Internal policy document

Document Control

1. Purpose

This statement sets out how (“the Company”, “we”, “our”) manages the quality of the care and support it provides to the people who use our services. It explains:

• The standards and regulatory frameworks we align ourselves with.
• How we monitor and measure performance against those standards.
• Who is responsible for quality at every level of the organisation.
• How we identify shortfalls, learn from them, and drive continuous improvement.
• Our position on formal certification schemes such as ISO 9001 and ISO 27001.
• How we protect the personal data and confidentiality of service users, staff, and third parties.

The statement is a single point of reference for staff, regulators, commissioners, local authority contract monitoring officers, and people who use our services. It should be read alongside the specific policies listed in section 12.

2. Scope

This statement applies to:

• Every regulated activity we deliver under our CQC registration.
• Every member of staff, whether directly employed, engaged through an agency, or working under a sub-contract or consultancy arrangement.
• Every location from which we operate or deliver care, including service users’ own homes.
• Every digital system (including Care Pathway Pro), paper record, and communication channel we use to plan, deliver, record, and review care.
• All third-party suppliers and sub-processors who handle personal data or deliver services on our behalf.

Where we deliver services under a contract with a local authority or NHS commissioner, the quality requirements of that contract are met through the framework described in this statement. Where a contract imposes additional quality obligations beyond those described here, compliance with those obligations is tracked as part of the contract management process.

3. Our Commitment to Quality

is committed to delivering safe, effective, caring, responsive, and well-led services. These are not abstract values pinned to a noticeboard. They are the criteria against which the Care Quality Commission assesses every regulated provider, and they form the backbone of everything we do.

Quality is owned by everyone. From the Registered Manager who sets the direction, to the care worker who records a daily log entry at the point of care, every person in the organisation has a direct impact on the quality of service we deliver.

We hold ourselves to three commitments:

• Do what we said we would do. Care plans, risk assessments, and policies are only useful if they are followed. We train staff on what is expected, we supervise to check that it is happening, and we act quickly when it is not.
• Record it accurately. Good records protect the people we support, provide evidence for regulators and commissioners, and allow us to spot problems before they escalate. We record at the point of care, in real time, using Care Pathway Pro.
• Learn and improve. When things go wrong, or when they could have gone wrong, we investigate without blame, capture lessons, and change the way we work. Improvement is not a one-off project. It is a cycle that runs every day.

4. Position on ISO 9001 and ISO 27001

does not currently hold ISO 9001 (Quality Management Systems) or ISO 27001 (Information Security Management Systems) certification.

4.1 Why we have not pursued ISO certification

We have taken a deliberate decision to align our internal quality and information security arrangements with the regulatory frameworks that govern adult social care in England, rather than pursue ISO certification at this stage. The principal reasons are:

• Regulatory alignment. The CQC Single Assessment Framework, the Health and Social Care Act 2008 (Regulated Activities) Regulations 2014, UK GDPR, and the Care Act 2014 impose mandatory requirements that are specific to adult social care. These frameworks are directly audited and inspected by the bodies that regulate us, and compliance with them is a condition of our continued registration.
• Proportionality. ISO certification involves significant ongoing cost (external audits, consultancy, documentation overheads) that must be weighed against the size and complexity of the organisation. At this stage, we have concluded that the investment is better directed into frontline quality improvement.
• Overlap. The principles that underpin ISO 9001 and ISO 27001 are already reflected in the arrangements described in this statement: a documented management system, defined roles and responsibilities, risk-based controls, internal audit, management review, and a structured approach to continuous improvement.

4.2 Future position

We keep this position under review. Where a contract, commissioner, or future strategic direction requires us to work towards ISO certification, the Registered Manager will commission a formal gap analysis, a costed implementation plan, and a timeline for accreditation. Any decision to pursue certification will be recorded and tracked as a quality improvement action.

