{{org_field_logo}}

{{org_field_name}}

Registration Number: {{org_field_registration_no}}

---

Using Social Media Platforms Policy

1. Purpose

The purpose of this policy is to provide clear guidance on the responsible, ethical, and lawful use of social media by employees of {{org_field_name}}. This policy ensures that staff understand how to engage with social media safely, protecting the privacy, dignity, and confidentiality of service users while maintaining the professional reputation of the organisation.

This policy has regard to the Regulation and Inspection of Social Care (Wales) Act 2016 and the Regulated Services (Service Providers and Responsible Individuals) (Wales) Regulations 2017 (as amended), and the Welsh Ministers’ statutory guidance for domiciliary support services. It also supports compliance with the UK GDPR and the Data Protection Act 2018, and the Social Care Wales Codes of Professional Practice and any updated codes that apply to the workforce (including updated codes coming into force on 1 July 2026).

2. Scope

This policy applies to: All employees of {{org_field_name}}, including care staff, managers, administrative personnel, and contractors. Any official social media accounts managed by {{org_field_name}}. Personal social media use where it impacts the organisation, service users, or colleagues.

It covers: Acceptable and unacceptable use of social media. Protecting service user confidentiality. Preventing reputational risks and legal breaches. Reporting and managing social media misuse. Staff training on responsible social media use.

2.1 Definitions

For the purposes of this policy, “social media” includes social networking sites, forums, blogs, video-sharing platforms, live-streaming services, and all direct messaging functions within those platforms. “Messaging apps” includes any internet-based messaging used for one-to-one or group communications.

3. Principles of Using Social Media in a Care Setting

3.1 Professional Conduct on Social Media

Employees must always maintain professionalism when using social media, whether they are posting on official company accounts or personal profiles. This means: Never sharing confidential information about service users, staff, or the organisation. Avoiding comments that could be perceived as offensive, discriminatory, or defamatory. Not engaging in online disputes or posting inappropriate content that could damage professional credibility. Respecting boundaries when engaging with service users or their families on social media.

All social media interactions must align with the Social Care Wales Code of Professional Practice, which requires staff to uphold public trust in the profession and act with integrity, respect, and responsibility.

3.2 Protecting Service User Privacy and Confidentiality

Service users have a legal right to privacy under GDPR and the Data Protection Act 2018. Employees must:

• Employees must never post images to a service user using any personal social media account or personal device, even if the service user (or anyone else) says they consent.
• Avoid discussing service users’ care, conditions, or personal matters online.
• Not tag, reference, or disclose any details that could indirectly identify a service user.
• Report any suspected breaches of confidentiality immediately to their manager.

Any proposed use of a service user’s image/story for {{org_field_name}} promotional, awareness or recruitment purposes may only be created and posted via an authorised organisational account. Staff must not make their own judgement or rely on informal/verbal consent.

Any use of service user information for official marketing or awareness campaigns must have explicit written consent from the service user or their legal representative.

3.3 Authorised photography, video and case stories (organisation accounts only)

Where {Organisation Name} proposes to use any image, video, audio recording, quotation, “success story”, case example, testimonial or similar content relating to a service user, this must be treated as the processing of personal data and must be managed as follows:

1. Written, informed consent (before recording or publishing): Written consent must be obtained before any recording is made and before any content is published. The consent form must clearly state what will be used (e.g., photo/video/quote), which platforms it will appear on (e.g., website, Facebook), the purpose (e.g., awareness, recruitment), and the time period the consent applies for.
2. Capacity and best-interest decision making: If there is any doubt about the person’s capacity to give consent, a capacity assessment must be completed and recorded. Any decision to proceed must follow the principles of the Mental Capacity Act 2005, and where required, a best-interest decision must be recorded in line with those principles.
3. Right to withdraw consent: The person (or their representative) can withdraw consent at any time. If consent is withdrawn, {Organisation Name} will take prompt steps to remove the content from its own accounts and platforms where reasonably practicable. We recognise that re-shares by third parties may be outside our control; however, we will take reasonable steps to minimise further sharing where possible.
4. Data minimisation and privacy by design: Content must not include unnecessary identifying details. Do not include service user addresses, care visit times, medication information, dates of birth, unique medical details, or location markers (including geo-tags) that could identify where the person lives or receives support.
5. Approval and record keeping: All such content must be approved in writing by the Registered Manager (and the Data Protection Lead where applicable). A record must be kept in a consent register including: what was consented to, the date of consent, where content is posted, the purpose, and a link or screenshot of the published post.
6. No staff personal devices or personal accounts: Staff must not store service user images or recordings on personal phones, personal computers, personal cloud storage, or personal messaging apps. Staff must not post this type of content using personal social media accounts.

3.4 Managing Official Social Media Accounts

{{org_field_name}} may use official social media accounts for communication, marketing, recruitment, and raising awareness of care services. These accounts must be managed responsibly to maintain professionalism and regulatory compliance.

This includes:

• Ensuring that any message or comment indicating dissatisfaction, harm, risk, or a complaint is moved promptly into the organisation’s formal complaints or safeguarding process and is not debated or investigated publicly online.
• Keeping a secure record (for example, screenshot or export) of any significant complaint, allegation, safeguarding indicator, threat, or harassment received through social media, and ensuring it is logged and managed through the appropriate internal procedure.
• Not deleting content that may be evidence of a complaint, safeguarding concern, or alleged misconduct. Preserve the evidence and escalate it in line with reporting procedures.
• Posting accurate, non-misleading information about the organisation and its services.
• Ensuring all content aligns with CIW guidelines and professional standards.
• Not responding to complaints or sensitive matters publicly—these should be handled through official complaint procedures.
• Engaging positively with the community while avoiding controversial discussions.

