General app guidance

When working, you need to communicate with Ministry of Justice (MoJ) colleagues and use business tools (‘apps’). You’ll also need to work with people outside the MoJ. There are various tools you might use, besides the standard email and telephone tools. This document gives guidance on the types of tools you can and cannot use for business purposes. This guidance applies to all staff and contractors who work for the MoJ.

Some ALBs, agencies, or other large groups within the MoJ might have their own, specific guidance regarding how to use certain apps for different purposes.

Access to tools

You can access tools through your MoJ-provided devices by downloading from:

  • The Software Centre application on your device (for Dom1 or MoJO equipment).
  • The Self Service application on your Mac (for IT Service Desk managed MacBook laptops).

For MoJ-provided devices that are not Dom1, MoJO, or IT Service Desk Managed MacBooks, seek guidance from your Line Manager to appropriately source software.

Corporate, work, and personal accounts

  • A corporate account is for making official MoJ statements and providing official views. Only a small number of authorised people can use it.
  • A work account is your normal MoJ account that you use every day for business as usual. Only you have access to your work account.
  • A personal account is your own personal account, outside of the MoJ. You should never use a personal account for business purposes. To be clear: Never send your work material to your personal device or your personal email account.

Some applications make a distinction between general use with a work account, and use with a corporate account. Using a tool with a corporate account means you are providing views or statements on behalf of the MoJ. Never use a personal account for business purposes with any tool.

Remember, if you are authorised to use a corporate account, you are speaking and acting for the whole of the MoJ. When working with a personal account, you are speaking and acting as an MoJ employee and/or a civil servant.

Always follow all MoJ policies and guidelines regarding public information, including social media.

In particular, follow the Civil Service Code of Conduct.

Video conference hardware

There are specific security concerns when using video conferencing hardware. The hardware might need extra permissions, involving access to the MoJ network, or involving personally identifiable information.

Video conferencing hardware might also be in a ‘constant listening state’. This means that anything said within hearing distance, at any time, is ‘heard’ by the device. Similarly, anything in the line of sight might be ‘seen’ by the device. Some video conferencing hardware might record and even store the audio or video data outside the MoJ.

Video conferencing hardware for use within the MoJ shall meet the required security standards of the MoJ. Any devices that do not meet the security standards shall not be used. The reason is that the hardware might be insecure, and therefore unsafe to use for Official-Sensitive conversations.

Using video conference tools safely

The NCSC has excellent guidance on using video conferencing services safely.

Key things to remember before a call include:

  • Make sure your video conferencing account (or the device or app you are using for video conferencing) is protected with a strong password.
  • Test the service before making (or joining) your first call.
  • Understand what features are available, for example recording the call or sharing files or screen information.

Key things to remember for every call include:

  • Do not make the calls public, for example always require a password to join the call.
  • Know who is joining the call, in particular check that everyone is known and expected to be present, and that people who have dialled in have identified themselves clearly and sufficiently.
  • Consider your surroundings, for example checking what can be seen behind you (forgetting to check information on a whiteboard or noticeboard is an easy mistake).

MoJ guidance

Official and Official-Sensitive Information

Official information is the majority of information that is created or processed by the public sector. This includes routine business operations and services, some of which could have damaging consequences if lost, stolen or published in the media, but are not subject to a heightened threat profile.

Official-Sensitive is not a classification. Sensitive is a handling caveat for a small subset of information marked Official that requires special handling by staff. You should apply the handling caveat where you wish to control access to that information, whether in a document, email, or other form.

Privacy and personal information (Data Protection)

Some communications tools expect to have a copy of your contacts list, which they may upload to a server. When selecting tools to use, think carefully about whether this is an acceptable risk, and whether it will negatively impact anyone else’s privacy.

Data protection legislation makes you responsible for keeping personal information you work with safe and secure. This specifically includes the Data Protection Act 2018 and the UK General Data Protection Regulation (UK GDPR).

Complying with personal information requirements can be complex. Don’t hesitate to ask for advice:

Information Management

Many tools are only used for day-to-day communication. The information you work with is typically classified at Official.

It’s important to consider the MoJ information you work with when using these tools. What would happen if you lost your mobile device, or it was stolen? Voice or video calls may be overheard in a cafe, or information read from your screen on a crowded train. What could the consequences be? If the consequences of the loss or exposure of the information are minimal, then the information can probably be safely communicated.

You have a duty of confidentiality and a responsibility to safeguard any HMG information or data that you access. This is Principle 2 of the Government Security Classifications. The MoJ trusts you to work with Official information. You’re trusted to make a reasoned judgement about whether it’s safe to use an approved tool, or whether you should use a different MoJ-provided work tool.

Never send work material to your personal devices or email accounts.

