This guidance has been reviewed by the Health and Care Information Governance Panel, including the ICO and NDG.

The panel exists to simplify information governance guidance. Have we done a good job? Let us know at datapolicyhub@nhsx.nhs.uk.

Bring your own device (BYOD) guidance

mobile patient.jpg

Bring your own device (BYOD) is a service offered by organisations to their employees to enable them to use their own devices for work, e.g. mobile phones, laptops and tablets. 

During the COVID-19 period the high level messages still apply.



Guidance for patients and service users

This guidance will help doctors, nurses and other health and care staff use their own devices safely and securely in the work they do.


Guidance for healthcare workers

It should be possible for you to use your own device where there is no practical alternative. You should however refer to your organisation’s policies before using your own device for work.

If you choose to use your own device for work, your organisation should ask you to sign an acceptable use policy. This could include for example, seeking your agreement to:

  • set a strong password
  • use secure channels to communicate e.g. tools/apps that use encryption
  • not store personal/confidential patient information on the device unless absolutely necessary and appropriate security is in place

Guidance for IG professionals

Enabling staff to use their own device for work can bring benefits for example, to support communications with other colleagues or to access information on the move. It is possible to implement a BYOD policy which ensures that risks are managed and appropriate controls are implemented. Here are the key things you need to consider relating to BYOD. 

  1. Use a Data Protection Impact Assessment (DPIA) to identify any privacy risks
  2. Develop a BYOD policy so that staff are clear about responsibilities and acceptable use. For example recommending security standards such as setting strong passwords. Read our guidance on developing a BYOD policy.
  3. Consider how you will meet any legal requirements. For example, how will you respond to a Freedom of Information Act request if a staff member is on holiday? Have you considered in your BYOD policy, advice about backing up data to ensure that data is not backed up outside of the EU, which could breach the Data Protection Act?
  4. Audit and monitor compliance with the policy. Regular checks will ensure that the policy is being adhered to 
  5. Support staff to ensure that they are protected against unauthorised or unlawful access, for example if the device is lost or stolen. This remains your responsibility as the data controller. Such measures can include controlling access to the data or device using a password or PIN, or encrypting the data. 

Further Information

mobile patient.jpg