Summary: This policy outlines the processes and controls the Trust uses to facilitate a BYOD scheme that enables staff to use personal devices to access Trust resources.
Keywords (minimum of 5, to assist policy search engine): Bring Your Own Device, BYOD, Personal Devices, Mobile Working, Tablet, Smartphone, Good
Target Audience: The policy relates to any staff member who uses (or who manages a staff member who uses) the Southern Health NHS Foundation Trust Bring Your Own Device (BYOD) scheme.
BYOD Policy
Version: 1
March 2016
Version Control
Change Record
Reviewers/contributors
Name | Position | Version Reviewed & Date
Contents
1. Introduction .................................................................................................................... 4
2. Scope............................................................................................................................. 4
3. Duties / Responsibilities ................................................................................................. 4
4. Data Protection .............................................................................................................. 5
5. Physical Security ............................................................................................................ 6
6. Mobile Device Management ........................................................................................... 6
7. Applying for the service .................................................................................................. 7
8. Device Support .............................................................................................................. 7
9. Connecting Devices to the Trust Networks ..................................................................... 8
10. Reimbursement .............................................................................................................. 8
11. References and Associated Documentation ................................................................... 8
Bring Your Own Device (BYOD) Policy
1. Introduction
1.1. The Trust aims to take advantage of the many benefits offered by new and emerging
mobile technologies and, in line with the overall Trust strategy to facilitate a mobile and
flexible workforce, seeks to enable the use of personal devices to access corporate
data – a scenario commonly referred to as Bring Your Own Device (BYOD).
1.2. Along with the advantages of BYOD there are additional risks which must be
effectively managed to protect the Trust, its staff, patients and the services and data
on which they rely, against known and emerging threats. Any user of a personal device
used to store and/or process Trust information shall comply with this policy in addition
to the more general ICT Security Policy.
1.3. The key principle of BYOD is that the user owns, maintains and supports the device. This has advantages in terms of support requirements, although it also means that the data controller will have significantly less control over a BYOD device than it would have over a traditional corporately owned one. This policy outlines the controls, both process and technical, that the Trust has in place to ensure data on non-Trust devices remains secure and under the Trust's influence at all times. It also sets out the detailed instructions that must be followed whilst using a BYOD enabled device to carry out Trust related work.
2. Scope
2.1. This policy applies to all Trust employees – including voluntary workers employed under special contracts and employees of organisations contracted to the Trust – who take part in the Trust BYOD scheme. It also applies to staff in management roles whose team members are part of the scheme.
2.2. This policy focuses on smartphones and tablet computers, often categorised together as smart devices, and includes devices manufactured by a range of companies (Apple, HTC, Nokia, etc.) and running several different operating systems (Android, iOS, Windows 8.1, etc.). The important distinction is that these are personal devices and are not supported or maintained by Southern Health ICT services.
3. Duties / Responsibilities
3.1. Ultimately, responsibility for ICT Security rests with the Chief Executive who has
delegated much of this responsibility to the Senior Information Risk Officer.
Routinely, the ICT Security Specialist is responsible for developing, managing and
implementing ICT Security policies/processes on a daily basis.
3.2. In addition to the responsibilities outlined in the Trust ICT Security Policy the ICT
Department will:
3.2.1. Ensure all requests to take part in the BYOD scheme are provisioned in line
with the process outlined within this policy.
3.2.2. Ensure that all devices have a security policy applied which reflects the
controls stated within this policy.
3.3. Line Managers are responsible for ensuring that:
3.3.1. staff have an appropriate business need to be part of the BYOD scheme, and for giving budgetary approval to cover the cost of the service;
3.3.2. staff authorised to take part in the BYOD scheme sign to confirm they have read and agree to the terms and conditions (Appendix 1);
3.3.4. they take disciplinary action as appropriate against any member of staff in breach of this policy;
3.3.5. they notify any suspected breaches of this policy to the ICT Department;
3.3.6. they immediately notify ICT if a staff member leaves the Trust or no longer requires BYOD.