Remember that it is impossible to delete information after it is publicly released.

For more information about MoJ IT Security, look on the MoJ Intranet here.

Storage and data retention

Laws and regulations make the MoJ and its employees responsible for managing information. Some examples include:

  • Freedom of Information Act 2000.
  • Data Protection Act 2018 and UK General Data Protection Regulation.
  • Public Records Acts 1967.

When we receive a request for information, we need to know where we hold all the relevant information. Storing business information on appropriate MoJ systems helps us, because:

  • We can provide evidence about decisions.
  • We understand the information held, and where to find it.
  • We can transfer records to The National Archives.

Always store MoJ information in MoJ systems. If you use a tool for work tasks, make sure the key information is stored in an appropriate MoJ system. Guidance on what you must keep is available on the Intranet here. At regular and convenient intervals, transfer the information to an appropriate MoJ system. Do the same when you finish the work. Don’t forget to remove any redundant information from a tool by clearing or deleting data if it has been preserved in an MoJ system.

Many tools let you export your data. You can then store it on an appropriate MoJ system. Sometimes it’s easier to copy and paste text into a new document. Make sure that only the correct people have access to the information. This is important after staff or organisational changes, for example.

For more guidance, read the Information Management section on the Intranet. There is also help on responding to requests for information.

Acceptable Use

You must use communications tools for business purposes in an acceptable way.

Be sensible when using communications tools for MoJ business purposes:

  • Be extra careful with sensitive and personal information.
  • Try to avoid using the same tool for business and personal use to avoid confusion.
  • If the message you’re about to send might cause upset, offence, or embarrassment, it’s not acceptable.
  • Context is important - a message you might think is funny could be upsetting to someone else.
  • If something goes wrong, report it.

The bottom line is:

If there is doubt, there is no doubt - ask for help!

Password managers

MoJ guidance encourages the use of password managers where possible. To establish what options are available for an MoJ-issued device, check the official MoJ software and application installation tool provided with the device, to see whether it includes a facility to install optional software and whether a password manager is among the options.

Tools for sharing information internally and externally

For secure sharing and transfer of materials within MoJ bodies or external organisations including other government departments, the MoJ installation of Microsoft Teams is approved for use with data up to and including Official-Sensitive.

For secure sharing and transfer of materials with external organisations that cannot use Teams, the Criminal Justice Secure Exchange (CJSE) and Criminal Justice Secure Messaging (CJSM) tools are the preferred solution for data up to and including Official-Sensitive.

For secure sharing and transfer of materials with other government bodies, where the use of Teams, CJSE, or CJSM is not practicable, the use of official MoJ email systems is approved for data up to and including Official-Sensitive.

Always follow the guidance in the Data Handling and Information Sharing Guide when making such transfers. This applies particularly with regard to the sharing of data classified higher than Official.

If you need clarification or further assistance in selecting the appropriate tool, ask for help.

Proctoring software

You shall not install proctoring software onto MoJ equipment.

Some certification or examination organisations enable people to take assessments remotely. They do this by having ‘supervision’ software installed on the user’s computer. This software is often referred to as ‘proctoring software’. The tools make sure that the assessment is as fair as possible, by installing a variety of controls. For example, the software can take control of the camera and microphone of the device it is installed on.

The problem is that the controls give the proctoring software extensive access to the computer. This means that the tools could inspect information or other applications on the computer. In effect, the proctoring software might have uncontrolled access to MoJ information or materials on the computer. This is not acceptable.

If you need to use proctoring software, your options are:

  • Install the proctoring software on a personal device.
  • Contact the assessment organisation asking for alternative options.

Other tools

Some tools, such as Facebook, Instagram and LinkedIn, are approved for specific corporate accounts to use, for corporate communications messages. General use of these tools for work purposes is not permitted.

If you wish to use a tool that is not listed in any specific guidance, please consult our Guidance for using Open Internet Tools and ask for help.

Requesting that an app be approved for use

If there is an application or service that is not currently approved, but which you would like to use, you can request a security review.

Begin the request by filling in the Request a Security Review of a third-party service form, as best you can. The more information you provide, the better. But don’t worry if you have to leave some bits of the form blank.

When you submit the form, it is passed to the security team. The app is reviewed, to check things like how safe it is to use, and whether there are any Data Privacy implications. The security team will respond to you with an answer as quickly as possible.

Note: You should submit the request, and wait for a formal “approval” response, before you install or use the app on MoJ equipment or information.

If you have any questions about the process, ask for help.

Other information

Government policy and guidance

GDS Social Media Playbook

NCSC

Video conferencing services: using them securely

Secure communications principles

Using third-party applications

Contact and Feedback

For any further questions or advice relating to security, or for any feedback or suggestions for improvement, contact: security@justice.gov.uk.