with service users, former service users, relatives or representatives through personal accounts, unless there is a documented exceptional reason approved by the Registered Manager.
- Staff must not post images, videos, names, initials, addresses, care details, incidents, rota information, complaints or comments that could identify a service user, colleague or family member.
- Any online abuse, grooming, exploitation, scam, coercion, harassment, hate crime, cyberbullying or inappropriate contact involving a service user must be treated as a potential safeguarding concern and reported in line with the Safeguarding Policy.
- Staff must not use personal devices to photograph, film or record service users, their homes, medicines, records or property unless this is expressly authorised, necessary for care or safeguarding purposes, and recorded in line with consent, data protection and care record requirements.
5.5 Remote Working and Virtual Meetings
- Staff working remotely must use company-approved systems, secure devices and approved secure connections.
- Staff must ensure that conversations, screens, care records and documents cannot be overheard or viewed by unauthorised people, including household members or members of the public.
- Virtual meetings must be conducted through approved platforms using appropriate security settings, such as waiting rooms, passwords, meeting locks or controlled admission where available.
- Staff must verify the identity of participants before discussing personal or special category data.
- Meeting recordings, screenshots or transcripts must not be made unless there is a lawful reason, prior approval and clear information has been given to those involved.
- Remote working must not delay urgent care decisions, incident escalation, safeguarding reporting or access to information needed to keep people safe.
6. Protecting Personal and Sensitive Data
6.1 Data Storage
- Service user records and company documents must be stored on secure, encrypted platforms, such as a company-approved cloud storage system.
- Paper records must be stored in locked cabinets and digitised where possible.
- Digital care records must be accurate, complete, up to date, legible, attributable to the person making the entry and available to authorised staff when needed to deliver safe care.
- Records must not be altered to hide errors. Corrections must be made transparently, with an audit trail where the system allows.
- Access permissions must be reviewed regularly and promptly amended when staff change role, leave employment or no longer require access.
6.2 Data Sharing
- Personal data must only be shared with authorised individuals and for legitimate purposes.
- When sharing information externally, encrypted email or secure file transfer platforms must be used.
- Staff must verify the identity of recipients before sharing sensitive data.
- Information will be shared on a need-to-know basis and in line with consent, lawful basis, safeguarding duties, contractual requirements and professional responsibilities.
- Where information is shared with health professionals, local authorities, commissioners, emergency services or safeguarding partners, staff must ensure that the information is relevant, accurate, necessary and shared securely.
- Information sharing decisions must be recorded where the decision is significant, unusual, refused, disputed or made without consent because of risk, safeguarding, public interest or legal duty.
6.3 Data Retention and Disposal
- Personal data must be retained in accordance with the company’s Data Retention Policy and UK GDPR requirements.
- Outdated digital files must be securely deleted, devices and storage media must be securely wiped or destroyed before disposal or reuse, and paper records must be shredded or placed in confidential waste.
6.4 Data Protection Impact Assessments
A Data Protection Impact Assessment will be completed where a new system, technology, supplier, process or method of communication is likely to result in a high risk to people’s rights and freedoms. This includes, but is not limited to, new electronic care record systems, remote monitoring tools, artificial intelligence tools, large-scale data sharing, use of CCTV or recording technology, or new systems involving health or safeguarding information.
6.5 Suppliers and Digital Care Systems
Before using any electronic care record system, rostering system, monitoring system, cloud platform, communication tool or external IT supplier, {{org_field_name}} will complete proportionate due diligence. This will include checking information security arrangements, UK GDPR processor terms where applicable, access controls, back-up arrangements, incident reporting, data location, business continuity, support arrangements and exit arrangements.
6.6 Data Security and Protection Toolkit
Where applicable, {{org_field_name}} will complete the Data Security and Protection Toolkit annually, or maintain equivalent evidence demonstrating that appropriate data protection and cyber security standards are met. The outcome and improvement actions will be reviewed by the Registered Manager and used as part of the service’s governance and quality assurance arrangements.
6.7 Lawful, Fair and Transparent Processing
{{org_field_name}} will process personal data and special category data only where there is a lawful basis and, where required, a condition for processing special category data. Information will be used fairly, transparently and only for legitimate care, employment, safeguarding, regulatory, contractual, legal or business continuity purposes. Service users and staff will be provided with privacy information explaining how their information is used, shared, stored, retained and protected.
7. Artificial Intelligence, Automation and Digital Tools
{{org_field_name}} will only use artificial intelligence, automation, transcription, translation, summarisation or decision-support tools where they have been approved, risk assessed and confirmed as appropriate for use in a regulated care setting. Staff must not enter service user, staff or confidential business information into public or unapproved AI tools.
AI or automated tools must not replace professional judgement, person-centred assessment, consent, safeguarding decision-making, mental capacity considerations, medication checks, risk assessment or management oversight. Any AI-generated or automated output must be checked for accuracy, relevance, bias and safety before it is relied upon or entered into a care record.
