Use of portable storage devices

1. Purpose

A Portable Storage Device (PSD) is a mobile device capable of storing and transferring digital information. Examples include portable USB or ‘flash’ keys, memory cards, smartphones, tablets, laptops, notebooks, personal digital assistants, MP3 players, iPods, rewritable CDs, e-readers and any other device with inbuilt accessible storage.

PSDs are becoming ubiquitous in the workplace. Many employees have at least a smartphone.1 Agencies invariably have their own devices which are either issued to employees in the course of their employment (most usually a mobile telephone) or provided to employees on a temporary basis when business is conducted away from the employee’s desk (usually laptops or work-issued USB keys).

In addition to storage, tablets and smartphones have some computing capabilities and have the potential to be incorporated as a commonplace tool for some core business activities. When employees use their personal PSDs in this way it is known as ‘bring your own device’ (BYOD). BYOD includes home computers/laptops used under authorised ‘working from home’ arrangements.

This policy sets out permitted use of PSDs (including BYOD) at the Office of the Information Commissioner (OIC), based on the classification of OIC information. Its primary purpose is to ensure the security and integrity of OIC information and records.2

2. Relevant authority

A number of laws and policies are relevant to the use of PSDs at OIC, including:

  • Right to Information Act 2009 (Qld) (RTI Act)
  • Information Privacy Act 2009 (Qld) (IP Act)
  • Public Records Act 2002 (Qld)
  • Queensland Government Information Security Classification Framework3
  • Parliamentary Services Network Security & ICT Device Usage Policy4
  • OIC Code of Conduct.

This policy also draws on the guidance on record-keeping obligations for mobile and smart devices provided by Queensland State Archives (QSA).

3. Application

This policy applies to any person with access to the OIC network including OIC staff, temporary workers, contractors and service providers. Failure to comply with this policy is potentially a breach of OIC’s Code of Conduct.5

4. Classification of OIC information

This policy outlines different requirements for the use of PSDs based on the classification of information.

OIC is responsible for managing information which has been classified by other agencies as well as classifying information that it creates or sources from third parties. Parliamentary Services maintains the security of OIC’s information network. Overall, OIC’s network (shared drives, intranet, corporate e-mail, phones, faxes, printers) is secure and is suitable for storage of a range of confidential material such as staff-in-confidence, audit-in-confidence, legal-in-confidence etc.

Importantly, cabinet-in-confidence material is classified as ‘protected’. This means that cabinet-in-confidence material is not authorised to be stored or transferred on the OIC network. Cabinet-in-confidence material must never be stored on PSDs.

For the purposes of this policy6, OIC records will fall into one of three categories – ‘in-confidence’, ‘unclassified’ or ‘public’.

4.1 In-confidence information

‘Exempt information’ is information claimed by an agency or third party to be exempt as part of an external review under the RTI Act or IP Act.7 Exempt information should be classified by the originating agency or third party. Where a classification has not been applied, OIC will generally treat the information as ‘in-confidence’. OIC has practices in place to ensure that exempt information is stored securely in hard copy and only added to the OIC network for limited purposes (such as redaction) and with limited access (such as through Contact or g:drive permissions).

Privacy complaint information and documents as defined in section 153(2) of the IP Act are also classified as ‘in-confidence’. Other information which will normally be classified as ‘in-confidence’ includes much of the information created in the performance of:

  • external review and other decision-making functions8
  • performance monitoring functions9
  • support functions (Information and Assistance, Training and Stakeholder Relations)10
  • budgetary functions11
  • some non-legislative functions (e.g. managing human resources and workplace security).

4.2 Unclassified information

Information assets that do not need special security controls are classed as ‘unclassified’. Unclassified information may include documents stored on the 'H drive' (e.g. staff members’ personal records, such as their resume) and working documents created for OIC support functions by Information and Assistance and Training and Stakeholder Relations.12

4.3 Public information

Public information is any document received or created by OIC which is normally accessible to the public including:

  • publicly-available OIC resources
  • research material such as cases and articles
  • approved training material.

