The UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.

Mobile devices, home or remote working and removable media

You have appropriate mechanisms in place to manage the security risks of using mobile devices, home or remote working and removable media.

Ways to meet our expectations:

  • You have a mobile device and a home/remote working policy that demonstrates how your organisation will manage the associated security risks.
  • You have protections in place to avoid unauthorised access to, or disclosure of, the information processed by mobile devices, for example, encryption and remote wiping capabilities.
  • You implement security measures to protect information processed when home or remote working, for example, VPN and two-factor authentication.
  • Where you have a business need to store personal data on removable media, you minimise personal data and your organisation implements a software solution that can set permissions or restrictions for individual devices as well as an entire class of devices.
  • You do not allow equipment, information or software to be taken off-site without prior authorisation and you have a log of all mobile devices and removable media used and who they are allocated to.

Can you answer yes to the following questions?

  • Can staff find the policies and procedures?
  • Are they aware of the main contents?
  • Would a sample of devices have appropriate encryption?
  • Could you demonstrate appropriate access arrangements for home or remote working?
  • Are staff working from home or remotely aware of the authorisation requirements?