ISP-14 Mobile and remote working policy
This is a sub-policy of the ISP-01 Information security policy.
Summary
This policy outlines the security requirements for using mobile and remote devices to access University data. It applies to all University members and any other parties that have been granted access to University systems, and covers personally owned, University-owned, and third party devices. The policy aims to protect sensitive University data via security measures such as device encryption, secure passwords, and safe working environments, ensuring compliance with data protection laws and minimizing security risks when working remotely or using mobile devices.
| Control information | Control detail |
|---|---|
| Owner | Chief Information Security Officer, IT Services |
| Author | Information Security Manager, IT Services |
| Sponsor | Chief Information Security Officer, IT Services |
| Consulted | Digital Spaces Manager, Digital Services Manager, Head of Digital Services, Information Governance and Security Advisory Board (IGSAB). |
| Approved by | Information Governance and Security Advisory Board (IGSAB) |
| Responsible area | IT Services |
| Version | 4 |
| Approval date | 27 June 2025 |
| Effective date | 27 June 2025 |
| Interim review effective date | Not applicable |
| Full review period | 1 year |
| Date of next full review | 31 May 2026 |
| EIA completion date | Not applicable |
| DPIA completion date | Not applicable |
| SIA completion date | Not applicable |
| Reporting requirements | The policy requires that the loss or theft of any device used to access, process, or store University data must be reported to IT Services, regardless of whether the device is University-owned, personally owned, or third party provided. This ensures prompt action can be taken to mitigate risks and secure University data. For further guidance on handling data loss, users are directed to the ISP-07 Information handling policy. |
| Applicable statutory, legal or best practice requirements | The policy ensures compliance with UK Data Protection legislation, particularly in relation to the secure handling of personal data. It also aligns with best practices for information security, such as those outlined in the ISP-01 Information security policy and the ISP-07 Information handling policy. Additionally, it supports the University's adherence to international data protection standards, especially when devices are used outside the European Economic Area, ensuring data privacy and security across various jurisdictions. |
| Keywords | best practices, compliance, data privacy, device security, European economic area, information handling policy, information security, information security policy, international data protection, personal data, remote working, secure handling, UK data protection legislation |
1. Updates to this policy
1.1. This policy has been updated to align to the new University of Bristol policy management framework.
1.2. Following an interim review in July 2025, the following updates were made:
- Scope (section 3): Extended to include external members.
- Personally owned devices (section 6.2 j): Extra minimum security configuration requirement added.
- Minor context clarifications.
2. Introduction
2.1. This Mobile and remote working policy is a sub-policy of the ISP-01 Information security policy and sets out the additional principles, expectations and requirements relating to the use of mobile computing devices and other computing devices not located on University premises when devices are used to access University data.
2.2. The Mobile and remote working policy is designed to address the security risks and challenges associated with the use of mobile and remote devices to access University data. With an increasing reliance on mobile technology and remote working, the policy ensures that University data remains secure, particularly personal, financial, and sensitive information. It sets out clear guidelines for the use of personally owned, University-owned, and third party devices, aiming to comply with UK Data Protection legislation and best practices in information security. This policy supports the University’s commitment to safeguarding data while enabling flexible working arrangements.
3. Scope
3.1. This policy applies to all members of the University, together with any others who may have been granted permission to use the University provided information and communication technology facilities. This policy covers all mobile computing devices whether personally owned, supplied by the University or provided by a third party. Personally owned, University owned or third party provided non-mobile computers (for example desktops) used outside of University premises are also within scope.
4. Definitions
4.1. A member of the University: This is defined in University Constitution: Ordinance 9, section 7.
4.2. Auto-lock: A security feature that automatically locks a device after a set period of inactivity, typically to protect data from unauthorised access.
4.3. Biometric authentication: A security process that uses unique physical characteristics, such as fingerprints or facial recognition, to verify a user's identity.
