Bring Your Own Device Policy
Last Updated: 28th May 2019
1. Introduction
Under GDPR, businesses have a requirement to keep personal data safe and secure. Travel Curious Ltd (“TCL”, “we/us/our”) takes such responsibilities seriously, and this Policy is intended to protect the security and integrity of our data and technology infrastructure.
Anyone covered by this Policy (“you”) may use an approved personal mobile device or laptop/desktop for business purposes, provided that you sign the declaration at the end of this Policy and adhere to its terms.
2. Intended Purpose
No one is required to use their personal mobile device for business purposes. It is a matter entirely for each person's discretion. We have chosen to implement this Policy because we recognise that using personal mobile devices for business purposes can offer increased flexibility and autonomy for our staff. However, we also encourage our staff to consider carefully how and when the device is used and to maintain an effective balance between work and personal life.
This Policy applies to employees, officers, consultants, contractors, volunteers, interns, casual workers, agency workers and other individuals (“employees and individuals”) who work remotely or who bring their computers and/or other electronic devices, such as smartphones, mobile phones and tablets, into work and use them for work purposes.
In light of our obligations under current data protection legislation, we have a duty to ensure that we remain in control of any personal data for which we are responsible. All employees and individuals must therefore accept the terms of this Policy before connecting to our network.
This Policy should be read in conjunction with our Data Protection Policy, IT Security Policy and Data Retention Policy.
3. Acceptable Use
When you access our systems, you may be able to access data about us, our customers, clients, distributors, suppliers and other business connections, including information which is confidential, proprietary or private. The definition of data is very broad, and includes all written, spoken and electronic information held, used or transmitted by us or on our behalf, in whatever form (collectively referred to as “our data” in this Policy, and including any personal data as defined in GDPR).
Employees and individuals who use their own devices for work accept responsibility for those devices and for how they are used at work. They therefore undertake to:
Be familiar with the device and ensure it has appropriate security controls enabled, so that our information accessible from it is protected. Further security measures are detailed in section 5.1 of this Policy.
Use the device at work only for activities that directly or indirectly support our business.
Take all reasonable steps to prevent loss or theft of the device and of any personal data on it.
Keep all of our information confidential, where appropriate.
Maintain the integrity of our information and any personal data at all times.
Accept responsibility for any software downloaded onto the device.
In addition to the above, devices may not be used at any time to:
Store or transmit illicit materials
Engage in illegal activity
Harass others
Employees and individuals may use their mobile device to access the following company-owned resources (managed on G-Suite): email, calendars, contacts, documents, extranet and admin consoles, as well as approved third-party web applications such as: Slack, Monday.com, Zoho, Stripe, Xero, Trustpilot, Intercom, Bitbucket, Pingdom, GCP and AWS.
By accepting the terms of this Policy, you consent to us inspecting, without further notice, the work account set up on your device and requesting that you delete all or part of the data in that account or in the applications it uses. You agree to comply with any such request without delay so that we can meet our obligations under GDPR.
In light of this Policy, employees and individuals acknowledge that a personal device may be required as evidence in court proceedings or litigation to which we are party, where the device is relevant to those proceedings.
4. GDPR
The collection, holding and processing of all personal data (as defined in the General Data Protection Regulation 2016 (“GDPR”)) by us will be carried out in compliance with (i) GDPR and (ii) our Data Protection Policy.
All employees or individuals who have access to, and handle, personal data on our behalf shall adhere to our Data Protection Policy and have a general awareness of the obligations imposed by GDPR.
GDPR requires us to process any personal data in accordance with the key data protection principles. ‘Processing’ includes obtaining personal data, retaining and using it, allowing it to be accessed, disclosing it and disposing of it. This Policy gives effect, in particular, to Article 5 (the integrity and confidentiality principle in Article 5(1)(f)), which among other things requires us to ensure that personal data is protected by appropriate technical and organisational measures against unauthorised or unlawful processing or disclosure and against accidental loss, damage or destruction.
5. Obligations Under this Policy
Every employee and individual must be aware of our and their obligations under the relevant data protection legislation, including GDPR, when processing company data. Personal data must only be used for the business purpose for which it was originally collected, and not for any different purpose.
5.1. Security
In order to prevent unauthorised access, a separate work account (or work profile) should be set up on the device, where the operating system supports it, protected by a strong password of sufficient length and complexity for the particular type of device.
Enable a remote wipe facility, where available, and use it in the event the device is lost or stolen.
Any device used must lock itself with a password or PIN after at most five minutes of inactivity.
Any device used must be configured to lock automatically after several consecutive incorrect password attempts.
Employees or individuals must ensure that, if they transfer data, they do so only over an encrypted channel (for example HTTPS or a VPN).
Employees or individuals must not install unverified apps that may present a threat to the security of the information held on their devices.
Employees or individuals should not use unsecured networks, such as open public Wi-Fi, for work purposes.
Employees or individuals should not store sensitive, personal or confidential information on their devices.
Where any information is used, employees or individuals must not keep personal data for longer than necessary for the purpose for which it is being used, unless there is a requirement to retain it for longer in order to comply with a legal obligation.
Report any loss or theft of the device immediately to our IT Manager or, failing that, to a Line Manager.
Report any attempted or actual data security breach to our IT Manager immediately upon discovery.
5.2. Devices and Support
Upon joining us, the employee or individual will present their devices to our IT Manager, as software may need to be appropriately configured. All devices must be registered in our asset management system, recording their make, model, operating system, serial number and IMEI number (where applicable).
5.3. Deletion of Personal Data
Employees and individuals must ensure that, when they delete information from a device, it is permanently deleted rather than left in the device’s trash or recycle bin.
5.4. Monitoring and Access
We will not routinely monitor employees’ and individuals’ devices used for work purposes. However, we will monitor data protection compliance in general, and compliance with this Policy in particular. Before any monitoring is undertaken, we will identify the specific purpose of the monitoring, and we reserve the right to:
Prevent a particular device from accessing our wired or wireless networks.
Prevent access to a particular system.
Take all necessary and appropriate steps to retrieve information owned by us.
6. Implementation of this Policy
This Policy shall be deemed effective as of 28th May 2019. It has no retroactive effect and applies only to matters occurring on or after this date.
7. End of Employment
Prior to the last day of employment with us, all employees and individuals to whom this Policy applies must delete all work-related data (including any personal data) from their own devices and confirm to us in writing that this has been done.
8. Third Parties
Employees and individuals must ensure that friends or family members who use their devices cannot access any information stored in the separate work account.