Bring Your Own Device to Work Policy

Protection of Morgan Sindall Group plc and its subsidiaries’ (hereinafter the “Group”) business information and systems is essential. It is Group policy to ensure that all weekly paid staff who may have access to Information Systems operated by the Group (‘employee’) comply with this BYOD Policy.

POLICY STATEMENT

The Group recognises that many of our staff have personal mobile devices (such as tablets, smartphones and handheld computers) or personal desktops, which they could use for business purposes, and that there can be benefits for both us and staff, including increased flexibility in our working practices, in permitting such use. However, the use of personal mobile devices for business purposes gives rise to increased risk in terms of the security of our IT resources and communications systems, the protection of confidential and proprietary information and reputation, and compliance with legal obligations.

Anyone covered by this policy may use an approved personal mobile device for business purposes, provided that they sign the declaration at the end of this policy and adhere to its terms.

No one is required to use their personal mobile device for business purposes. It is a matter entirely for each person’s discretion. [We have chosen to implement this policy as we recognise that using personal mobile devices for business purposes can offer increased flexibility and autonomy for our staff. However, we also encourage you to consider carefully how and when you use your device, and to maintain an effective balance between work and personal life.]

This policy supplements and should be read in conjunction with our other policies and procedures in force from time to time, including without limitation our IT acceptable use policy, data protection policy, document retention policy and other IT related policies, which are available on the intranet.

SCOPE AND PURPOSE OF THE POLICY  

This policy applies to selected employees who use a personal mobile device including any accompanying software or hardware (referred to as a device in this policy) for business purposes. It applies to use of the device both during and outside office hours and whether or not use of the device takes place at your normal place of work.

This policy applies to all personal devices used to access our IT resources and communications systems (collectively referred to as systems in this policy), which may include (but are not limited to) smartphones, mobile or cellular phones, tablets, and laptop or notebook computers.

When you access the Group’s systems you may be able to access data about us or our group companies, our customers, clients, distributors, suppliers and other business connections, including information which is confidential, proprietary or private. The definition of data is very broad, and includes all written, spoken and electronic information held, used or transmitted by us or on our behalf, in whatever form (collectively referred to as company data in this policy).

When you access our systems using a device, we are exposed to a number of risks, including the loss or theft of the device (which could result in unauthorised access to our systems or company data), the threat of malware (such as viruses, worms, spyware, Trojans or other threats that could be introduced into our systems via a device) and the loss or unauthorised alteration of company data (including personal and confidential information which could expose us to the risk of non-compliance with legal obligations of confidentiality, data protection and privacy). Such risks could result in damage to our systems, our business and our reputation.

The purpose of this policy is to protect our systems and company data, and to prevent company data from being deliberately or inadvertently lost, disclosed or altered, while enabling you to access our systems using a device. This policy sets out the circumstances in which we may monitor your use of our systems, access your device and retrieve, remove or destroy data on it and the action which we will take in respect of breaches of this policy. More information about how we monitor, record and process your personal data is contained in our separate privacy notice and data protection policy.

Breach of this policy may lead to us revoking your access to our systems, whether through a device or otherwise. It may also result in disciplinary action up to and including dismissal and, in the case of a breach of this policy by a contractor, consultant, casual or agency worker, the termination of the engagement. Disciplinary action may be taken whether the breach is committed during or outside office hours and whether or not use of the device takes place at your normal place of work. You are required to co-operate with any investigation into a suspected breach, which may involve providing us with access to the device and any relevant passwords and login details.

Some devices may not have the capability to connect to our systems. We are not under any obligation to modify our systems or otherwise assist staff in connecting to our systems.

MONITORING  

The contents of our systems and company data are the property of the Group. All materials, data, communications and information, including but not limited to e-mail (both outgoing and incoming), telephone conversations and voicemail recordings, instant messages and internet and social media postings and activities, created on, transmitted to, received or printed from, or stored or recorded on a device (collectively referred to as content in this policy) during the course of business or on our behalf are our property, regardless of who owns the device.

We reserve the right to monitor, intercept, review and erase, without further notice, all content on the device that has been created for us or on our behalf in accordance with the Group’s Acceptable Use policy. It is possible that personal data may be inadvertently monitored, intercepted, reviewed or erased and the user should have no expectation of privacy in any data on the device. The Group reserves the right to disconnect devices or disable services without notification.

SECURITY REQUIREMENTS  

You must comply with all of the Group’s IT policies when using your device to connect to our systems and should never access or use our systems or company data through a device in a way that breaches any of our other policies.

You may use any device, as long as:

  1. The device has to be unlocked using a minimum 4-digit code, pattern sequence or password (lock options will vary depending on the vendor of the device).
  2. The device is set to automatically lock after a maximum of 5 minutes of inactivity.
  3. You only use your own login credentials as supplied by Morgan Sindall when accessing services using the device.
  4. You do not save any files or data from the available services on to the device.
  5. If you are using a laptop or desktop computer to connect to services, a suitable virus protection application should be installed, working and up to date.

You must ensure that your login password is kept confidential and known only to you. If your password becomes known to others (family members, friends, colleagues or otherwise), you must change it immediately using the Password reset tool or by calling the IT Service Desk.

LOST OR STOLEN DEVICES AND UNAUTHORISED ACCESS  

In the event of a lost or stolen device, or where a staff member believes that a device may have been accessed by an unauthorised person or otherwise compromised, the staff member must report the incident to the Service Desk at the earliest opportunity but no later than the next business working day. Employees are responsible for notifying their mobile carrier immediately upon loss of a device.

COSTS REIMBURSEMENT

The employee shall be solely responsible for meeting any costs or charges associated with accessing Group services through a personal device and accepts that the Group will not reimburse the employee for any charges incurred.

RESPONSIBILITIES

All Employees are responsible for ensuring compliance with this IT Acceptable Use Policy and the above requirements.

CONFLICT

Where Group and Divisional policies conflict, this Group policy takes precedence.

ENFORCEMENT

Any employee found to have violated this policy may be subject to disciplinary action up to and including dismissal.