Where AI or automated tools are used in a way that may affect people who use the service, {{org_field_name}} will ensure that privacy, fairness, transparency, accountability, human oversight and data protection requirements are met.
8. Online Safety for Service Users
{{org_field_name}} is committed to promoting online safety for service users who access technology as part of their care. Our approach includes:
Education and Support
- Providing service users with clear guidance on safe internet use, including recognising scams, protecting passwords, and avoiding suspicious websites.
- Offering digital literacy training where appropriate, particularly for vulnerable individuals.
Secure Communication
- Encouraging the use of secure platforms for virtual consultations, care coordination, and family communication.
- Ensuring that service users understand how to protect their privacy during online interactions.
Support, Consent, Capacity and Safeguarding
Where a service user needs support to use technology safely, staff will consider the person’s wishes, consent, mental capacity, communication needs, care plan, risk assessment and any authorised representative involvement. Where there are concerns about online abuse, scams, coercion, grooming, financial exploitation, harassment, domestic abuse, hate crime or unsafe contact, staff must report this as a safeguarding concern in line with the Safeguarding Policy and local authority procedures.
Reporting Concerns
- Service users and families can report online safety concerns to their care coordinator or the company’s Data Protection Officer.
Digital Inclusion and Reasonable Adjustments
Staff must not assume that service users can access, understand or safely use digital communication. Reasonable adjustments and alternative communication methods will be offered where a person has a disability, sensory impairment, cognitive impairment, language need, mental health need, limited digital access or a preference not to use digital communication.
9. Online Safety Training and Awareness
To maintain high standards of online safety and support compliance with CQC Regulation 18, all staff will receive training appropriate to their role, responsibilities, access level and the needs of people using the service.
- Induction Training: New staff will receive comprehensive training on safe technology use, data protection, and cyber threat awareness.
- Annual Refresher Training: All staff will complete annual online safety training, including simulated phishing exercises and best practices for password management.
- Targeted Training: Additional training will be provided for staff working with vulnerable service users, including children and adults with cognitive impairments.
- Awareness Campaigns: Regular bulletins, posters, and workshops will promote ongoing awareness of emerging cyber threats and safe practices.
- Staff with access to electronic care records, medication systems, rostering systems, email, cloud storage or mobile devices will receive role-specific guidance on secure access, accurate recording, safe sharing, incident reporting and confidentiality.
- Staff will receive training on recognising and reporting online safeguarding risks, including scams, coercion, grooming, exploitation, cyberbullying, domestic abuse, harassment and financial abuse.
- Staff will receive learning disability and autism training appropriate to their role, in line with statutory requirements and current CQC expectations. Where relevant, this will include how digital communication and online systems may need to be adjusted for autistic people and people with a learning disability.
- Training completion, competency checks and follow-up actions will be recorded and monitored through supervision, spot checks, audits and quality assurance processes.
10. Reporting and Responding to Online Safety, Cyber and Data Incidents
{{org_field_name}} will respond promptly to all suspected or actual online safety incidents, cyber incidents, data breaches, digital record errors and online safeguarding concerns.
10.1 Examples of Reportable Incidents
Staff must report immediately if they become aware of or suspect:
- loss or theft of a phone, tablet, laptop, paper record, access card or storage device;
- personal data sent to the wrong person;
- unauthorised access to care records, staff records, email or systems;
- phishing, malware, ransomware or suspicious links or attachments;
- system outage affecting care delivery, visit monitoring, medication records or access to care plans;
- inaccurate, missing or delayed digital care records that may affect safety or continuity of care;
- inappropriate photographs, recordings, screenshots or social media posts;
- online abuse, exploitation, scams, coercion, grooming, harassment or safeguarding concerns involving a service user;
- any incident that may require notification to the ICO, CQC, safeguarding authority, commissioner, police, insurer or system supplier.
10.2 Immediate Actions
Staff must report concerns immediately to their line manager, the Registered Manager or the Data Protection Lead. Staff must not delete evidence, attempt to investigate beyond their role, contact suspected attackers, conceal errors or delay reporting because they are unsure whether an incident is serious. Where a device is suspected to be compromised, staff should disconnect it from Wi-Fi or the network if it is safe to do so, but must not wipe, reset or reinstall it unless instructed, so that evidence is preserved. Where safe to do so, staff should preserve relevant information such as emails, screenshots, device details, dates, times, names of people involved and actions already taken.
10.3 Assessment and Escalation
The Registered Manager, Data Protection Lead or nominated senior person will assess the incident promptly to determine:
- whether people are at risk of harm or unsafe care;
- whether the incident is a personal data breach under UK GDPR;
- whether the ICO must be notified;
- whether affected individuals must be informed;
- whether the incident is a safeguarding concern;
- whether CQC notification, duty of candour, commissioner notification, police reporting, supplier escalation or business continuity arrangements are required;
- what immediate containment, recovery and communication steps are needed.
