Bring your own device policy

Policy summary

This policy covers any person wishing to use a device owned by someone other than the council (for example, personal devices) to access council data - commonly known as Bring Your Own Device (BYOD). You must comply with the whole policy, but in summary:

• If you have accepted certain policies and your device meets certain criteria, you may access council data from a personal device
• The council retains control of the data, and as part of this agreement you accept the installation of software that can erase data from your device and adds certain management facilities for council use which include being able to record use of facilities
• You must tell the council if your device is lost, stolen, infected with malware or the security of the device is otherwise compromised
• The council does not support use of personal devices although FAQs and installation instructions are maintained for your use. The council will accept comments and issues around BYOD but does not commit to respond to them. Issues with connectivity will be investigated, but if they cannot be reproduced you will have to find solutions in conjunction with your personal providers.
• Some types of data cannot be stored or accessed on BYOD devices. If you are using as part of your role data from certain partners, you cannot use BYOD devices.
• Compliance with this policy is part of your employment contract

Introduction

The council has a responsibility to safeguard the information that has been provided to it by people and various government and statutory organisations to carry out its business. In order to do this, we need to make sure that:

• the requirements of UK law on personal data management are being met
• the requirements of the Public Service Network Code of Connection (CoCo) are met
• the council’s own Data Privacy and Information Security policies are being followed
• where third party data is being used, the requirements of the data owners are being followed

The council recognises that users may wish to use their own mobile devices to access council data and use council applications as part of flexible working arrangements. This policy outlines the responsibilities of both the device owner and the council.

Prohibited services and data

The council and its partners reserve the right to prohibit use of personally owned devices (BYOD) for accessing certain category of services and data as necessary.

Department of Work and Pensions (DWP) as well as Her Majesty's Revenue and Customs (HMRC) data and/or systems available to the council fall under such prohibited categories.

Who does the policy apply to?

This policy applies to all persons who connect or intend to connect a device not owned by the council to use council data. Note that if you have a council-provided mobile phone, you cannot additionally have a personal mobile phone connected due to technical limitations.

Enfield Council’s responsibilities

As the data controller, the council is responsible for ensuring that all processing of personal data which is under its control remains in compliance with UK law. Additionally, the council receives data from partners which may be restricted by their security policies with which we have to comply.

The council must also remain mindful of the personal usage of such devices and the privacy of the individual. Technical and organisational measures used to protect council owned data must remain proportionate to the risks and consider your rights as an individual to privacy. Decisions on these matters will be made via the council’s internal governance routes.

Rights, privileges and responsibilities

The use of a personally owned device in connection with council business is a privilege granted to device owners. The council reserves the right to revoke these privileges without notice.

You must read and understand this policy before configuring your device to access council information.

You must also complete the council’s online eLearning courses on Information Rights and Cyber Security, and accept the Acceptable Use Policy prior to being provided access to information from your personal device.

There are additional requirements for certain persons, for example, contractor staff who may need to sign additional agreements - please consult if you are in this group.

The council remains the data controller for all data held on BYODs.

Disciplinary and/or criminal action may be taken if a breach of policy or law occurs. Compliance with this policy is part of your employment contract.

As the device owner, you carry specific responsibilities, as listed below:

• You will not lend anyone your device to access council information or use council infrastructure
• Should you decide to sell, recycle, give away or change your device, you will inform the council's Digital Service (DS) Service Desk by phone or online. Do not allow the device to leave your possession until you have been informed council data has been wiped
• The policy will require at minimum a four-digit pin or a passcode to access your device
• In order to access your Outlook email and calendar, you will need to enter your network account password. You may be required to provide a second authentication factor before access, this will be via either a text message or an app.
• You must ensure that your device is compliant, and that security software is kept up to date. The system will check whether your device meets compliance criteria and if not, will automatically stop syncing and potentially be wiped of council data.
• The council data will be automatically wiped without notice if:
  • you lose the device
  • the device is stolen
  • you terminate employment with the council
  • Enfield DS detects a data or policy breach or virus/malware infection
  • Your device becomes jailbroken or rooted (either intentionally or through the installation of software or an application that makes the modification to add additional functionality)
• You are responsible for the safekeeping of your own personal data. We recommend that you secure and encrypt your phone appropriately using the facilities on the device, and that you have an up-to-date malware scanning solution installed (anti-virus).
• You must conform strictly to the council’s Data Protection Policy and Information Classification and Handling Policy for the movement and use of information

