Overview
This document outlines SSAFA’s policy on the care and use of mobile devices whilst conducting the business of SSAFA. This updated version is effective from 1st October 2024 and may be amended from time to time.
If, having read this policy document, you have questions or comments please raise these in the first instance with your manager or your primary SSAFA point of contact in writing. Please note that SSAFA owned devices cannot be issued unless the DocuSign version of this policy is signed.
Purpose
The purpose of this document is to state explicitly and clearly:
- How corporate mobile devices are issued.
- How issued mobile devices must be used for SSAFA business and cared for (also known as acceptable use).
- How personal devices can be used to access SSAFA systems, services and content.
- Your obligations to SSAFA when using any mobile device to access SSAFA systems, services or content.
All the above is necessary to protect employees from injury, to prevent damage to valuable equipment, to prevent any future legal action that could harm SSAFA’s reputation and to ensure the correct expectations are set at all times.
Scope
This policy applies to employees, volunteers, contractors, consultants, temporary staff and other workers at SSAFA, including all personnel affiliated with third parties that use their own mobile device for business purposes or have one issued to them. This policy covers all mobile phones, smartphones, tablets, BlackBerry type devices, or other personal information, communication or entertainment devices on SSAFA premises or elsewhere whilst on SSAFA business.
Policy
The issuing of a mobile device
- Devices are issued only as SSAFA deems it necessary. Requesting a mobile device from your manager is no guarantee that you will be issued one.
- Mobile devices and the mobile device type issued will be solely dependent on business requirements. Therefore, if SSAFA requires you to be contactable through voice alone, you might not be issued with an email capable handset.
- The issuing of a mobile device should not be deemed permanent and can be requested back by your line manager or the IT department at any time. Similarly, you might be upgraded or downgraded based on business requirements at any point during your employment.
- Mobile devices can be likened to small computers. As such, they have a lifespan of a few years and may be passed from employee to employee. It is likely that you will be issued a device and telephone number that has been used by an outgoing employee. Please do not expect a brand-new device.
General usage, ownership and care
- By accepting a SSAFA-owned mobile device you are agreeing to keep the mobile device and all accessories safe, returning them on request in as near as possible to an “as new” condition (mobile devices can be sold back to the phone company and are of greater value in good condition). The condition of allocated devices will be documented and compared with the device on its return.
- You may be required to replace or pay a fee for lost accessories, cables, chargers, headphones, USB leads, or damaged handsets. Further details can be found in your contract of employment. This ensures that as devices are reallocated, the user experience is not tarnished.
- You will be personally accountable for the safe keeping of the mobile device and its usage. Costs can be recovered, and this will be explained in your contract of employment.
- Lost or damaged handsets may result in costs being recovered from your salary.
- Failing to report a lost or stolen device immediately can lead to excessive costs on the mobile bill, which may be recovered from your salary.
- To reduce risk, personal use is prohibited unless in extreme circumstances. (Today, mobile devices are commodity items and people typically own/operate at least one device personally.)
- Taking the phone abroad is prohibited unless previously agreed in writing, with data capping enabled.
- As the mobile device must be used for business purposes only, the following are prohibited:
- Accessing and using iPlayer or other audio/video catch-up (streaming) services.
- Games and non-business sites.
- Tethering, Internet Sharing or Personal Hotspot: using the mobile device as a source for Internet connectivity for non-business purposes.
Obligations
The following obligations exist to all users of mobile devices regardless of whether they are corporately issued devices or personal devices.
- You agree to immediately inform your manager, as well as the IT and Facilities teams, should your mobile device become lost, stolen or otherwise compromised.
- You are required to be aware of how to remotely wipe your own device if lost, stolen or compromised. Failure to do so could result in data reaching the wrong hands and compromising security. This may lead to a formal process under SSAFA’s disciplinary policy.
- PINs and passwords must be as complex as possible and not in use on any other device or system. By using a mobile device on behalf of SSAFA, you are confirming that any PINs and passwords used to secure the device are unique and not in use anywhere else by yourself.
Security, safety and proprietary information
- Because your own safety and that of others is of primary importance to SSAFA, the following usage policy applies:
- Only use your mobile device in accordance with the manufacturer’s instructions.
- Be aware of, and take into account, the best advice available to you concerning the safe use of your mobile device.
- Be aware of, and comply with, any local laws or regulations covering mobile device use.
- Do not use a mobile device (including a hands-free kit) while driving. SSAFA explicitly forbids the use of any mobile device when in control of a car, even for navigational use.
- Road and traffic offences/violations/charges, any convictions or any costs resulting from the inappropriate use of a phone or other mobile device while driving will be solely your responsibility.
- Protect SSAFA devices and their data by keeping the handset safe and out of sight. The centralised management systems will require devices to PIN-lock after one minute of inactivity.
- Take common sense steps to guard against mobile device theft:
- Do not leave it on a restaurant table, for example. Keep it on your person.
- Keep SSAFA-owned devices at home or at work sites and never take them out to other places unless on SSAFA business.
- Keep the mobile device on your person when at work or conducting SSAFA business.
