Bring your own device (BYOD) guidance
Published: October 2020
Updated: August 2023
Bring your own device (BYOD) is a service offered by organisations to their employees to enable them to use their own devices for work, e.g. mobile phones, laptops and tablets.
Guidance for patients and service users
This guidance will help doctors, nurses and other health and care staff use their own devices safely and securely in the work they do.
Guidance for healthcare workers
It should be possible for you to use your own device where there is no practical alternative. You should, however, refer to your organisation’s policies before using your own device for work.
If you choose to use your own device for work, your organisation should ask you to sign an acceptable use policy. This could include, for example, seeking your agreement to:
- set a strong password
- use secure channels to communicate, e.g. tools or apps that use encryption
- not store personal or confidential patient information on the device unless absolutely necessary and appropriate security is in place
Guidance for IG professionals
Enabling staff to use their own device for work can bring benefits, for example supporting communication with colleagues or providing access to information on the move. It is possible to implement a BYOD policy which ensures that risks are managed and appropriate controls are implemented. Here are the key things you need to consider relating to BYOD.
- Use a Data Protection Impact Assessment (DPIA) to identify any privacy risks.
- Develop a BYOD policy so that staff are clear about their responsibilities and what constitutes acceptable use. For example, recommend security standards such as setting strong passwords.
- Consider how you will meet any legal requirements. For example, how will you respond to a Freedom of Information Act request if a staff member is on holiday? Does your BYOD policy include advice about backing up data, to ensure that data is not backed up outside of the EU, which could breach the Data Protection Act?
- Audit and monitor compliance with the policy. Regular checks will ensure that the policy is being adhered to.
- Support staff to ensure that data is protected against unauthorised or unlawful access, for example if the device is lost or stolen. This remains your responsibility as the data controller. Such measures can include controlling access to the data or device using a password or PIN, or encrypting the data.
Further Information
- BYOD guidance from the National Cyber Security Centre (the UK's independent authority on cyber security)
- BYOD guidance from the Information Commissioner’s Office (PDF, 344 KB)