Forum menu
Just another thought, consider all the stuff that work provide for personal use like browsing the internet? The WiFi that you connect your personal device for checking your personal stuff. Work are asking you that a bit of kit that is already In place is used for a tiny proportion for everyones safety in the same way that stuff already there (browse to the internet) is used for everyone's personal benefit
Different point but also consider that MFA doesn't leave any work data on your phone or any personal stuff in work IT systems , it's the same principle as a passport in an airport, you keep it with you and half of a digital key is on your device with Microsoft having the other half- not even a whole key
What do you do with folk that do not own a smart phone or cannot use one?
You use a physical encryption key like a usb stick with a fingerprint reader on it, they just prove it's you like a passport in the airport
Hmmmm - open and shut disability discrimination case then? 🙂
For someone who clearly doesn't understand the topic you have had quite a go at this one. Bottom line is, we hear you in your desire to separate work and personal life. Most understand the principle but not the extent to which you go. However, as has been stated many, many times on this thread, IT and those responsible and accountable for security in general within an organisation are under significant pressure to deliver solutions that can help to protect the company, its systems, its data and its people. One of the least intrusive and most effective solutions at the moment is to use MFA. There are several flavours of it but the least costly, most flexible (for the vast majority) option is to use an authenticator app on your phone. If you really, really, really do object to that (or you do not have access to a smart phone) then you have the option of something like a FIDO2 key eg Yubikey etc. If you wanted to make the support crews desk a complete pain you could refuse to use the Yubikey and they could issue you a Temporary Access Pass. But that is unworkable for a y organisation once you get above 20 people. For places like the NHS, actually a Yubikey type device is likely to be preferable as it allows more flexibility to logon to shared computers - so you wouldn't have to carry your phone around with you. Also useful for those who work in restricted or secure zones where they aren't allowed to have their phones. At the end of the day, this is a simple technical solution that adds significant protection and can help to prevent your company being on the front pages as another victim of cyber crime. The worst hit, as we have already seen this year, actually go bust and cease to exist as companies. Which means everyone loses their jobs, their income and gets a whole heap of new stress to worry about.
or you simply do not mention work in anyway on your phone?
The downside there is that you can't call in sick. You have to go to work, tell them you're sick in person and then come home again.
I just want to keep that hard separation between work and home. I do not want work to tell me that I must do something with my personal property.
I'm so glad I never had to work with you 🙂
For places like the NHS, actually a Yubikey type device is likely to be preferable as it allows more flexibility to logon to shared computers
Which would be perfectly acceptable to me and is similar to the way my ex workplace works ( I think) Again - I am not refusing to use MFA. I am not wanting to use my personal stuff to do so
or you simply do not mention work in anyway on your phone?
The downside there is that you can't call in sick. You have to go to work, tell them you're sick in person and then come home again.
Again - not anything I have said. It is funny when folk make up things a person has supposedly said to then use against them
Which would be perfectly acceptable to me and is similar to the way my ex workplace works ( I think
What’s acceptable to you seems to be entirely arbitrary, satisfying some principle that you have concocted. I’m not sure how an employer can accommodate a workforce where each individual makes up rules about what’s “acceptable” to them.
I do not know how to explain it more simply
If work wants me to do something then it supplies the tools to do so. I do not think mandating how you use your personal property is acceptable. That phone belongs to me. Making me use it for work crosses a line for me.
fortunately my ex employer recognised this and actually makes using a personal phone at work a disciplinary offense so this never arose.
fortunately my ex employer recognised this and actually makes using a personal phone at work a disciplinary offense so this never arose.
FWIW, my current employer also recognizes it and has no issues with a £70/80 phone being sourced every 5 years.
They also paid for my desk, chair and few other genuinely helpful things. Probably part of the reason I'm still there and still highly motivated.
