Bring Your Own Device (BYOD) Policy

Introduction

Bring Your Own Device (BYOD) is the practice of allowing staff to utilise personally owned devices (such as smartphones, tablets or laptops) in the workplace, and to use those devices to securely access the organisation’s systems, applications and information.

BYOD is optional and offered to provide greater flexibility. It may not be available to all staff.

This policy provides guidance which must be followed when using your own device at work. All users of BYOD are required to read this policy in full and confirm they understand and will comply with it. A summary of important points is provided below.


Do

  • Keep your passwords secure
  • Use biometric features to secure the device if possible
  • Keep your operating system updated
  • Be careful who can see your screen when accessing work systems
  • Report lost or stolen devices
  • Be aware of your responsibility for all costs 
  • Allow IT to conduct spot checks if required
  • Inform IT if you leave employment with the organisation

Don't

  • Don’t share your device or passwords 
  • Don’t make copies of data or take screenshots 
  • Don’t access systems without authorisation
  • Don’t save work in unapproved locations or applications


Scope

This policy applies to all staff and authorised third parties of the organisation who voluntarily choose to use BYOD.

The BYOD service includes a range of systems and access may vary by individual depending on the requirements of individual roles.

Available systems include:

  • Email
  • Calendar
  • Intranet and web browsing
  • Internal web-based systems
  • Rotas and scheduling 
  • Communication systems
  • Reporting systems
  • Clinical systems

Aims

To ensure BYOD systems and data are used appropriately, legally and securely.

To ensure personally owned devices are used in a manner which protects confidentiality in accordance with GDPR.

To ensure staff clearly understand their responsibilities when using BYOD.

Supported Devices

Due to the rapid pace of change it is not possible to support BYOD on all devices.

BYOD will only be supported on devices which will run the latest version of the Apple or Android operating system. Staff will be expected to ensure devices are kept updated or risk losing access to some systems.

Devices must be encrypted and have a passcode or, if available, biometric security, with a timeout to lock automatically after 5 minutes of inactivity. Jailbroken or rooted devices are strictly prohibited. Staff must not circumvent security controls.

The organisation’s BYOD software must be installed on devices in order for access to be granted to systems. Staff must not remove or modify the BYOD software on their device.

Technical support will be limited to the organisation’s BYOD software and systems.

Connectivity via WiFi or mobile data contracts will be the responsibility of the device owner.

Access

Devices may connect over Guest / NHS WiFi but are not permitted to connect directly to the corporate network.

Use of BYOD and access to corporate systems is subject to other organisation policies and practices and does not override or supersede them.

BYOD is optional and may not be appropriate in all roles.

The organisation reserves the right to revoke access if staff do not follow this policy.

Responsibilities

Staff may only connect to organisation systems for the purpose of authorised work.

Use of a device that has access to work systems via BYOD should be limited to its owner and must not be shared. Devices must be maintained as stated in section 4.

Account logons, passwords and PINs must be kept confidential and never shared with others.

Staff should be conscious of the setting in which devices are being operated and should ensure data and systems displayed are not visible to others. Data accessed must not be saved to the device or copied off it. Screenshots of systems must not be taken.

Staff must inform IT if they leave employment with the organisation.

Staff must comply with all relevant legislation including not using BYOD whilst driving.

Staff must read, understand and adhere to other key policies including:

  • IT Acceptable Use Policy
  • IT Security Policy
  • Mobile Working Policy

Staff must immediately inform IT if:

  • Their password has been breached
  • Their device gets lost or stolen
  • Organisational systems are not working normally

Loss or Damage

The organisation will not accept any liability for loss or damage of personal devices and data that are using the BYOD system.

Staff should inform IT immediately if they lose their personal device or have it stolen. IT will attempt to remotely wipe or disable the device.

Acceptable Use

Staff should only use BYOD to access work systems during working hours.

Staff should only access systems which they require and normally use.

Staff should never try to access systems for which they are not authorised.

Confidential data should only be accessed for a specific work-related requirement.

Any suspected breach must be immediately reported to IT.

Costs

Staff are solely responsible for all costs associated with purchasing, running, repairing and replacing their personal devices used with BYOD.

Staff are responsible for all mobile data or WiFi hotspot costs related to BYOD usage and should monitor these to ensure they have sufficient allowance.

Monitoring

The organisation will monitor usage of BYOD devices from time to time including the make and model of devices in use and the version of the operating system currently installed. Where operating systems are found to be out of date the staff member will be informed and expected to upgrade to the most current version within 5 days. 

Failure to remediate will result in access to BYOD services being withdrawn.

Spot checks on BYOD devices may be initiated at any time and staff will be expected to allow access to authorised personnel to check settings related to BYOD usage. Spot checks will always be conducted in the presence of the staff member and devices will never be taken away from their owner.

Technical support personnel can access details on usage of corporate applications via the BYOD system but cannot access personal application data. In some instances, device location may be collected but this data will only be used if the device is lost or stolen.

Digital Equity

The organisation is committed to digital equity. All systems accessible via BYOD are also available via the corporate network and computer system.

Where there is a genuine business need for a mobile device, and BYOD is not the staff member’s preferred option, the organisation will provide a suitable device.