Mobile Devices and Remote Working

Policy

Version: 2.0
Date: March 2016
Version Control

Date Version Comments

28.8.13 1.0 First finalised version

28.4.14 1.2 Review and update
03.06.14 1.3 Review
20.1.15 1.4 Review
September 2015 1.5 Policy subject to full review
December 2015 1.6 Draft approved at IMG
February 2016 1.6 Union Consultation
March 2016 2.0 Approved by Executive Decision

V.2.0 Mobile Devices and Remote Working Policy Page 2 of 7

Table of Contents

1 Introduction ............................................................................................................................... 4
2 Policy Statement ....................................................................................................................... 4
3 Scope ....................................................................................................................................... 4
4 Mobile Device ........................................................................................................................... 5
5 Working Remotely .................................................................................................................... 5
6 Responsibilities ......................................................................................................................... 6
Information Management Group (IMG) ......................................................................................... 6
Business IT .................................................................................................................................. 6
Line Managers ............................................................................................................................. 7
Employees ................................................................................................................................... 7
7 Review and Governance ........................................................................................................... 7
8 Policy Compliance .................................................................................................................... 7

V.2.0 Mobile Devices and Remote Working Policy Page 3 of 7

1 Introduction
1.1 Mobile devices are provided to assist Employees to conduct official Council business
efficiently and effectively. This equipment, and any information stored on mobile devices,
must be recognised as valuable organisational information assets and safeguarded
appropriately.
1.2 This Policy is intended to identify how the Council will secure its data and its physical
corporate assets when they are removed from Council premises for the purpose of
Employees working in remote locations, including working from home.
1.3 It will consider the physical security needed to protect valuable equipment and it will
consider the electronic securities necessary to ensure that computers falling into wrong
hands cannot be used to access personal or other sensitive data.
1.4 It will also identify measures needing to be taken to ensure that data whether paper based
or in electronic form is not able to be seen by unauthorised individuals.

2 Policy Statement
2.1 The Council provides Employees with the facilities and opportunities to work remotely as
appropriate. The will ensure that all Employees who work remotely are aware of the
acceptable use of mobile devices and remote working opportunities.
2.2 The Council recognises that there are risks associated with Employees accessing and
handling information in order to conduct official Council business.
2.3 This Policy aims to mitigate the following risks:
 Increased risk of equipment damage, loss or theft.
 Accidental or deliberate overlooking by unauthorised individuals.
 Unauthorised access to sensitive information.
 Introduction of malicious software and viruses.
 Potential sanctions against the Council or individuals imposed by the Information
Commissioner’s Office as a result of information loss or misuse.
 Potential legal action against the Council or individuals as a result of information loss or
misuse.
 Council reputational damage as a result of information loss or misuse

3 Scope
3.1 This Policy applies to all Employees and third parties working for or on behalf of the Council
with any form of access to a Council mobile device and any Council information when
working away from Council premises (i.e. working remotely). For the purpose of this Policy
the term ‘Employee’ refers to all full-time and part-time employees, temporary employees,
agency workers, contractors and consultants.
3.2 This Policy should be read in conjunction with the Code of Conduct, the Council
Comprehensive Equality Policy and other associated relevant policies, procedures and
guidance as contained within the Information Management Framework.

V.2.0 Mobile Devices and Remote Working Policy Page 4 of 7

4 Mobile Device
4.1 Business IT staff shall be given access to Council mobile devices to allow essential
maintenance, security work or removal of the device, upon request.
4.2 The following points must be adhered to at all times:
 Due care must be given to all supplied equipment.
 All information on mobile devices must be encrypted.
 Software must not be installed on the mobile device, unless approved by Business IT.
 Hardware must not be installed to or inside the mobile device, unless advised to do so
by Business IT.
 No attempts must be made to change the configuration of the mobile device.
 Endpoint protection must not be disabled.
 IT Service Desk must be informed of any mobile device reporting configuration
changes.
 Business critical information should be stored on a Council file server and not held on
the mobile device.
 All faults, equipment thefts or losses must be reported to the IT Service Desk as soon
as is reasonably practicable.
 Asset registration information must not be removed or defaced.
 Upgrades of hardware or software must be appropriately approved.
 The mobile device is supplied for the individual’s sole use.
 Costs of repair may be recovered for any fault in the equipment caused by the
Employee or by their negligence.
 Approval must be sought via the IT Service Desk before taking any Council supplied
ICT equipment outside the United Kingdom.
 The mobile device must be returned to the IT Service Desk if requested, in order that
audits and inspections can be undertaken.
 Data classed as personal/sensitive, services or facilities should only be accessed from a
Council owned device.

