Mobile and Remote Working Policy (ISP-14)

  1. Introduction
  2. Scope
  3. Policy
  4. Further Guidance

1. Introduction

This Mobile and Remote Working Policy is a sub-policy of the Information Security Policy (ISP-01) and sets out the additional principles, expectations and requirements relating to the use of mobile computing devices and other computing devices not located on University premises when devices are used to access University data.

While recognising the benefits to the University (and its members) of permitting the use of mobile devices and working away from the office, the University also needs to consider the unique information security challenges and risks that will necessarily result from adopting these permissive approaches. In particular, the University must ensure that any processing of personal data remains compliant with UK Data Protection legislation.

2. Scope

This policy applies to all members of the University and covers all mobile computing devices whether personally owned, supplied by the University or provided by a third party. Personally owned, University owned or third party provided non-mobile computers (for example desktops) used outside of University premises are also within scope. 

2.1. Definitions

A mobile computing device is defined to be a portable computing or telecommunications device that can be used to store or process information. Examples include laptops, netbooks, smartphones, tablets, USB sticks, external or removable disc drives, flash/memory cards and wearable devices and smart devices.

University data is classified as any data belonging to the University. This includes emails, office documents, database data, personal and financial data. Data obtained from third parties, including research and clinical data obtained under a data sharing agreement with the University, would also be considered University data.

3. Policy

3.1. Personally Owned Devices

Whilst the University does not require its staff or postgraduate researchers to use their own personal devices for work purposes, it is recognised that there are instances where some University members prefer to use their personal devices. Users must always give due consideration to the risks of using personal devices to access University data and in particular, information classified as Confidential or above according to the University’s Information Classification Scheme

The use of personally owned devices is only permitted subject to the following minimum security configuration requirements, and access to University systems may be restricted if these are not met:

In addition to the minimum security configuration requirements above, the following secure behaviours are required:

3.2. University Owned Devices 

The University provided computing devices may be used for remote working. These devices are appropriately configured to ensure that they are as effectively managed as devices that remain within the office environment and meet the minimum security configuration requirements listed above for personally owned devices. 

When using University owned devices, the following are required:

3.3. Third Party Devices

On occasion, staff and postgraduate researchers may be supplied with computing devices by third parties in connection with their research. These devices must be effectively managed, either by the third party, by the University or by the end user. In all cases, the device must meet the minimum security requirements listed above for personally owned devices. 

3.4. Remote Working Environment

3.5. Reporting the Loss of a Device

The loss or theft of a device that was used to access, process or store University data must be reported to IT Services. This includes all devices whether they are University, personally or third party owned. 

For information on loss of University data see Information Handling Policy (ISP-07).

4. Further Guidance

Mobile and Remote Working policy (ISP-14), version 2.0
Last reviewed: July 2023. Next review: July 2024.
This policy is also available as a PDF: ISP-14 Mobile and Remote Working Policy (PDF, 173kB)