Bring your own device policy and standard
Introduction
Kent County Council (KCC) is responsible for ensuring the confidentiality, integrity, and availability of the data that it processes and stores in ICT systems. KCC has, therefore, an obligation to provide appropriate protection against threats which could adversely affect the security of its ICT systems and/or their associated data.
This policy relates to the use of devices that are not owned or supplied by KCC to carry out business for and on behalf of KCC, including devices owned and/or managed by another organisation.
Throughout this document, the terms ‘device’ and ‘Bring Your Own Device’ (‘BYOD’) refer to all electronic end-user devices capable of making telephone calls, text messaging, accessing the Internet and/or accessing KCC’s systems, services and data.
Objectives
The objective of this policy is to state KCC’s intentions, aspirations and expectations regarding the secure use of devices that are not owned or leased by KCC to conduct business for and on behalf of KCC.
At the core of this policy is the concept that an employee, contractor, consultant, agent or member concedes a limited amount of control over their device in exchange for access to enterprise resources (such as email and other business applications). It is important that the consequences and obligations of this arrangement are well-understood.
Scope
This policy applies to all KCC employees, members, agents, contractors and consultants engaged to carry out work for and on behalf of KCC using end-user devices (for example smartphones, tablets, laptops, desktop PCs etc.) that are not leased, owned or managed by KCC (for example personally owned or managed by another organisation) for KCC business purposes.
Policy
- KCC reserves the right to allow or deny the use of BYOD for conducting its business or accessing its data.
- BYOD will not be suitable for all KCC data and services. It is the responsibility of line managers to assess whether BYOD is appropriate for staff members under their supervision based on their role and the data they process/store. This assessment should include seeking approval from the relevant Information Asset Owner and undertaking a Data Protection Impact Assessment for the service as per KCC’s Data Protection Impact Assessments Policy and Guidance.
- Only devices that meet KCC’s minimum connectivity criteria (section 5, ‘Standard’, of this document) will be allowed access to KCC data. It is the responsibility of the user and the managing organisation (if applicable) to ensure their non-KCC owned devices are supported and up to date.
- Other than to support the access to, and security of, the business applications and data in scope, KCC, via Cantium Business Solutions (CBS), will not provide support or maintenance for BYOD, including hardware or OS support.
- KCC is not responsible for the cost of the user’s personal data plan, for example the call minutes, text messages and Internet data available to the user under their service provider’s tariff. It is the responsibility of the user to monitor their data usage.
- When accessing and using KCC data or when transporting KCC data between work and home or between work-bases, users are expected to abide with KCC’s ICT Acceptable Use Policy and other remote/mobile working related KCC policies and procedures.
- KCC data must not be accessed, read, amended or erased by any unauthorised person. Therefore, users within the scope of this policy:
  - must not share access to KCC’s data, applications and systems on their non-KCC owned mobile devices, e.g. with relatives, friends and associates.
  - must log out of KCC business applications and systems if the non-KCC owned device is temporarily transferred from the user’s custody, e.g. passed to an external vendor for repair/upgrade.
  - must inform KCC (via CBS’s Service Desk) as soon as possible in the event of the loss or theft of their non-KCC owned mobile device.
  - must inform KCC (via the process defined in KCC’s Data Breach Policy) as soon as possible in the event of a data breach.
  - must sign out and remove their KCC account from the device before they:
    - sell their non-KCC owned mobile device or trade it in for a new device.
    - leave KCC’s employment, terminate their contract with KCC or resign from being a member.
- KCC data must not be transferred or copied outside of KCC’s corporate applications and systems.
- KCC reserves the right to remove all access to KCC data on personal devices without notification, for example, upon termination of employment or contract or loss or theft of the device.
- KCC is not responsible for damaged, lost or stolen personal devices while the employee is performing KCC business.
- KCC will facilitate access to a restricted sub-set of corporate applications for BYOD. All other corporate applications must be accessed on KCC-owned devices and/or as defined within the relevant KCC policies, standards and processes.