5. Types of PSDs

5.1 Corporate PSDs

Corporate PSDs are those owned by OIC and include encrypted USB keys and OIC-issued smart phones13 and laptops. Corporate PSDs are available to eligible staff on application from the Director, Engagement and Corporate Services (DECS). In general, officers will be eligible to use Corporate PSDs where there is a genuine business need to do so, such as conducting training or audits off-site. Only the OIC Executive is issued with smart phones on an ongoing basis.14

Corporate PSDs are managed by DECS, which maintains a register of the officers to whom Corporate PSDs are issued and the dates of issuance and return. Once an officer is issued a Corporate PSD they are the sole officer responsible for that device and are not permitted to loan it to anyone, including other OIC staff. Officers who wish to use a Corporate PSD should contact DECS.

Corporate PSDs should be used for work purposes only. The content on the Corporate PSD is subject to the laws and policies governing OIC records generally, including the Public Records Act 2002. If the PSD contains new content which constitutes a ‘public record’ (see section 8), then this must be transferred to the appropriate folder in OIC’s network before the PSD is returned to DECS. No user-generated content must be left on the PSD before its return to DECS.

5.2 BYOD

OIC does not generally encourage the use of BYODs. However, OIC acknowledges that BYODs have features that are not available from desktop PCs, and that Corporate PSDs do not always meet business needs. For example, the corporate-issued laptop does not have activated e-mail or text messaging capability. OIC also permits limited ‘working from home’ arrangements.

OIC also acknowledges that it will sometimes be necessary for officers to transfer personal information and/or personal records to their own devices. However, the use of BYOD is strictly limited by the terms of this policy and the use of BYOD may be subject to monitoring to ensure compliance with this policy.

The BYOD owner will be wholly responsible for all costs associated with the device, including repairs, maintenance and upgrades. The BYOD owner must also accept responsibility for the consequences of use of the device for work purposes. This can include a requirement that all files, personal and work related, be wiped remotely from the device in the event of loss or theft (see security requirements below).

Registered BYOD

Officers may apply to DECS to use BYODs for work purposes. In general, this will be limited to the use of home computers/laptops, smart phones or tablets to assist with conducting genuine OIC business. For example, enabling officers to work part-time at home or to have access to OIC email on their smartphone, or permitting tablets to be connected to the OIC network to transfer meeting notes and other documents. Corporate PSDs should be used in preference to BYOD wherever this is possible. Officers should not use their own USB keys for work purposes but should instead use a corporate-issued USB key.

DECS will maintain a register of approved BYOD arrangements. To apply for registration, officers should contact DECS.

The capacity exists for officers to access work e-mail accounts over the internet which can enable the officer to access their work e-mails on a BYOD. Access to ‘web-mail’ must be organised through DECS.

Security requirements for registered BYOD

If an employee is granted permission to use BYOD for work purposes, the following security measures are mandatory. If officers need assistance with installing and utilising the required security functions on their BYOD, assistance should be sought from DECS at the time of registration. If the intended BYOD does not have appropriate security capacities, registration may not be granted.

If the device is a smart phone or tablet:

  • The device must have password (or equivalent) locking functionality.
  • The password (or equivalent) must be enabled at all times.
  • The device must have current virus and malware protection.
  • The device must have the capacity to be remotely located and the data on the device remotely wiped.
  • All OIC data and information must be stored in a folder that has encryption capability and individual password protection. The password for the folder must be different to that of the device itself.
  • The device must have software that securely wipes files.15

If the device is any other PSD:

  • Access to the device must be password locked (or equivalent).
  • Any OIC data and information must be stored in a folder that has encryption capability and individual password protection, unless the device or folder is incapable of encryption, in which case the information is encrypted before transfer.
  • The device must have software that securely wipes files.

If the device is an officer’s home computer/laptop:

  • The computer must have current virus and malware protection.
  • All OIC documents and records must be stored in a password-protected location on the computer.
  • The computer must have software installed that securely wipes files.