5. Standards and Frameworks We Work To

Our quality framework draws on the following legislation, regulation, and sector guidance. Where a standard has been updated or replaced since this statement was last reviewed, we adopt the current version.

5.1 Primary legislation and regulations

• Health and Social Care Act 2008 (Regulated Activities) Regulations 2014. We operate within the regulated activities for which we are registered with the Care Quality Commission and meet the fundamental standards set out in the regulations (Regulations 9 to 20). The fundamental standards cover person-centred care, dignity, consent, safety, safeguarding, nutrition, premises, complaints, governance, staffing, fit and proper persons, and duty of candour.
• Care Act 2014. We discharge our responsibilities under the Care Act in relation to safeguarding, wellbeing, prevention, and the promotion of individual outcomes. We cooperate with local authorities in the exercise of their statutory functions.
• Mental Capacity Act 2005 and the Deprivation of Liberty Safeguards. Capacity assessments are decision-specific and time-specific. Best interest decisions are recorded and reviewed in line with the Act’s five statutory principles. Where a care arrangement may amount to a deprivation of liberty, we apply for authorisation through the appropriate route.
• Equality Act 2010. We provide services without discrimination. Reasonable adjustments are made for people with protected characteristics, and our recruitment, training, and service delivery reflect our obligations under the Act.
• Health and Safety at Work etc. Act 1974 and associated regulations. We maintain a safe working environment for staff and a safe care environment for service users. Risk assessments, COSHH records, fire safety checks, manual handling procedures, and RIDDOR reporting are managed through our health and safety framework.

5.2 CQC regulatory framework

• CQC Single Assessment Framework. We measure our service against the five key questions (safe, effective, caring, responsive, well-led) and the quality statements that sit beneath them. Self-assessment against the quality statements forms part of our quarterly review cycle.
• CQC notifications. We comply with notification requirements under Regulation 18 (staffing), Regulation 16 (complaints), and the CQC (Registration) Regulations 2009, Schedule 3 (notifiable events including deaths, serious injuries, safeguarding incidents, and police involvement).

5.3 Workforce standards and guidance

• Care Certificate. All new care workers complete the Care Certificate within their probation period. Existing staff have their competence in the fifteen standards reviewed through supervision and observed practice on a rolling basis.
• Skills for Care guidance. We use Skills for Care workforce planning tools, the Manager Induction Standards, and recommended qualification and training pathways (including the new Care Workforce Pathway where applicable) to shape our learning and development offer.
• NICE guidelines and quality standards. Where NICE has issued guidance relevant to the people we support (for example NG97 on dementia, QS49 on pressure ulcers, NG46 on oral health, SC1 on managing medicines, and NG31 on end-of-life care), we incorporate it into care plans, risk assessments, staff training, and competency checks.

5.4 Data protection and information governance

• UK GDPR and the Data Protection Act 2018. We process personal data and special category data lawfully, fairly, and transparently. We are registered with the Information Commissioner’s Office and we maintain records of processing activities.
• Data Security and Protection Toolkit (DSPT). Where required by an NHS or local authority contract, we complete and submit the DSPT annually, using it as a self-assessment tool for our information governance maturity.
• Caldicott Principles. We apply the Caldicott Principles when making decisions about the sharing of personal confidential data, particularly health information.

5.5 Safeguarding

• Local safeguarding adults board procedures. We follow the multi-agency safeguarding procedures published by the relevant local safeguarding adults board. Staff are trained to recognise the categories of abuse, to raise concerns without delay, and to preserve evidence.
• Prevent duty. We comply with the Prevent duty under the Counter-Terrorism and Security Act 2015 and ensure that staff receive appropriate awareness training.
• LADO referrals. Where an allegation is made against a member of staff, we follow the Local Authority Designated Officer referral process alongside our own disciplinary and safeguarding procedures.

