HealthForceGo Bring Your Own Device Policy (HFGo BYOD)

About this policy

As an employee of Newcross Healthcare Solutions (“us”/”our”/”we”/”the company”) you must maintain access to our mobile application (HealthForceGo) on your own personal device to meet the requirements of your employment with us. Note that you will not be allowed to use your personal device unless you have read and accepted the terms of this policy

Using your own device and HealthForceGo allows you greater flexibility and a whole host of other benefits, but it also means that we take on some increased risk in terms of IT security and protection of confidential information.

For example, when you access HealthForceGo you may be able to access data about us, our customers, clients, distributors, suppliers and other business connections, including information which is confidential, proprietary or private. When you access HealthForceGo using a device, we are exposed to a number of risks, including the loss or theft of the device (which could result in unauthorised access to our systems or company data), the threat of malware (such as viruses, worms, spyware, Trojans or other threats that could be introduced into our systems via a device) and the loss or unauthorised alteration of company data (including personal and confidential information which could expose us to the risk of non-compliance with legal obligations of confidentiality, data protection and privacy). Such risks could result in damage to our business and our reputation.

We have therefore chosen to implement this policy, in conjunction with elements of other policies (listed below), to manage those risks, protect HealthForceGo and our data whilst still enabling you to safely use your device.

This policy sets out the circumstances in which we may monitor your use of HealthForceGo on your device, access your device and retrieve, remove or destroy data on it and the action which we will take in respect of breaches of this policy. More information about how we monitor, record and process your personal data is contained in our separate Data Protection Policy and HealthForceGo Privacy Policy.

You must only access HealthForceGo on your device according to this HFG BYOD policy, and other relevant policies including those outlined below:

• The latest HealthForceGo T&Cs
• HealthForceGo Privacy Policy
• Newcross Privacy Policy
• (POL 008) Data Protection Policy
• (POL 210) Disciplinary Policy
• (POL 030) Access Control Policy
• (POL 219) Email and Internet Usage Policy
• (POL 033) Information Security Policy
• (POL 028) Laptop Policy
• (POL 025) Password Policy
• (POL 029) Remote Access and Mobile Policy

Scope of this policy

This policy applies to the device you use to access HealthForceGo, . It applies to the use of the device both during and outside of office hours and whether or not the use of the device takes place on client premises, at home, or elsewhere. If you have been given permission to use your device to access other company resources, such as e-mail, please refer to the Bring Your Own Device Policy (POL 038).

Breach of this policy may lead to us revoking your access to HealthForceGo, whether through a device or otherwise. It may also result in disciplinary action up to and including dismissal. Disciplinary action may be taken whether the breach is committed during or outside office hours and whether or not use of the device takes place on client premises, at home, or elsewhere.. You are required to co-operate with any investigation into suspected breach.

Acceptable Use

You must only use your device in accordance with this, and related, policies (see above) and HealthForceGo T&Cs (available from the ‘MyProfile’ section of HealthForceGo).

Devices may not be used at any time to:

• Store or transmit illicit materials
• Store or transmit proprietary information belonging to another company
• Harass others
• Engage in outside business activities if they conflict with your duties to us
• discriminate against staff or third parties

Permission can be withdrawn at the discretion of Newcross Healthcare Solutions and employees will be required to remove such company resources when requested.

Newcross email accounts should only be set up with the MS Exchange protocol on the mobile device.

Employees should never save company data or company owned work related documents to a private device such as a laptop, pen drive or mobile device (e.g. by taking screenshots of data on HealthForceGo).

Newcross Healthcare Solutions has a zero-tolerance policy for using HelathForceGo while driving.

Devices and Support

Any queries regarding HealthForceGo should be raised via the Help & Support section of HealthForceGo. No technical support will be provided to employees regarding their individual devices.

Security

You must comply with all relevant policies (see above) when using your device to connect to our systems or use HealthForceGo.

All devices should have a strong passcode of at least seven characters long and with the latest secure firmware or IOS or Android version installed and with up to date virus protection where appropriate. HealthForceGo must be protected by an additional four digit passcode/or biometric (finger print) access.

The device must lock itself with a password, pin or biometric access if it’s idle for five minutes.

Rooted (Android) or jailbroken (iOS) devices are strictly forbidden from accessing HealthForceGo.

Upon termination of employment any previous access to company-owned resources (including HealthForceGo) must be removed.

In addition, you must:

• at all times, use your best efforts to physically secure the device against loss, theft or use by persons who we have not authorised to use the device.
• comply with our device configuration requirements;
• not download or transfer any company data unless specifically authorised to do so. You must immediately erase any such information that is inadvertently downloaded to the device;
• not backup the device locally or to cloud-based storage or services where that might result in the backup or storage of company data. Any such backups inadvertently created must be deleted immediately; and
• not use a device to capture images, video, or audio, whether native to the device or through third-party applications, within the workplace.

We reserve the right, without further notice or permission, to inspect your device and access data and applications on it (see more under ‘monitoring’ below).

If we discover or reasonably suspect that there has been a breach of this policy, including any of the security requirements listed above, we shall immediately remove access to HealthForceGo, and where appropriate, remove any company data from the device. Although we do not intend to wipe other data that is personal in nature (such as photographs or personal files or e-mails), it may not be possible to distinguish all such information from company data in all circumstances. You should therefore regularly backup any personal data contained on the device.

