Digital Identity, Passwords and Personal Control in LD Services

Digital identity is now part of ordinary life in learning disability services. People may need email accounts, passwords, banking access, online shopping logins, health portal access, benefits accounts, app permissions and device security. Strong providers connect this work to the wider Learning Disability Services Knowledge Hub, because digital identity is now linked to independence, privacy, citizenship and rights.

This sits within learning disability legal frameworks and rights, especially where capacity, consent, privacy, safeguarding, financial abuse and best interests overlap. It also affects learning disability service models and pathways, because modern supported living, outreach, residential and transition services increasingly support people to access digital systems safely.

The practical standard is that providers should be able to evidence who controls digital accounts, what support staff provide, how passwords are protected, what the person understands and how risks are reviewed without taking ownership away from the person.

Concept Explained Clearly

Digital identity means the accounts, logins, passwords, verification codes, devices and permissions that allow a person to act online as themselves. It can affect money, health, housing, benefits, relationships, purchases, appointments and communication.

The rights issue is personal control. If staff hold passwords, manage accounts, receive verification codes or speak online on the person’s behalf, the provider must be clear about consent, authority, necessity and safeguards.

Why It Matters in Real Services

Digital identity can be taken over quietly. Staff may keep passwords in offices, use shared email addresses, set up accounts with staff-controlled recovery details or manage apps because it feels easier. This may appear helpful, but it can reduce privacy, independence and accountability.

Providers should be able to evidence that digital support is enabling. Strong services demonstrate that people are supported to control their own digital identity wherever possible.

What Good Looks Like

Good practice means supporting people to understand accounts, passwords, recovery options, verification codes, scams and privacy. Staff should provide prompts and accessible support without unnecessarily becoming the account holder or gatekeeper.

Strong services demonstrate a clear line of sight from digital access need to support arrangement to personal control.

Operational Example 1: Staff Holding Passwords for Online Accounts

Context

A person used several online accounts but often forgot passwords. Staff kept a password list in the office so they could help quickly with shopping, email and appointments.

Five Practical Steps

  1. The provider reviewed which passwords were held, why and who could access them.
  2. Staff supported the person to understand privacy, account control and safer password options.
  3. A password manager and recovery process were explored with the person’s consent.
  4. Staff stopped using office-held password lists except where lawful authority was clearly evidenced.
  5. Governance reviewed account access, staff boundaries and safeguarding risks.

Support Approach and Day-to-Day Delivery

The provider moved from staff-controlled access to supported access. Staff prompted the person through login steps and recovery processes, while the person retained ownership of accounts.

How Effectiveness Was Evidenced

Evidence included consent records, password practice review, staff supervision, account access checks and person feedback. The person retained digital access with stronger privacy and less staff control.

Deepening the Approach

Digital identity decisions should be considered alongside mental capacity, consent and best interests in learning disability services. A person may understand using an app but not the implications of giving someone else a password or recovery email.

Strong providers avoid broad statements such as “staff support online access”. They specify what account is involved, what support is provided, what the person controls and what safeguards are in place.

Operational Example 2: Health Portal Access and Privacy

Context

A person’s health portal was set up using a staff email address because the person did not have an email account at the time. Appointment letters, test results and medication messages were therefore going to the service office.

Five Practical Steps

  1. The provider reviewed whether staff-controlled portal access remained necessary.
  2. Staff supported the person to understand what health information appeared in the portal.
  3. An individual email account was created with accessible recovery support.
  4. Portal access was transferred so the person was not dependent on the service office.
  5. Governance reviewed privacy, clinical communication and support arrangements.

Support Approach and Day-to-Day Delivery

The provider recognised that health information belongs to the person. Staff continued to support appointments and interpretation, but the account itself was moved closer to the person’s control.

How Effectiveness Was Evidenced

Evidence included consent notes, portal access records, staff guidance, appointment records and person feedback. The person had better privacy while still receiving health support.

Systems, Workforce and Consistency

Teams need clear boundaries for digital identity support. Staff should know when they can help with logins, when they must not hold passwords, how to respond to verification codes and when safeguarding advice is needed.

Handovers should record agreed digital support boundaries, not actual passwords. Supervision should test whether staff are enabling access or informally controlling digital identity because it feels convenient.

The principles in day-to-day MCA practice in learning disability support reinforce that ordinary digital support can still involve consent, privacy, capacity and least restrictive decision-making.

Operational Example 3: Benefits Account and Supported Access

Context

A person needed support to access an online benefits account. Staff had historically logged in for them, read messages and responded to tasks. The person said they wanted to know what was being written in their name.

Five Practical Steps

  1. The provider clarified what support was needed and what decisions belonged to the person.
  2. Staff explained account messages in accessible language before any response was submitted.
  3. The person agreed which staff could support access and when.
  4. Records showed what the person chose, what staff typed and what was submitted.
  5. Governance reviewed whether digital benefits support remained transparent and person-led.

Support Approach and Day-to-Day Delivery

The provider stopped treating online administration as a staff task. Staff supported the person to understand messages, make choices and approve responses before anything was submitted.

How Effectiveness Was Evidenced

Evidence included support notes, consent records, account task logs, supervision and review minutes. The person became more involved in decisions affecting their benefits and responsibilities.

Governance and Evidence

Governance should show that digital identity support is lawful, proportionate and auditable. Useful evidence includes consent records, capacity notes, account access reviews, password policies, staff supervision, safeguarding records, financial checks and quality audits.

Data can show staff-held passwords, shared accounts, unclear recovery details, financial concerns, privacy incidents and complaints. Qualitative evidence shows whether the person feels supported, excluded, controlled or confident.

Providers should be able to evidence a clear line of sight from digital access need to support method to outcome. Where staff manage any part of digital identity, records should explain why, under what authority and when review will happen.

Commissioner and CQC Expectations

Commissioners expect providers to support digital inclusion, financial safety, access to services and independence without creating unmanaged privacy or safeguarding risks. They look for evidence that digital support is modern, lawful and person-led.

CQC expectations include consent, dignity, safeguarding, person-centred care and good governance. Inspectors may review whether staff access accounts appropriately, whether passwords are protected and whether people retain control wherever possible. Strong services demonstrate that digital identity is treated as part of rights-based support.

Common Pitfalls

  • Keeping password lists in staff offices.
  • Using staff email addresses for personal accounts.
  • Submitting online forms without recording the person’s agreement.
  • Assuming digital administration is too complex for the person to understand.
  • Failing to review who controls recovery details and verification codes.
  • Allowing convenience to replace consent.
  • Not treating digital identity concerns as potential safeguarding risks.

Conclusion

Digital identity is now a core rights issue in learning disability services. Providers should be able to evidence how people are supported to access accounts, protect passwords, understand online responsibilities and retain personal control. Strong services do not take over digital identity for convenience; they build the support people need to act online as themselves.