I do not know how to explain it more simply
You've described it very clearly. Still doesn't make sense except as part of your personal philosophy, which of course you're entitled to, and if your employer is happy to play along then everyone's satisfied.
you told me to unionise - make up your mind!Poly - it’s nothing to do with unions or anything like.
which in a modern workforce is virtually nobody - and if there are a few relics they either need to negotiate with IT as suggested or buy a device, sometimes there are costs of being employed - like the clothes we wear! You are making a mountain out of molehill - and still haven’t backed up your original claims which I challenged that this is in anyway something an employer cannot do.Its two things - one is thinking of those that do not have smartphones ( and several folk responsible for this stuff have said its no issue)
I wonder how you go through life with NHS logos everywhere on your days off that would obviously trigger you: if an MS MFA app would invite your personal work/home barrier.the other is about having a hard barrier between work and home. Again something others have as well.
you’ve retired - it possibly is still the case that your workplace employs the same rule but also they may have decided MFA trumps the other issues. However clearly if a company has a policy of no personal mobiles in the workplace it can’t also apply a policy of please use your personal mobile to authenticate. That doesn’t mean a workplace that doesn’t have a no personal devices rule is acting unreasonably in suggesting this is the simplest and possibly best way to do it.At my workplace having your own mobile in use when on duty is a disciplinary offense and so is plugging anything into USBs cougar 🙂
weirdly as a patient nobody has objected to me plugging in my phone charger! I know some organisations safety departments are run by idiots but the NHS could save a fortune if the stopped paying for PAT testing double insulated chargers with only a low voltage USB cable attached! By insisting that a “competent person” comes and sticks a label on it (there is nothing to test) they are saying that the NHS staff who are trusted to administer drugs etc can’t be trusted not to use a damaged plug! The union should probably point out the waste of money!
im not sure what that comment was in reference to - but there is nothing requiring an employer to preemptively make adjustments for disability - it’s too hard to cover every possible disability. The employee asks for a reasonable adjustment and the employer cooperates. Of course reasonable adjustment doesn’t apply to anyone who doesn’t have the same disability nor does it require the employer to make their security more vulnerable.Hmmmm - open and shut disability discrimination case then? 🙂
Anything that involves stuff give getting dirty, I’d expect PPE to be supplied, or an allowance to cover expenses
I've had many jobs over the years where wearing a suit was a requirement. It was the only place I'd ever wear a suit. Not once had I ever considered my employer should pay for the suits
you’ve retired - it possibly is still the case that your workplace employs the same rule but also they may have decided MFA trumps the other issues.
I checked with a colleague still working there
im not sure what that comment was in reference to
it was in reply to someone in NHS it stating that employees could only access various staff info on a smartphone
I've had many jobs over the years where wearing a suit was a requirement. It was the only place I'd ever wear a suit. Not once had I ever considered my employer should pay for the suits
I was thinking the same.
On the phone thing, when mobiles first became common, late 90's, I got given a company phone. Every month I had to go through the bill and pay for any non-work-related calls - ISTR this was actually an HMRC requirement if you didn't want the phone to be a taxable benefit. I considered calls to say I'd be late home to be work related. I didn't buy my own phone for quite a few years, but once I did I kept a pretty strict separation, and I never gave my personal number to colleagues or clients. More recently when BYOD became a thing, some people wanted the simplicity of only having one phone, I still asked for a company phone - I didn't want corporate MDM on my own phone.
So my position was basically that I wouldn't use their phone for personal stuff, and I wouldn't use mine for business stuff. But in this case, I think I'd be prepared to add an account to an authenticator, the intrusion really is so minor as to be irrelevant.
Just checked my one and only mobile phone
14 work apps on it plus an authenticator 😎
We have had the discussion in my team about staffing using personal devices when at work. I have explained to the team that using them in the morning if needed to log in doesn't justify people using it all day and as they are all adults they understood that. Using a personal phone historically meant you weren't working as virtually no one had cause to use it. I find that when I am onsite and using the same PC as normal I very rarely need to use MFA but sometimes do.
A lot of what TJ refers to might have been correct for his time and place but it's wrong in my experience of 6 trusts over 25 years.
You simply couldn't get to your locker if you left your badge at work as there are always multiple swipe card points between the front door and the locker room, you can't use your own padlock as lockers often have locks and your are given one to use and a key. This is to stop people leaving and a locker being locked shut.