6. How We Manage Quality Day to Day

6.1 Care Pathway Pro as the management system

Care Pathway Pro is our primary care management system. It is a cloud-hosted platform that holds:

• Service user profiles, care plans, and risk assessments.
• Daily care logs entered at the point of care.
• Electronic medication administration records (eMAR).
• Incident and accident reports.
• Staff rotas, time-and-attendance records, and shift sign-in/sign-out logs.
• Staff files, training records, supervision and appraisal records.
• Complaints and compliments log.
• Family Connect portal for authorised family members to view care activity.

Using a single system gives us live visibility of what is happening across the service, reduces duplication, makes it easier to spot patterns early, and provides a defensible audit trail for regulators and commissioners. All staff who deliver or coordinate care are trained on Care Pathway Pro during their induction and their competence is verified before they use it unsupervised.

6.2 Audit programme

The Registered Manager () runs a rolling programme of internal audits. The audit schedule below sets out the minimum frequency for each area. Additional audits may be triggered by an incident, complaint, safeguarding referral, or CQC feedback.

Audit area	Frequency	Led by	Reported to
Care plans and risk assessments	Monthly	Registered Manager	Monthly management meeting
Daily care logs	Weekly sample	Care Coordinator	Registered Manager
Medication records (eMAR)	Monthly	Registered Manager	Monthly management meeting
Infection prevention and control	Quarterly	Registered Manager	Quarterly quality report
Training and supervision compliance	Monthly	Registered Manager	Monthly management meeting
Recruitment files and DBS checks	Quarterly	Registered Manager	Quarterly quality report
Call monitoring and time-and-attendance	Monthly	Care Coordinator	Registered Manager
Complaints and compliments	Quarterly	Registered Manager	Quarterly quality report
Incidents, accidents, and safeguarding	Monthly	Registered Manager	Monthly management meeting
Environmental health and safety	Quarterly	Health and Safety Officer	Registered Manager
Service user and family feedback	Six-monthly	Registered Manager	Annual quality account
Policy review tracker	Quarterly	Registered Manager	Quarterly quality report

Each audit produces a written record that includes the scope, findings, required actions, responsible person, target date, and evidence of completion. Outstanding actions are reviewed at every monthly management meeting and escalated where deadlines are missed.

6.3 Management oversight and reporting

The Registered Manager chairs a monthly management meeting that reviews:

• Audit findings and outstanding actions from the previous month.
• Incidents, accidents, and near misses reported since the last meeting.
• Open safeguarding referrals and their status.
• Complaints received, investigations in progress, and outcomes.
• Training and supervision compliance rates.
• Staffing levels, vacancy rates, and agency usage.
• Feedback from service users, families, and commissioners.
• Progress against the annual quality improvement plan.

The Registered Manager produces a written quarterly quality report that consolidates the monthly data and provides trend analysis. The quarterly report is shared with the directors of the Company and is available on request to commissioning bodies.

An annual quality account is produced at the end of each financial year. It summarises the year’s quality performance, identifies successes and areas for improvement, and sets out the quality improvement priorities for the coming year.

6.4 Recruitment, induction, training, and supervision

Safer recruitment

We recruit safely in line with Schedule 3 of the Regulated Activities Regulations. Every recruitment file includes proof of identity, right to work, a satisfactory enhanced DBS check (with adults barred list check where applicable), at least two references (including the most recent employer), a full employment history with explanations for any gaps, and a health declaration. No member of staff begins regulated work until all checks are completed and verified.

Induction

Every new starter completes a structured induction programme that includes: orientation to the organisation, its values, and its policies; the Care Certificate (where the individual has not previously completed it or cannot evidence competence against the fifteen standards); mandatory training covering safeguarding, moving and handling, medication awareness, fire safety, infection prevention and control, first aid awareness, equality and diversity, and mental capacity; shadowing experienced staff; and a competency sign-off before they work unsupervised.