Monitoring

The contents of our systems and company data are our property. All materials, data, communications and information created on, transmitted to, received or printed from, or stored or recorded on a device (including via HealthForceGo) during the course of business or on our behalf is our property, regardless of who owns the device.

We reserve the right to inspect your device and your use of HealthForceGo and monitor, intercept, review, copy, disclose, wipe and erase, without further notice, all content on the device that has been created for us or on our behalf. This might include, without limitation, the monitoring, interception, accessing, recording, disclosing, inspecting, reviewing, retrieving and printing of transactions, messages, communications, postings, log-ins, recordings and other uses of the device, whether or not the device is in your possession. This expressly includes taking such action remotely if necessary.

Although we will endeavour to avoid accessing your non-business personal data wherever possible, it is possible that personal data may be inadvertently monitored, intercepted, reviewed or erased. We have set out some steps you can take to help us prevent this under ‘personal data’ below.

Monitoring, intercepting, reviewing or erasing of content will only be carried out to the extent permitted by law in order for us to comply with a legal obligation or for our legitimate business purposes, including, without limitation, in order to:

• inspect the device for unauthorised applications or software;
• prevent misuse of the device and protect company data;
• investigate or resolve a security incident or unauthorised use of HealthForceGo;
• ensure compliance with our rules, standards of conduct and policies in force from time to time (including this policy);
• conduct any relevant compliance obligations (including in relation to concerns regarding confidentiality and data protection);
• monitor performance at work; and
• ensure that staff members do not use our facilities or systems for any unlawful purposes or activities that may damage our business or reputation.

Whilst this is unlikely to be necessary, we may also store copies of any content for a period of time after they are created and may delete such copies from time to time without notice. We may obtain and disclose copies of such content for litigation or investigations.

You must co-operate with us to enable such inspection, access and review, including providing any passwords or PIN numbers necessary to access the device or relevant applications. A failure to co-operate with us in this way may result in disciplinary action being taken, up to and including dismissal.

Personal data

We have a legitimate basis on which to access and protect company data stored or processed on your device, including the data involved in accessing and using HealthForceGo. However, we recognise the need to balance our obligation to process data for legitimate purposes, with your expectations of privacy in respect of your personal data. Therefore, when taking (or considering taking) action to access your device or delete data on your device (remotely or otherwise) in accordance with this policy, we will, where practicable:

• consider whether the action is proportionate in light of the potential damage to the company, our customers or other people impacted by company data;
• consider if there is an alternative method of dealing with the potential risks to the company's interests (recognising that such decisions often require urgent action);
• take reasonable steps to minimise loss of your personal data on your device, although we shall not be responsible for any such loss that may occur; and
• delete any such personal data that has been copied as soon as it comes to our attention (provided it is not personal data which is also company data).

Lost or stolen devices and unauthorised access

In the event of a lost or stolen device, or where you believe that a device may have been accessed by an unauthorised person or otherwise compromised, you must report the incident to the IT Department immediately.

Appropriate steps will be taken to ensure that company data on or accessible from the device is secured, including remote wiping of the device where appropriate (see ‘security’) above.

Procedure on termination of employment and selling, transferring or replacing the device

On your last day of work, or your last day before commencing a period of garden leave, or when you intend to sell or transfer your device to anyone else, all company data and HealthForceGo must be removed from the device. We reserve the right to require you to submit your device to the IT Department to remove any company data and HealthForceGo. You must provide all necessary co-operation and assistance to the IT Department in relation to this process.

Risks/Liabilities/Disclaimers

We have no liability to you for any loss of or damage to your device that was not directly caused by us.

You must pay for your own device costs under this policy, including but not limited to voice and data usage charges and any purchase and repair costs

HealthForceGo App

As a mandatory requirement, Newcross Healthcare requires all Healthcare staff to have access to a fit for purpose iOS or Android smartphone with enough available memory to download and install the HealthForceGo app at all times during employment with us.

• The device must be capable of running the minimum version of iOS & Android operating systems supported by the HealthForceGo app as recommended by Newcross Healthcare – please contact your local branch if you need to confirm the current minimum version we are running on.
• The device must be capable of transmitting data over the internet via a 3G/4G/5G connection and must not rely solely on Wi-Fi for transmitting data.
• It is required that your device must have GPS capability for you to be able to complete elements of your role such as having your timesheet signed. Please note that your device will not be accessible by Newcross Healthcare at any time and this function is only required for work-related purposes whilst you are on a shift for us.
• For full functionality of the HealthForceGo app, it is advised that your device supports a minimum screen resolution as recommended by Newcross Healthcare.

Location Services

HealthForceGo requires location services to be enabled in order to access the following features:

• Timesheet details of a booked Establishment shift
  • We use location to verify the timesheet is signed on the client premises
• Shift details of a booked Complex Care shift
  • We use location to automatically check staff in to and out of Complex Care shifts
  • We use location to verify the staff checked in and out of the client location
• Shift details of an available shift

As mentioned above, more information about how we monitor, record and process your personal data is contained in our separate Data Protection Policy and HealthForceGo Privacy Policy.