- Data derived from:
  - the Public Services Network (PSN)
  - the Joint Asset Recovery Database (JARD) Service
  - the Payment Card Industry’s Data Security Standards (PCI-DSS)
  - Central Government’s DWP, HMRC and/or Home Office

  and data in scope of the Payment Card Industry’s Data Security Standards (PCI-DSS), must not be accessed, processed or stored on personal devices.
- Accounts with elevated privileges, for example access rights enabling a user to make changes to a KCC system, application or database greater than those of a ‘normal’ user account, must not be logged into via a personal device.
Standard
- Only Android and iOS mobile devices that can support the operating parameters and security measures given below can be onboarded to BYOD to conduct KCC business and to access, process and store KCC data. The onboarding process may vary depending on your device; refer to the corporate installation guidance provided for your device type.
  - mandatory granting of permissions to Microsoft Defender to allow for security posture checking.
  - mandatory installation of the Microsoft Edge mobile app to access KCC web links and content.
  - acceptance of Microsoft’s applicable licensing terms.
  - the device’s operating system software is supported and kept up to date with the latest version, security patches and fixes.
  - the device’s operating system has not been ‘Jailbroken’ or ‘Rooted’ (for example, removal of a device’s restrictions by means which have not been provided or authorised by the device manufacturer).
  - mandatory use of a PIN (no less than 8 digits long) and/or biometric to control access to the device. A user will have to re-authenticate to their network account and reset their PIN after 6 consecutive incorrect entries.
  - a ‘Time-Out’ facility:
    - by which the device will ‘lock’ automatically after a period of 30 minutes of inactivity is mandatory. To ‘unlock’ the device will require re-entry of the password/PIN/biometric.
    - automatic wiping of KCC data after 90 days of inactivity (for example non-use of corporate applications) on the device.
- Access to KCC data from non-KCC owned Microsoft Windows or Apple Mac devices must only be facilitated via Microsoft 365’s web apps or KCC’s Remote Desktop Access solution and not through installed desktop applications, as this may cause licensing conflicts and functionality issues.
Privacy statement
Kent County Council respects your privacy and is committed to protecting your personal data. This privacy notice will inform you as to how we look after your personal data and tell you about your privacy rights and how the law protects you.
Who we are
Kent County Council collects, uses and is responsible for certain personal information about you. When we do so we are regulated under the United Kingdom General Data Protection Regulation (‘UK GDPR’) and the Data Protection Act 2018. We are responsible as ‘controller’ of that personal information. Our Data Protection Officer is Benjamin Watts.
The personal information we collect and use
If you choose to make use of the KCC BYOD service, we will collect the following personal information:
- name
- username
- telephone number
- email address
- IP address
We will also collect the following telemetry and log data:
- device make and model
- device security information
- time of use
- approximate location of use
How we use your personal information
We use your personal information to:
- authenticate your identity and grant access to the KCC corporate network
- assure your device has adequate ‘security health’ to receive corporate data
Reasons we can collect and use your personal information
We rely on Article 6(1)(a) (Consent) as the lawful basis on which we collect and use your personal data.
How long your personal data will be kept
We will hold your personal information for 12 months. Your data will be automatically deleted at the end of this retention period.
Who we share your personal information with
We will share your personal information with:
- Cantium Business Solutions
- Microsoft

as third-party processors to facilitate and support the BYOD service. There are Article 28 compliant contracts in place with all parties.
Your right to withdraw your consent
You can withdraw your consent to our use of your data at any time.
You can do this by declining to use BYOD at any time. If you have previously opted in to use the service, you can withdraw your use of BYOD by removing the relevant corporate applications from your device.
Keeping your personal information secure
We have appropriate security measures in place to prevent personal information from being accidentally lost, used or accessed in an unauthorised way.
We limit access to your personal information to those who have a genuine business need to know it. Those processing your information will do so only in an authorised manner and are subject to a duty of confidentiality.
Data will be constrained within KCC’s Microsoft environment using UK and EU facilities. Data is encrypted in transit and at rest.
