Bring your own device (BYOD)

When we have provided you with a work device, you must use this device whenever you attend work. Personal devices can be used for work purposes only when there is no other alternative.

Using personal devices for work-related purposes creates several issues that need to be addressed, particularly around information security. Here we set out the responsibilities of staff members taking advantage of BYOD, and the circumstances in which we may monitor use of or restrict access to our data and services.

Using your own smartphone or tablet	The operating system must be supported by regular security updates. If your operating system does not meet this requirement, you will not be able to access apps and data belonging to the organisation. It must only be used by you. Shared devices do not meet the requirements of the Data Protection Act. It must be protected by a minimum of a six-digit PIN. If your device supports biometric identity features, such as fingerprint or facial recognition, you should use these to enhance account protection. You must install the Microsoft 365 mobile apps – These approved apps are published by Microsoft to either the Apple AppStore or Google Play Store. At a minimum the Authenticator, Outlook and Teams apps will be used to access data belonging to us.
Using your own computer	Personal computers can only be used to access our virtual desktop service. Data belonging to Key must never be copied to or held on personal devices. You have responsibility for the security of your own device. You should be familiar with the operating system and the security tools it may contain. The operating system must be supported by regular security updates, and you must undertake to install these updates whenever they are released. Your device must have an active subscription to anti-virus and anti-malware applications. In some cases, for example Microsoft Windows, the built-in protection will be enough to satisfy this requirement. Your device must have a password protected account that can only be accessed by you. If your computer supports biometric identity features, such as fingerprint or facial recognition, you should use these to enhance account protection.
In the workplace	Where available, you may connect your personal device to guest Wi-Fi networks provided by the organisation when you are using it for work purposes. Guest Wi-Fi is not available at all locations. Personally owned devices must never be connected to Ethernet or Wi-Fi networks used in the homes of people we provide services to. Personal devices with Ethernet ports must never be connected to physical networks within any office or worker base. You must not store personal documents or other data on servers or storage belonging to the organisation or to people who receive our services. You must not use printers or copiers belonging to the organisation for personal purposes.
At home	You must not print any information belonging to the organisation at home. This is to ensure our compliance with the Data Protection Act 2018 and our obligations under the Cyber Essentials scheme.
Costs	You must pay for your own device costs under this policy including, but not limited to, voice and data usage charges and any purchase and repair costs. You are responsible for all costs associated with the device and understand that your business usage of the device may increase your voice and data costs.
Technical support	The ICT Support Team will provide limited technical support to help you access our systems.
When you leave us	All data and communications are the property of the organisation. Therefore, on or before your last day of work for the organisation, all accounts and apps provided by us must be removed from your device. If this cannot be automated, you must provide all necessary co-operation and assistance to the ICT Support Team to facilitate the removal.