In all cases (and specifically including unregistered BYOD):

  • before a device is connected to the OIC network any telecommunications, Bluetooth and/or Wi-Fi connections must be switched off (such as activating ‘flight-mode’); and
  • once connected, officers must comply with all on-screen instructions concerning security and virus threat protection.

If there is a notification that a virus has been found on the PSD, do not access any files on the device. Contact IT immediately on x67400 and advise them of what has happened. Do not close any open windows or the notification message – IT will want to know exactly what they say.

File sharing

There are a number of mobile applications (apps) that facilitate remote sharing of files on the device. These include the variations of:

  • one device acting as a server or client to another device – ‘peer to peer’ or ‘P2P’
  • one device sharing the internet connection of another device – ‘tethering’
  • transfer of files between devices through physical contact16.

File sharing apps are a potential security hazard. Once they are set up, the apps are designed to work quietly in the background and the device owner may not even be aware of an individual exchange. Officers are responsible for ensuring that OIC information is not shared with any other device. Preferably, or whenever practicable, OIC data on a BYOD should only be accessed with the device’s Bluetooth and/or Wi-Fi functionality switched off (flight mode).

Unsecured wireless networks

Most mobile devices have Wi-Fi capability. There is an increasing prevalence of ‘mobile hotspots’ – sites that provide internet access, free or for a fee17, using Wi-Fi technology. Mobile hotspots can be found at restaurants, food courts, libraries, transport hubs, public transport and increasingly public spaces such as malls and parks.18

If the wireless network is unsecured, as it invariably will be with ‘Wi-Fi’ hotspots, and a mobile device is connected to the network, the device is vulnerable to unauthorised access and information sent using the Wi-Fi connection is susceptible to interception. Accordingly, a BYOD must never connect to an unsecured wireless network when the device has OIC files on it.

Unregistered BYOD

Officers may only use their own Unregistered BYOD, without the permission of DECS, to transfer public or limited19 unclassified information. Unregistered BYODs are not to be connected to OIC computers or the OIC network for any other purpose.

Rewritable CDs and DVDs are classed as unregistered BYOD.

6. Permission to transfer

The table below summarises which categories of OIC information are permitted to be transferred to PSDs.

|  | Corporate PSDs | Registered BYOD | Unregistered BYOD |
| --- | --- | --- | --- |
| in-confidence information | No permission needed | Permission from DECS required | Never |
| unclassified information | No permission needed | No permission needed once device has been registered | No permission needed but limited to personal information and/or records only. |
| public information | No permission needed (purely personal information and/or records must not be transferred to corporate PSDs). | No permission needed | No permission needed |

7. DECS permission

OIC officers may transfer ‘in-confidence’ information to a Registered BYOD only with permission. Only DECS, the Information Commissioner, Privacy Commissioner or RTI Commissioner may give permission under this section. Permissions may be:

  • granted to an individual officer or team (for example, to provide training outside the office)
  • given for a specific event or time period (for example, to conduct a performance review)
  • subject to special conditions.

It is critical that officers observe the terms of the relevant permission before transferring any in-confidence information to a PSD and that the security requirements for registered BYODs set out in section 5.2 of this policy are met.

8. Record keeping

PSDs are to be used as a temporary business tool only. OIC information must remain on the device for the shortest practicable time.

OIC staff should ensure that any public record created or received on a PSD is transferred to the relevant OIC recordkeeping system as soon as practicable20. Officers who copy and edit documents on a PSD or BYOD must reintroduce those documents back into OIC’s recordkeeping system.

How to identify public records?

Not all information that is created or stored on PSDs will qualify as a public record. Using the QSA Checklist21 may assist in identifying public records which an officer will need to transfer from a PSD to the relevant OIC recordkeeping system.

QSA Checklist
Mobile and smart devices may contain public records if:
  • they contain information applicable to the purpose and works of the public authority that is unique and not available anywhere else (e.g. not duplicated from websites or recordkeeping systems)
  • they contain a primary source of evidence of a public authority’s policies, business, decisions, mission, etc.
  • they are used in relation to the public authority’s work and generate evidence of work (e.g. notes added to meeting minutes, photographs taken to document damaged roads)
  • use is authorised by the public authority
  • they contain information that is required as a business need.

