SSAFA Volunteer Knowledgebase

Mobile Policy

This document outlines SSAFA’s policy aligned to the care and use of mobile devices whilst conducting the business of SSAFA. It is effective from 1st June 2017 and may be amended from time to time. At the end of the document you are asked to sign that you understand, accept and agree to this policy. If, having read the document, you have questions or comments please raise these in the first instance with your manager in writing.

Purpose

The purpose of this document is to state explicitly and clearly:

  • How corporate mobile devices are issued.
  • How issued mobile devices must be used for SSAFA business and cared for.
  • How personal devices can be used to access SSAFA systems, services and content.
  • Your obligations to SSAFA when using any mobile device to access SSAFA systems, services or content.

All the above is necessary in order to protect employees from injury, to prevent damage to valuable equipment, to prevent any future legal action that could harm SSAFA’s reputation, and to ensure the correct expectations are set at all times.

Scope

This policy applies to employees, contractors, consultants, temporary staff and other workers at SSAFA, including all personnel affiliated with third parties that use their own mobile device for business purposes or have one issued to them. This policy covers all mobile phones, Smartphones, tablets, BlackBerry type devices, or other personal information, communication or entertainment devices on SSAFA premises or elsewhere whilst on SSAFA business.

Policy

The issuing of a mobile device

  1. Devices are issued only as SSAFA deems it necessary. Requesting a mobile device from your manager is no guarantee that you will be issued one.
  2. Mobile devices and the mobile device type issued will be solely dependent on business requirements. Therefore, if SSAFA requires you to be contactable through voice alone, you might not be issued with an email capable handset.
  3. The issuing of a mobile device should not be deemed permanent and can be requested back by your line manager or the IT department at any time. Similarly, you might be upgraded or downgraded based on business requirements at any point during your employment.
  4. Mobile devices can be likened to small computers these days. As such, they have a lifespan of a few years and may be passed from employee to employee. It is likely that you will be issued a device and telephone number that has been used by an outgoing employee. Please do not expect a brand new device.

General usage, ownership and care

  1. By accepting a SSAFA-owned mobile device you are agreeing to keep the mobile device and all accessories safe, returning them on request in as near as possible to an “as new” condition (mobile devices can be sold back to the phone company and are of greater value in good condition). The condition of allocated devices will be documented and compared with the device on its return.
  2. You may be required to replace or pay a fee for lost handbooks, cables, chargers, headphones, USB leads, accessories or damaged handsets. Further details can be found in your contract of employment. This ensures that as devices are reallocated, the user experience is not tarnished.
  3. You will be personally accountable for the safekeeping of the mobile device and its usage. Costs can be recovered, and this will be explained in your contract of employment.
  4. Lost or damaged handsets may result in costs being recovered from your salary.
  5. Failing to report a lost or stolen device immediately may result in costs incurred as a result of loss or theft being recovered from your salary.
  6. To reduce risk, personal use is prohibited unless in extreme circumstances. (Today, mobile devices are commodity items and people typically own/operate at least one device personally.)
  7. As the mobile device must be used for business purposes only, the following are prohibited:
       • Accessing and using iPlayer or other video catch-up services.
       • Games.
       • Music streaming services.
       • Tethering, Internet Sharing or Personal Hotspot: using the mobile device as a source of Internet connectivity for non-business purposes.

Personal mobile devices

While there are individuals whom SSAFA requires to have access to a suitable mobile device, SSAFA recognises that many employees may choose to use their own personal device(s) to increase productivity or allow for a more flexible working style. In order to accommodate these requests and desires, SSAFA aims for an “any device, any location, any time” strategy (otherwise known as “AAA”) whenever it can. This strategy is subject to the following rules:

  1. The onus is on the employee to configure and maintain the device(s) for the systems and services they are to be linked with. The IT and Facilities teams will provide Internet links and other sources of helpful material on a best endeavour basis. In short, if you are unable to configure your own device without external help, you should not be relying on it for business purposes.
  2. Unless captured in writing and agreed to by an employee, any use of a personal device and the costs associated with its use for business become solely the responsibility of the employee.
  3. The employee should ensure they have the appropriate controls, management overhead or tech-knowhow to control their costs.
  4. The employee agrees that their device will become a centrally managed asset and grants SSAFA the ability to remotely wipe any corporate data stored, such as company emails, if the need arises. (Personal data will not be affected by this.)

Obligations

The following obligations apply to all users of mobile devices, regardless of whether they are corporately issued devices or personal devices.

  1. You agree to inform your manager, as well as the IT and Facilities teams, should your mobile device become lost, stolen or otherwise compromised.
  2. You are required to be aware of how to remotely wipe your own device if lost, stolen or compromised. Failure to do so could result in data reaching the wrong hands and compromising security. This may lead to a formal process under SSAFA’s disciplinary policy.
  3. PINs and passwords must be as complex as possible and not in use on any other device or system. By using a mobile device on behalf of SSAFA, you are confirming that any PINs and passwords used to secure the device are unique and not in use anywhere else by yourself.

