{{org_field_logo}}
{{org_field_name}}
Registration Number: {{org_field_registration_no}}
Online Safety Policy
1. Purpose
The purpose of this policy is to ensure that all employees of {{org_field_name}} use digital technologies, online resources, and social media safely and responsibly. This policy is designed to protect sensitive data, prevent cyber threats, and maintain the confidentiality and dignity of individuals receiving care. It sets out clear guidelines for staff on the appropriate use of email, social media, mobile devices, and online systems while ensuring compliance with the Health and Social Care Standards (Scotland), the SSSC Codes of Practice for Social Service Workers and Employers (2024), and relevant data protection laws including the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
2. Scope
This policy applies to all employees, volunteers, contractors, and anyone using {{org_field_name}}’s digital resources, including:
- Computers, laptops, and tablets used for work-related purposes.
- Email and communication platforms such as Microsoft Teams, Zoom, and WhatsApp.
- Social media platforms (Facebook, Twitter, Instagram, LinkedIn, etc.).
- Cloud-based storage and care management systems.
- Mobile phones and messaging apps used for work purposes.
- Any other internet-connected devices used in the workplace.
This policy applies to work-related digital interactions inside and outside of working hours, whether using {{org_field_name}} devices or personal devices used for work-related tasks.
3. Related Policies
This policy should be read in conjunction with the following:
- Confidentiality and Data Protection Policy, ensuring secure handling of sensitive information.
- Safeguarding Adults Policy, protecting vulnerable individuals from online abuse.
- Cybersecurity and IT Acceptable Use Policy, ensuring safe use of online systems.
- Social Media and Digital Communications Policy, outlining appropriate online interactions.
- Whistleblowing Policy, providing a process for reporting online safety concerns.
4. Policy Statement
{{org_field_name}} is committed to ensuring that all staff members use online systems responsibly and safely. The key principles of this policy include:
- Protecting the personal and confidential data of individuals receiving care, staff, and the organisation.
- Preventing cyber threats such as phishing, hacking, and data breaches.
- Promoting responsible use of social media and online communication.
- Ensuring compliance with Care Inspectorate Scotland regulations regarding online safety and data protection.
- Educating staff on best practices for online security and digital ethics.
5. Responsibilities
5.1 Responsibilities of All Staff
All employees must:
- Use work-related online platforms responsibly, ensuring all digital communication remains professional and appropriate.
- Keep login credentials secure and avoid sharing passwords.
- Report any suspicious emails, messages, or cybersecurity threats to IT support or management.
- Refrain from using personal devices for work unless explicitly authorised.
- Never disclose personal details of individuals receiving care on social media or unsecured online platforms.
- Be aware of online fraud, phishing attempts, and digital scams that could compromise security.
- Ensure compliance with online training related to cybersecurity and data protection.
5.2 Responsibilities of Management
Managers must:
- Ensure all staff receive training on online safety and cybersecurity threats.
- Monitor and enforce compliance with this policy, addressing any breaches.
- Implement and maintain security measures, such as encrypted email and secure cloud storage.
- Conduct regular audits to assess risks associated with online activities.
- Take immediate action in the event of an online security breach.
5.3 Responsibilities of Senior Leadership
Senior leadership is responsible for:
- Ensuring all digital systems are compliant with data protection laws.
- Allocating resources to cybersecurity measures.
- Developing policies to protect the online safety of both staff and individuals receiving care.
- Reviewing and updating this policy in response to new online threats.
6. Safe Use of Digital Devices
6.1 Work Computers and Mobile Devices
Employees must:
- Use password-protected work devices for all work-related activities.
- Ensure automatic software updates are installed to protect against security threats.
- Store files in approved secure cloud storage systems, not on personal USBs or external drives.
- Lock their screens when away from their devices to prevent unauthorised access.
- Not download or install unauthorised applications that may compromise security.
6.2 Personal Devices and Bring Your Own Device (BYOD) Policy
Employees must not:
- Use personal devices to access or store sensitive work information unless authorised.
- Connect personal devices to the organisation’s Wi-Fi without approval.
- Use personal emails or messaging apps for official communication regarding individuals receiving care.
- Take or store photos, videos, or documents related to work on personal devices.
If personal device use is permitted, it must comply with data protection laws and security guidelines.
7. Online Communication and Social Media Use
7.1 Email and Messaging Applications
- Work-related emails must be sent using official company email accounts only.
- Employees must not open suspicious links or attachments in emails.
- Personal information must not be shared via unsecured messaging platforms such as WhatsApp or SMS.
7.2 Social Media Guidelines
Employees must:
- Not discuss confidential information about individuals receiving care, staff, or work-related matters on social media.
- Not post images or videos of individuals receiving care without explicit written consent.
- Not engage in online discussions that could harm the reputation of {{org_field_name}}.
- Report any social media misuse that may involve the organisation.
Failure to comply with these guidelines may result in disciplinary action.
8. Cybersecurity and Data Protection
8.1 Protecting Sensitive Data
Employees must:
- Store data in GDPR-compliant systems.
- Avoid sharing login credentials with anyone.
- Report lost or stolen devices immediately.
- Use multi-factor authentication where applicable.
8.2 Identifying and Preventing Cyber Threats
Common cyber threats include:
- Phishing emails attempting to steal information.
- Malware and ransomware attacks that lock or steal files.
- Fake websites mimicking official services.
All employees must report suspected cyber threats to IT support.
9. Reporting Online Safety Concerns
If an employee experiences or witnesses an online safety issue, they must:
- Report it to their line manager or IT support immediately.
- Complete an incident report, detailing the nature of the concern.
- Refrain from engaging with the suspected threat (e.g., do not click on suspicious links).
Any breach of this policy will be investigated under the Disciplinary Policy.
10. Compliance and Monitoring
This policy aligns with:
- SSSC Codes of Practice for Social Service Workers and Employers (2024).
- UK GDPR and Data Protection Act 2018.
- Cyber Essentials and Care Inspectorate IT Security Guidelines.
Regular policy audits, security training, and compliance checks will be conducted to ensure ongoing adherence.
11. Policy Review
This policy will be reviewed annually or sooner if regulatory requirements or cybersecurity risks change. Updates will be communicated to all employees to ensure continuous compliance.
Responsible Person: {{org_field_registered_manager_first_name}} {{org_field_registered_manager_last_name}}
Reviewed on: {{last_update_date}}
Next Review Date: {{next_review_date}}
Copyright © {{current_year}} – {{org_field_name}}. All rights reserved.