Bring your own device (BYOD) policy
Bring your own device (BYOD) is the practice of allowing staff to use their own devices in the workplace and to use those devices to securely access the organisation’s systems, applications and information. This can mean using their own smartphones, tablets or laptops for work.
BYOD is optional and offered to provide greater flexibility. It may not be available to all staff.
This policy provides guidance which you must follow when using your own device at work. All users of BYOD are required to read this policy in full and confirm they understand and will comply with it.
A summary of important points is provided below.
- keep your passwords secure
- use biometric features to secure the device if possible
- keep your operating system updated
- be careful who can see your screen when accessing work systems
- report lost or stolen devices
- be aware of your responsibility for all costs
- help IT to conduct spot checks if required
- inform IT if you leave employment with the organisation
- share your device or passwords
- make copies of data or take screenshots
- access systems without authorisation
- save work in unapproved locations or applications
This policy applies to all staff and authorised third parties of the organisation who voluntarily choose to use BYOD.
The BYOD service includes a range of systems and access may vary by individual depending on the requirements of individual roles.
Available systems include:
- intranet and web browsing
- internal web-based systems
- rotas and scheduling
- communication systems
- reporting systems
- clinical systems
The aims of this policy
This policy is in place to make sure:
- BYOD systems and data are used appropriately, legally and securely
- personal devices are used in a way which protects confidentiality in accordance with GDPR
- staff clearly understand their responsibilities when using BYOD
Due to the rapid pace of change it is not possible to support BYOD on all devices. BYOD will only be supported on devices which can run the latest version of the Apple or Android operating system. Staff will be expected to make sure their devices are kept updated or risk losing access to some systems.
Devices must be encrypted and have passcode or biometric security if available with a timeout to lock automatically after 5 minutes of inactivity. Jailbroken or rooted devices are strictly prohibited. Staff must not circumvent security controls.
The organisation’s BYOD software must be installed on devices in order for access to be granted to systems. Staff must not remove or modify the BYOD software on their device.
Technical support will be limited to the organisation’s BYOD software and systems.
Connectivity by wifi or mobile data contracts will be the responsibility of the device owner.
Devices may connect over guest or NHS wifi but are not permitted to connect directly to the corporate network.
Use of BYOD and access to corporate systems is subject to other organisation policies and practices and does not override or supercede them.
BYOD is optional and may not be appropriate in all roles.
The organisation reserves the right to revoke access if staff do not follow this policy.
Staff may only connect to organisation systems for the purpose of authorised work.
Use of a device that has access to work systems by BYOD should be limited to its owner and must not be shared.
Devices must be maintained as stated in the 'supported devices' section.
You should always keep your account log in details, passwords and pins confidential and never share them with anyone.
Staff should be conscious of the setting in which devices are being operated and should ensure data and systems displayed are not visible to others. Data accessed must not be saved to the device or copied off it. Screenshots of systems must not be taken.
- inform IT if they leave employment with the organisation
- comply with all relevant legislation including not using BYOD whilst driving
You must read and understand and adhere to other key policies including:
- IT acceptable use policy
- IT security policy
- mobile working policy
You must immediately inform IT if:
- their password has been breached
- their device gets lost or stolen
- organisational systems are not working normally
Loss or damage
The organisation will not accept any liability for loss or damage of personal devices and data that are using the BYOD system.
Staff should inform IT immediately if they lose their personal device or have it stolen. IT will attempt to remotely wipe or disable the device.
Staff should only use the BYOD policy to access work systems during working hours.
Staff should only access systems which they require and normally use.
Staff should never try to access systems for which they are not authorised.
Confidential data should only be accessed for a specific work-related requirement.
Any suspected breach must be immediately reported to IT.
Staff are solely responsible for all costs associated with purchasing, running, repairing and replacing their personal devices used with BYOD.
Staff are responsible for all mobile data or wifi hotspot costs related to BYOD usage and should monitor these to ensure they have sufficient allowance.
The organisation will monitor usage of BYOD devices from time to time including the make and model of devices in use and the version of the operating system currently installed. Where operating systems are found to be out of date the staff member will be informed and expected to upgrade to the most current version within 5 days.
Failure to remediate will result in access to BYOD services being withdrawn.
Spot checks on BYOD devices may be initiated at any time and staff will be expected to allow access to authorised personnel to check settings related to BYOD usage. Spot checks will always be conducted in the presence of the staff member and devices will never be taken away from their owner.
Technical support personnel can access details on usage of corporate applications via the BYOD system but cannot access personal application data. In some instances, device location may be collected but this data will only be used if the device is lost or stolen.
The organisation is committed to digital equity. All systems accessible through BYOD are also available on the corporate network and computer system.
Where there is a genuine business need for a mobile device, and BYOD is not the staff members preferred option, the organisation will provide suitable device.