3.4.2. report any suspected breaches of this policy to their line manager or the ICT Department;
3.4.3. understand that failure to comply with the rules and regulations contained in this policy, or any attempt to circumvent the security controls, may result in the withdrawal of this facility and/or disciplinary action;
3.4.4. report the loss or theft of any BYOD enabled device to the Trust's ICT Service Desk at the earliest possible opportunity and, in addition, report the incident on the Trust's incident reporting system (Ulysses);
3.4.5. inform the ICT Department if BYOD is no longer required; access to the application will then be removed and all data held within the application on the device will be deleted;
3.4.6. report any lost or stolen devices to the ICT Service Desk immediately so that corporate data can be remotely wiped from the device. It is the user's responsibility to report the theft of their device to the police;
3.4.7. keep their username and password secret and not allow anybody else to access the information;
3.4.8. abide by the clauses of acceptable use outlined in both the Internet and Email Acceptable Usage Policy and the ICT Security Policy.
4. Data Protection
4.1. To take full advantage of the benefits of BYOD the risks need to be mitigated, and this can be achieved through process and technical controls. The overall objective is to remain in control of Trust data at all times and thus prevent breaches of confidentiality and/or data loss. Failing to adequately protect personal data is unlawful and in breach of the Data Protection Act (DPA), in particular 'Principle 7', which states:
“Appropriate technical and organisational measures shall be taken against
unauthorised or unlawful processing of personal data and against accidental loss or
destruction of, or damage to, personal data.”
4.2. The Trust has a legal duty to comply with the DPA and failure to comply could lead to an investigation by the Information Commissioner's Office (ICO). The ICO has the power to uphold the DPA and can fine organisations up to £500,000 where appropriate controls have not been in place.
5. Physical Security
5.1. Owners shall accept full responsibility for the security of the device, taking the necessary precautions to avoid loss, theft or damage. In the event of loss, damage or theft, they must report this immediately to the ICT Service Desk and, if appropriate, to the police. In particular, owners must:
- take all reasonable care to prevent the theft or loss of the device;
- be extra vigilant when using any BYOD device during journeys on public transport, to avoid the risk of theft of the device or of unauthorised disclosure of Trust stored information to a third party "overlooking" the screen;
- not leave the device unattended for any reason whilst working on it unless the session is "locked" and the device is in a safe working place (not, for example, left in an unattended room);
- ensure that non-authorised users are not given access to the device or the data it contains.
6.2. The BYOD security policy pushed via Good to personal devices creates a separate
workspace separating ‘Trust’ data and ‘Personal’ data (personal data in this instance
relating to data owned by that individual, not to be confused with patient identifiable
data). Policies enforced on a BYOD device are aimed at managing and controlling
corporate data only and personal information held on the device should not be
affected.
6.3. The Good workspace on the device is fully encrypted and any content or attachments
contained within the corporate workspace cannot be saved outside of the application
or locally on the device.
6.4. All data in transit, between the Good infrastructure and handheld device, is fully
protected by encryption.
6.5. In order to prevent unauthorised access, the workspace is password protected using an 8-character password. This is in line with the Trust's password policy, which requires all passwords to meet the following criteria:
6.6. Passwords must be changed at least every 90 days, but more frequently if required.
6.7. Passwords must be kept safe at all times and should never be shared with other Trust staff or family members.
6.8. The Good workspace on the device can be remotely wiped by the Trust at any stage if there is cause to think the device has been compromised in any way. This will remove the Trust data held within the Good workspace and should not interfere with any personal data on that device. The device can be remotely wiped in any of the following scenarios:
7.2. Any user seeking to connect a personally owned device must gain approval via their
line management and this includes the provision of a budget code to meet the annual
cost of the Good license. This should be done prior to the request being made to the
ICT Service Desk and should be captured on the BYOD Request Form & Security
Procedures – Appendix 1.
7.3. There will be a cost for this service which is available on the Good request form and is
subject to change should there be changes in the license costs.