Ongoing training

We maintain a training matrix that maps each role to the mandatory and recommended training modules. Training compliance is monitored monthly and any member of staff who falls below the required threshold is contacted and a catch-up plan is agreed. Training is delivered through a mix of e-learning, face-to-face sessions, and practical observed competency.

Supervision and appraisal

Every member of care-delivering staff receives a formal one-to-one supervision at least every eight weeks (more frequently during probation). Supervisions cover workload, wellbeing, development needs, reflective practice, and any concerns. Each member of staff also receives an annual appraisal that sets objectives for the coming year and reviews progress against the previous year’s objectives. At least one observed practice session per year is conducted to verify that care is being delivered in line with care plans and training.

6.5 Person-centred care planning

Every person who uses our services has a care plan that is:

• Written in plain language, reflecting the person’s own words where possible.
• Based on a thorough pre-admission or initial assessment that identifies needs, preferences, risks, and outcomes.
• Developed with the involvement of the person, their family or representative (where consent is given), and relevant health and social care professionals.
• Reviewed formally at least every month, or sooner if the person’s needs change, an incident occurs, or a concern is raised.
• Held on Care Pathway Pro and accessible to all staff delivering care to that person.

Risk assessments are reviewed alongside the care plan and updated whenever a new risk is identified or an existing risk changes. Risk assessments cover (as a minimum) falls, skin integrity, nutrition and hydration, moving and handling, medication, mental capacity, and environmental hazards.

6.6 Listening to people who use our services

We invite feedback through multiple channels:

• Care plan reviews. Every formal care plan review includes a conversation with the person (and their family where appropriate) about what is working well and what could be better.
• Service user and family surveys. We conduct a structured satisfaction survey at least every six months. Results are analysed for themes and reported in the quarterly quality report.
• Spot checks and unannounced visits. During spot checks, supervisors ask the person about their experience and record the feedback.
• Family Connect. Authorised family members can view care activity through the Family Connect portal on Care Pathway Pro. This promotes transparency and gives families a direct window into the care being delivered.
• Complaints and compliments. All complaints are logged, acknowledged within two working days, investigated within twenty working days (or a revised timescale is agreed with the complainant), and responded to in writing. Compliments are also recorded and shared with staff. Themes from complaints and compliments are reported to the monthly management meeting.

Where feedback identifies a need for change, the change is captured as an improvement action, assigned an owner and a target date, and tracked to completion.

6.7 Incidents, accidents, safeguarding, and learning

Reporting

Incidents and accidents are recorded on Care Pathway Pro at the point of occurrence by the member of staff involved. The record includes the date, time, location, people involved, a factual description of what happened, immediate actions taken, and any injuries or harm.

Review and escalation

The Registered Manager reviews every incident report within 24 hours. They assess whether the event triggers:

• A CQC notification under the Registration Regulations.
• A safeguarding referral to the local authority.
• A RIDDOR report to the Health and Safety Executive.
• An internal investigation or root cause analysis.
• Immediate changes to a care plan, risk assessment, or staffing arrangement.

Safeguarding

Safeguarding concerns are managed by (Safeguarding Lead), who receives and triages all concerns, liaises with the local authority designated officer and the safeguarding adults board, and ensures that internal protective measures are put in place without delay. All staff receive safeguarding training during induction and at least annually thereafter, and know that they have a personal duty to report concerns regardless of who is involved.

Learning

Where investigation reveals systemic issues, we capture the lessons in writing, share them with the team through team meetings, supervision, and (where appropriate) a lessons-learned bulletin, and update the relevant policies, training materials, or care plans. We treat near misses with the same seriousness as actual harm. Trends in incidents, accidents, and safeguarding referrals are analysed monthly and reported in the quarterly quality report.

6.8 Continuous improvement

Quality improvement runs on a Plan, Do, Study, Act (PDSA) cycle:

• Plan. Identify the issue, define the desired outcome, and agree the change to be tested.
• Do. Implement the change on a small scale or for an agreed trial period.
• Study. Collect data, compare results to the baseline, and evaluate whether the change achieved the desired outcome.
• Act. If the change worked, adopt it as standard practice and update procedures. If it did not, adapt or abandon and try a different approach.

