Bring your own device policy

Policy summary

This policy covers any person wishing to use a device owned by someone other than the council (for example, personal devices) to access council data – commonly known as Bring Your Own Device (BYOD).

You must comply with the whole policy, but in summary:

Introduction

The council has a responsibility to safeguard the information that has been provided to it by people and various government and statutory organisations to carry out its business. In order to do this, we need to make sure that:

The council recognises that users may wish to use their own mobile devices to access council data and use council applications as part of flexible working arrangements. This policy outlines the responsibilities of both the device owner and the council.

Prohibited services and data

The council and its partners reserve the right to prohibit use of personally owned devices (BYOD) for accessing certain category of services and data as necessary.

Department of Work and Pensions (DWP) as well as Her Majesty's Revenue and Customs (HMRC) data and/or systems available to the council fall under such prohibited categories.

Who does the policy apply to?

This policy applies to all persons who connect or intend to connect a device not owned by the council to use council data. Note that if you have a council-provided mobile phone, you cannot additionally have a personal mobile phone connected due to technical limitations.

Enfield Council’s responsibilities

As the data controller, the council is responsible for ensuring that all processing of personal data which is under its control remains in compliance with UK law. Additionally, the council receives data from partners which may be restricted by their security policies with which we have to comply.

The council must also remain mindful of the personal usage of such devices and the privacy of the individual. Technical and organisational measures used to protect council owned data must remain proportionate to the risks and consider your rights as an individual to privacy. Decisions on these matters will be made via the council’s internal governance routes.

Rights, privileges and responsibilities

The use of a personally owned device in connection with council business is a privilege granted to device owners. The council reserves the right to revoke these privileges without notice.

You must read and understand this policy before configuring your device to access council information.

You must also complete the council’s online eLearning courses on Information Rights and Cyber Security, and accept the Acceptable Use Policy prior to being provided access to information from your personal device.

There are additional requirements for certain persons, for example, contractor staff who may need to sign additional agreements - please consult if you are in this group.

The council remains the data controller for all data held on BYODs.

Disciplinary and/or criminal action may be taken if a breach of policy or law occurs. Compliance with this policy is part of your employment contract.

As the device owner, you carry specific responsibilities, as listed below:

All users are expected to use their device in an ethical manner. Using your device in ways not designed or intended by the manufacturer is not allowed. This includes, but is not limited to, 'jailbreaking' your iPhone or 'rooting' your android device even if this adds additional functionality.

Which devices are covered?

Current devices approved for Bring Your Own Device use are listed below along with the minimum system requirements:

Devices below these specifications will not comply with our policies and therefore will not be allowed to be used as BYOD.

It should be noted that as technology improves and newer versions of operating system are introduced by vendors or vulnerabilities are discovered in existing operating systems this list is subject to immediate change and access maybe revoked (in some instances this may be without notice).

Which IT services are available?

Currently, the IT Services available and covered by policy are:

Note that some file types cannot be securely opened, and hence you may find you cannot open certain attachments. Additionally, mobile software may have different and more limited functionality from desktop versions.

A minimum 4-digit passcode will be required to access devices containing council data – you will also initially need to set up the device using your council username/email and password. You will need to update these as per council policy and must not share these with any other person.

Council data is stored encrypted to protect it and is subject to restrictions on copying and where it can be saved.

Who manages this facility?

Enfield Digital Services in conjunction with the Information and Data Governance Board will manage the BYOD facility, as described within this document, on behalf of the council. Human Resources will advise managers if corporate policies have not been followed.

What support will Enfield IT provide?

Enfield DS will not support or maintain any personal device. Furthermore, the council will not cover any damage to the device or any loss of personal data that may occur as a result of installing any mobile device management solution or when data is removed as part of the data wiping ability of the solution. The council makes reasonable endeavours to ensure that your device is not affected and that only council data is erased, but this cannot be fully guaranteed and the council accepts no liability for issues resulting from use.

It is recommended that device owners insure their device as part of their home contents insurance or via a specific mobile device insurance scheme and advise their insurer that the device will be used for work purposes at home and at work locations.

