{{org_field_logo}}

{{org_field_name}}

Registration Number: {{org_field_registration_no}}

---

Safe Key Holding and Access Management Policy

1. Purpose

The purpose of this policy is to ensure that {{org_field_name}} manages key holding and access to service users’ homes safely and securely in compliance with Care Inspectorate Wales (CIW) regulations, data protection laws, and best practices in domiciliary care. Our primary aim is to protect service users, their property, and their right to privacy, while ensuring that care workers can access homes safely and efficiently when required.

Our objectives are to:

• Ensure that all key holding practices are secure, transparent, and accountable.
• Prevent unauthorised access to service users’ homes.
• Provide staff with clear guidance on key handling, storage, and access procedures.
• Comply with CIW regulations and safeguarding policies to protect vulnerable individuals.
• Maintain accurate records of key usage and access permissions.
• Handle lost, stolen, or misplaced keys efficiently and securely.

2. Scope

This policy applies to:

• All employees, including care workers, managers, and administrative staff.
• The Registered Manager and Responsible Individual, responsible for compliance.
• Service users receiving domiciliary care and reablement support.
• Families and authorised representatives, where key access permissions apply.
• External professionals or contractors, who may require temporary access.

3. Legal and Regulatory Framework

This policy must be read and implemented in line with the requirements of the Regulation and Inspection of Social Care (Wales) Act 2016 (‘RISCA’) and the Regulated Services (Service Providers and Responsible Individuals) (Wales) Regulations 2017 (as amended) (‘the Regulations’). We will have regard to Welsh Government statutory guidance for care home and domiciliary support service providers and responsible individuals, and to Care Inspectorate Wales (CIW) guidance, inspection frameworks and Codes of Practice, as applicable to domiciliary support services.

This policy also supports compliance with:

• Social Services and Well-being (Wales) Act 2014 (well-being, safeguarding duties and rights-based practice);
• Human Rights Act 1998 and Equality Act 2010 (privacy, dignity, non-discrimination and reasonable adjustments);
• Mental Capacity Act 2005 (including best-interest decision making where consent is in question);
• Data Protection Act 2018 and UK GDPR (secure handling of personal data, confidentiality, data minimisation, and breach management);
• Health and Safety at Work etc. Act 1974 (safe systems of work, including lone working and safe access); and
• Welsh Language Standards (ensuring information and agreements are provided in an appropriate language/format where required).

4. Service User Consent and Key Holding Agreements

4.1 Obtaining Consent

• Keys must only be held with the full written consent of the service user or their legal representative.
• Service users have the right to refuse key holding services; alternative access arrangements will be explored.
• Consent must be documented in the service user’s care plan/personal plan and reviewed at each planned review of the personal plan (and immediately if needs, risks, mental capacity, or access arrangements change); as a minimum, consent will be reviewed no less frequently than the service’s personal plan review cycle.

4.2 Key Holding Agreement

Before accepting responsibility for a service user’s key, {{org_field_name}} will ensure:

• A formal key holding agreement is signed by the service user and care provider.
• The agreement specifies access times, key storage, and authorised personnel.
• Service users are informed of their right to withdraw consent at any time.

The Key Holding Agreement must also specify:

• whether the access method is a front door key, communal entrance key, fob, alarm code, door-entry code, or other access method;
• the agreed ‘no response’ / emergency access process, including when emergency services may be contacted;
• the exact arrangements for key safe use (where applicable), including who may hold/access the code and how code changes are managed;
• how we will manage situations where the person lacks capacity to consent, including best-interest decision making and who is authorised to agree arrangements;
• how we will record, audit, and retain key access records; and
• how the person (or their representative) will be informed if a key is lost, compromised, or if there is suspected unauthorised access.

How we manage this efficiently:

• A structured consent form ensures compliance with CIW regulations.
• Key holding records are updated regularly to reflect changes in service user needs.