Security and proprietary information

  1. Because your own safety and that of others is of primary importance to SSAFA the following usage policy applies:
  2. Only use your mobile device in accordance with the manufacturer’s instructions.
  3. Be aware of, and take into account, the best advice available to you concerning the safe use of your mobile device.
  4. Be aware of, and comply with, any local laws or regulations covering mobile device use.
  5. Do not use a mobile device (including a hands-free kit) while driving. SSAFA explicitly forbids the use of any mobile device when in control of a car, even for navigational use.
  6. Road and traffic offences/violations/charges, any convictions or any costs resulting from the inappropriate use of a phone or other mobile device while driving will be solely your responsibility.
  7. Protect SSAFA data by keeping the handset safe and out of sight whenever possible. The centralised management systems will require devices to PIN-lock after one minute of inactivity.
  8. Take common-sense steps to guard against mobile device theft at all times, for example:
       • Do not leave it on a restaurant table if it is your own device.
       • Keep SSAFA-owned devices at home or at work sites and never take them elsewhere unless on SSAFA business.
       • Keep the mobile device on your person when at work or conducting SSAFA business.
  9. As with all SSAFA equipment, take good care of your SSAFA-provided mobile device and return it in the same condition that it was accepted.
  10. Reduce bills by keeping data service usage to a minimal level by avoiding unnecessary mobile web browsing or data usage and instead using a computer for that purpose, i.e. use an office data connection rather than the mobile device data.
  11. Ensure that no one else uses your SSAFA-provided mobile device. SSAFA-issued devices are only to be used by the employee the device was issued to. Emails and other data are classed as sensitive and must not be accessed by any other party.
  12. Mobile devices are not toys and should not be given to children to play with.
  13. Mobile device use is reviewed and monitored by SSAFA at all times.
  14. The configuration of the mobile device, including installed apps/applications, must not be adjusted at any time as this increases risk and potentially weakens security. Any attempt to modify the configuration, even on a best endeavours basis, could result in the SSAFA Disciplinary Policy being invoked.

In addition, the following should be avoided:

  1. Calling premium rate numbers or, unless in an emergency, directory enquiry services.
  2. Using real-time email or enabling data services while out of your “home” country (contact IT for an alternative strategy).
  3. Accessing or attempting to access potentially inappropriate content such as explicit or pornographic content, hacking materials, radicalisation sites or extremist views.
  4. Downloading (including purchased content) ring tones, music, videos, images, software/Apps or other items to your SSAFA-provided mobile device without the specific written approval of SSAFA and your Manager on each occasion. This type of activity exposes SSAFA to litigation and weakens our security. As these are computing devices, changes must be controlled and properly documented.
  5. Synchronising copyrighted content (music, videos, images for example) to a SSAFA-owned PC or laptop. This exposes SSAFA to litigation because we (SSAFA) did not purchase the content.
  6. Connecting any accessories to your SSAFA-provided mobile device without the specific written approval of SSAFA. This type of activity weakens security.
  7. Taking/using the phone out of the country for non-SSAFA purposes, e.g. taking it on holiday with you.
  8. Taking the device to a non-business location, other than when travelling to/from a work location. For example, taking the device out to a nightclub.
  9. Connecting to unsecured WiFi networks as these allow other users to clearly intercept your data. Usage of “foreign” WiFi network access should be restricted to known and approved business networks only.
  10. “Rooting” or “jailbreaking” of devices, or attempting to root, jailbreak or otherwise circumvent the security being applied to the device.
  11. Giving out the number of a SSAFA-owned device for non-business purposes. (If the device and its phone number are allocated to another employee when you move on, it is not fair on them to field calls from your friends and family.)

Additional guidance

  • Bear in mind the increasing incidence of bluejacking: using Bluetooth to deliver viral marketing to your device, install malware or simply add to the bill. Good practice is to disable any Bluetooth function unless you are in a safe environment such as a SSAFA office.
  • Please make sure to read and understand Appendix 1, the BYOD extension of this Mobile Policy.

Changes and authorisations

Authorisation for changes in the contract, for example the activation of global roaming, may be sought from a senior Director in writing.

Enforcement

Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment. Please refer to the SSAFA Disciplinary policy.

Signature

  • I understand that the safety, security and use of the mobile device is solely my responsibility and I agree to personally reimburse SSAFA for any loss, damage or excessive call/data charges whilst any SSAFA owned mobile device is under my care and control.
  • I understand and accept all terms of this policy and agree to be bound by them until I return any SSAFA owned mobile device.
  • I understand and accept all terms of this policy and agree to be bound by them until I disconnect my personal device(s) from SSAFA’s mobile device management system.
Name (print) Date
Signature

Appendix A – BYOD

Overview

SSAFA recognises the benefits that can be achieved by allowing staff/volunteers to use their own electronic devices when working, whether that is at home, on site or while travelling. Such devices include laptops, smart phones and tablets, and the practice is commonly known as ‘bring your own device’ or BYOD. SSAFA IT is committed to supporting staff/volunteers in this practice and ensuring that as few technical restrictions as reasonably possible are imposed on accessing SSAFA provided services on BYOD.