All users are expected to use their device in an ethical manner. Using your device in ways not designed or intended by the manufacturer is not allowed. This includes, but is not limited to, 'jailbreaking' your iPhone or 'rooting' your android device even if this adds additional functionality.

Which devices are covered?

Current devices approved for Bring Your Own Device use are listed below along with the minimum system requirements:

• Android 7.1.1 ('Nougat') or higher Smart Phones and Tablets
• iOS 9.3.6 or higher iPhones and iPad (note that Apple do not guarantee support for any version other than the latest.
• MacOS devices with TPM 2.0 and MacOS Mojave version 10.14.6 or higher (note that Apple to not guarantee support for any version other than the latest update).
• Windows 10 devices with TPM 2.0 running the Professional edition or higher (Home edition is not supported).

Devices below these specifications will not comply with our policies and therefore will not be allowed to be used as BYOD.

It should be noted that as technology improves and newer versions of operating system are introduced by vendors or vulnerabilities are discovered in existing operating systems this list is subject to immediate change and access maybe revoked (in some instances this may be without notice).

Which IT services are available?

Currently, the IT Services available and covered by policy are:

• email - note that the amount of email allowed on the phone is fixed by the council and cannot be changed
• calendar
• contacts
• tasks
• telephony, meetings and instant messaging via Ms Teams
• file access and editing via SharePoint and OneDrive for Business (using the Microsoft Office suite for the mobile device)
• multi-factor authentication via Microsoft Authenticator
• collaboration and group discussion via Teams
• council building Wi-Fi

Note that some file types cannot be securely opened, and hence you may find you cannot open certain attachments. Additionally, mobile software may have different and more limited functionality from desktop versions.

A minimum 4-digit passcode will be required to access devices containing council data - you will also initially need to set up the device using your council username/email and password. You will need to update these as per council policy and must not share these with any other person.

Council data is stored encrypted to protect it and is subject to restrictions on copying and where it can be saved.

Who manages this facility?

Enfield Digital Services in conjunction with the Information and Data Governance Board will manage the BYOD facility, as described within this document, on behalf of the council. Human Resources will advise managers if corporate policies have not been followed.

What support will Enfield IT provide?

Enfield DS will not support or maintain any personal device. Furthermore, the council will not cover any damage to the device or any loss of personal data that may occur as a result of installing any mobile device management solution or when data is removed as part of the data wiping ability of the solution. The council makes reasonable endeavours to ensure that your device is not affected and that only council data is erased, but this cannot be fully guaranteed and the council accepts no liability for issues resulting from use.

It is recommended that device owners insure their device as part of their home contents insurance or via a specific mobile device insurance scheme and advise their insurer that the device will be used for work purposes at home and at work locations.

Upon installation of the mobile device management software, the device owner can connect to the council infrastructure to access their Enfield Council accessible data. However, the device owner is personally liable for the device and carrier service costs. They will not be reimbursed by the council for the acquisition of a mobile device, its use, maintenance or replacement or any carrier service charges incurred. The device owner must agree to all terms and conditions in this policy to be allowed access to council services listed in this document.

If a security incident should occur

A security incident is defined as any event that could compromise information security. Some examples: your device is lost or stolen, someone else gains access to your password/passcode, your device becomes infected with malware.

If a security incident should occur, you are required to inform the council's DS Service Desk immediately with details.