5. Secure Storage and Handling of Keys

5.1 Key Storage in the Office

• Keys must be stored in a locked, secure cabinet with restricted access.
• Only authorised staff members have access to the key cabinet.
• Keys must be clearly labelled with an anonymous code (not service user names or addresses).

5.2 Key Storage in the Community

• Care workers must not carry unnecessary keys unless required for scheduled visits.
• Keys must be kept in a secure pouch or lockable key case while in transit.
• Keys must never be left unattended in a vehicle or public place.

How we manage this efficiently:

• An electronic key management system logs key issuance and returns.
• Staff receive training on key security and proper storage procedures.

5.3 Key Safe / Door Code / Alarm Code Management

Where a key safe, door-entry code, alarm code, or digital access method is used, codes must be treated as confidential personal information. Codes must:

• be shared strictly on a need-to-know basis and only with staff authorised for that individual’s visits;
• be stored only within approved secure systems (not written in notebooks, personal phones, or visible rotas);
• be changed promptly when access is withdrawn, staff leave employment/agency placement ends, or where compromise is suspected; and
• be recorded and controlled so that any access or change is traceable to a named person and date/time.

5.4 Key Identification, Data Minimisation and Confidentiality

Key labels/codes must never allow a key to be linked to a person’s name or address without access to a separate secure index. The index linking key codes to service users must be held securely with restricted access. If any key, fob or code record is lost and it is possible to identify the service user/address, this will be treated as a potential personal data breach and managed under our data breach procedure.

6. Accessing Service Users’ Homes Safely

6.1 Procedure for Key Access

• Care workers must knock and announce themselves before entering, even if they have a key.
• If a service user does not respond, staff must follow the no-response protocol.
• Staff must ensure that the key is returned to the designated storage location after use.

6.2 Alternative Access Methods

If a service user refuses key holding, {{org_field_name}} may:

• Use a secure key safe, with access codes shared only with authorised personnel.
• Arrange for a family member or designated individual to provide access.
• Assess alternative care delivery options if access is restricted.

How we manage this efficiently:

• Service user preferences are documented in the care plan.
• Emergency key access procedures are clearly outlined for staff.

7. Recording and Monitoring Key Usage

7.1 Key Log System

• Every key issue and return must be recorded in the key log system.
• The log must include date, time, staff member name, and purpose of use.
• Regular audits will be conducted to ensure accuracy and accountability.

Key logs (paper or electronic) must be accurate, complete, and made at the time of the event. Key logs must be stored securely and retained for the required retention period in line with the Regulations and our Records Management Policy. Where logs are electronic, access must be role-based and protected by unique user credentials to provide an audit trail of entries and amendments.

7.2 Reporting Misuse or Unauthorised Access

• Any unauthorised key use must be reported immediately to the Registered Manager.
• Staff found misusing keys may face disciplinary action.

How we manage this efficiently:

• Automated key tracking software ensures real-time monitoring.
• Managers conduct spot checks to verify compliance with key handling procedures.

7.3 Records Access and Confidentiality

Access to key-holding records (including the index linking key codes to individuals) is restricted to authorised roles only. Records must be made available promptly for internal audits and for CIW inspection on request. Individuals (or their representatives) will be supported to access information we hold about them in accordance with data protection law and our subject access procedure.

8. Lost, Stolen, or Misplaced Keys

8.1 Immediate Actions for Lost Keys

If a key is lost or stolen:

1. Report the incident immediately to the Registered Manager.
2. Inform the service user and assess the risk level.
3. Arrange for a locksmith to change the lock if necessary.
4. Conduct an internal review and update procedures to prevent recurrence.

8.2 Preventative Measures

• Staff must use key fobs or identifiable tags that do not reveal service user details.
• Backup access methods (such as key safes) should be considered for high-risk cases.

How we manage this efficiently:

• A lost key protocol ensures swift and secure resolution.
• Risk assessments are conducted following incidents to improve security measures.