4.4. Data wipe: The process of completely removing data from a device to ensure it cannot be recovered, typically before disposal or transferring ownership.
4.5. Encryption: Encryption is a mathematical function using a secret value - the key - which encodes (scrambles) data so that only users with access to that key can read the information. In many cases, encryption can provide an appropriate safeguard against the unauthorised or unlawful processing of data.
4.6. Firewalls: A combination of software and hardware that monitors and controls incoming and outgoing network traffic based on predetermined security rules.
4.7. Jailbreaking: The process of bypassing the built-in restrictions on an iOS device, often to allow the installation of unauthorised software.
4.8. Mobile computing device / 'device': A portable computing or telecommunications device that can be used to store or process information. Examples include laptops, netbooks, smartphones, tablets, USB sticks, external or removable disc drives, flash/memory cards, wearable devices and smart devices.
4.9. Rooting: The process of bypassing the built-in restrictions on an Android device, often to allow the installation of unauthorised software.
4.10. Shoulder surfing: The act of observing someone’s screen or device without their knowledge to gain access to confidential information.
4.11. University data: Classified as any data belonging to the University. This includes emails, office documents, database data, personal and financial data. Data obtained from third parties, including research and clinical data obtained under a data sharing agreement with the University, would also be considered University data.
4.12. VPN (Virtual Private Network): An encrypted connection between your device and the University network, used to access University resources.
5. Responsibilities
5.1. University Members: Must ensure that any personally owned devices used to access University data and systems comply with the security requirements set forth in this policy and that secure behaviours are followed. Members must also ensure that personal devices used to access University data and systems are wiped and disposed of securely. Loss or theft of such personal devices must be reported to IT Services promptly.
5.2. External Users of University systems: Individuals external to the University who have been provisioned with access to University of Bristol systems must also ensure that devices used to access University data and systems comply with the security requirements set forth in this policy and that secure behaviours are followed.
5.3. Third Party Device Providers: External parties providing devices for research purposes must ensure their devices meet the minimum security standards required by this policy.
5.4. IT Services: Support and enable secure remote working capability at the University by ensuring that managed devices meet the security configurations set forth in this policy, by maintaining secure systems, and by providing guidance and resources for secure remote working practices. IT Services also assist with device loss/theft incidents and ensure members’ continued ability to work remotely.
5.5. Supervisors and Line Management: Must ensure that direct reports are informed of and adhere to the University’s Information Security Policies, providing adequate resources and support for secure remote working and where necessary ensuring IT Services are engaged with and notified of questions surrounding security standards and remote working requirements.
6. Personally owned devices
6.1. Whilst the University does not require its staff or postgraduate researchers to use their own personal devices for work purposes, it is recognised that there are instances where some University members prefer to use their personal devices. Users must always give due consideration to the risks of using personal devices to access University data and in particular, information classified as Confidential or above according to the Information Classification Scheme - IGP-10 (PDF, 68kB).
6.2. The use of personally owned devices is only permitted subject to the following minimum security configuration requirements, and access to University systems may be restricted if these are not met:
- Devices must run a supported version of their Operating System (OS) and must also have the latest security updates installed, both for the OS and for any installed applications. A supported version is one for which security updates continue to be produced and made available to the device. Beta and development versions of Operating Systems and software may not be considered secure, as they are not guaranteed support and updates from the vendor.
- University data stored or processed on mobile devices must be encrypted.
- An appropriate passcode or password, aligned with the University's password guidance, must be set for all accounts which give access to the device. The use of biometric authentication methods is also acceptable.
- A password/biometric protected screen saver/screen lock must be configured.
- Devices that are capable must run Anti-Virus software, with the exception of personally owned smartphones and tablets.
- Software firewalls must not be disabled or updates postponed.
- The security of the device must not be undermined (for example by “jail breaking” or “rooting” a smartphone).
- Devices must be configured to “auto-lock” after a period of inactivity (no more than 15 minutes).
