General app guidance
When working, you need to communicate with Ministry of Justice (MoJ) colleagues and use business tools (‘apps’). You’ll also need to work with people outside the MoJ. There are various tools you might use, besides the standard email and telephone tools. This document tells you about the tools you can, and cannot, use for business purposes. This guidance applies to all staff and contractors who work for the MoJ.
Some ALBs, Agencies, or other large groups within the MoJ might have their own, specific guidance regarding how to use certain apps for different purposes.
Access to tools
You can access tools that are provided through your MoJ provided devices by downloading from:
- The Software Centre application on your device (for Dom1 equipment).
- The Self Service application on your Mac (for IT Service Desk managed MacBook laptops).
Currently, access to the tools mentioned in this document is not available from Quantum devices.
For other MoJ provided devices, seek help from your Line Manager in the first instance.
Corporate, work and personal accounts
- A corporate account is for making official MoJ statements and providing official views. Only a small number of authorised people can use it.
- A work account is your normal MoJ account that you use every day for business as usual. Only you have access to your work account.
- A personal account is your own personal account on Gmail, Hotmail, Yahoo, and so on. You should never use a personal account for business purposes. To be clear: never send your work material to your personal device or your personal email account.
Some of the applications listed make a distinction between general use with a work account, and use with a corporate account. Using a tool with a corporate account means you are providing views or statements on behalf of the MoJ. Never use a personal account for business purposes with any tool.
Remember that if you are authorised to use a corporate account, you are speaking and acting for the whole of the MoJ. When working with a personal account, you are speaking and acting as an MoJ employee and a civil servant.
Always follow all MoJ policies and guidelines regarding public information, including social media. To access this information you’ll need to be connected to the MoJ Intranet.
In particular, follow the Civil Service Code of Conduct.
Video conference hardware
There are specific security concerns when using video conferencing hardware. The hardware might need extra permissions, involving access to the MoJ network, or involving personally identifiable information.
Video conferencing hardware might also be in a ‘constant listening state’. This means that anything said within hearing distance, at any time, is ‘heard’ by the device. Similarly, anything in the line of sight might be ‘seen’ by the device. Some video conferencing hardware might record and even store the audio or video data outside the MoJ.
Video conferencing hardware for use within the MoJ shall meet the required security standards of the MoJ. Any devices that do not meet the security standards shall not be used. The reason is that the hardware might be insecure, and therefore unsafe to use for Official-Sensitive conversations.
Using video conference tools safely
The NCSC has excellent guidance on using video conferencing services safely.
Key things to remember before a call include:
- Make sure your video conferencing account (or the device or app you are using for video conferencing) is protected with a strong password.
- Test the service before making (or joining) your first call.
- Understand what features are available, for example recording the call or sharing files or screen information.
Key things to remember for every call include:
- Do not make the calls public, for example always require a password to join the call.
- Know who is joining the call, in particular check that everyone is known and expected to be present, and that people who have dialled in have identified themselves clearly and sufficiently.
- Consider your surroundings, for example checking what can be seen behind you (forgetting to check information on a whiteboard or noticeboard is an easy mistake).
MoJ Policy and guidance
Official and Official-Sensitive Information
Official information is the majority of information that is created or processed by the public sector. This includes routine business operations and services, some of which could have damaging consequences if lost, stolen or published in the media, but are not subject to a heightened threat profile.
Official-Sensitive is not a classification. Sensitive is a handling caveat for a small subset of information marked Official that requires special handling by staff. You should apply the handling caveat where you wish to control access to that information, whether in a document, email, or other form.
Privacy and personal information (Data Protection)
Some communications tools expect to have a copy of your contacts list. The list is uploaded to the tool server in order to let the tool function correctly. Think carefully about whether this is reasonable to do. Make sure that sharing your contacts list does not impact anyone else’s privacy in a negative way.
Data protection legislation makes you responsible for personal information you work with. You must keep it safe and secure. In particular, you must follow data protection obligations. These include the Data Protection Act 2018 and the General Data Protection Regulation (GDPR).
Complying with personal information requirements can be complex. Don’t hesitate to ask for advice:
- Email: DataProtection@justice.gov.uk
- Intranet: https://intranet.justice.gov.uk/guidance/knowledge-information/protecting-information/
Many of the tools are only used for your day-to-day communication with colleagues. The information you work with is typically classified at Official.