The only place I have seen a coded door lock in the last 15 years is the bike sheds.
The very least you would have to do is carry a locker key and a passcard. There is no justification for refusing and if someone did that today I can't imagine they would pass probation.
I can assure you that none of the Lothian hospitals have passkey entry. Most of them have open doors. that's up to date info from visits in the last year. those without open doors have coded locks.
no internal swipe card access. number pads for secure areas
no swipe cards that I have seen. certainly all staff do not have them
That simply isn't possible. It's the first thing you do on your first day of employment. Including where I have worked I must have visited 20+ hospitals and every single one has swipe card access based on user profile. Hospitals would be shut down without it
Induction info for medical students for the Royal
"Please note that Resident Doctors on the REH/RIE rota will also need to obtain an ID Badge (swipe card) from the RIE as they require this to gain access to the wards when on call. Time is factored into Induction for badges to be obtained."
and for the sick kids
Inform Security immediately via the NHSL FM Helpdesk or calling ext 50001 if you have lost your ID badge, to disable access, then complete the ID badge application to apply for a replacement.
fascinating. maybe for specific areas but I have been an in and outpatient over the last couple of years and just simply walked into the areas I wanted to go to. that's a surgical ward at wgh and multiple outpatients units at both wgh and Eri including imaging etc.
I avent been on a ward at eri for 4 years but again it was open access then
there are no swipe to access between the outside world and the lockers at wgh
maybe they close down at night at eri but 2 years ago at wgh I simply walked on and off the ward even at night
one of my opd visits was at the sick kids. open door and I just walked into imaging for my mri
.apart from anything else almost all wards have open visiting in the daytime.
I'm guessing eri must go to lockdown at night?
Locker was secured with my own padlock
Did you take the key home with you?
[a Yubikey] would be perfectly acceptable to me and is similar to the way my ex workplace works ( I think) Again - I am not refusing to use MFA. I am not wanting to use my personal stuff to do so
Would you have the Yubikey rattling around loose in your pocket or would you attach it to your keyring for safekeeping?
I've had many jobs over the years where wearing a suit was a requirement. It was the only place I'd ever wear a suit. Not once had I ever considered my employer should pay for the suits
Same, but I would fully expect to be reimbursed should those suits (OK, that suit) get damaged whilst at work.
Security in the NHS seems to vary. When visiting a relative at the Queen Elizabeth in Glasgow the wards were locked every time. Visiting hours or not. You needed a card or you needed to buzz the nurse station to get in. At the A and E dept you can't get past the waiting area without a card or a staff member letting you in.
I work at an NHS building. Only used by NHS staff no treatment areas or wards. You can't get past reception without a card. A card only grants to access to certain zones depending on your role.
If you needed glasses to see the computer would you refuse to use your own on the same basis that you are not prepared to use personal stuff for work? And if by some really stubborn workarounds you managed to get away with not wearing them outside work because of the constant reminder of work every time you wore them (I don’t read books, my partner reads all the labels on things, I ask people in the supermarket how much stuff is etc etc) then would you expect work to pay for your glasses?
Would you have the Yubikey rattling around loose in your pocket or would you attach it to your keyring for safekeeping?
He doesn't have to carry it at all times, you can shove that into a work stuff drawer and forget about it until the next shift. Same for ID cards and uniforms, but he'll have his personal phone on him constantly (to post here).
I think you probably need to start accepting that some of us have built (this stupid thread aside) fairly effective mental tactics over the years that enable us to put up barriers that 'mostly' block out work from non working hours. If you haven't done that, you either don't need to, or it sucks to be you, Those tactics likely being developed by necessity and individually over time with them not making all that much sense to an outsider, because by default there's going to be a largely random line in the sand.
There's an awful lot of reductive nonsense posted on this thread that, to TJ's situation is complete garbage.
E.g.
If you needed glasses to see the computer
None of you get to determine where TJs line is, nor do any of you get any say whatsoever as to whether it makes sense to TJ himself. Only TJ gets to determine that.
