EDINBURGH INTERNATIONAL FILM FESTIVAL LIMITED (the “Charity”)
A Charity Registered in Scotland – SC053218
Introduction
This Bring Your Own Device Policy is Edinburgh International Film Festival Ltd’s (hereafter referred to as “EIFF”, “us”, “we”, or “our”) policy regarding the safe use of personal devices by our staff for work-related purposes.
Modern devices are capable of accessing and storing data, and running business applications. While the use of devices can bring many benefits, and help staff to better do their jobs, it also introduces a significant risk. That risk is that data, or access to that data, may fall into the wrong hands due to the loss or improper use of a device.
As an organisation we have taken a decision to allow staff to use their own devices for work purposes. This policy has been developed to ensure that the organisation’s data is not put at risk by the use of devices in this manner. For those members of staff with a business requirement to access the organisation’s data from a device, this policy provides the necessary guidance so that it is done in a manner that does not introduce unacceptable threats to the safety and integrity of this data.
Purpose
The purpose of this policy is to:
Provide effective controls to ensure that staff access to our data and any information systems through the use of a device is authorised, secure and confidential, in line with our business requirements.
Ensure the remote processing of our data is carried out in accordance with statutory requirements and all relevant guidance.
Ensure that any risks associated with device-based access are recognised, assessed and managed.
Scope
This policy applies to all staff.
Definitions
Personal Data: Information that relates to an identified or identifiable individual, as defined by the Data Protection Act 2018 and the UK GDPR.
Devices: A mobile phone, personal desktop computer or laptop on which users can store information, use email and install programs.
User: Any person authorised to access EIFF’s IT systems and networks remotely.
Encryption: The process of transforming information (referred to as plaintext) using an algorithm (called a cipher) to make it unreadable to anyone except those possessing the key. The result of the process is encrypted information. Password protection is not, by itself, a form of encryption: a login password or screen lock controls access to the device but does not make the stored data unreadable unless the storage itself is encrypted (for example with full-disk encryption).
Bring Your Own Device (BYOD): The term used to describe the approach of letting members of staff use their own devices for work purposes. For example, an organisation might allow its staff to use their own devices to access work email while out of the office, rather than supplying corporate-owned devices for that specific task.
Authorised Users and Devices
We maintain a log of all users who are authorised to access our data on their personal devices. This log is stored in a secure location on the company shared drive.
Users must inform their Line Manager when access to company databases/systems is no longer required, or when leaving the organisation, so that their authorisation can be revoked and the log updated.
User Responsibilities for the Security of Devices
Users must not deliberately put their devices at undue risk of being stolen, lost or accessed by unauthorised persons.
Stolen or lost equipment must be reported as soon as possible to Line Management.
Where available, users may connect their personal devices to the organisation’s guest wireless network to obtain internet access.
User Responsibility for the Security of Personal Confidential Data and Information
Users are responsible for ensuring that unauthorised individuals are not able to see or access our data or systems via the user’s device. Device screens should be locked when not actively being used.
The use of devices for accessing our data or services in a public area should be kept to an absolute minimum, due to the risk of information being viewed and the theft of an unlocked device.
Data should not be held on a device for longer than it is required and should be deleted or archived promptly to reduce the risk of the data being accessed by the wrong person.
Personal confidential data must not be stored on an unencrypted device (NB: Password protection is not a method of encryption and must not be relied upon as such).
Emails containing personal confidential data and other confidential information must not be sent to or from personal email accounts.
Reporting Security Incidents and Weaknesses to Line Management
Staff are responsible for their devices and all of our data held on them. In the event of loss, theft or any data security incident associated with device use, users must inform Line Management immediately.
Duties and Responsibilities
Festival Director
The Festival Director is responsible for ensuring that the organisation complies with the statutory and good practice requirements governing device use outlined in this policy and is supported by the delegated management responsibilities outlined below.
All Managers
All Managers as Information Asset Owners are responsible for ensuring that their staff receive relevant training, guidance and support to understand and adhere to this policy and all appropriate supporting guidance.
All Staff
All staff must ensure that they are aware of their responsibilities for complying with device use requirements in accordance with this policy. All staff with authorised devices must safeguard our information and report immediately any associated security incidents.
Policy Last Amended: 23 April 2024