The Registered Manager maintains a quality improvement plan that lists all open improvement actions, their origin (audit, incident, complaint, inspection, self-assessment), owner, target date, and current status. The plan is reviewed at every monthly management meeting. Completed actions are retained for twelve months as evidence of learning.

7. Information Governance and Data Security

Although we do not hold ISO 27001 certification, information security is managed through a structured set of controls. The arrangements below provide the practical equivalent of a formal information security management system for an organisation of our size and type.

7.1 Registration and legal basis

• ICO registration. is registered as a data controller with the Information Commissioner’s Office. The registration is renewed annually and the registration reference is available on request.
• Lawful basis and special category conditions. We have documented our lawful basis for processing personal data under Article 6 UK GDPR and the additional conditions for processing special category data under Article 9 and Schedule 1 of the Data Protection Act 2018. The records of processing activities are maintained by the Data Protection Lead and are reviewed annually.
• Privacy notices. Service users, staff, and job applicants each receive a privacy notice that explains what data we collect, why we collect it, how long we keep it, who we share it with, and how to exercise their rights.

7.2 Access controls and authentication

• Least-privilege access. Access to records on Care Pathway Pro is granted on a role-based, least-privilege basis. Staff are only able to view and edit the records they need to do their job. Permissions are reviewed when roles change and revoked on the day a staff member leaves.
• Named accounts. Every user has a unique, named account. Shared or generic logins are prohibited.
• Password policy. Passwords must meet a documented minimum complexity standard. Staff are trained not to reuse passwords across systems.
• Two-factor authentication. Where Care Pathway Pro supports it, two-factor authentication is enabled for administrator and management accounts.

7.3 Technical and physical safeguards

• Encryption in transit. Care Pathway Pro is delivered over HTTPS with TLS encryption. Email is protected by transport-layer security where the receiving server supports it.
• Device and remote-working controls. Staff who access care records on personal devices follow the bring-your-own-device standards set out in our IT and Acceptable Use Policy. Devices must be password-protected, encrypted where the operating system supports it, and set to auto-lock after a short period of inactivity.
• Paper records. Paper records are kept in lockable storage and are only removed from the office where strictly necessary. Any paper records taken off-site are signed out and tracked.
• Disposal. Paper records are shredded to a cross-cut standard. Digital records are deleted in accordance with the retention schedule and, where hardware is decommissioned, storage media is securely wiped or destroyed.

7.4 Staff obligations

• Confidentiality. All staff sign a confidentiality clause as part of their contract of employment and receive data protection training during induction and annually thereafter.
• Acceptable use. The IT and Acceptable Use Policy sets out what staff may and may not do with Company systems, data, and devices. Breaches are treated as a disciplinary matter.

7.5 Breach response

Any suspected personal data breach is reported immediately to (Data Protection Lead), who triggers the breach response procedure. The procedure requires:

• Containment and recovery measures within the first hour where possible.
• A written assessment of the nature and severity of the breach within 24 hours.
• Notification to the ICO within 72 hours where the breach is likely to result in a risk to individuals’ rights and freedoms.
• Notification to affected individuals without undue delay where the breach is likely to result in a high risk to their rights and freedoms.
• A post-incident review to identify root cause and prevent recurrence.

All breaches, including those that do not meet the threshold for ICO notification, are logged in a breach register and reported to the Registered Manager.

7.6 Records retention

We retain records in line with the Records Management Code of Practice for Health and Social Care 2021. The retention schedule is reviewed annually and is available to staff on the staff portal.

7.7 Supplier assurance

Where a third party processes personal data on our behalf (including Care Pathway Pro as a data processor), we have a written data processing agreement that meets the requirements of Article 28 UK GDPR. We keep evidence of each processor’s security posture on file and review it at least annually.