The council reserves the right to wipe either Enfield Council data and applications or the whole device if it is deemed necessary. This may impact other personal applications and data, such as the native address book data and any personal files on your device. We recommend that you investigate backup solutions for your personal files available for your operating system.

The council has developed and implemented a Security Incident Response Procedure, you should ensure that you read and understand both the policy and your responsibilities under the reporting process.

The council also needs to take action where potential incidents are identified. Where ‘near misses’ occur, these should be reported to your line manager and a local decision taken as to whether the cause of the ‘near miss’ is one which could involve the enhancement of the policy or the process. If this is the case the council's DS Security Team should be informed and a security incident raised via the council's DS Service Desk.

Note that not reporting security incidents is a breach of the Acceptable Use Policy.

Guidelines for acceptable behaviour

Device owners are expected to behave in accordance with the council’s behaviours framework at all times whilst undertaking work for the council. Further information can be found on staff intranet from your manager or by contacting an HR advisor.

Be aware that any personal device used at work may be subject to discovery in litigation. This means that it could be used as evidence in a lawsuit against the council. Your data could be examined not only by the council but also by other parties in any legal action.

Allowed countries

The UK law on data protection only permits export of personal data to certain countries. Because of this, we cannot permit BYODs with council data to be taken to countries outside of the following classes:

• Countries in the European Economic Area
• Countries with an assessment of adequacy of data protection (see European Commission - Adequacy decisions)

For countries outside this list, the council may choose to perform an assessment of risk of its own, but it has not so far done so. Any such decisions will be added to the list above.

If you leave the employment of the council

As part of the leaver’s process, your access to the council infrastructure and applications will cease and your device will be de-provisioned and ensure access to council data is ceased and council data is wiped.

Enfield Council release of liability and disclaimer statement

Enfield Council hereby acknowledges that the use of a personal device in connection with council business carries specific risks for which you, as the device owner and user, assume full liability. These risks include, but are not limited to, the partial or complete loss of data as a result of a crash of the OS, errors, bugs, viruses, and/or other software or hardware failures, or programming errors which could render a device inoperable.

The council hereby disclaims liability for the loss of any such data and/or for service interruptions. The council expressly reserves the right to wipe the device management application (or similar applications) at any time as deemed necessary for purposes of protecting or maintaining Enfield Council infrastructure and services.

The council also disclaims liability for device owner injuries such as repetitive stress injuries developed. The council provides IT equipment that is suitable for long-term office use.

Device owners bring their devices to use at the council as their own risk. Device owners are expected to act responsibly with regards to their own device, keeping it up to date and as secure as possible. It is their duty to be responsible for the upkeep and protection of their devices.

Enfield Council is in no way responsible for:

• personal devices that are broken while at work or during work-sponsored activities
• personal devices that are lost or stolen at work or whilst undertaking work-related activities
• maintenance or upkeep of any device (keeping it charged, installing updates or upgrades, fixing any software or hardware issues)
• the management or creation of users own ‘cloud’ based user accounts, which are required for purchasing software, or backing up data

Enfield Council does not guarantee that Service will be compatible with your equipment, or warrant that the Service will be available at all times, uninterrupted, error-free, or free of viruses or other harmful components, although it shall take reasonable steps to provide the best Service it can.

Furthermore, depending on the applicable data plan, the software may increase applicable rates. You are responsible for confirming any impact on rates as a result of the use of council supplied applications as you will not be reimbursed by the council.

Finally, the council reserves the right, at its own discretion, to remove any

Council supplied applications from your personal device as a result of an actual or deemed violation of the council’s BYOD Policy.

Policy details

Author - Information Governance Manager
Owner - Information and Data Governance Board
Version - 2.2
Reviewer - Information and Data Governance Board
Classification - Official
Issue status - Draft
Date of first issue - 08.09.2014
Date of latest re-issue - 30.05.2023
Date approved by IGB - 19.05.2023
Date of next review - 30.04.2024