- As with all SSAFA equipment, take good care of your SSAFA-provided mobile device and return it in the same condition that it was accepted.
- Reduce bills by keeping data service usage to a minimal level: avoid unnecessary mobile web browsing or data usage and use a computer for that purpose instead, i.e. use an office data connection rather than the mobile device data. SSAFA pays heavily for extra data used.
- Ensure that no one else uses your SSAFA-provided mobile device. SSAFA issued devices are only to be used by the employee the device was issued to. Emails and other data are classed as sensitive and must not be accessed by any other party.
- Mobile devices should not be given to children to play with.
- Mobile device data use is always reviewed and monitored by SSAFA.
- The configuration of the mobile device, including installed apps/applications must not be adjusted at any time as this increases risk and potentially weakens security. Any attempt to modify the configuration, even on a best endeavours basis, could result in the SSAFA Disciplinary Policy being invoked.
- Ensure that your SSAFA-issued mobile device is regularly powered on and connected to the internet via WiFi at home. This allows the device to check in with the Mobile Device Management (MDM) system, ensuring compliance and maintaining secure access to SSAFA data. For personal devices, checking in is optional, but if the device does not check in for an extended period, you may need to take steps to re-establish compliance or re-onboard the device before regaining access to SSAFA data.
- Your SSAFA-issued mobile device must be updated within 14 days of an update being released to ensure that all relevant security updates are applied. For personal devices, updating is optional; however, if you choose not to update within 14 days, you will lose access to SSAFA data.
- Signing your SSAFA-issued mobile device into unapproved third-party accounts, including but not limited to (personal) Apple ID, is prohibited. This is essential for maintaining proper mobile management, security, data governance standards, and ensuring no indirect conflict with other policy requirements.
In addition, the following should be avoided
- Calling premium rate numbers or, unless in an emergency, directory enquiry services.
- Using real-time email or enabling data services while out of your “home” country (contact IT for an alternative strategy).
- Accessing or attempting to access potentially inappropriate content such as explicit or pornographic content, hacking materials, radicalisation sites or extremist views.
- Downloading (including purchased content) ring tones, music, videos, images, software/Apps or other items to your SSAFA-provided mobile device without the specific written approval of SSAFA; the IT department and your manager on each occasion. This type of activity exposes SSAFA to litigation, copyright claims and weakens security. As these are computing devices, changes must be controlled and properly documented.
- Synchronising copyrighted content (music, videos, images for example) to a SSAFA-owned PC or laptop. This exposes SSAFA to litigation because we (SSAFA) did not purchase the content.
- Connecting any accessories to your SSAFA-provided mobile device without the specific written approval of SSAFA. This type of activity weakens security.
- Taking/using the phone out of the country for non-SSAFA purposes e.g., taking it on holiday with you.
- Taking the device to a non-business location, other than when travelling to/from a work location. For example, taking the device out to a nightclub.
- Connecting to unsecured WiFi networks as these allow other users to clearly intercept your data. Usage of “foreign” WiFi network access should be restricted to known and approved business networks only.
- “Rooting” or “jailbreaking” of devices, or attempting to root, jailbreak or otherwise circumvent the security being applied to the device.
- Giving out the number of a SSAFA owned device for non-business purposes. (If the device and its phone number is allocated to another employee when you move on, it is not fair on them to field calls from your friends and family.)
- Saving SSAFA content locally on your SSAFA-issued device should be avoided, including within Apple native apps or other similar applications. The appropriate applications (OneDrive, for example) must be used to store SSAFA content, to ensure this data is backed up, and therefore not lost.
Additional guidance
- Bear in mind the increasing incidence of bluejacking: using Bluetooth to deliver viral marketing to your device, install malware or simply add to the bill. Good practice is to disable any Bluetooth function unless you are in a safe environment such as a SSAFA office.
- Please make sure to read and understand Appendix 1, the BYOD extension of this Mobile Policy.
Changes and authorisations
Authorisation for changes in the contract, for example the activation of global roaming, may be sought from a senior Director in writing.
Enforcement
Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment. Please refer to the SSAFA Disciplinary policy.
Signature
- I understand that the safety, security and use of the mobile device is solely my responsibility and I agree to personally reimburse SSAFA for any loss, damage or excessive call/data charges whilst any SSAFA owned mobile device is under my care and control.
- I understand and accept all terms of this policy and agree to be bound by them until I return any SSAFA owned mobile device.
- I understand and accept all terms of this policy and agree to be bound by them until I disconnect my personal device(s) from SSAFA’s mobile device management system.
Name (print):
Date:
Signature:
Appendix A – BYOD (Bring your own device)
Overview
SSAFA recognises the benefits that can be achieved by allowing staff/volunteers to use their own electronic devices when working, whether that is at home, on site or while travelling. Such devices include laptops, smart phones and tablets, and the practice is commonly known as ‘bring your own device’ or BYOD. SSAFA IT is committed to supporting staff/volunteers in this practice by ensuring that as few technical restrictions as reasonably possible are imposed on accessing SSAFA provided services on BYOD.
