{{org_field_logo}}
{{org_field_name}}
Registration Number: {{org_field_registration_no}}
HCS119-Staff Internet Access and Usage Policy
1. Purpose
The purpose of this policy is to establish clear guidelines for appropriate, responsible, and secure use of the internet and digital resources by staff at {{org_field_name}}. It aims to ensure that internet access is used ethically, professionally, and in compliance with relevant laws and regulations while safeguarding confidential information and maintaining cybersecurity. This policy aligns with Care Inspectorate Scotland regulations, the UK General Data Protection Regulation (UK GDPR), and the Health and Social Care Standards (Scotland) 2018.
2. Scope
This policy applies to all employees, agency staff, contractors, and volunteers using internet services and digital devices provided by {{org_field_name}} or accessing work-related systems from personal devices. It covers:
- Permitted and prohibited uses of the internet.
- Data protection and confidentiality measures.
- Social media and online communication guidelines.
- Cybersecurity and prevention of cyber threats.
- Monitoring and enforcement of policy compliance.
- Disciplinary actions for policy breaches.
3. Related Policies
- Confidentiality and Data Protection Policy
- Safeguarding Adults and Children Policy
- Health and Safety Policy
- Cybersecurity and IT Security Policy
- Social Media and Online Conduct Policy
- Disciplinary and Grievance Policy
4. Legal and Regulatory Compliance
{{org_field_name}} ensures compliance with the following laws and regulations:
- Care Inspectorate Scotland Guidance – Ensuring safe use of digital resources in care services.
- UK General Data Protection Regulation (UK GDPR) – Protecting personal and sensitive data.
- The Data Protection Act 2018 – Governing data security and privacy rights.
- The Computer Misuse Act 1990 – Preventing unauthorised access to systems and data.
- The Equality Act 2010 – Preventing discrimination in digital communication.
- The Communications Act 2003 – Regulating internet use in the workplace.
5. Permitted Use of Internet Access
Staff at {{org_field_name}} may use internet services for:
- Work-related tasks, including accessing care records, research, and communication.
- Professional development, such as online training, webinars, or care sector updates.
- Internal communication via official email and collaboration platforms.
- Reporting and documentation related to service delivery.
- Accessing policies, procedures, and regulatory updates relevant to their role.
6. Prohibited Use of Internet Access
Staff are strictly prohibited from using {{org_field_name}}’s internet for:
- Accessing, downloading, or sharing offensive, illegal, or inappropriate content.
- Engaging in personal activities that are excessive or disrupt work responsibilities.
- Unauthorised disclosure of confidential, sensitive, or personal information.
- Cyberbullying, harassment, or discrimination against colleagues, people we support, or third parties.
- Using personal social media accounts for work-related discussions unless explicitly authorised.
- Downloading unauthorised software or accessing unapproved websites that may pose security risks.
- Bypassing security measures, firewalls, or other network protections.
7. Data Protection and Confidentiality
- Staff must follow data protection laws when accessing, storing, or sharing information online.
- Personal data belonging to people we support, their families, and colleagues must never be shared electronically without authorisation.
- Only secure, encrypted communication channels should be used for work-related correspondence.
- Emails containing sensitive information must be sent only to authorised recipients and marked as confidential.
8. Social Media and Online Communication
8.1. Acceptable Social Media Use
- Staff must never discuss people we support, work-related matters, or colleagues on personal social media accounts.
- Only designated individuals may post content on behalf of {{org_field_name}}.
- Staff must uphold professionalism in all online interactions, including personal social media use.
8.2. Digital Communication with People We Support
- Work-related communication should be conducted via official channels only (e.g., work email, approved care apps).
- Staff must not exchange personal contact details with people we support or their families unless authorised.
- Confidential conversations must not take place over unsecured messaging apps or social media.
9. Cybersecurity and Preventing Cyber Threats
9.1. Preventing Data Breaches
- Staff must use strong passwords and multi-factor authentication when accessing secure systems.
- Work devices must not be left unattended while logged into sensitive systems.
- Emails from unknown sources should not be opened, and suspicious links should not be clicked.
- Staff must report lost, stolen, or compromised devices immediately to management.
9.2. Use of Personal Devices (Bring Your Own Device – BYOD)
- Personal devices may only be used for work if explicitly approved by management.
- Any work-related information stored on personal devices must be encrypted and password-protected.
- Staff must not download or store confidential files on personal devices unless required and approved.
10. Monitoring and Enforcement
10.1. Monitoring of Internet Usage
- {{org_field_name}} reserves the right to monitor internet usage on its networks and devices to ensure compliance.
- Internet activity logs may be reviewed periodically, and staff may be asked to justify their use.
- Monitoring will be conducted lawfully and proportionately, respecting staff privacy where appropriate.
10.2. Consequences of Policy Violations
Violations of this policy may result in:
- Verbal or written warnings for minor infractions.
- Temporary or permanent restrictions on internet access.
- Disciplinary action, up to and including termination of employment, for serious or repeated breaches.
- Legal action in cases involving criminal activity, cyber threats, or data breaches.
11. Staff Training and Awareness
- All staff will receive mandatory training on internet security, data protection, and professional online conduct.
- Training will be refreshed annually so that staff remain compliant as cybersecurity threats evolve.
- Staff will be provided with ongoing support and updates on digital best practices.
12. Reporting Concerns and Cybersecurity Incidents
- Staff must report any suspected security breaches, phishing attempts, or unauthorised access immediately to management.
- Any concerns about inappropriate or unlawful use of the internet should be reported confidentially under the Whistleblowing Policy.
- All incidents will be investigated, and corrective measures will be implemented to prevent recurrence.
13. Policy Review
This policy will be reviewed annually or earlier if required due to legislative updates, cybersecurity risks, or Care Inspectorate recommendations. Any amendments will be communicated to all staff.
Responsible Person: {{org_field_registered_manager_first_name}} {{org_field_registered_manager_last_name}}
Reviewed on: {{last_update_date}}
Next Review Date: {{next_review_date}}
Copyright © {{current_year}} – {{org_field_name}}. All rights reserved.