Mobile ICT devices policy

1. Policy statement

The Office of the Information Commissioner (OIC) recognises the value of mobile ICT devices in supporting effective service delivery, including through flexible ways of working, adaption of service supporting technologies and the reduction of printing/paper consumption.

The OIC also acknowledges that mobile ICT devices require particular considerations to ensure the security and confidentiality of OIC information resources.

This policy provides guidance on the usage of mobile ICT devices by OIC staff.

2. Effective date

8 December 2020

3. Authority and related instruments

This policy derives its authority from and should be read in conjunction with:

Right to Information Act 2009 (RTI Act)
Information Privacy Act 2009 (IP Act)
Public Records Act 2002
Queensland Government Information Security Classification Framework
OIC Use of ICT Services, Facilities and Devices Policy
OIC Guideline on Portable storage devices and information privacy

4. Application

This policy applies to all OIC staff using provided or own (BYO) devices.

5. Mobile ICT devices

5.1 Types of devices
A mobile ICT device is capable of storing and transferring digital information. Examples include portable USB or ‘flash’ keys, memory cards, smartphones, tablets, laptops, notebooks, MP3 players, iPods, rewritable CDs, e-readers and any other device with inbuilt accessible storage.
5.2 OIC provided devices
OIC devices are provided to employees to support them in undertaking their roles. The below table outlines the categories of OIC provided portable devices and their approved usage.

Device	Approved usage
Laptops / Two-in-ones	OIC provides its employees with laptops or two-in-one laptop/tablets. These devices serve as both the desktop unit (connected to monitors) and mobile devices. Laptops/two-in-ones are able to be used for remote working. Staff are responsible for taking reasonable steps to maintain the security of the device. For example, using the provided tether in the office, ensuring the device is in their possession or securely stored when taken offsite, and by locking the computer when it is not in active use. These devices are configured to automatically connect to the OIC network when docked or connected to OIC Wi-Fi. The devices will not automatically connect to the OIC network from remote locations. Access is via the FortiClient VPN app on the laptops. Staff are permitted limited personal use of OIC provided devices in accordance with the OIC Use of ICT Services, Facilities and Devices Policy.
Mobile (smart) phones / tablets	The Information Commissioner may approve the provision of a mobile telephone and/or tablet. These devices will generally only be approved for members of the Executive Team in accordance with applicable Directives and the Director, Engagement and Corporate Services for security and business continuity purposes.
Other (e.g. USBs, rewritable CDs)	The OIC has a number of Iron Keys (secure USBs) that can be used when sensitive documents are transported offsite with approval from the relevant Assistant Information Commissioner/Director or above. OIC supplied USBs (unsecured) may only be used for public, non-sensitive / non-confidential information – e.g. power-points for training sessions. Rewritable CDs may be used to transfer information to stakeholders with permission from the relevant Assistant Information Commissioner/Director or above. It is, however, preferable to use Quatrix to securely transfer files.

Device

Approved usage

Laptops / Two-in-ones

OIC provides its employees with laptops or two-in-one laptop/tablets. These devices serve as both the desktop unit (connected to monitors) and mobile devices. Laptops/two-in-ones are able to be used for remote working. Staff are responsible for taking reasonable steps to maintain the security of the device. For example, using the provided tether in the office, ensuring the device is in their possession or securely stored when taken offsite, and by locking the computer when it is not in active use.

These devices are configured to automatically connect to the OIC network when docked or connected to OIC Wi-Fi.

The devices will not automatically connect to the OIC network from remote locations. Access is via the FortiClient VPN app on the laptops.

Staff are permitted limited personal use of OIC provided devices in accordance with the OIC Use of ICT Services, Facilities and Devices Policy.

Mobile (smart) phones / tablets

The Information Commissioner may approve the provision of a mobile telephone and/or tablet. These devices will generally only be approved for members of the Executive Team in accordance with applicable Directives and the Director, Engagement and Corporate Services for security and business continuity purposes.

Other (e.g. USBs, rewritable CDs)

The OIC has a number of Iron Keys (secure USBs) that can be used when sensitive documents are transported offsite with approval from the relevant Assistant Information Commissioner/Director or above.

OIC supplied USBs (unsecured) may only be used for public, non-sensitive / non-confidential information – e.g. power-points for training sessions.

Rewritable CDs may be used to transfer information to stakeholders with permission from the relevant Assistant Information Commissioner/Director or above. It is, however, preferable to use Quatrix to securely transfer files.

5.3 Bring your own (BYO) devices
BYO devices are devices owned by OIC employees that are approved for use by the employee in undertaking their OIC role. The below table outlines categories of BYO devices and their approved usage:

Device	Approved usage
Computers / laptops	BYO Computers/laptops are not permitted. OIC supply staff with corporate laptops.
Tablets	Information Commissioner approval required. Must demonstrate why an OIC provided device cannot meet needs.
Mobile telephones	Access to work emails is only permitted via the Microsoft Outlook app configured for OIC email account.
Other	Information Commissioner approval required.

Usage of BYO devices is also subject to the conditions set out in the OIC Use of ICT Services, Facilities and Devices Policy.
BYO devices must be cleared of all OIC information on cessation of employment after such information is saved onto the OIC network. Remote access to emails and/or the OIC network will cease on cessation of employment and may cease during extended absences.

6. Loss or theft

Loss or theft of a mobile ICT device (including a BYO device) must be reported as soon as possible to the relevant executive team member and the Director, Engagement and Corporate Services. OIC’s IT Services Provider will also be notified so that appropriate action can be taken.

All reasonable steps will be taken to minimise the risk associated with the loss or theft, which may include remote wiping of the device. Strong passwords that are not written down also help minimise the risks if a device is lost or stolen.