This website is being retired.
Content is no longer being updated from 31 March 2026. Find out more.
Transformation Directorate
This guidance has been reviewed by the Health and Care Information Governance Working Group, including the Information Commissioner's Office (ICO) and National Data Guardian (NDG).
Published: October 2020
Updated: 29 January 2026
Bring your own device (BYOD) is where employees use their own devices (for example mobile phones, laptops and tablets) for work purposes. As personal devices are not managed in the same way as equipment owned by the organisation, this guidance is intended to support the safe and secure use of BYOD within health and care organisations.
Sometimes doctors, nurses and other health and care staff may use their own devices in the work they do. If staff use their own device, they will need to:
You can find more information in your health and care organisation's privacy notice, or you can ask your organisation how staff use their own devices.
Your organisation may have a policy which allows you to use your own device. You should refer to your organisation’s policies before using your own device for work.
If you are allowed to use your own device for work, you should:
It is essential that you follow your local policy or speak with your information governance (IG) team if you are unsure of when it is or isn't appropriate to use your own device.
Enabling staff to use their own device for work can bring benefits, for example to support communications with other colleagues or to access information on the move when organisational devices are not available. It is important to ensure that benefits of allowing BYOD are balanced with the need to ensure security and compliance with data protection laws. Here are the key things you need to consider relating to BYOD.
Complete a Data Protection Impact Assessment (DPIA) to identify any privacy risks. The DPIA could include:
You should consider completing a separate DPIA for any apps used for storing information or communicating with patients and service users. For example, if using WhatsApp, ensure you have a DPIA for WhatsApp and this includes considerations for BYOD.
Develop and maintain a BYOD policy. The National Cyber Security Centre (NCSC) provides further guidance on how to establish your policy goals and enforce these with technical controls.
Your policy should set out as a minimum:
Consider that your organisation may need to provide information under a Subject Access Request (SAR) or a Freedom of Information (FOI) Act request. Data may also be required for an inquiry or investigation. This may require information from personal devices, so your BYOD policy should explain how data can be accessed if needed and provide clear advice to staff about backing up and storing data appropriately.
You should audit and monitor compliance with your BYOD policy. Regular checks confirm that the policy is being followed in practice, rather than only on paper.
Auditing should also take into account the implications for staff who leave the organisation or those on long term absence, to ensure any work data is appropriately managed or removed where needed.
Make sure it is clear who is responsible for carrying out these checks, for example, the IG team or line managers. You should review the BYOD policy and audit processes regularly.
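To make the audit step concrete, the following is an added example (not part of this guidance or any NHS tool) of a minimal compliance check run over a constructed BYOD device inventory. It flags the cases the text calls out (leavers and staff on long-term absence who still hold work data) alongside basic device hygiene. The inventory fields, the HR status values and the policy thresholds are all assumptions for illustration; a real organisation would take these from its own BYOD policy and its mobile device management and HR systems.

```python
"""
Added example: a minimal BYOD compliance audit over a constructed device
inventory. Field names, HR status values and the thresholds in POLICY are
assumptions for illustration, not values taken from the guidance.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Device:
    device_id: str
    user: str
    hr_status: str          # assumed HR feed values: "active", "leaver", "long_term_absence"
    encrypted: bool         # device storage encryption enabled
    screen_lock: bool       # PIN / biometric lock enforced
    last_checkin: date      # last time the device reported to management
    os_patch_age_days: int  # days since the OS was last patched


# Assumed policy thresholds; a real BYOD policy sets its own.
POLICY = {
    "max_checkin_days": 14,
    "max_patch_age_days": 30,
}


def audit_device(dev: Device, today: date, policy=POLICY) -> list[str]:
    """Return the policy findings for one device (an empty list means compliant)."""
    findings = []
    # Leavers and long-term absence: work data must be managed or removed.
    if dev.hr_status == "leaver":
        findings.append("leaver still enrolled: remove work data and revoke access")
    elif dev.hr_status == "long_term_absence":
        findings.append("long-term absence: confirm work data is managed or removed")
    if not dev.encrypted:
        findings.append("device storage not encrypted")
    if not dev.screen_lock:
        findings.append("no screen lock or PIN enforced")
    if (today - dev.last_checkin).days > policy["max_checkin_days"]:
        findings.append("device has not checked in within the policy window")
    if dev.os_patch_age_days > policy["max_patch_age_days"]:
        findings.append("OS patches overdue")
    return findings


def audit(devices, today: date, policy=POLICY) -> dict[str, list[str]]:
    """Map device_id to its findings for every non-compliant device."""
    report = {}
    for dev in devices:
        findings = audit_device(dev, today, policy)
        if findings:
            report[dev.device_id] = findings
    return report


# Constructed sample inventory (fictional users and devices).
SAMPLE_TODAY = date(2026, 1, 29)
SAMPLE_DEVICES = [
    Device("dev-001", "a.nurse", "active", True, True, date(2026, 1, 27), 10),
    Device("dev-002", "b.doctor", "leaver", True, True, date(2025, 12, 1), 45),
    Device("dev-003", "c.admin", "active", False, True, date(2026, 1, 20), 5),
    Device("dev-004", "d.physio", "long_term_absence", True, False, date(2026, 1, 25), 12),
]


if __name__ == "__main__":
    for device_id, findings in audit(SAMPLE_DEVICES, SAMPLE_TODAY).items():
        print(device_id)
        for finding in findings:
            print("  -", finding)
```

Run as-is, the script lists three non-compliant devices: the leaver's device (still enrolled, not checking in, unpatched), an unencrypted device, and a device belonging to someone on long-term absence with no screen lock. In practice the report would go to whoever the policy names as responsible for the checks, such as the IG team or line managers.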
The NCSC provides guidance on the technical controls that should be considered for BYOD.
You should support staff to ensure that personal data held on their devices is protected against unauthorised or unlawful access, for example, if the device is lost or stolen. As the controller, your organisation remains responsible for this protection even though it does not own the device. Measures should include:
Updated 29 January 2026:
Updated August 2023:
Original publication: October 2020