Bring Your Own Device to Work Policy


About this policy

We recognise that many of our staff have personal mobile devices (such as tablets, smartphones and handheld computers), which they could use for business purposes, and that there can be benefits for both us and staff, including increased flexibility in our working practices, in permitting such use. However, the use of personal mobile devices for business purposes gives rise to increased risk in terms of the security of our IT resources and communications systems, the protection of confidential and proprietary information and reputation, and compliance with legal obligations.

No one is required to use their personal mobile device for business purposes. It is a matter entirely for each person’s discretion. We have chosen to implement this policy as we recognise that using personal mobile devices for business purposes can offer increased flexibility and autonomy for our staff. However, we also encourage our staff to consider carefully how and when you use your device, and maintain an effective balance between work and personal life.

This policy covers all employees, officers, consultants, contractors, volunteers, interns, casual workers and agency workers.

Personnel responsible for this policy

The Registered manager has overall responsibility for the effective operation of this policy.

All staff are responsible for the success of this policy. Any misuse (or suspected misuse) of a device or breach of this policy should be reported to the senior on shift.

If you have any questions regarding this policy or have questions about using your device for business purposes which are not addressed in this policy, please contact the Registered Manager.

Monitoring

The contents of our systems and company data are our property. All materials, data, communications and information, including but not limited to e-mail (both outgoing and incoming), telephone conversations and voicemail recordings, instant messages and internet and social media postings and activities, created on, transmitted to, received or printed from, or stored or recorded on a device (collectively referred to as content in this policy) during the course of business or on our behalf is our property, regardless of who owns the device.

We reserve the right to monitor, intercept, review and erase, without further notice, all content on the device that  we reasonably believe is the property of Derbyshire House or contains confidential information about Derbyshire House or any of our residents. This might include, without limitation, the monitoring, interception, accessing, recording, disclosing, inspecting, reviewing, retrieving and printing of messages, communications, postings, log-ins or recordings and other uses of the device.

Monitoring, intercepting, reviewing or erasing of content will only be carried out to the extent permitted by law in order for us to comply with a legal obligation or for our legitimate business purposes, including, without limitation, in order to:

  • prevent misuse of the device and protect company data or confidential information; and
  • ensure compliance with our rules, standards of conduct and policies in force from time to time (including this policy);

You acknowledge that the company is entitled to conduct such monitoring where it has a legitimate basis to do so, and you confirm your agreement (without further notice or permission) to our right to copy or erase any items we reasonably believe is the property of Derbyshire House or contains confidential information about Derbyshire House or any of our residents.

You also agree that you use the device at your own risk and that we will not be responsible for any losses, damages or liability arising out of its use, including any loss, corruption or misuse of any content or loss of access to or misuse of any device, its software or its functionality.

Security requirements

You must:

  • at all times, use your best efforts to physically secure the device against loss, theft or use by persons who we have not authorised to use the device. You must secure the device whether or not it is in use and whether or not it is being carried by you. This includes, but is not limited to, passwords, encryption, and physical control of the device;
  • protect the device with a PIN number or strong password, and keep that PIN number or password secure at all times. The PIN number or password should be changed regularly. If the confidentiality of a PIN number or password is compromised, you must change it immediately. The use of PIN numbers and passwords should not create an expectation of privacy by you in the device;
  • maintain the device’s original operating system and keep it current with security patches and updates. Rooted (Android) or jailbroken (iOS) devices are strictly forbidden from accessing out systems or company data;
  • not download or transfer any company data or copies of any confidential information to the device, for example via e-mail attachments, unless specifically authorised to do so. Staff must immediately erase any such information that is inadvertently downloaded to the device;
  • not use a device to capture images, video, or audio, within the workplace.

We reserve the right, without further notice or permission, to inspect your device and access data and applications on it, and copy, disclose, wipe or otherwise use some or all of the company data on it for legitimate business purposes, which include (without limitation) enabling us to:

  • inspect any company data stored on the device or on backup or cloud-based storage applications and prevent misuse of the device and protect company data;
  • investigate or resolve any security incident or unauthorised use of our systems or data;
  • conduct any relevant compliance obligations (including in relation to concerns regarding confidentiality, data protection or privacy); and
  • ensure compliance with our rules, standards of conduct and policies in force from time to time (including this policy).

You must co-operate with us to enable such inspection, access and review, including providing any passwords or PIN numbers necessary to access the device or relevant applications. A failure to co-operate with us in this way may result in disciplinary action being taken, up to and including dismissal.

We will not track any personal devices via GPS or location based Wi-Fi.

Lost or stolen devices and unauthorised access

In the event of a lost or stolen device, or where a staff member believes that a device may have been accessed by an unauthorised person or otherwise compromised, the staff member must report the incident to the Registered Manager immediately.

Appropriate steps will be taken to ensure that company data on or accessible from the device is secured, including remote wiping of the device where appropriate. The remote wipe will destroy all company data on the device (including information contained in a work e-mail account, even if such e-mails are personal in nature). Although we do not intend to wipe other data that is strictly personal in nature (such as photographs or personal files or e-mails), it may not be possible to distinguish all such information from company data in all circumstances. You should therefore regularly backup all personal data stored on the device.

Personal data

We have a legitimate basis on which to access and protect company data stored or processed on your device, including the content of any communications sent or received from the device. However, we recognise the need to balance our obligation to process data for legitimate purposes, with your expectations of privacy in respect of your personal data. Therefore, when taking (or considering taking) action to access your device or delete data on your device (remotely or otherwise) in accordance with this policy, we will, where practicable:

  • consider whether the action is proportionate in light of the potential damage to the company, our customers or other people impacted by company data;
  • consider if there is an alternative method of dealing with the potential risks to the company’s interests (recognising that such decisions often require urgent action);
  • take reasonable steps to minimise loss of your personal data on your device, although we shall not be responsible for any such loss that may occur; and
  • delete any such personal data that has been copied as soon as it comes to our attention (provided it is not personal data which is also company data, including all personal emails sent or received using our email system).

Appropriate use

You must be aware of our and your obligations under the relevant data protection legislation when processing company data. You must ensure that company data is used only for the business purposes for which it was intended, and that you do not use it for a purpose different from that for which it was originally intended.

You should never access or use our systems or company data through a device in a way that breaches any of our other policies. For example, you must not use a device to:

  • breach any obligations that relevant regulatory bodies may have relating to confidentiality and privacy;
  • breach our Disciplinary Rules;
  • breach our Anti-harassment and bullying policy;
  • breach our Equal opportunities policy; or
  • breach our Data protection policy.

If you breach any of the above policies you may be subject to disciplinary action up to and including dismissal.

Use of your personal device during working hours should only be used for legitimate business reasons.

Technical support

We do not provide technical support for devices. If you use a device for business purposes you are responsible for any repairs, maintenance or replacement costs and services.

Costs and reimbursements

You must pay for your own device costs under this policy, including but not limited to voice and data usage charges and any purchase and repair costs. You acknowledge that you alone are responsible for all costs associated with the device and that you understand that your business usage of the device may increase your voice and data usage charges.