Bring Your Own Device Policy (Sept25)

Introduction

Bring Your Own Device (BYOD) is an increasingly common practice of permitting staff to bring and use their own devices in the workplace to access organisational information and applications. The practice has become a key consideration owing to the rise in remote and hybrid working. Personally owned/personal devices may include personal computers, laptops, tablets and smartphones which are used to access, collect, store, transmit, carry, use or hold any firm network, systems, computers, information or data. This policy is intended to address the use of such devices within the workplace.

Purpose

We understand that some staff may be more familiar, comfortable and proficient with using their own personal devices for work purposes and we are open to this possibility, provided that it is suitable for the member of staff's role and that they comply with the requirements set out in this policy.

We also encourage innovative ways of working where everyone feels valued and supported at the firm and wish to offer staff, wherever possible, the flexibility of a choice in using devices they prefer whilst operating under proportionate security controls to protect sensitive and confidential data which is inherent in the sector within which we operate.

Scope

This policy applies to all employees in The Eric Whitehead Partnership, including managers and consultants.

Responsibility for policy

All employees (including managers and consultants) are encouraged and expected to:

  • understand this policy and seek clarification from management where required;
  • consider this policy while completing work-related duties and at any time while representing The Eric Whitehead Partnership; and
  • support colleagues in their awareness of this policy.

All employees who are using their personal devices for work purposes are responsible for ensuring compliance with this policy.

Managers have a responsibility to:

  • ensure that all employees are made aware of this policy;
  • actively support and contribute to the implementation of this policy, including its aims and objectives. This includes leading by example and demonstrating the firm’s commitment to the policy aims and objectives through their own actions and behaviours; and
  • manage the implementation and review of this policy.

Timothy Halliday (Data Protection Manager) is ultimately responsible for this policy and for ensuring that it is implemented throughout the firm.

Failure to comply with the requirements set out within this policy will be a disciplinary offence and may result in disciplinary action.

Aims and objectives

The firm’s aims and objectives with this policy are to:

  • set out circumstances and criteria under which it is acceptable and authorised for users to use their personal devices for corporate use in order to access the firm’s network, systems, computers, information and data;
  • ensure that staff comply with data protection legislation, that personal and sensitive information is protected from unauthorised access and that this policy complements the firm’s existing policies (including but not limited to the information management and security policy and flexible, remote and hybrid working policies and any supplemental documents related to these);
  • ensure that BYOD is used legally, securely and appropriately whilst protecting the firm’s duty of care towards the information with which it has been entrusted; and
  • protect confidentiality, integrity and value of information through the optimal use of controls and safeguard our IT security and business network, systems, computers, information and data from risks.

Legal and regulatory obligations

We all have a responsibility to comply with the current UK legislation and regulatory obligations which contribute to the contents of this policy. As a data controller, the firm is responsible for ensuring that all processing of personal data which is under its control is compliant with the Data Protection Act 2018 (DPA), the UK General Data Protection Regulation (UK GDPR) and the relevant provisions of the Data (Use and Access) Act 2025 (DUAA). The firm also understands that it has obligations under the Employment Practices Code, which entitles employees to a degree of privacy in the work environment. Equally, the DPA, UK GDPR and DUAA require that employees must take measures against unauthorised or unlawful processing of personal data.

Supported devices and available systems and services

There are a number of different available devices that run different operating systems. Not all systems and devices will be supported by BYOD owing to the rapidly changing nature of technological updates, and it is the firm’s policy that only the most recent versions of Apple iOS, Apple macOS, Android and Windows are supported. Other devices and older versions of iOS, Android and Windows will, therefore, not be supported as they do not meet the required security standards.

Any device which is rooted, jail-broken or otherwise modified beyond the routine installation of updates, as directly provided by the manufacturer or network provider, will not be enabled for BYOD use and any devices that become rooted, jail-broken or modified will have access denied or removed.

Devices covered by this policy include:

  • smartphones;
  • desktops, laptops and tablet computers; and
  • printers.

The use of external hard disks, flash and memory drives and public cloud storage locations for the storage, downloading or saving of any firm information or data is strictly prohibited for use with BYOD, as is the copying or transfer of any of the firm’s systems, information or data to a non-registered/non-approved device.

The services available for BYOD will depend on current technology and network constraints and some services may be restricted by the constraints of a user’s personal device.

Access

BYOD is optional and may not be appropriate in all roles. Anyone wishing to use a personal device for BYOD must obtain prior authorisation from their line manager and register their personal device(s) with IT who will assess and configure the device(s) to enable access to the firm’s network, systems, computers, information and data, as appropriate.