Most of you need barring for life from any job where empathy is required.
I would fully expect to be reimbursed should those suits (OK, that suit) get damaged whilst at work.
Haha - I’d pay money to see the manager’s face when that expense claim went in.
None of you get to determine where TJs line is, nor do any of you get any say whatsoever as to whether it makes sense to TJ himself. Only TJ gets to determine that.
True, of course, but TJ cannot require everyone else to facilitate his personal religion.
Same as work cannot require every staff member to use a personal device for work?
Some of you would refuse to put work email or teams on your personal phone - how is my stance different?
TJ's line is Tj's line, fair enough
BUT
MFA will be enforced no doubt, and TJ will have to either add the account to authenticator or transport another device to and from work
Email and teams most likely requires mobile device management on a device. ie these apps become controlled by the business. You grant the business control over an area of your phone. The boundaries of which are explained when setting up. It is possible to set these apps up uncontrolled, but that isn't ideal for business security. If you like the apps are isolated from the rest of the phone.
An authenticator account isn't controlled by the business (it can be but not necessary)
this is where the line is very different
and HMRC explicitly says they can’t without it being a taxable benefit - unless it is a uniform used to identify staff.Anything that involves stuff give getting dirty, I’d expect PPE to be supplied, or an allowance to cover expenses
I've had many jobs over the years where wearing a suit was a requirement. It was the only place I'd ever wear a suit. Not once had I ever considered my employer should pay for the suits
I don’t think anyone objects to TJ having his own personal set of rules and being willing to stand up for his convictions and either make a fuss or leave if his employer has the audacity to we have a different view. I do however think it’s wrong of him to suggest that his arbitrary line is in anyway a universally recognised/legal requirement. Or that employers who don't draw the line in the same place are fundamentally doing something wrong. There are horrible employers around but if I was making a list of things that set off my red flags about employers - using personal devices for MFA wouldn't even register. It really isn't anywhere near uncommon. He’s quite guilty of applying his NHS experience and assuming the rest of the world does or should work the same way. I’m really surprised that physical security is not better implemented in NHS Lothian. My recollection as a user of ERI was there were access control pads all over the place but as I never needed to go anywhere that was not public I don't know if they were in use. I think he used to work in police stations and I think care homes too - my experience of both of those are that access is controlled quite tightly. Really never had a phone number for any of them in his phone? Never had a key or access card to access the site or even the car park/bike shed?
Being a little bit more up on the technology, I thought TJ's view of authenticators was flawed and needed reconsidering. They're a small fairly basic unobtrusive utility with one purpose only, a tool without bells or whistles, and which you have a choice and control over. That's why there has been (what I assume were referred to as reductive statements) comparisons with glasses, calculators, and hammers.
At my last workplace, they wanted us to like every single one of their social media posts. I don't have social media on my mobile (only on desktop with non-memorable passwords), so managed to get away with it. Had it been otherwise, I'd probably have been pushed into it, peer pressure etc.
Additionally, some of us were swapped with a team from another room, and to facilitate the fact that one of the important finishing processes required lots of communication between us all, they started using Whatsapp for the process. Two of us tried to push back against this, saying it crossed boundaries and we don't use our personal mobiles for work, and that we're often too focused on our work to stop to keep checking our mobiles.
The rest were younger, and consisted of people closer to the boss than us (ie family/friends), so we were alone on that matter and just had to suck it up. I muted the notifications of the workplace whatsapp groups I was in, because they contained lots of distracting nonsense. When it came to my active involvement I used Android's Caffeine mode to keep the screen awake so I would see in real time when messages came through for me. The rest of the time I'd only check for messages when I was good and ready and generally didn't get involved. So I felt I was able to keep some sort of line there even though it was a bit closer to my personal side than I would have liked.
^^
whatsapp for business use, without a business license breaks the licensing terms..
so technically there's 2 things there, they should have asked you if it was ok to pay for a business license for you, and if youd be happy to use it. You could have had notifications automatically turn off out of hours etc
I think he used to work in police stations and I think care homes too - my experience of both of those are that access is controlled quite tightly. Really never had a phone number for any of them in his phone? Never had a key or access card to access the site or even the car park/bike shed?