We have procedures in place to deal with data security breaches. We will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so.
Your rights
Under the UK GDPR you have a number of rights which you can access free of charge which allow you to:
- know what we are doing with your information and why we are doing it
- ask to see what information we hold about you
- ask us to correct any mistakes in the information we hold about you
- object to direct marketing
- make a complaint to the Information Commissioner’s Office.
Depending on our reason for using your information you may also be entitled to:
- object to how we are using your information
- ask us to delete information we hold about you
- have your information transferred electronically to yourself or to another organisation
- object to decisions being made that significantly affect you
- stop us using your information in certain ways.
We will always seek to comply with your request however we may be required to hold or use your information to comply with legal duties. Please note: your request may delay or prevent us delivering a service to you.
For further information about your rights, including the circumstances in which they apply, see the guidance from the UK Information Commissioner’s Office (ICO) on individuals’ rights under the United Kingdom General Data Protection Regulation.
If you would like to exercise a right, please contact the Information Resilience and Transparency Team at data.protection@kent.gov.uk.
Who to contact
Please contact the ICT Compliance and Risk Team at ICTcomplianceandrisk@kent.gov.uk for specific advice and guidance relating to the BYOD service.
Please contact the Information Resilience and Transparency Team at data.protection@kent.gov.uk to exercise any of your rights, or if you have a complaint about why your information has been collected, how it has been used or how long we have kept it for.
You can contact our Data Protection Officer, Benjamin Watts, at dpo@kent.gov.uk.
The United Kingdom General Data Protection Regulation also gives you the right to lodge a complaint with the Information Commissioner who may be contacted on 0303 123 1113 or on the ICO website. For further information read our privacy statement.
Roles and responsibilities and policy compliance
Managers, supervisors and team leaders
Managers, supervisors and team leaders are responsible for ensuring that:
- this policy is adopted and followed.
- all personnel within their remit are aware of and have read and understood this policy.
- this policy and its associated Standard are incorporated within and/or translated into formally documented operational processes and procedures.
- consideration has been made to the appropriateness of BYOD for the data they are responsible for.
- all personnel within their remit who are moving or changing roles have their access to KCC systems, services and data altered accordingly.
BYOD Users
Users who have chosen to use a mobile device that is not owned or supplied by KCC for KCC business are deemed to have:
- agreed to comply with and abide by this policy; and
- accepted that the security measures given in the Standard section of this document are applied to their BYOD device.
Training and awareness
All personnel should feel confident that they are aware of their personal responsibilities in respect of this policy and standard and are competent to carry out their duties.
Policy compliance
By using BYOD to access and use KCC ICT systems and services, users are deemed to have read, understood and agreed to adhere to this and other relevant policies and standards.
If you are found to have breached this policy, you may be subject to KCC’s disciplinary procedure.
If a criminal offence is considered to have been committed further action may be taken to assist in the prosecution of the offender(s).
If you do not understand the implications of this policy or how it may apply to you, seek advice from your line manager and/or CBS’s Customer Support.
Supporting and reference documents
- Information Commissioner’s Office: Bring Your Own Device (BYOD) Guidance
- National Cyber Security Centre: BYOD Guidance – Executive Summary
- KCC’s Information Governance Policy
- KCC’s Information Management Manual
- KCC’s Information Security Policy
- KCC’s Data Protection Policy
- KCC’s Data Breach Policy
- KCC’s ICT Acceptable Use Policy
Policy management
Review and revision of this policy and standard
This policy and standard will be reviewed and, if necessary, updated as is deemed appropriate but no less frequently than every 12 months.
Ownership
This policy is owned by Lisa Gannon, Director of Technology. Telephone number 03000 414341. Email lisa.gannon@kent.gov.uk.
Approvals
This policy has been approved by:
- Version 1: Michael Lloyd, Head of Technology, Strategy and Commissioning on 27 April 2018.
- Version 2: Kathy Stevens, ICT Compliance and Risk Manager on 26 November 2019.
- Version 3: James Church, ICT Compliance and Risk Manager on 9 May 2024.