Bring Your Own Device (BYOD)
This policy applies to anyone who works remotely or who brings their own computer (or other devices, for example mobile telephones or tablets) into work. The policy covers anyone who works exclusively on their personal laptop as well as those who occasionally receive work-related emails on their mobile telephones.
The purpose of the policy is to set out how you should ensure that you protect any personal data while working from home or when bringing your own devices to work (BYOD). This policy should be read in conjunction with our data protection policy and use of social media policy.
Who is allowed to bring their own device to work?
All employees are allowed to use their personal device for work-related activities.
If you wish to use your own device for work-related activities, you should contact the data protection officer (DPO) in writing with the name and model of the device and the purpose for which it is intended to be used. [The Company has a list of devices that it has assessed as providing the appropriate level of security for the processing of personal data. The list is available from the DPO].
Special category data
"Special category data" is information about an individual's racial or ethnic origin; political opinions; religious beliefs or philosophical beliefs; trade union membership (within the meaning of the Trade Union and Labour Relations (Consolidation) Act 1992); physical or mental health or condition (including genetic or biometric data); and sex life or sexual orientation. Information related to criminal records and convictions is also treated as special category data for the purposes of this policy.
You must not process special category data on a personal device, and you should check whether any special category data has reached your personal device by any means. If you discover any special category data on your device, you should notify the DPO immediately and arrange for its permanent deletion from the device.
OR
Only authorised employees may store special category data on a personal device and only if the device has a sufficiently high level of encryption.
Employees' obligations regarding BYOD
Security
Before using your own device for work-related purposes, you must ensure that you use a strong password to lock the device. The device must be capable of locking automatically [and deleting data automatically] if an incorrect password is entered after several attempts [or if the device is inactive for [specify period of time]]. [Employees must know exactly what data might be deleted automatically.]
In addition, you must:
- use encryption software on your devices to store personal data securely;
- ensure that if you transfer data (either by email or by other means), you do so via an encrypted channel (for example a VPN for individual services);
- ensure that you assess the security of any open network or Wi-Fi connection (you should not use unsecured Wi-Fi networks);
- not download unverified or untrusted apps that may pose a threat to the security of the information held on your devices;
- not, under any circumstances, use personal information held by the Company for any purpose other than your work and as directed or instructed by the Company;
- use different applications for business and personal use;
- ensure that you have software in place that can quickly and effectively revoke the access that another person might gain to the device in the event of loss or theft;
- make sure that any software that you use is genuine software installed under an appropriate licence agreement between you and the relevant manufacturer, to reduce the risk of security vulnerabilities;
- report the loss or theft of a device used for work-related activities immediately to the DPO; and
- report any data breaches of which you become aware to the DPO immediately.
[Employees are permitted to access any document on the Helpful Technology Limited [server/network/private cloud]. Employees must always log out of the Helpful Technology Limited [server/network/private cloud] between sessions.]
You must not use public cloud-based sharing or public back-up services without prior authorisation from the DPO.
[An employee is not permitted to download or access certain applications or types of data that require the identification of the employee's location or an additional level of authentication.]
Mobile device management
You must ensure that your device is subject to mobile-device management so that if the device is stolen, upgraded, sold or recycled, or given to family or friends, you are able to locate the device remotely and delete data on demand. You must limit the purpose of mobile-device management to locating the device and remotely deleting data. If the device is stolen, you must be able to wipe any confidential data on the device immediately and effectively by way of a remote "locate and wipe" facility.
Technical Support
If you require any technical support with your devices, you should ensure that the third party providing such support has access to data only insofar as is necessary to complete the work, and that data is not transferred to a third-party device unless there is no other way of rectifying the technical problem. If data is transferred to a third-party device, the third party must warrant, and you must ensure, that the information is removed permanently from that third-party device once the problem has been rectified.
Retention of personal data
You must not retain personal data for longer than is necessary for the purpose for which it is being used, unless there is a requirement to retain it for longer to comply with any legal obligation. If you are in any doubt, you should contact the DPO.
Deletion of personal data
You must ensure that if you delete information, it is deleted permanently rather than left in the device's recycle bin or trash folder. You may need to use overwriting software to achieve this. However, this is not always practicable, for example where the information is stored or categorised together with other information that is still live. In these circumstances, it is sufficient for you to put the information "beyond use". This means that you must:
- ensure that you do not use the personal information to make any decision that affects an individual or in a manner that affects an individual in any way;
- not give any other organisation access to the personal data in any way;
- surround the personal data with appropriate technical and organisational security; and
- commit to the permanent deletion of the information if and when this becomes possible.
If you use removable media, for example a USB stick, to transfer personal data, you must ensure that the personal data is deleted once the transfer is complete.
Co-operation with subject access requests
Any individual whose personal data is held by the Company has the right to make a subject access request or SAR (see Helpful Technology Limited’s data protection policy for more information). This means that, if an individual makes a subject access request, the Company may need to access your device to retrieve any data that is held on it about the individual. You must allow the Company to access the device and to carry out a search to find any information about the individual held on the device. You should be mindful that this may need to include conducting a suitable search of applications such as WhatsApp or other communication applications where these tools are habitually used for work-related purposes, even if their primary purpose is for your personal use. In conducting any legitimate search of your personal device for the purposes of completing a subject access request, the Company will not seek to view any personal content that has no bearing on the scope of the SAR, and the Company will limit its search of your device to what is needed to satisfy the parameters of the request that it has a legal obligation to fulfil.
Third-party use of device
You must ensure that if family or friends use your devices, they are unable to gain access to any personal information that is work-related by, for example, password-protecting it.
Termination of employment
If you leave the Company, you must delete all work-related personal data on your own device prior to your last day with the Company. The Company reserves the right to request a written undertaking from you to confirm that this action has been completed.
Monitoring
As part of its ongoing obligations under the GDPR, the Company will monitor data protection compliance in general and compliance with this policy. This monitoring is in the Company’s legitimate interests, to ensure that the policy is being complied with, and to ensure that the Company is complying with its legal obligations under the GDPR.
Monitoring will consist of [insert details of the monitoring that will be carried out]. Applications that have been installed for personal use will not be monitored: monitoring will be limited to business-related applications.
[Monitoring will normally be conducted by a Company Director. The information obtained through monitoring may be shared internally, including with your line manager and other key personnel only if access to the data is necessary for performance of their roles. However, information would normally only be shared in this way if the Company has reasonable grounds to believe that this policy has not been followed.]
[The information gathered through monitoring will be retained only long enough for any breach of this policy to come to light and for any investigation to be conducted. Data is normally securely destroyed after [number of days/weeks, depending on reasons for monitoring].]
Employees have a number of rights in relation to their data, including the right to have data rectified or erased in some circumstances. You can find further details of these rights and how to exercise them in our data protection policy. If you believe that the Company has not complied with your data protection rights, you can complain to the Information Commissioner’s Office.
Consequences of non-compliance
If you are suspected of breaching this policy, the Company will investigate the matter under its disciplinary procedure. If any breaches are established, this could result in disciplinary action up to and including dismissal. You may also incur personal criminal liability for breaching this policy.
Review of procedures and training
The Company will provide training to all employees on data protection matters on induction and on a regular basis thereafter. If you consider that you would benefit from refresher training, you should contact the Strategy and Client Services Director.
The Company will review and ensure compliance with this policy at regular intervals.