the place of useful learningThe University of Strathclyde is a charitable body, registered in Scotland, number SC015263 BRING YOUR OWNDEVICE POLICY Bring Your Own Device Policy1 IntroductionThe University of Strathclyde recognises the benefits that can be achieved byallowing staff to use their own electronic devices when working, whether that is athome, on campus or while travelling. Such devices include laptops, smart phonesand tablets, and the practice is commonly known as ‘bring your own device’ orBYOD. It is committed to supporting staff in this practice and ensuring that as fewtechnical restrictions as reasonably possible are imposed on accessingUniversity provided services on BYOD.The use of such devices to create and process University information and datacreates issues that need to be addressed, particularly in the area of informationsecurity.The University must ensure that it remains in control of the data for which it isresponsible, regardless of the ownership of the device used to carry out theprocessing. It must also protect its intellectual property as well as empowering staffto ensure that they protect their own personal information.2 Information Security PoliciesAll relevant University policies still apply to staff using BYOD. Staff should note, inparticular, the University’s Information Security related policies. Several of these aredirectly relevant to staff adopting BYOD. University Policy on the Use of Computing Facilities and Resources Protection of Information Held on Mobile Devices and Encryption Policy Anti-Virus Policy Data Protection Policy3 The Responsibilities of Staff MembersIndividuals who make use of BYOD must take responsibility for their own device andhow they use it. They must: Familiarise themselves with their device and its security features so that theycan ensure the safety of University information (as well as their owninformation) Invoke the relevant security features Maintain the device themselves ensuring it is regularly patched and upgraded Ensure that the device is not used for any purpose that would be at odds withthe University Policy on the Use of Computing Facilities and ResourcesWhile University IT staff will always endeavour to assist colleagues whereverpossible, the University cannot take responsibility for supporting devices it does notprovide.Staff using BYOD must take all reasonable steps to: Prevent theft and loss of data Keep information confidential where appropriate Maintain the integrity of data and information, including that on campus Take responsibility for any software they download onto their deviceStaff using BYOD must: Set up passwords, passcodes, passkeys or biometric equivalents. Thesemust be of sufficient length and complexity for the particular type of device Set up remote wipe facilities if available and implement a remote wipe if theylose the device Encrypt documents or devices as necessary (see Protection of InformationHeld on Mobile Devices and Encryption Policy ) Not hold any information that is sensitive, personal, confidential or ofcommercial value on personally owned devices. Instead they should use theirdevice to make use of the many services that the University offers allowingaccess to information on University services securely over the internet. Moreinformation on determining if information is ‘confidential’ is available on thewebsite Where it is essential that information belonging to the University is held on apersonal device it should be deleted as soon as possible once it is no longerrequired. This includes information contained within emails Ensure that relevant information is copied back onto University systems andmanage any potential data integrity issues with existing information Report the loss of any device containing University data (including email) tothe IT Help desk Be aware of any Data Protection issues and ensure personal data is handledappropriately. Report any security breach immediately to IT Helpdesk in accordance with theInformation Security Policy (the Information Governance Unit will be informedwhere personal data is involved). Ensure that no University information is left on any personal deviceindefinitely. Particular care must be taken if a device is disposedof/sold/transferred to a third party4 Monitoring and AccessThe University will not routinely monitor personal devices. However it does reservethe right to: Prevent access to a particular device from either the wired or wirelessnetworks or both Prevent access to a particular system Take all necessary and appropriate steps to retrieve information owned by theUniversity5 Data Protection and BYODThe University must process ‘personal data’ i.e. data about identifiable livingindividuals in accordance with the Data Protection Act 1998. Sensitive personal datais information that relates to race/ethnic origin, political opinions, religious beliefs,trade union membership, health (mental or physical) or details of criminal offences.This category of information should be handled with a higher degree of protection atall times.The University, in line with guidance from the Information Commissioner’s Office onBYOD recognises that there are inherent risks in using personal devices to holdpersonal data. Therefore, staff must follow the guidance in this document whenconsidering using BYOD to process personal data.A breach of the Data Protection Act can lead to the University being fined up to£500,000. Any member of staff found to have deliberately breached the Act may besubject to disciplinary measures, having access to the University’s facilities beingwithdrawn, or even a criminal prosecution.For more information see the University’s Data Protection webpages.6 Information to Help StaffThe University has a policy of ensuring remote access to its systems and serviceswherever possible – Remote Access to University provided Information Systems andServices.The University provides information for staff making use of remote access services:http://www.strath.ac.uk/ithelpdesk/helptopics/remoteaccess/On campus BYOD will normally be limited to the WiFi Network using eduroam.Additional information is provided to help with encryption:http://www.strath.ac.uk/it/itsecurity/encryption/