5 Working Remotely
5.1 The Lone Working section of the Health and Safety Procedures Manual must be complied
with, ensuring an awareness of the physical security dangers and risks associated with
working remotely.
5.2 When removing anything from Council buildings, including mobile devices and paper
documentation, the following points must be adhered to:
 Hard copies of data must be kept out of sight, i.e. in a bag or briefcase.
 Data should be saved to a network drive, unless approval has been obtained from
Business IT.
 Laptops must be completely shut down and turned off to ensure that data is encrypted.
 If documents and mobile devices containing sensitive data are removed from site,
appropriate controls should be put in place to provide an audit trail; e.g. signing in/out of
hard copy files, provision of locked storage boxes, specific management approval etc.
 If transporting mobile devices / data by car, the bag / briefcase must be placed in the
locked boot of the vehicle.
 If the vehicle is left unattended for any reason, the bag / briefcase must be removed and
remain with the individual at all times.
5.3 In the home it must also be located out of sight of the casual visitor and when not in use.

V.2.0 Mobile Devices and Remote Working Policy Page 5 of 7

5.4 Access/authentication tokens and personal identification numbers must be kept in a
separate location to the mobile device at all times.
5.5 Remote access to the Council’s network is available through mobile devices provided by
the Council. The hardware provided will have the necessary security software in place.
5.6 Remote access by third parties is managed in line with the Council Third Party ICT Access
Procedure.

Access Controls
5.7 The access controls as documented within the ICT Security Policy must be complied with at
all times.
5.8 Dual-factor authentication methods should be used when accessing the Council network
remotely.
5.9 Access to the Internet from Council owned ICT equipment that connects to the Council’s
network is only allowed via onward connection to Council provided Proxy Servers and not
directly to the Internet.

Endpoint Protection and Patching

5.10 It is essential that mobile devices are connected to the Council network at least once every
two weeks to enable the endpoint protection software to be updated and for patches to be
applied.

Personal / Sensitive Data

5.11 Documents or screen shots detailing personal / sensitive data should only be printed to be
taken off site when absolutely necessary. All other methods should be considered first, e.g.
remote access to data.

6 Responsibilities
Information Management Group (IMG)
6.1 The role of the Information Management Group (IMG) is to co-ordinate the approach to
every aspect of Information Management, and not just compliance with DPA 1998.
6.2 The group is made up of Departmental Information Management Representatives who are
senior managers in each Department and are responsible for a multi-disciplinary approach
to the management of information throughout their Departments.
6.3 The IMG is responsible for the overarching governance and implementation of the Policy
throughout the Council.
6.4 The IMG is responsible for ensuring that all Employees are fully aware of Council policy and
process, and have received appropriate training.
6.5 The IMG is also responsible for the development and monitoring of the adherence to the
Policy.

Business IT
6.6 Business IT has overall responsibility for the issue, management and maintenance of
Council mobile devices.
6.7 Business IT are responsible for setting up and patching devices in accordance with
approved end-point protection.

V.2.0 Mobile Devices and Remote Working Policy Page 6 of 7

6.8 Business IT will provide operational procedures and advice for using mobile devices and
maintenance.

Line Managers
6.9 Line Managers are responsible for ensuring all Employees in their operational area adhere
to the Policy and have undertaken all relevant training.
6.10 Line Managers should be aware of the physical security dangers and risks associated with
Employees working within any remote office or mobile working location.
6.11 Line Managers should have documented risk assessments and operation procedures to
support Employees to protect data and devices.

Employees
6.12 Employees should ensure that mobile devices are used in line with this Policy.
6.13 Employees are responsible for ensuring that access to all sensitive information is controlled.
6.14 Employees who work remotely must ensure that their mobile devices are connected to the
Council network at least once every two weeks.
6.15 Employees shall ensure that appropriate security measures are taken to stop unauthorised
access to the mobiles device and any sensitive information.
6.16 Employees must ensure that access/authentication tokens and personal identification
numbers are kept in a separate location to the mobile device at all times.
6.17 Employees should ensure compliance with the Lone Working section of the Health and
Safety Procedures Manual, relevant risk assessments and internal procedures.

7 Review and Governance

Policy Governance
7.1 The Policy will be subject to governance through the IMG, and will be formally approved by
Chief Officers Group via the Executive Decision Framework.
7.2 The Policy will be subject to at least an annual review, and where changes in legislation
require, more frequent.

8 Policy Compliance
8.1 If you are found to have breached this Policy, the matter will be considered and investigated
under the Council’s disciplinary procedure.
8.2 Serious breaches of this policy may constitute gross misconduct and lead to summary
dismissal. Breaches, where applicable, may also result in civil action and/or criminal
charges.

V.2.0 Mobile Devices and Remote Working Policy Page 7 of 7