9. Loss or theft of PSD

Loss of public records stored on PSDs (whether copies or originals) presents the potential for considerable recordkeeping and privacy risks.

Loss of a Corporate PSD or Registered BYOD must be reported immediately to DECS. If the device contained in-confidence information, this must be reported immediately to the Information Commissioner.

OIC may take a number of steps to mitigate any damage that might result from the loss of information, including (but not limited to):

  • activating any mobile device management solutions installed on the device (e.g. ‘remote wipe’ and/or ‘remote lock’)
  • notifying individuals of loss of personal information; and
  • submitting a notification of lost public records form to QSA.

10. Audit

The Information Commissioner is authorised to monitor compliance with Parliamentary Services Network Security & ICT Device Usage Policy. This includes instituting policies for the conduct of OIC business on PSDs, including Registered BYOD.

11. Disposal

Information

Once information on a Corporate PSD or Registered BYOD is no longer required, including for recordkeeping purposes, the information should be wiped from the device22. It is the officer’s responsibility to securely wipe information off their BYOD or their home computer or laptop. Information can simply be deleted from Corporate PSDs. DECS will regularly wipe the data storage of Corporate PSDs.

Devices

Once a Corporate PSD is no longer required by the OIC, or no longer works properly, the device must be destroyed in accordance with Information Standard 13 (IS13) - Procurement and Disposal of ICT Products and Services. This must be carried out with DECS supervision in line with QGISSF requirements and recorded in the PSD register.

12. Last updated

This policy was last updated on 6 March 2013.

13. Review cycle

Due to the diversity and frequent release of new devices, OIC will continually review and re-evaluate recordkeeping solutions developed for PSDs. Accordingly, this policy will be reviewed at least annually.

1 In April 2011, 37 per cent of the adult mobile user population in Australia was estimated to be using a smartphone - Australian Communications and Media Authority (ACMA) Communications report 2010–11.
2 In particular, information received or created in performance of the Information Commissioner’s functions.
3 Queensland Government Information Security Classification Framework.
4 Parliamentary Services Network Security & ICT Device Usage Policy.
5 3.1 Commit to our roles in public service
Our role is to undertake our duties, and to give effect to the policies of the elected government, regardless of its political complexion.
We will:…
e. adhere to the policies, organisational values and organisational documents of our employing agency.
6 Classification of information is based on the Queensland Government Information Security Classification Framework (QGISCF). OIC is currently reviewing and updating its more comprehensive document classification policy.
7 Also known as ‘matter in issue’.
8 Sections 129 and 130 of the RTI Act.
9 Section 131 of the RTI Act.
10 Sections 128 and 132 of the RTI Act.
11 Section 133 of the RTI Act.
12 Sections 128 and 132 of the RTI Act.
13 Currently iPhones.
14 OIC-issued smart phones cannot be borrowed or shared amongst officers.
15 There are numerous free or affordable subscription software products available from the internet. Examples include CCleaner, Erase, Disk Wipe, Avast, and Malwarebytes. The software must be specific to the device’s operating system and type of drive.
16 For example – the popular ‘Bump’ app for Android and iOS devices.
17 Sometimes the ‘fee’ consists of the user having to purchase a product from the Wi-Fi provider in order to obtain log on credentials.
18 Officers should not be accessing OIC information and records where there is a vulnerability to ‘shoulder surfing’ - someone situated behind you seeing both what is on your device and your use of the device.
19 The only records that can be transferred to an unregistered BYOD are the Officer’s personal files which should commonly be stored on the H: drive.
20 See 5.1 earlier.
21 At the time of publication of this policy the checklist and associated decision tree was drawn from QSA’s draft guideline on mobile and smart devices which has been distributed for consultation, but has not yet been published.
22 Simply deleting data during everyday use doesn't remove the data from the drive; instead, it merely erases the pointer to that data. Deleted data can still be recovered using simple software tools. To remove data permanently, specialist software literally writes gibberish over the existing data.