- Devices should be configured to “auto-wipe” to protect against brute force password attacks where this facility is available, for example the ‘Erase Data’ feature on iOS.
- Device tracking/location services should be enabled to assist in the event of theft or loss.
6.3. In addition to the minimum security configuration requirements above, the following secure behaviours are required:
- Use of personal devices by others (family or friends) must be controlled in such a way as to ensure that these others do not have access to University data classified as Confidential or above.
- Personally owned devices must not be used for activities that require administrative access. For more detail see Access Control section in ISP-11 System management policy.
- Avoid storing University data locally on the device and do not store any data classified as Confidential or above.
- Access University information assets via the University’s remote access services wherever possible rather than transferring the information directly to a device.
- See the following page for more information on remote access: https://uob.sharepoint.com/sites/itservices/SitePages/remote-access.aspx.
- If a personally owned device needs to be repaired, ensure that the company you use is subject to a contractual agreement which guarantees the secure handling of any data stored on the device.
6.4. Devices must be disposed of securely, including the removal of University data before disposal, in accordance with the Disposal of Information section of the ISP-07 Information handling policy.
7. University owned devices
7.1. University-provided computing devices may be used for remote working. These devices are configured to ensure that they are managed as effectively as devices that remain within the office environment, and they meet the minimum security configuration requirements listed above for personally owned devices.
7.2. When using University owned devices, the following are required:
- Non-members of the University (including family and friends) must not make any use of the supplied devices.
- No unauthorised changes may be made to the supplied devices.
- Devices assigned to a specific user should only be used by that user.
- All devices supplied must be returned to the University when they are no longer required or prior to the recipient leaving the University, irrespective of how they were purchased (for example, grant funding).
8. Third party devices
8.1. On occasion, staff and postgraduate researchers may be supplied with computing devices by third parties in connection with their research. These devices must be effectively managed, either by the third party, by the University or by the end user. In all cases, the device must meet the minimum security requirements listed above for personally owned devices.
9. Remote working environment
9.1. When working remotely (either at home or elsewhere), steps must be taken to secure your working environment. Where possible default passwords must be changed for all devices (including personal mobile devices accessing University data and Wi-Fi routers).
9.2. Accessing data classified as Confidential or above on publicly available networks should be avoided. If access to data classified as Confidential or above on public networks is absolutely necessary, a University VPN connection must be established prior to accessing the data. Publicly available networks include wireless networks in public areas such as libraries, hotels, cafés or restaurants.
9.3. Data classified as Confidential and Sensitive or above must not be accessed on publicly available devices. Publicly available devices include shared computers in public libraries, hotels, cafés or restaurants.
9.4. When handling University data classified as Confidential or above, the ISP-07 Information handling policy section 'Information on Desks, Screens and Printers' must be followed.
9.5. Be mindful of the risks of using open (unsecured) wireless networks. For personally owned devices, consider configuring your device not to connect automatically to unknown networks.
9.6. Do not leave mobile devices unattended in public or unsecured places to minimize the risk of theft.
9.7. Be aware of your surroundings and protect yourself against “shoulder surfing”.
9.8. Reduce the risk of inadvertently breaching UK Data Protection legislation by ensuring that all personal data pertaining to University business, which is subject to the legislation and is stored on the device, is removed before taking the device to a country outside of the European Economic Area that is not deemed to have an adequate data protection regime. See Data and international travel guidance for more information on data handling when travelling abroad.
10. Reporting the loss of a device
10.1. The loss or theft of a device that was used to access, process or store University data must be reported to IT Services urgently via the IT Service Desk. This includes all devices whether they are University, personally or third party owned.
10.2. For information on loss of University data see ISP-07 Information handling policy.
11. Further guidance
Request this policy in an alternative format
If you need this policy in a different format, email uob-policymanager@bristol.ac.uk. In your message, include the format you need, for example: plain text, braille, BSL, large print or audio.