Only authorised personnel may post on behalf of {{org_field_name}}, and all content must be reviewed and approved before publishing.

3.5 Personal Social Media Use and Employment Responsibility

Employees are free to use social media in their personal time, but they must ensure that their activity does not negatively impact their role or the organisation. This means: Avoiding negative or defamatory posts about {{org_field_name}}, colleagues, or service users. Not sharing confidential or sensitive work-related information. Not posting anything that could bring the organisation into disrepute, such as inappropriate language, discriminatory comments, or illegal activity. Avoiding discussing work-related grievances publicly—these should be raised through internal procedures.

Even when posting on personal accounts, employees are still bound by confidentiality agreements and professional codes of conduct.

3.6 Interaction with Service Users and Families on Social Media

To maintain professional boundaries and safeguarding, employees must:

• Not accept friend requests or follow service users or their families on personal social media accounts.
• Avoid private messaging service users through social media platforms.
• Direct any online inquiries from service users to official communication channels.
• Staff must not search for, “check up on”, monitor, or gather information about service users (or their relatives) online, and must not discuss service users in online groups, even without naming them, if the person could be identified from the context.

This helps prevent ethical conflicts, safeguarding concerns, and potential breaches of professional conduct.

3.7 Social Media and Safeguarding Responsibilities

Social media can be used for grooming, exploitation, or abuse, and employees have a duty to report any safeguarding concerns related to social media use. This includes: Service users being targeted or harassed online. Inappropriate images or comments posted about a service user. Suspicious or exploitative online behaviour.

Concerns must be reported immediately to the Safeguarding Lead in line with the Safeguarding Adults from Abuse and Improper Treatment Policy (DCW13)​.

3.8 Reporting and Managing Social Media Misuse

If an employee becomes aware of suspected or actual inappropriate social media activity, they must report it immediately to their manager, the Registered Manager, or the organisation’s Safeguarding Lead. Where the concern involves the manager, or where the employee believes internal reporting is not being addressed, the concern must be escalated via the Whistleblowing Policy and may be raised with an appropriate person, including the Responsible Individual, the local authority safeguarding team, the police, or the service regulator (CIW), as relevant. Examples of misuse include: Posting confidential service user information. Harassment or cyberbullying of colleagues. Unprofessional comments about the organisation or its employees. Online behaviour that breaches regulatory or legal requirements.

Any breaches of this policy may result in disciplinary action, including formal warnings or dismissal for serious breaches, in line with the Disciplinary and Grievance Policy (DCW31)​.

Where the concern indicates a safeguarding risk (for example, grooming, exploitation, harassment, coercion, or the sharing of intimate images), staff must follow the organisation’s safeguarding procedures (including DCW13 if applicable), ensure prompt referral through safeguarding processes and external agencies where required, and the Registered Manager/Responsible Individual must consider any CIW notification duties that apply.

3.9 Data breaches, screenshots and cyber security controls

1. Staff must assume that anything posted, messaged, photographed, recorded, or screenshotted can be permanently shared beyond the intended audience.
2. Staff must not use personal messaging apps (including “closed groups”) to share service user information, visit times, addresses, door codes, medication details (including MAR information), care notes, or any other confidential information. Only approved organisational systems may be used.
3. Any loss or theft of a device, unauthorised access, accidental posting, mis-send, suspected online impersonation, or any other suspected compromise relating to {{org_field_name}}, its social media accounts, or service user information must be reported immediately as a potential data breach and managed under the organisation’s Data Protection and Incident Reporting procedures.
4. Staff must never share passwords. Staff must use multi-factor authentication on organisational accounts where available, and must not grant access to organisational accounts to anyone who is not authorised.

4. Efficiency in Managing Social Media Risks

To ensure efficient management of social media use, {{org_field_name}} implements:

• Clear guidelines and training, ensuring all employees understand their responsibilities.
• A monitored approval system, where only authorised personnel manage official accounts.
• Regular audits of social media use, identifying risks and ensuring compliance.
• Incident reporting mechanisms, allowing quick action against policy breaches.
• Ongoing updates to policy, ensuring it reflects new regulations, risks, and best practices.
• Social media, confidentiality and information-governance expectations are included in staff induction and refreshed through supervision. Staff are required to confirm they have read, understood and will comply with this policy and related confidentiality, safeguarding and data protection policies.

These measures help protect the organisation, service users, and employees while ensuring that social media is used responsibly and effectively.

5. Related Policies

This policy should be read alongside:

• Confidentiality and Data Protection (GDPR) Policy (DCW34)​
• Safeguarding Adults from Abuse and Improper Treatment Policy (DCW13)​
• Equality, Diversity, and Inclusion Policy (DCW30)​
• Staff Conduct and Code of Ethics Policy (DCW28)​
• Disciplinary and Grievance Policy (DCW31)​.

6. Policy Review

This policy will be reviewed annually, or sooner if legislative changes, new risks, or operational requirements necessitate amendments.

---

Responsible Person: {{org_field_registered_manager_first_name}} {{org_field_registered_manager_last_name}}
Reviewed on: {{last_update_date}}
Next Review Date: {{next_review_date}}
Copyright © {{current_year}} – {{org_field_name}}. All rights reserved.