POlice - had to be buzzed in. No access card given to me. couldn't leave the building during my shift, couldn't leave my work area. Never had a phone number for them. didn't own a mobile then
Care homes one was open door open access, others were keypad locks. More than ten years ago didn't own a mobile then
never had a swipe card for anything nor an access key even when I was manager
Thinking further about the swipe cards at ERI. Some areas did use them and staff working there did have them but during the day everywhere I went in the ERI was open access. I assume that they locked down at night. the piece alan posted specifically states for on call access to wards. My last visit to a ward there was longer ago than 4 years - I confused visits but it was open access during the day. Last visit there a couple of months ago for OPD scanning done in the sick kids. walk in thru an unlocked door into the building, walk up to scanning dept. Walk into scanning dept. Main corridors and OPD all open access
WGH - Numerous out and inpatient visits most recently a few months ago. Open doors to outside world, open access thru all parts of the hospital. Open access to surgical ward 2 years ago - maybe a keypad to the ward? I cannot be sure but I know I was going in and out of the ward without bothering the staff so if there was a keypad they gave me the number and i was going in and out of the main hospital doors even at night
Unfortunately there is a lot of traumatic memories associated with those hospitals so I fully accept my memory may not be clear. However I am 100% certain that the main doors to the hospitals are open access during daytimes and that you can freely wander around the corridors and use stairs and lifts
whatsapp for business use, without a business license breaks the licensing terms..
They also completely ignored the requirement for a license to listen to the radio (much to my chagrin) so I doubt that would have persuaded them either, unfortunately.
MFA will be enforced no doubt, and TJ will have to either add the account to authenticator or transport another device to and from work
As I explained in another post. Access to TRAK still does not require an app on your phone. Smart cards and two layers of login to get to TRAK. Insert card into machine gets you to the basic log on screen. Log in with user name and password. That gets you to the basic computer then a further different user name and password to get into secure areas of the database. its a secure intranet which can only be accessed from work computers.
The smart cards did NOT identify the person as far as I am aware. We had some communal cards. all they did was unlock the log in swcreen
that is still the situation today. No authenticator app, no device needed
my bad
I got derailed into thinking it's your thread TJ
I rephrase, if it came to it, that would be your choices, and the OP's
for the rest of us, that's where we are at now
Yes, the world has moved on in the last 10 yrs and it would not have been that unusual to have no phone or certainly a "dumb" phone in 2015. It really will be exceptional today to have someone who is employed in a professional setting who uses a computer for their job who doesn't have a smartphone. Just as well you weren't a police officer with a warrant card - that really would be a reminder of work outside working hours. I think you'll recognise that most people with a work pass can't leave it "in the office" behind a poorly secured door with a flimsy padlock to protect it - as they will need that pass to get into work in the first place.POlice - had to be buzzed in. No access card given to me. couldn't leave the building during my shift, couldn't leave my work area. Never had a phone number for them. didn't own a mobile then
Care homes one was open door open access, others were keypad locks. More than ten years ago didn't own a mobile then
However I am 100% certain that the main doors to the hospitals are open access during daytimes and that you can freely wander around the corridors and use stairs and lifts
I can confirm that as a patient/visitor you can walk into most (all?) NHS Lothian hospitals and wander round without any access controls. You may or may not be able to get on individual wards at some or all times without a code, a card or being buzzed in. The surprising bit was you could get to a staff locker room with nothing more than a pin pad - given staff leave their valuables there that would seem to me to be a far bigger issue than being asked to use your own phone for MFA. Perhaps the petty thieves of the lothians have a moral compass and won't nick NHS staff property? It would be ironic if there's one part of the workforce arguing they shouldn't have to leave their fancy phone in the cupboard and another faction arguing that the perfect reason for having your phone on your person is an infringement of your work life balance! How do you reconcile those differences if the split is 99:1 ? What if the representative of the 100 is the vocal minority?
that really would be a reminder of work outside working hours
Once again - its not about being reminded of work outside of work hours. Its about work wanting me to use a personal device during work time for work activities. Want me to do something then provide me the tools. do not rely on me using my personal property for work. Its like if work want you to supply your own pens or keyboard
Same as work cannot require every staff member to use a personal device for work?