The use of such devices to create and process SSAFA information and data creates issues that need to be addressed, particularly in the area of information security.

SSAFA must ensure that it remains in control of the data for which it is responsible, regardless of the ownership of the device used to carry out the processing. It must also protect its intellectual property as well as empowering staff/volunteers to ensure that they protect their own personal information.

Scope

All relevant SSAFA policies still apply to staff/volunteers using BYOD. Staff/volunteers should note, in particular, SSAFA’s IT and Security related policies. Several of these are directly relevant to staff/volunteers adopting BYOD.

  • SSAFA Policy on the Use of Computing Facilities and Resources
  • Protection of Information Held on Mobile Devices and Encryption Policy
  • Anti-Virus Policy
  • Data Protection Policy

Policy

Those who make use of BYOD must take responsibility for their own device and how they use it. They must:

  • Familiarise themselves with their device and its security features so that they can ensure the safety of SSAFA information (as well as their own information)
  • Invoke the relevant security features
  • Maintain the device themselves ensuring it is regularly patched and upgraded
  • Ensure that the device is not used for any purpose that would be at odds with the SSAFA Policy on the Use of Computing Facilities and Resources
  • While SSAFA IT will always endeavour to assist colleagues wherever possible, SSAFA cannot take responsibility for supporting devices it does not provide.

Staff/volunteers using BYOD must take all reasonable steps to:

  • Prevent theft and loss of data
  • Keep information confidential where appropriate
  • Maintain the integrity of data and information and take responsibility for any software they download onto their device

Staff/volunteers using BYOD must:

  • Set up passwords, passcodes, passkeys or biometric equivalents that are of sufficient length, sufficiently complex and completely unique.
  • Set up and learn remote wipe facilities; be able to implement a remote wipe if they lose the device
  • Encrypt SSAFA documents or content as necessary
  • Not hold any information that is sensitive, personal, confidential or of commercial value on personally owned devices. Instead they should use their device to make use of the many services that SSAFA offers, which allow access to information on SSAFA services securely over the internet. More information on determining if information is ‘confidential’ is available on the website.
  • Where it is essential that information belonging to SSAFA is held on a personal device it should be securely deleted as soon as possible. This includes information contained within emails.
  • Ensure that relevant information is copied back onto SSAFA systems and manage any potential data integrity issues with existing information.
  • Use email services as communication tools, not storage tools.
  • Report the loss of any device containing SSAFA data (including email) to the IT Helpdesk within 24 hours of it becoming lost.
  • Stay up to date with Data Protection training and the nuances around the newer GDPR framework.
  • Be aware of any Data Protection issues and ensure personal data is handled appropriately.
  • Report any security breach immediately to the IT Helpdesk in accordance with the Information Security Policy
  • Ensure that no residual SSAFA information is left on any personal device.
  • Ensure they are fully aware of how the applications they choose to use work at a detailed level, such as how they store data. As an example we’ll look at WhatsApp.
  • WhatsApp is not an application promoted by SSAFA IT but some people choose to use it. By using it, the user must be aware that images sent through the service are automatically copied to the device’s camera/pictures app, which can potentially be a security risk if the image is classed as sensitive. As a result, the image exists in the WhatsApp application and the pictures application on the device. One is secure, the other is not.

Monitoring and Access

SSAFA will not personally monitor devices; however, the centralised management system will log connection information for governance purposes. In addition, SSAFA does reserve the right to:

  • Prevent access to a particular device from either the wired or wireless networks or both
  • Prevent access to a particular system from a device
  • Take all necessary and appropriate steps to retrieve information owned by SSAFA

Data Protection

SSAFA must process ‘personal data’ i.e. data about identifiable living individuals in accordance with the Data Protection Act and GDPR. Sensitive personal data is information that relates to race/ethnic origin, political opinions, religious beliefs, trade union membership, health (mental or physical) or details of criminal offences. This category of information should be handled with a higher degree of protection at all times.

SSAFA, in line with guidance from the Information Commissioner’s Office on BYOD, recognises that there are inherent risks in using personal devices to hold personal data. Therefore, staff/volunteers must follow the guidance in this document when considering using BYOD to process personal data of beneficiaries, clients or Service Users.

A breach of the Data Protection Act or GDPR can lead to SSAFA being fined up to 4% of its turnover. Any member of staff or volunteer found to have deliberately breached the Act may be subject to disciplinary measures, withdrawal of access to SSAFA’s facilities, or even a criminal prosecution.

For more information see SSAFA’s Data Protection policies and eLearning content.