The use of such devices to create and process SSAFA information and data creates issues that need to be addressed, particularly in the area of information security.
SSAFA must ensure that it remains in control of all data for which it is responsible, regardless of the ownership of the device used to carry out the processing. It must also protect its intellectual property as well as empowering staff/volunteers to ensure they protect their own personal information.
Scope
All relevant SSAFA policies still apply to staff/volunteers using BYOD. Staff/volunteers should note, in particular, SSAFA’s IT and Security related policies. Several of these are directly relevant to staff/volunteers adopting BYOD.
- SSAFA Policy on the Use of Computing Facilities and Resources
- Protection of Information Held on Mobile Devices and Encryption Policy
- Anti-Virus Policy
- Data Protection Policy
Policy
Those who make use of BYOD must take responsibility for their own device and how they use it. They must:
- Familiarise themselves with their device and its security features so that they can ensure the safety of SSAFA information (as well as their own information)
- Invoke the relevant security features
- Maintain the device themselves ensuring it is regularly patched and updated
- Ensure that the device is not used for any purpose that would be at odds with the SSAFA Policy on the Use of Computing Facilities and Resources
- While SSAFA IT will always endeavour to assist colleagues wherever possible, SSAFA cannot take responsibility for supporting devices it does not provide.
- The onus is on the employee to configure and maintain the device(s) for the systems and services they are to be linked with. The IT and Facilities teams will provide Internet links and other sources of helpful material on a best endeavour basis.
- Any use of a personal device and the costs associated with its use for business become solely the responsibility of the employee.
- The employee should ensure they have the appropriate controls, management overhead or tech-knowhow to control their costs.
Staff/volunteers using BYOD must:
- Set up passwords, passcodes, passkeys or biometric equivalents that are of sufficient length, sufficiently complex and completely unique.
- Set up and learn remote wipe facilities; be able to implement a remote wipe if they lose the device
- Encrypt SSAFA documents or content as necessary
- Not hold any information that is sensitive, personal, confidential or of commercial value on personally owned devices. Instead, they should use their device to make use of the many services that SSAFA offers, which allow access to information on SSAFA services securely over the internet. More information on determining if information is ‘confidential’ is available on the website.
- Where it is essential that information belonging to SSAFA is held on a personal device it should be securely deleted as soon as possible. This includes information contained within emails.
- Ensure that relevant information is copied back onto SSAFA systems and manage any potential data integrity issues with existing information.
- Use email services as communication tools, not storage tools.
- Report the loss of any device containing SSAFA data (including email) to the IT Help desk within 24 hours of it becoming lost.
- Stay up to date with Data Protection training and the nuances around the newer GDPR framework.
- Be aware of any Data Protection issues and ensure personal data is handled appropriately.
- Report any security breach immediately to the IT Helpdesk in accordance with the Information Security Policy
- Ensure that no residual SSAFA information is left on any personal device.
- Ensure they are fully aware of how the applications they choose to use work at a detailed level, such as how they store data. As an example we’ll look at WhatsApp.
- WhatsApp is not an application promoted by SSAFA IT but some people choose to use it. By using it, the user must be aware that images sent through the service are automatically copied to the device’s camera/pictures app, which can potentially be a security risk if the image is classed as sensitive. As a result, the image exists in the WhatsApp application and the pictures application on the device. One is secure, the other is not.
Monitoring and Access
The employee agrees that their device will become a (partially) centrally managed asset and grants SSAFA the ability to remotely wipe any corporate data stored, such as company emails, if the need arises. (Important note: Personal data will not be affected by this.) Staff/volunteers using BYOD must take all reasonable steps to:
- Prevent theft and loss of data
- Keep information confidential where appropriate
- Maintain the integrity of data and information and take responsibility for any software they download onto their device
SSAFA staff cannot and will not monitor personal devices; however, the centralised management system will log connection information for governance purposes and to determine device compliance, such as whether your device has security patches applied. In addition, SSAFA does reserve the right to:
- Prevent access to a particular device from either the wired or wireless networks or both
- Prevent access to a particular system from a device
- Take all necessary and appropriate steps to retrieve information owned by SSAFA
Data Protection
SSAFA must process ‘personal data’ i.e. data about identifiable living individuals in accordance with the Data Protection Act and GDPR. Sensitive personal data is information that relates to race/ethnic origin, political opinions, religious beliefs, trade union membership, health (mental or physical) or details of criminal offences. This category of information should be handled with a higher degree of protection at all times.
SSAFA, in line with guidance from the Information Commissioner’s Office on BYOD, recognises that there are inherent risks in using personal devices to hold personal data. Therefore, staff/volunteers must follow the guidance in this document when considering using BYOD to process personal data of beneficiaries, clients or Service Users.
A breach of the Data Protection Act or GDPR can lead to SSAFA being fined up to 4% of its turnover. Any member of staff/volunteers found to have deliberately breached the Act may be subject to disciplinary measures, withdrawal of access to SSAFA’s facilities, or even a criminal prosecution.
For more information see SSAFA’s Data Protection policy, Data Breach guidance and eLearning content.