Bring your own device (BYOD) 2018

Lara Nichols recognises the advantages to the business, and to the efficiency of its employees, of flexible working arrangements such as allowing employees to bring their own devices into the business and permitting them to use their own property to undertake their day-to-day working activities.

However, employees must not, on their own initiative, use these devices for business purposes.

Policy Aims

  • To protect the data that is downloaded onto an individual’s equipment
  • To specify what devices the company will permit.
  • To provide protection to the clients, customers and employees of Lara Nichols
  • To prevent sensitive data being stolen or misused in the event of theft or accidental loss of the portable equipment
  • To comply with the General Data Protection Regulation – Regulation (EU) 2016/679 (GDPR)
  • To establish a Service Policy for employees should problems occur.

Policy and Procedure

  • Unauthorised personally owned devices are not permitted for use in the business of the company.
  • The business use of personal mobile phones, smartphones, personal tablets and laptops must first be authorised by Lara Nichols. Contact the Finance Manager in the first instance.
  • Authorisation will not be given if other members of your family have access to the device.
  • Lara Nichols expects that authorised devices will be used during your working day as part of your day to day duties.
  • You must agree with your line manager whether or not, or when, you may be available for contact outside the working day. Such contact must not affect your wellbeing or place you at the behest of the company unless (in the latter case) agreed in a document separate to this policy.
  • Devices must be protected by industry-standard anti-virus and firewall software. If in doubt seek advice from [IPTPOSN]
  • You must have administrator rights on your device and not provide those rights to other parties.
  • Other users of the device must not have access to any VPN (Virtual Private Network)
  • All data that is processed on your device is to be in compliance with the Data Protection Act 1998 (DPA) and the GDPR. Seek advice from the Finance Manager if necessary.
  • The Managing Director (or Data Controller) will remain in control of all business personal data regardless of the ownership of the device used to carry out the processing.
  • Business personal data is defined as that acquired in the process of your work responsibilities, is owned by the company and must be relinquished on leaving the company.
  • Personal data (e.g. from social contacts but relevant to the business) brought to the company by you may be retained by you as well as by the company.
  • If you want to containerise data so that personal data is not available to the company then seek advice from the Managing Director.
  • Both the DPA and the GDPR require the Managing Director or data controller to take appropriate technical and organisational measures against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data. You must comply with any additional requirements specified from time to time.
  • You must ensure that you password protect all devices on all occasions
  • All passwords must contain at least six characters, a capital letter and a number or symbol, to ensure that the password is strong, subject to any further advice from the Managing Director
  • Where available Touch ID can be used as an additional security measure
  • Login names and passwords must not be disclosed to anyone other than the Managing Director
  • You are responsible for being aware of the possibility of spoof emails or calls purporting to be from IT staff or companies.
  • Your devices can be used for personal use, of course, as well as for business use.
  • Personal use of the device must be restricted to lunch and break times other than for exceptional emergency contact.
  • You must know where your personal devices are on all occasions; such equipment must not be left unattended
  • In the event that you lose your device or the device is stolen then this must be reported to the Managing Director as a matter of urgency.
  • All information (i.e. including business personal data) must be stored on the [ ORGDESCP] drives or servers. Some business data may be stored on individual devices, but only whilst work is being completed. Data may be stored on the Cloud provided it can also be accessed by the company. Advice may be needed from the Managing Director.
  • You understand and accept that should you leave our employment the device must be returned to the offices or the Managing Director so that all business information can be removed from the device.
  • Applications (Apps) that are bought will be your property as the owner of the device and not that of Lara Nichols.
  • Access to business data on Apps is to be removed on leaving the company. The data itself must remain accessible to the company.

Failure to follow the BYOD policy can lead to disciplinary action.

This policy will be subject to regular review to ensure that it provides security to Lara Nichols and its clients as well as following best practice in relation to such matters.

 

This policy was last reviewed in January 1970