The process for accessing the BYOD facility is as follows:

  • the personal device owner will raise a request by e-mailing the finance department;
  • IT will schedule an appointment with the personal device owner during which IT will assess and, if deemed appropriate and suitable, enable the relevant access on the personal device, install any necessary systems and applications and register the personal device for BYOD use.

Access to the firm’s network, systems, computers, information and data is only permissible for the purposes of carrying on work necessary to fulfil the user’s role(s).

The firm reserves the right to revoke access to BYOD at any time if it is deemed that staff have not followed this policy.

Acceptable use and specific responsibilities

Whilst the firm supports BYOD for suitable roles, employees using their own personal devices must be aware that they are responsible for protecting the devices and behaving in accordance with this policy whilst using personal devices for business use and personal use during normal working hours.

The firm deems acceptable business use as that which directly or indirectly supports the business of The Eric Whitehead Partnership. Equally, acceptable personal use during normal working hours or whilst using the firm’s network, systems, computers, information and data will be deemed to be reasonable and limited personal communication and recreation. Excessive personal calls, e-mails or texts during the normal working day, regardless of the device used, are not permitted.

Staff will be blocked from accessing certain websites and apps on their personal devices during normal working hours/whilst connected to the firm’s network, at the discretion of the firm.

Whilst at work, staff are expected to exercise the same discretion in using their personal devices as is expected for the use of firm-owned devices.

Users’ personal devices must not be used, at any time, to do any of the following:

  • engage in business activities other than those of the firm;
  • access, store, download or transmit illicit material;
  • harass others or cause any harm to others; or
  • use BYOD for any reason, other than hands-free talking, whilst driving (use should only be where it is safe; even talking whilst using hands-free can be distracting).

For the avoidance of doubt, any user found to be using BYOD for any of the above will automatically have their BYOD privileges revoked and may also face disciplinary and civil or criminal sanctions.

To comply with this policy, we all have some specific responsibilities. These are divided into the following:

Firm responsibilities:

  • the firm’s partners and managers will work with IT to determine the level of network access for personally owned devices and users may be granted full, partial or guest access;
  • the firm will work with IT to enable user access to the appropriate web-based interface and e-mail system, web-based application system, e-mails, calendars and contacts, and the firm’s network, systems, computers, information and data, as applicable and appropriate to the personal device user’s role(s) in the normal business routines;
  • as a data controller, the firm will be responsible for ensuring that all processing of personal data which is under its control is compliant with data protection legislation;
  • the firm will respect the privacy rights of users and will only implement security measures which are required to meet its obligations as a data controller;
  • the firm will not be responsible for covering the cost of damage to, or loss of, any personal devices used by BYOD users; and
  • the firm will not be responsible for covering any network costs incurred when using personal devices for BYOD.

IT department responsibilities:

  • IT will manage the BYOD facility by ensuring that appropriate security is in place in the first instance (thereafter the employee will be responsible for ensuring that up-to-date anti-virus protection is installed – see below) and that only suitable devices can connect to the firm’s network, systems, computers, information or data;
  • IT will determine the level of network access for personally owned devices and users may be granted full, partial or guest access;
  • IT will register all BYOD personal devices used to access the firm’s network, systems, information and data and check, at the outset of a request for BYOD, whether the relevant devices meet the minimum control requirements of this policy to enable BYOD for individual users;
  • IT will not be responsible for supporting or maintaining any personal devices used for BYOD; and
  • IT will remove personal device access for any user who has left the firm.

User responsibilities:

  • users must register their personal device(s) with IT;
  • users are expected to use their devices in an ethical manner and at all times to adhere to the firm’s acceptable use policy, above;
  • users should not attempt to change or disable any security settings applied to their personal devices by IT;
  • users should never share personal devices, account log-in details, passwords or PINs for access to the firm’s network, systems, computers, information or data, and should consider using different passwords for personal devices from those used to access corporate devices in the workplace;
  • users must comply with any applicable legislation and adhere to the firm’s policies, working practices and procedures, including taking appropriate steps to maintain the security of the firm’s network, systems, computers, information and data;
  • only users may access the firm’s network, systems, computers, information and data (such as e-mails, calendars, contacts and documents) through personal devices, and then only those which they are authorised to access and which are appropriate to their role(s) during normal working hours (unless the use of BYOD is required for their role(s) beyond normal working hours); users must ensure that non-staff members with access to their devices will not have access to the firm’s network, systems, computers, information and data;
  • users must maintain their personal devices as required in the ‘supported devices and available services’ section of this policy;
  • following the IT department’s initial set-up of a personal device, users will thereafter be responsible for ensuring that up-to-date anti-virus protection is installed on their personal devices and turned on at all times;
  • users accessing the firm’s network, systems, computers, information or data via personal devices must not store or save these to their devices (including via downloads and screenshots/screengrabs);
  • any private information or applications on a personal device are entirely the user’s responsibility and the user is responsible for their safekeeping;
  • users must report any viruses, spyware infection, other malware or threat risk, or any breaches relating to BYOD, to IT as soon as it is possible to do so; and
  • users must inform the IT department before selling, recycling, giving away or otherwise disposing of personal devices used for BYOD or promptly if the user’s device is lost or stolen or the user leaves the firm’s employment, in order to allow access to the firm’s information to be removed securely from those personal devices.

Minimum control requirements

Personal devices such as smartphones, laptops and tablets which are not provided by the firm are required to meet minimum controls, to reduce security risks, in order to be used as BYOD for work purposes.

The minimum acceptable controls which must be implemented by users on any personal device in order to access the firm’s network, systems, computers, information and data are:

  • at least a 6-digit PIN or password/pass-phrase;
  • device to automatically lock after a period of inactivity of 5 minutes or less;
  • device to be set to allow remote wiping; and
  • encryption enabled that covers stored data, with the business network/data accessed only through an encrypted VPN.

Additionally, the personal device must also:

  • allow only trusted applications from official/reputable sources to be installed;
  • receive software updates from the manufacturer and other third parties; and
  • receive software updates for security patches within one week of their release.

Personal devices may be used to enable users to utilise two-factor authentication.

Monitoring

Staff will have legitimate expectations that they can keep their personal lives private and that they are entitled to a degree of privacy in the work environment. The firm wishes to make it clear that, whilst we reserve the right to monitor the usage of any BYOD, this will only be to the extent necessary to ensure that personal devices are being used in accordance with this policy (and other related policies, for example, internet and social media). The monitoring process may involve checking that personal devices are operating on correct and up-to-date systems and may require users to upgrade these, within a specified time, if and as necessary.

Other monitoring may include spot checks on individual personal devices whereby the user will be required to allow authorised personnel to access the user’s personal device to check settings related to BYOD.

Any failure to cooperate with monitoring requirements or with requests to remedy or rectify any failures identified, or any non-compliance with this policy, may result in access to the BYOD facility being withdrawn from the user and/or disciplinary action by the firm.

For the avoidance of doubt, any access to personal devices will be conducted by authorised technical personnel who may only access corporate applications via the personal devices and may not access or monitor the user’s personal data or usage of a personal device, in accordance with the firm’s IT policy, information security policy and flexible, remote and hybrid working policies and any supplemental documents related to these. In some limited circumstances, a user’s personal device location may be accessed and/or collected by authorised technical personnel, but this data will only be used for the purpose of locating the device; users of iPhone, iPad and Mac should enable the “Find My iPhone” application on such devices.

Loss or damage

Users assume full liability for risks including, but not limited to, the partial or complete loss of firm and personal data due to an operating system crash, errors, bugs, viruses, malware and/or other software or hardware failures, programming errors that render the personal devices unusable, or other loss or damage to personal devices which are used under this policy. Should any personal devices used under this policy be lost, stolen or damaged, the user must inform the firm’s IT department as soon as possible so that the personal device may be remotely disabled and/or wiped. The Eric Whitehead Partnership does not take any responsibility for any personal data (such as photographs or personal files) that may be lost as a consequence of a remote wipe, and it is the responsibility of individuals to ensure that their personal data is backed up in advance.

Costs

Users are personally and solely responsible for all costs related to the use of their personal device(s), including purchasing, running, repairing and replacing their personal device(s) and paying any network, mobile data or wi-fi hotspot charges incurred whilst using personal devices for work purposes.

Communication

The Eric Whitehead Partnership will ensure that:

  • all employees receive a copy of this policy during the induction process and upon request for BYOD facility use;
  • this policy and any supporting documents are easily accessible to all employees;
  • employees are informed when a particular activity aligns with this policy;
  • employees are empowered to actively contribute and provide feedback to this policy; and
  • employees are notified of all changes to this policy.

Review of policy

This policy will be reviewed at least annually by Timothy Halliday (Data Protection Manager).

September 2025