Upon installation of the mobile device management software, the device owner can connect to the council infrastructure to access their Enfield Council accessible data. However, the device owner is personally liable for the device and carrier service costs. They will not be reimbursed by the council for the acquisition of a mobile device, its use, maintenance or replacement or any carrier service charges incurred. The device owner must agree to all terms and conditions in this policy to be allowed access to council services listed in this document.

If a security incident should occur

A security incident is defined as any event that could compromise information security. Some examples: your device is lost or stolen, someone else gains access to your password/passcode, your device becomes infected with malware.

If a security incident should occur, you are required to inform the council's DS Service Desk immediately with details.

The council reserves the right to wipe either Enfield Council data and applications or the whole device if it is deemed necessary. This may impact other personal applications and data, such as the native address book data and any personal files on your device. We recommend that you investigate backup solutions for your personal files available for your operating system.

The council has developed and implemented a Security Incident Response Procedure, you should ensure that you read and understand both the policy and your responsibilities under the reporting process.

The council also needs to take action where potential incidents are identified. Where ‘near misses’ occur, these should be reported to your line manager and a local decision taken as to whether the cause of the ‘near miss’ is one which could involve the enhancement of the policy or the process. If this is the case the council's DS Security Team should be informed and a security incident raised via the council's DS Service Desk.

Note that not reporting security incidents is a breach of the Acceptable Use Policy.

Guidelines for acceptable behaviour

Device owners are expected to behave in accordance with the council’s behaviours framework at all times whilst undertaking work for the council. Further information can be found on staff intranet from your manager or by contacting an HR advisor.

Be aware that any personal device used at work may be subject to discovery in litigation. This means that it could be used as evidence in a lawsuit against the council. Your data could be examined not only by the council but also by other parties in any legal action.

Allowed countries

The UK law on data protection only permits export of personal data to certain countries. Because of this, we cannot permit BYODs with council data to be taken to countries outside of the following classes:

For countries outside this list, the council may choose to perform an assessment of risk of its own, but it has not so far done so. Any such decisions will be added to the list above.

If you leave the employment of the council

As part of the leaver’s process, your access to the council infrastructure and applications will cease and your device will be de-provisioned and ensure access to council data is ceased and council data is wiped.

Enfield Council release of liability and disclaimer statement

Enfield Council hereby acknowledges that the use of a personal device in connection with council business carries specific risks for which you, as the device owner and user, assume full liability. These risks include, but are not limited to, the partial or complete loss of data as a result of a crash of the OS, errors, bugs, viruses, and/or other software or hardware failures, or programming errors which could render a device inoperable.

The council hereby disclaims liability for the loss of any such data and/or for service interruptions. The council expressly reserves the right to wipe the device management application (or similar applications) at any time as deemed necessary for purposes of protecting or maintaining Enfield Council infrastructure and services.

The council also disclaims liability for device owner injuries such as repetitive stress injuries developed. The council provides IT equipment that is suitable for long-term office use.

Device owners bring their devices to use at the council as their own risk. Device owners are expected to act responsibly with regards to their own device, keeping it up to date and as secure as possible. It is their duty to be responsible for the upkeep and protection of their devices.

Enfield Council is in no way responsible for:

Enfield Council does not guarantee that Service will be compatible with your equipment, or warrant that the Service will be available at all times, uninterrupted, error-free, or free of viruses or other harmful components, although it shall take reasonable steps to provide the best Service it can.

Furthermore, depending on the applicable data plan, the software may increase applicable rates. You are responsible for confirming any impact on rates as a result of the use of council supplied applications as you will not be reimbursed by the council.

Finally, the council reserves the right, at its own discretion, to remove any

Council supplied applications from your personal device as a result of an actual or deemed violation of the council’s BYOD Policy.


Policy details

Author – Information Governance Manager
Owner – Information and Data Governance Board
Version – 2.2
Reviewer – Information and Data Governance Board
Classification – Official
Issue status – Final
Date of first issue – 08.09.2014
Date of latest re-issue – 30.05.2024
Date approved by IGB – 19.05.2024
Date of next review – 30.04.2025

Council news directly to you

The latest news in your inbox every week. Council news, community updates, local events and more.

Sign up Sign up