8.3 Risk Assessment and Immediate Safeguarding Actions

On notification of a lost/stolen/misplaced key, the Registered Manager (or on-call manager) will complete and record an immediate risk assessment considering: whether the key can be linked to an identifiable address; the individual’s vulnerability; time of day; known risks (e.g., domestic abuse, exploitation); whether alarm codes/door codes are compromised; and whether the individual is alone or at immediate risk. The outcome will determine immediate controls, which may include urgent lock changes, temporary increased monitoring, family contact, safeguarding referral, or police involvement.

8.4 CIW / Commissioner Notification and Duty of Candour Considerations

Where the incident has caused, or is likely to cause, significant risk to the individual’s safety, security, or well-being, or could prevent the service from being provided safely, the Registered Manager will consider whether a notification to CIW (and, where applicable, commissioners/placing authorities) is required under the Regulations. Any notification will be made without delay and in the manner required by CIW. The service will also consider whether the circumstances trigger our duty of candour / openness requirements to ensure the individual is informed transparently and supported.

8.5 Personal Data Breach Management (UK GDPR / Data Protection Act 2018)

If a lost/stolen key, fob, or associated record could identify an individual (directly or indirectly), this will be managed as a potential personal data breach under UK GDPR/Data Protection Act 2018. We will:

• contain the breach (e.g., change locks/codes, secure systems);
• assess likelihood/severity of risk to the person’s rights and freedoms;
• record the breach decision-making and outcome;
• report to the ICO within 72 hours where required; and
• inform the affected individual without undue delay where the risk is high.

9. Emergency Access and Safeguarding Procedures

9.1 Emergency Access to a Service User’s Home

In an emergency (e.g., service user is unresponsive or in distress):

• Care staff should attempt contact via phone before entering.
• If entry is required, follow the agreed emergency access plan.

If the individual may lack capacity to make a decision about entry at that time, staff must act in accordance with the Mental Capacity Act 2005 and the individual’s recorded wishes, emergency plan and best-interest decision making, and must document the rationale and actions taken.

• If access is denied or there are safeguarding concerns, emergency services should be contacted.

9.2 Safeguarding Considerations

• All key handling staff must undergo a DBS check.
• Any concerns regarding home access must be reported to safeguarding teams.

How we manage this efficiently:

• Emergency entry procedures are outlined in the service user’s care plan.
• Safeguarding officers oversee all key-related security concerns.

All emergency access events must be recorded contemporaneously, including the time, reason, actions taken, who was contacted, and outcomes.

10. Staff Training and Compliance

10.1 Key Holding Training

• All staff must complete training on key handling, access management, and security.
• Refresher training is conducted annually to reinforce best practices.

10.2 Compliance Audits

• Quarterly audits review key logs and storage protocols.
• Any discrepancies are addressed through internal investigations and corrective actions.

How we manage this efficiently:

• Training records track staff competency in key holding.
• A compliance officer ensures adherence to best practices.

11. Related Policies

This policy aligns with:

• Safeguarding Adults Policy (DCW13)​.
• Confidentiality and Data Protection Policy (DCW34)​.
• Risk Management and Assessment Policy (DCW18)​.
• Emergency and Crisis Management Policy (DCW27)​.

12. Policy Review

This policy will be reviewed at least annually, and sooner where Welsh Government guidance, CIW requirements, or legislation changes, following any serious incident (including lost keys/security breach), or where audits identify learning. The Responsible Individual will ensure arrangements are in place for policies and procedures to be kept up to date and for staff to have access to, and understand, the current version. The Responsible Individual will also ensure that audits of key holding records and associated learning are incorporated into quality monitoring arrangements.

---

Responsible Person: {{org_field_registered_manager_first_name}} {{org_field_registered_manager_last_name}}
Reviewed on: {{last_update_date}}
Next Review Date: {{next_review_date}}
Copyright © {{current_year}} – {{org_field_name}}. All rights reserved.