Think about the MoJ information you work with when using these tools. What would happen if you lost your mobile device, or it was stolen? Suppose the voice or video call was overheard in a cafe, or read from your screen on a crowded train. Could there be damaging consequences? If the answer is ‘No’, then it’s probably OK to use the tool to communicate that information with colleagues.
You have a duty of confidentiality and a responsibility to safeguard any HMG information or data that you access. This is Principle 2 of the Government Security Classifications. The MoJ trusts you to work with Official information. You’re trusted to make a reasoned judgement about whether it’s safe to use an approved tool, or whether you should use a different MoJ-provided work tool.
Never send work material to your personal devices or email accounts.
Remember that it is impossible to delete information after it’s released in public.
For more information about MoJ IT Security, look on the MoJ Intranet here.
Storage and data retention
Laws and regulations make the MoJ and its employees responsible for managing information. Some examples include:
- Freedom of Information Act.
- Data Protection Act and General Data Protection Regulation.
- Public Records Acts.
When we receive a request for information, we need to know where we hold all the relevant information. Storing business information on appropriate MoJ systems helps us, because:
- We can provide evidence about decisions.
- We understand the information held, and where to find it.
- We can transfer records to The National Archives.
Always store MoJ information in MoJ systems. If you use a tool for work tasks, make sure the key information is stored in an appropriate MoJ system. Guidance on what you must keep is available on the Intranet here. At regular and convenient intervals, transfer the information to an appropriate MoJ system. Do the same when you finish the work. Don’t forget to remove any redundant information from a tool by clearing or deleting data if it has been preserved in an MoJ system.
Many tools let you export your data. You can then store it on an appropriate MoJ system. Sometimes it’s easier to copy and paste text into a new document. Make sure that only the correct people have access to the information. This is important after staff or organisational changes, for example.
You must use communications tools for business purposes in an acceptable way.
Be sensible when using communications tools for MoJ business purposes:
- Be extra careful with sensitive and personal information in tools.
- Try to avoid using the same tool for business and personal use - you can get confused about who you’re talking with.
- If the message you’re about to send might cause problems, upset, offence, or embarrassment, it’s not acceptable.
- Context is important - a message you might think is funny could be upsetting to someone else.
- If something goes wrong, report it.
The bottom line is:
If there is doubt, there is no doubt - ask for help!
| Tool name | Tool type | Conditions/constraints on use | Accessing/installing tool | Audience |
|---|---|---|---|---|
| Apple Facetime | Communication tool: Video | Avoid personal or sensitive data | Smartphone App | Internal/External |
| Apple iMessage | Text messaging | Avoid personal or sensitive data | Smartphone App | Internal/External |
| Google Meet (was Google Hangouts) | Communication tool: Video and/or voice | MoJ use approved for Official and Official-Sensitive | IT Service Desk controlled Mac - Self service, Web browser. | Internal/External |
| Microsoft Teams | Communication and collaboration tool: Video and/or voice | MoJ use approved for Official and Official-Sensitive | Dom1 Software centre, IT Service Desk controlled Mac - Self service, Web browser. | Internal/External |
| Miro | Collaboration tool: Whiteboarding | Avoid personal or sensitive data | Web browser. | Internal/External |
| Skype for Business | Communication tool: Video and/or voice | MoJ use approved for Official and Official-Sensitive | Dom1 Software centre, IT Service Desk controlled Mac - Self service, Web browser. | Internal/External |
| Slack | Text messaging, Voice/Video calls, etc. | Avoid personal or sensitive data | IT Service Desk controlled Mac - Self service, Web browser. | Internal/External |
| Slido | Q&A tool during presentations | Avoid personal or sensitive data | Web browser. | Internal |
| Trello | Project management tool, ‘Kanban’ cards | Avoid personal or sensitive data. An enterprise-wide MoJ licence is available. Ensure you create Trello boards in the MoJ workspace. Do not use a personal Trello account. | Web browser based use. Log in using your MoJ single sign-on account, for example a Digital & Technology Google account, or a Microsoft Office 365 account. | Internal |
| | Text Messaging, Video transmission | Approved for MoJ Corporate account. Using a personal account to comment on work related issues is encouraged, as long as you follow the Civil Service Code of Conduct. | Web browser, Windows 10 App, Smartphone App. | Internal/External |
| | Text messaging, Voice/Video calls | Avoid personal or sensitive data | Dedicated app on device, also web browser. | Internal/External |
| Yammer | Text messaging | Avoid personal or sensitive data | Dedicated app on device | Internal |
| YouTube | Video sharing tool: Video, streaming and chat | Avoid personal or sensitive data | Web browser based use. | Internal/External |
| Zoom | Communication tool: Video, voice and chat | Avoid personal or sensitive data | Web browser based use, or dedicated and installed app by approval | External meetings. For Internal meetings, use Microsoft Teams. |
MoJ guidance encourages the use of password managers where possible. To establish what options are available for an MoJ-issued device, check the official MoJ software and application installation tool provided with the device, to see whether it includes a facility to install optional software and whether a password manager is among the options.