You keep saying that - but haven't provided anything to substantiate it. Certainly for new employees it's perfectly possible to make it a condition of employment. I doubt a tribunal would find it was unfair dismissal if the only thing an employee was in dispute about was the authentication method to the network - perhaps 5 years ago, but now with so much concern around randsomware/phishing it seems good security should be a number one priority. I'd happily contend that in many workplaces a personal phone is more secure than a device that is only ever used for logging in - people are naturally more careful and don't lend them out willy nilly etc. The tribunal panel probably need to use their own phones to access your court papers and are going to roll their eyes! Now you can ask the question if forcing it on people who dont like it is the best way to build a relationship, but that is a different question from can they.
I think this shows you don't know what these authenticator apps are like or do. The reason people are talking about passes and keys is that is the analogy - your pass or keys don't contact you are 10pm on Sat evening, an authenticator app is either completely silent until you open it (google) or only pops up on your phone when you try to log in on a computer (microsoft). Unless someone is trying to hack your account you will never see or use it except when you want to - during working hours.Some of you would refuse to put work email or teams on your personal phone - how is my stance different?
No it shows you do not understand my point. Its using my personal property for work purposes. Its nothing to do with what that usage is. Its that I do not want work to use my personal property for any purpose.
Passes and keys are not my personal property. Thats not the same in any way
that really would be a reminder of work outside working hours
Once again - its not about being reminded of work outside of work hours. Its about work wanting me to use a personal device during work time for work activities. Want me to do something then provide me the tools. do not rely on me using my personal property for work. Its like if work want you to supply your own pens or keyboard
It's probably not uncommon for people to supply their own pens!
Whilst you wore a uniform so were provided with it (I assume), many employees provide their own clothes - did officers promoted from uniformed PC to CID refuse to come to work in civvies because the force weren't paying for them? They are basic essentials for the workplace. I'm guessing you provided your own shoes? Did you use a fob watch or similar? Was that provided? Did you have a similar OMG no way attitude to stuff going the other way - wearing a pair of gloves to fix a chain issue on your bike before you cycled home? Using a bit of micropore tape to stop your bar tape unravelling? Finding that you've brought a work pen home - and making sure nobody uses the ink to sign a document?
What I am suggesting is that you are a bit out of touch with what is normal practice in many normal workplaces. The NHS is a weird place to work: most people in there have only every worked there and have become institutionalised. Things which might seem "impossible" or "mandatory" because thats how the NHS has done it and nobody would dare challenge it are not necessarily the law, or even best practice, or normal in other places. I've seen employees who try to be a PITA about trivial stuff; it's essentially career-limiting - that's not about the cost saving of the device its about the attitude, and its not usually management who get pissed off first - its all the other people who actually (at least sort of) enjoy coming to work and find the "they can't make us do this" workplace stuff culture destroying.
None of you get to determine where TJs line is, nor do any of you get any say whatsoever as to whether it makes sense to TJ himself. Only TJ gets to determine that.
Fundamentally, I think the issue is that TJ himself either doesn't or won't understand what the request actually entails.
The reason he's getting the pushback he is is because his stance - whilst otherwise laudable and I've said several times now that I agree with him - on this particular point is akin to arguing "I'm not going into the office because I'm frightened of zombies." If we were take him round and show him that there were, in fact, no zombies in the office and he still maintained his stance then fair enough. But as it is it's a viewpoint born - by his own admission - from a point of ignorance, and that's not something IMHO we should be rallying to defend.
Haha - I’d pay money to see the manager’s face when that expense claim went in.
I've provided my own tools for work before now. When one broke in the line of duty, they replaced it.
If you want me to wear a suit rather than appropriate clothing to crawl around under desks running cables and I wear the knees out of expensive trousers, I would expect the same to apply or I'm coming into work in cargo pants tomorrow.