Version: Draft
Ratified By: Finance & Risk Committee
Date ratified: 31/03/2021
Job Title of Author: Assistant Director – IT & Systems
Reviewed by Sub Group or Expert Group: Technology Programme Board
Equality Impact Assessed by: Assistant Director – IT & Systems
Related Procedural Documents: IGPOL53 Information Security Policy; ITPOL13 – N365 Platform Policy & Guidance
Review Date: April 2024
It is the responsibility of users to ensure that they are using the most up-to-date document template, i.e. the one obtained via the intranet.
In developing/reviewing this policy Provide Community has had regard to the principles of the NHS Constitution.
Version Control Sheet
Version Date Author Status Comment
1.0 March 2021 Assistant Director IT & Systems Approved by FRC – 30/03/2021
1. Introduction
Bring Your Own Device (BYOD) covers technology devices such as laptops, tablets and smartphones and can bring many benefits:
• Employees are familiar with their device, no training is required
• Potential improvement of employee morale
• Employees only need to carry a single mobile device
• Mutually cost beneficial for the Provide Group and the staff member
• Employees may be more likely to take better care of a device that they have paid for and belongs to them
However, there are potentially negative considerations, most of which relate to the fact that whilst the device is owned by the employee, the data remains the responsibility of the data controller:
• IT support is more complex
• Heightened security risks, such as malicious exploitation of devices through poor configuration or malware
• Heightened risk of accidental data loss, such as backups of devices containing Provide Group data or devices being shared with family members
• It is more difficult to secure service user and company data
2. Scope
This policy applies to all employees, contractors, temporary staff and volunteers of Provide CIC and all Provide Group companies where BYOD is offered.
At this point BYOD is not permitted for laptops, tablets or any other devices that would need to connect directly to any Provide Group network. Any future change to this would be dependent upon the installation of a corporately managed Mobile Device Management solution on the personal device.
Staff are permitted, in the circumstances described in this policy, to use their own smartphone upon acceptance of the terms in this policy and agreement by their line manager.
No work related information will be permitted to be stored on BYOD smartphones.
3. Purpose
To enable staff, where appropriate, to safely and securely use a personal smartphone for Provide Group work by setting out the operating principles and rules that staff must adhere to, and by setting out the security controls that must be applied in order to reduce the risk of staff using personal mobile phones to a level that falls within the risk appetite of the Provide Group.
4. BYOD Permitted Uses
Staff who are approved to use their personal smartphone will be allowed to do so for the following work-related purposes only:
• For tethering their laptop or tablet to the smartphone for the provision of a mobile data connection. The connection of the work tablet or laptop will itself be secured by a VPN solution.
• For phone calls (service user phone numbers must not be stored on the smartphone).
• To send and receive work emails using a secure email account supplied by the Provide Group and used through O365.
• To view documents that are accessible through O365.
• Joining a Microsoft Teams meeting with other employees. The meeting must not include any service users.
For clarity, uses do not include:
• Directly connecting to the Provide network (this will not be made possible)
• Taking or storing work related photographs of any type.
• Using the smartphone to carry out virtual consultations
• The use of any work apps that contain Patient Identifiable Data (PID) or business sensitive information.
• The use of NHSmail, other than through O365
• Storage of any work information directly on the device
5. BYOD Security Requirements
Devices being used for work purposes must comply with the following at all times:
• Use a strong password to secure the device
• Acceptance of security updates for apps and the operating system
• Use a supported version of the operating system
• Keep passwords secure
• Use biometric features to secure the device if possible
• Keep your operating system updated
• Be careful who can see your screen when accessing work systems
• Report lost or stolen devices
• Be aware of your responsibility for all costs
• Facilitate IT to conduct spot checks if required
• Don’t save work in unapproved locations or applications
Should a personal device be lost, this must be reported to the Provide Technology Team immediately, the NHSmail password must be changed, and the personal number stored for the user may need to be updated. A Datix must be completed.
6. Approvals & Monitoring
Staff must not use a personal phone for work purposes until they have received confirmation that their request is approved.
The application process will include completion of a survey that will be assessed by the Technology Team to establish how the phone will be used and the current security level of the phone. As part of the agreement, users may be asked to complete this information on an annual basis, at any point there is a concern, and additionally each time they change their phone.
Details relating to the phone will be stored by the Provide Technology Team and used as the basis for deciding when to re-validate users. Re-validation may occur at times such as the user's operating system going end of life.
Regular reports will be run in NHSmail to ensure NHSmail is not installed on personal mobile phones.
7. Financial Recompense
Staff who qualify for a work-issued smartphone and instead choose to use their personal smartphone will, following approval, receive a monthly payment to compensate them for each full month of use at the advertised rate. This amount will be re-charged to service budgets. The payment will be made as part of the monthly pay run and will not be pensionable. It is not expected to have any tax implications for individuals, although tax rules and guidance are subject to change and are outside the control of Provide.
Provide reserve the right to end the BYOD scheme at any point by giving a minimum of 30 days’ notice. Where staff still require the use of a mobile phone for work purposes, one would be supplied at the end of the scheme.
8. Duties
8.1 All Managers
All managers are responsible for:
• Ensuring that the staff they manage are aware of this policy and their individual responsibility for complying with it.
• Ensuring staff are aware of the opportunities in this Policy and if they qualify to use their mobile phone or not.
• Ensuring the processes required for users to be compensated for the use of their personal phone are followed in a timely manner.
• Ensuring they complete the relevant leavers and joiners processes for their staff.
8.2 Technology Team
The Technology Team are responsible for:
• Regular review of the scope of this policy
• Reviewing and approving requests, which must come via the staff member's manager to the Provide Service Desk, and sharing approved requests with the Finance Department.
8.3 Finance Team
The Finance Team are responsible for:
• Ensuring that the appropriate Services are recharged in a timely manner
• Processing Staff Change Forms for staff opting in to BYOD in a timely manner
8.4 All Staff
All staff are responsible for:
• Adhering to this Policy, including the permitted uses and security requirements
• Adhering to the N365 Platform Policy and Guidelines, which should be read and understood before considering use of a personal mobile phone.