8. Health and Safety

Health and safety is managed by (Health and Safety Officer), who is responsible for:

• Maintaining the health and safety policy and associated procedures.
• Conducting and reviewing workplace and environmental risk assessments.
• Ensuring that fire safety checks, equipment servicing, and PAT testing are completed on schedule.
• Monitoring COSHH compliance for any hazardous substances used in care delivery.
• Investigating RIDDOR-reportable events and submitting reports to the Health and Safety Executive.
• Reporting health and safety performance to the Registered Manager quarterly.

All staff receive health and safety training as part of their induction, including manual handling, fire safety, and COSHH awareness. Refresher training is delivered annually or more frequently where risk assessments require it.

9. Roles and Responsibilities

The following table sets out the quality responsibilities attached to each named role. Where a named individual is absent, their responsibilities are covered by the person identified in the business continuity plan.

Role	Quality responsibilities
	Registered Manager. Holds overall accountability for quality, regulatory compliance, and the day-to-day management of the service. Specific responsibilities include: Owning and reviewing this Quality Management Statement.Leading the internal audit programme.Producing monthly, quarterly, and annual quality reports.Overseeing Care Pathway Pro configuration and staff training.Managing incident response, learning, and CQC notifications.Chairing the monthly management meeting.Reporting quality performance to the Company directors.
	Safeguarding Lead. Receives and triages safeguarding concerns, liaises with the local authority designated officer and safeguarding adults board, ensures internal protective measures are actioned without delay, and maintains the safeguarding log. Ensures all staff receive safeguarding training during induction and annually.
	Data Protection Lead. Maintains the ICO registration and records of processing activities. Oversees access controls within Care Pathway Pro. Manages data subject access requests, deletion requests, and portability requests. Leads the breach response procedure and maintains the breach register. Reviews data processing agreements with third parties.
	Health and Safety Officer. Conducts workplace and environmental risk assessments. Monitors RIDDOR-reportable events and submits reports. Maintains the health and safety policy and ensures equipment servicing, fire safety checks, and PAT testing are completed on schedule.
Care Coordinators / Team Leaders	Carry out spot checks, supervisions, observed practice, and care plan reviews. Complete weekly care log audits. Escalate quality concerns to the Registered Manager and contribute to improvement actions.
All care-delivering staff	Follow agreed care plans. Record accurately and in real time on Care Pathway Pro. Raise concerns through whistleblowing and safeguarding routes. Report incidents and accidents at the point of occurrence. Complete required training and attend supervisions. Treat people who use our services with dignity and respect at all times.

10. Monitoring and Review

This statement is reviewed at least once every twelve months, and sooner where there is:

• A material change to legislation, regulation, or CQC guidance.
• A change to the services we deliver, the locations we operate from, or the systems we use.
• A finding from an audit, inspection, complaint investigation, or serious incident that requires a change to the quality framework.
• A request from a commissioning body or contract monitoring officer.

The review is led by (Registered Manager). The version history is maintained in the document control table at the front of this document. Superseded versions are archived for a minimum of three years.

11. Related Documents

This statement should be read alongside the following policies, all of which are held on the staff portal and are available to staff, regulators, and commissioners on request:

• Statement of Purpose
• Service User Guide
• Safeguarding Adults Policy
• Mental Capacity and DoLS Policy
• Data Protection and Confidentiality Policy
• IT and Acceptable Use Policy
• Complaints Policy
• Whistleblowing (Raising Concerns) Policy
• Incident Reporting and Notifications Policy
• Medication Policy
• Infection Prevention and Control Policy
• Recruitment and Selection Policy
• Supervision and Appraisal Policy
• Training and Development Policy
• Health and Safety Policy
• Equality, Diversity, and Inclusion Policy
• Lone Working Policy
• Business Continuity Plan
• Records Retention Schedule