7.4. All Good request forms should be returned to the ICT Service Desk for processing, either via the usual service desk number or using the online portal; the portal is reached via the LogIT icon/shortcut on all users' desktops.
7.5. All users are required to agree and sign the BYOD Terms and Conditions as found on
the BYOD Request Form & Security Procedures – Appendix 1.
7.6. After a licence is purchased and your user account is authorised on the system you
will be sent instructions on how to add your device to the service.
8. Device Support
8.1. Personally owned devices are not supported by Southern Health ICT services. Staff
should contact the device manufacturer or their carrier for operating system or
hardware-related issues.
8.2. The support provided by the organisation for personal devices using Good is strictly limited to:
8.3. Detailed guidance for Good has been created by the Technology teams and is available on the Intranet; it covers all major functions, including:
8.4. The employee assumes full liability for risks including, but not limited to, the partial or
complete loss of company and personal data due to an operating system crash, errors,
bugs, viruses, malware, and/or other software or hardware failures, or programming
errors that render the device unusable.
8.5. In the unlikely event that personal data on the BYOD device is affected or lost the
Trust will not be held responsible or liable for any damages or compensation.
10. Reimbursement
10.1. The Trust will not reimburse the employee for the purchase of the device or its associated costs, regardless of whether these were incurred during Trust business. This includes, but is not limited to: roaming charges, plan charges and overcharges, and the cost of applications for personal use.
11.2. The following documents have been used as reference material in the development of
this policy.
IGTK standard 13-314: Policy and procedures ensure that mobile computing and teleworking are secure
https://www.igt.hscic.gov.uk/RequirementsList.aspx?tk=64&lnv=2&cb=97815b81-f91c-4b9f-bd8b-5f5a61ac20c4&sViewOrgType=2&sDesc=Acute+Trust
Appendix 1 – BYOD Request Form & Security Operating Procedures
Name
Job Title
Contact Number
Email Address
Cost of Service
One off set up cost - £TBC on application
Annual Support Charge - £TBC on application
Limitations/Disclaimers
- The user will need a smartphone or tablet on a personally owned contract with an adequate data plan, or access to non-Trust Wi-Fi. The organisation will not reimburse any additional data charges incurred by the user.
- Personal devices are not supported by Southern Health ICT Services. Staff should contact the device manufacturer or their carrier for operating system or hardware-related issues.
- The employee assumes full liability for risks including, but not limited to, the partial or complete loss of company and personal data due to an operating system crash, errors, bugs, viruses, malware, and/or other software or hardware failures, or programming errors that render the device unusable.
- Good for Enterprise is not supported on all mobile operating systems and staff should check the list of supported devices before applying for the service.
Conditions of Use
- All staff enabled for BYOD will abide by this and associated policies and procedures.
- The physical security of the device is the user's liability, but the Trust does expect individuals to take suitable precautions to protect the physical asset.
- For security reasons, nobody else, including friends or members of your family, should be permitted to use your iPad / iPhone whilst the Good application is unlocked.
- Staff use personal devices at their own risk and the Trust is not liable for any costs associated with the loss or damage of devices.
- Staff use their own devices at their own cost. Staff should have an 'adequate data plan'; the Trust will not pay for excess data usage.
- The Trust will remove Good and all associated data from personal devices if the device is lost or stolen or if the staff member leaves the Trust.
- Report the loss or theft of any personal device that has been enabled for BYOD to the ICT Service Desk as soon as possible, preferably within 24 hours.
- Failure to comply with the rules and regulations contained in this policy, or any attempt to circumvent the security controls, may result in the withdrawal of this facility and/or disciplinary action.
User Declaration
I hereby declare that I have read and understood the above Security Operating
Procedures (SyOPs) and agree to comply with all of the schedules contained herein.
Signature
Date
Name
Job Title
Contact Number
Email Address
Signature*
Date
Cost Centre
Subjective Code
*Not required if emailed directly from manager’s email account