Tools for sharing information internally and externally
For secure sharing and transfer of materials within MoJ bodies or external organisations including other government departments, the MoJ installation of Microsoft Teams is approved for use with data up to and including Official-Sensitive.
For secure sharing and transfer of materials with external organisations that cannot use Teams, the Criminal Justice Secure Exchange (CJSE) and Criminal Justice Secure Messaging (CJSM) tools are the preferred solution for data up to and including Official-Sensitive.
For secure sharing and transfer of materials with external organisations where the use of Teams, CJSE, or CJSM is not practicable, the following tools are approved for data up to and including Official-Sensitive:
For use within MoJ bodies, these products may only be installed on MoJ-issued devices. For advice on installation and configuration of these products, consult the team responsible for the supply and configuration of your devices.
For secure sharing and transfer of materials with other government bodies, where the use of Teams, CJSE, CJSM, Egress, or Galaxkey is not possible, the use of official MoJ email systems is approved for data up to and including Official-Sensitive.
Always follow the guidance in the Data Handling and Information Sharing Guide when making such transfers. This applies particularly with regard to the sharing of data classified higher than Official.
If you need clarification or further assistance in selecting the appropriate tool, ask for help.
You shall not install proctoring software onto MoJ equipment.
Some certification or examination organisations enable people to take assessments remotely. They do this by having ‘supervision’ software installed on the user’s computer. This software is often referred to as ‘proctoring software’. The tools make sure that the assessment is as fair as possible, by installing a variety of controls. For example, the software can take control of the camera and microphone of the device it is installed on.
The problem is that the controls give the proctoring software extensive access to the computer. This means that the tools could inspect information or other applications on the computer. In effect, the proctoring software might have uncontrolled access to MoJ information or materials on the computer. This is not acceptable.
If you need to use proctoring software, your options are:
- Install the proctoring software on a personal device.
- Contact the assessment organisation asking for alternative options.
NHS Track and Trace
The official NHS Covid-19 app was designed by the NHS. Both NCSC and Cabinet Office have been involved in the security of the system. The app provides contact tracing, local area alerts and venue check-in. It enables you to protect yourself and your loved ones. Installation is optional, but recommended.
After installing the app, you’ll receive an alert if you have been in close contact with other people who have tested positive for coronavirus. You can then take action to avoid passing the virus on, for example by self-isolating.
From a security perspective, it is safe for you to use the app on your personal or MoJ issued devices. There are no extra risks for colleagues with security clearance, such as SC and DV.
If you wish to install the app, start at the NHS site.
Note: The NHS app may not work on some older MoJ devices. Installation might not be possible, for example on Quantum smartphones.
You might have both a personal and an MoJ issued device. Think about which device makes most sense to use with the app. It’s best to install on the device that you carry with you and use most of the time. You could install on all your devices if you prefer.
To reduce the likelihood of false alerts on the app, turn off the app’s Bluetooth mode. Do this when:
- You are working in environments with protective Covid measures in place, for example plexiglass separators.
- You need to leave your personal or work device in a locker, for example during a sports activity or to work in a secure MoJ facility.
Some tools, such as Facebook, Instagram and LinkedIn, are approved for specific corporate accounts to use, for corporate communications messages. General use of these tools for work purposes is not permitted.
Requesting that an app be approved for use
If there is an application or service that is not currently approved, but which you would like to use, you can request a security review.
Begin the request by filling in the Request a Security Review of a third-party service form, as best you can. The more information you provide, the better. But don’t worry if you have to leave some bits of the form blank.
When you submit the form, it is passed to the security team. The app is reviewed, to check things like how safe it is to use, and whether there are any Data Privacy implications. The security team will respond to you with an answer as quickly as possible.
Note: You should submit the request, and wait for a formal “approval” response, before you install or use the app on MoJ equipment or information.
If you have any questions about the process, ask for help.
Government policy and guidance
For any further questions or advice relating to security, contact: email@example.com.
If you have any questions or comments about this guidance, such as suggestions for improvements, please contact: firstname.lastname@example.org.