Mobile and Remote Working Policy (ISP-14)

  1. Introduction
  2. Scope
  3. Policy
  4. Further guidance

1. Introduction

This Mobile and Remote Working policy is a sub-policy of the Information Security policy (ISP-01) and sets out the additional principles, expectations and requirements relating to the use of mobile computing devices and other computing devices not located on University premises when devices are used to access University data.

While recognising the benefits to the University (and its members) of permitting the use of mobile devices and working away from the office, the University also needs to consider the unique information security challenges and risks that will necessarily result from adopting these permissive approaches. In particular, the University must ensure that any processing of personal data remains compliant with UK Data Protection legislation.

2. Scope

This policy applies to all members of the University and covers all mobile computing devices whether personally owned, supplied by the University or provided by a third party. Personally owned, University owned or third party provided non-mobile computers (for example desktops) used outside of University premises are also within scope.

2.1. Definitions

A mobile computing device is defined to be a portable computing or telecommunications device that can be used to store or process information. Examples include laptops, netbooks, smartphones, tablets, USB sticks, external or removable disc drives, flash/memory cards, wearable devices and smart devices.

University data is classified as any data belonging to the University. This includes emails, office documents, database data, personal and financial data. Data obtained from third parties, including research and clinical data obtained under a data sharing agreement with the University, would also be considered University data.

3. Policy

3.1. Personally owned devices

Whilst the University does not require its staff or postgraduate researchers to use their own personal devices for work purposes, it is recognised that this is often convenient and such use is permitted subject to the following minimum requirements and guidelines. Users must at all times give due consideration to the risks of using personal devices to access University data and in particular, information classified as confidential or above:

In addition to the minimum requirements above, the following recommendations will help further reduce risk:

3.2. University owned devices

The University may at times provide computing devices to some of its members. When it does, it will supply devices that are appropriately configured so as to ensure that they are as effectively managed as devices that remain within the office environment.

Devices supplied by the University must meet the minimum security requirements listed above for personally owned devices.

In addition, the following are required:

3.3. Third party devices

On occasion, staff and research postgraduates may be supplied with computing devices by third parties in connection with their research. These devices must be effectively managed, either by the third party, by the University or by the end user. In all cases, the device must meet the minimum security requirements listed above for personally owned devices. 

3.4. Remote working environment

When working remotely (either at home or elsewhere), steps must be taken to secure your working environment. In particular, where possible, default passwords must be changed for all devices (including personal mobile devices accessing University data and wi-fi routers).

Accessing data classified as confidential on publicly available devices or networks should be avoided. Data classified as confidential and sensitive or above must not be accessed on publicly available devices or networks. Publicly available devices and networks include shared computers and wireless networks in public libraries, hotels, and cafés or restaurants. When accessing data classified as confidential or above on public networks, a University VPN connection must be established prior to accessing the data.

When handling University data classified as confidential or above, the Information Handling policy (ISP-07) section 'Information on desks, screens and printers' must be followed.

3.5. Reporting losses

All members of the University have a duty to report the loss, suspected loss, unauthorised disclosure or suspected unauthorised disclosure of any University information asset to the information security incident response team (cert@bristol.ac.uk).

4. Further guidance

Mobile and Remote Working policy (ISP-14), version 1.4
Last reviewed: June 2022. Next review: June 2023.
This policy is also available as a PDF: ISP-14 Mobile and Remote Working Policy (PDF, 129kB)