Transformation Directorate

This guidance has been reviewed by the Health and Care Information Governance Working Group, including the Information Commissioner's Office (ICO) and National Data Guardian (NDG).


Bring your own device (BYOD) guidance


Published: October 2020

Updated: 29 January 2026

Bring your own device (BYOD) is where employees use their own devices (for example mobile phones, laptops and tablets) for work purposes. As personal devices are not managed in the same way as equipment owned by the organisation, this guidance is intended to support the safe and secure use of BYOD within health and care organisations.



Guidance for patients and service users

Sometimes doctors, nurses and other health and care staff may use their own devices in the work they do. If staff use their own device, they will need to:

  • make sure their device is secure
  • follow their organisation’s rules

You can find more information in your health and care organisation's privacy notice, or you can ask your organisation how staff use their own devices.


Guidance for healthcare workers

Your organisation may have a policy which allows you to use your own device. You should refer to your organisation’s policies before using your own device for work.

If you are allowed to use your own device for work, you should:

  • secure your device with a strong password in line with your local policy
  • use secure channels to communicate, for example use tools/apps that have been approved by your organisation
  • avoid storing personal/confidential patient information on the device unless absolutely necessary and appropriate security is in place. Where this is unavoidable (for example during a home visit where no work device is available), follow your organisation’s local policy and procedures for securely transferring information to the main record
  • only use apps that have been approved by your organisation and follow any local guidelines on clinical photography

It is essential that you follow your local policy or speak with your information governance (IG) team if you are unsure of when it is or isn't appropriate to use your own device.


Guidance for IG professionals

Enabling staff to use their own device for work can bring benefits, for example to support communications with other colleagues or to access information on the move when organisational devices are not available. It is important to ensure that the benefits of allowing BYOD are balanced with the need to ensure security and compliance with data protection laws. Here are the key things you need to consider relating to BYOD.

Data protection impact assessment (DPIA)

Complete a Data Protection Impact Assessment (DPIA) to identify any privacy risks. The DPIA could include:

  • procedures for lost or stolen devices
  • a procedure for errors that may occur when transferring information to the official record
  • mitigations such as verifying staff understanding of risks, policy awareness and the audit of devices
  • considerations around using applications such as Microsoft Intune to ensure that work information is held in a segregated area on the personal device, to increase the security and protection of corporate information

You should consider completing a separate DPIA for any apps used for storing information or communicating with patients and service users. For example, if using WhatsApp, ensure you have a DPIA for WhatsApp and this includes considerations for BYOD.

Policy

Develop and maintain a BYOD policy. The National Cyber Security Centre (NCSC) provides further guidance on how to establish your policy goals and enforce these with technical controls.

Your policy should set out as a minimum:

  • acceptable use standards (for example, security measures such as setting strong passwords, multi-factor authentication (MFA), encryption and regular software updates)
  • roles and responsibilities for staff, management and IT
  • procedures for when a staff member leaves, including ensuring that all work data is removed from personal devices
  • rules on what type of data can be accessed. For example, this may be limited to emails and internal chat rather than health record systems
  • if personal data is accessed or saved on devices, what steps must be taken to prevent uploading or syncing to other devices or clouds and what steps should be taken afterwards, for example, saving to the main record and securely deleting the data
  • a requirement for all BYOD devices to be registered and managed with IT (see NCSC guidance for further information on management of BYOD devices)
  • an approach to staff education, training and awareness on the safe and appropriate use of BYOD

Requests for information

Consider that your organisation may need to provide information under a Subject Access Request (SAR) or a Freedom of Information (FOI) Act request. Data may also be required for an inquiry or investigation. This may require information from personal devices, so your BYOD policy should explain how data can be accessed if needed and provide clear advice to staff about backing up and storing data appropriately.

Auditing and monitoring

You should audit and monitor compliance with your BYOD policy. Regular checks will ensure that the policy is being adhered to.

Auditing should also take into account the implications for staff who leave the organisation or those on long term absence, to ensure any work data is appropriately managed or removed where needed.

Make sure it is clear who is responsible for carrying out these checks, for example, the IG team or line managers. You should review the BYOD policy and audit processes regularly.

Security

The NCSC provides guidance on the technical controls that should be considered for BYOD.

You should support staff to ensure that they are protected against unauthorised or unlawful access, for example, if the device is lost or stolen. This remains your organisation’s responsibility as the controller. Measures should include:

  • ensuring that access to the data or device is controlled, by requiring members of staff using their own device to have a password or PIN in place on their device
  • ensuring that MFA is required for any access to organisational resources
  • having clear steps in place to respond to incidents including lost or stolen devices
  • working with IT to have all BYOD devices registered and managed appropriately
  • setting out what steps/action will be taken if a staff member does not follow the procedures outlined in the BYOD policy

Further Information

Updates since original publication

Updated 29 January 2026:

  • to include more information in the introduction and section for patients and service users
  • to include more information and examples in the sections for healthcare workers and information governance (IG) professionals
  • to remove information about international data transfers from the section for IG professionals, as this was out of date and there are separate FAQs about data flows published on NHS England’s IG portal

Updated August 2023:

  • to remove reference to COVID-19
  • to update links

Original publication: October 2020