10.4 ICO Reporting
Where a personal data breach is likely to result in a risk to individuals’ rights and freedoms, {{org_field_name}} will notify the ICO without undue delay and, where feasible, within 72 hours of becoming aware of the breach. Where the breach is likely to result in a high risk to individuals’ rights and freedoms, affected individuals will also be informed without undue delay. All personal data breaches, whether or not they are reported to the ICO, will be recorded in the data breach log together with the facts of the breach, its effects and the remedial action taken. If a decision is made not to report a breach to the ICO, the reasons for this decision must be documented.
10.5 CQC, Safeguarding and Duty of Candour
Where an online safety, cyber or data incident has caused or contributed to harm, avoidable harm, abuse, neglect, unsafe care, loss of access to essential care information or a notifiable safety incident, the Registered Manager will consider CQC notification requirements, safeguarding procedures and the duty of candour. Where the duty of candour applies, {{org_field_name}} will act in an open and transparent way, provide a truthful account, apologise where appropriate, explain what further enquiries will take place and keep a written record.
10.6 Investigation, Learning and Improvement
All incidents will be recorded, investigated proportionately and reviewed for learning. Corrective actions may include staff support, additional training, changes to access permissions, system configuration changes, supplier escalation, policy updates, disciplinary action, safeguarding referrals, data protection improvements, business continuity review or further audit. Lessons learned will be shared with staff where appropriate and monitored through governance meetings, supervision and quality assurance.
11. Monitoring and Compliance
To ensure ongoing compliance with this policy:
System Monitoring
- Company IT systems will be monitored for unusual activity, including failed or unexpected login attempts, logins from unfamiliar devices or locations, devices that have missed security updates, and suspicious downloads or data transfers.
Audits and Reviews
- Regular audits will be conducted to assess compliance with online safety, data protection, cyber security and digital record procedures.
- Audits will include, where relevant, electronic care record quality, timeliness of entries, access permissions, staff compliance with confidentiality, incident reporting, data sharing, device security, training completion, supplier performance, business continuity and DSPT or equivalent evidence.
- Audit findings will be reviewed by the Registered Manager and used to improve safety, quality, governance and staff practice.
- Actions from audits will be recorded, allocated to responsible persons, given timescales and monitored until completed.
Staff Accountability
- Staff who breach the Online Safety Policy may face disciplinary action, up to and including termination of employment, depending on the severity of the breach.
Business Continuity and System Failure
{{org_field_name}} will maintain arrangements to ensure continuity of care if digital systems, phones, internet access, electronic care records, rostering systems or medication systems are unavailable. These arrangements will include emergency access to essential information, escalation contacts, alternative recording methods, communication plans, supplier contact details, back-up processes and post-incident reconciliation of records.
Policy Review
- This policy will be reviewed annually or sooner if legislative changes, technological advancements, or emerging risks require updates.
12. Supporting Mental Health and Well-Being
We recognise that online safety extends beyond technical protection to include the psychological well-being of staff and service users. To promote digital well-being:
- Screen Time Management: Staff and service users are encouraged to take regular breaks from screens and maintain healthy technology habits.
- Preventing Online Harassment: Any instances of cyberbullying, harassment, or abusive content must be reported immediately and will be addressed under the company’s Bullying and Harassment Policy.
- Mental Health Support: Access to the company’s Employee Assistance Programme (EAP) is available for staff experiencing stress or anxiety related to online safety issues.
- Support After Incidents: Staff and service users affected by cyber incidents, online abuse, harassment, scams, data breaches or distressing online content will be offered appropriate support. Staff will be encouraged to report mistakes, near misses and concerns promptly without fear of unfair blame, while recognising that deliberate, reckless or repeated breaches may result in disciplinary action.
- Safer Online Culture: {{org_field_name}} will promote a culture of openness, learning and psychological safety so that staff feel able to report phishing, accidental disclosure, device loss, suspicious activity or online safety concerns immediately. The purpose of reporting is to protect people, reduce harm and improve systems.
13. Review and Approval
This Online Safety Policy will be reviewed at least annually by the Registered Manager ({{org_field_registered_manager_first_name}} {{org_field_registered_manager_last_name}}).
The policy will also be reviewed sooner following significant changes in legislation, CQC guidance, ICO guidance, DSPT requirements, technology, supplier arrangements, cyber threats, serious incidents, data breaches, safeguarding concerns, system failures, audit findings or organisational structure.
Updates will be communicated to relevant staff, and additional training, supervision or competency checks will be provided where required.
Responsible Person: {{org_field_registered_manager_first_name}} {{org_field_registered_manager_last_name}}
Reviewed on: {{last_update_date}}
Next Review Date: {{next_review_date}}
Copyright © {{current_year}} – {{org_field_name}}. All rights reserved.