Date Established: 6/16/2016
Date Last Updated: 6/21/2018
Administration and Governance
Associate Vice President and Controller
Vice President for Finance and Administration
This policy provides guidance and a framework for decision-making regarding mobile communication devices and related services.
The University at Buffalo (UB, university) recognizes that the performance of certain job responsibilities may be facilitated by the use of various mobile communication devices. The university will accommodate employees with a valid business need for mobile communication devices and related services by issuing a department-owned mobile communication device or providing an allowance to offset the cost of a personally-owned mobile communication device (device acquisition and monthly service). This technology must be used for the benefit of the university in the performance of university business.
To be eligible for consideration of a department-owned mobile communication device or an allowance, the employee must have a valid business need for required or essential business communication resulting from:
With approval of the appropriate dean, vice president, or their designee, employees may receive a department-owned mobile communication device or allowance to offset the cost of a personally-owned mobile communication device and related services. This determination must be reviewed annually and revised when necessary.
Departments determine the appropriate communication device and service plan for each employee based on business need. Departments retain ownership, maintain inventory controls over the device, and administer the service plan. Approval for a mobile communication device and related services is subject to valid business need and budget considerations.
Employees are expected to conduct university business on devices purchased and maintained by departments. Minimal personal use of a department-owned device is permitted. These devices are the property of the department and must be returned to the university if changes in responsibility no longer require the employee to have a device or upon the employee’s departure or termination from the unit.
An employee who has been issued a department-owned mobile communication device is not eligible for an allowance for a personally-owned mobile communication device.
Departments may provide an allowance to offset the cost of a personally-owned mobile communication device and related services to an employee with a valid business need. The allowance is an amount toward a portion of the mobile communication device needed for business and will be paid through the University at Buffalo Foundation (UBF) payroll process. This method of payment eliminates the administrative burden of retaining monthly statements to distinguish business from personal use.
The allowance for each employee should be established by the department based on the portion of mobile communication device service needed for business and department budget considerations.
Departmental or unit policy for an allowance to offset the cost of a personally-owned mobile communication device and related services used for university business may be more, but not less, restrictive than university policy. A department or unit may provide an allowance or terminate an allowance based on business requirements or budget considerations.
Employees may request reimbursement for the occasional business use of personally-owned mobile technology and related services if they do not receive an allowance. Occasional business use may be a single event (e.g., international business trip) or occur over a limited time period (e.g., semester project) and includes voice and/or data that results in additional costs that are above and beyond the employee’s usual calling plan (i.e., excess minutes, roaming charges, international calling plan).
Generally, reimbursement for mobile communication devices and related services may not be charged to sponsored accounts. In instances where a Principal Investigator (PI) or project has obtained budgetary and sponsor approval to charge mobile communication devices and related services to a grant, the PI or other research personnel should submit an eRequisition to establish a separate contract with the service provider.
There may be additional restrictions on the use of sponsored funds to pay for mobile communication devices and related services. Contact your grant administrator for information.
The university does not provide reimbursement for internet connectivity from home; the employee is responsible for all costs related to this service.
The university standard for securing devices and information includes both university and personally-owned mobile communication devices. This is especially important for employees who receive or use Category 1 - Restricted Data or Category 2 - Private Data as defined in the Data Risk Classification Policy. Employees must safeguard mobile communication devices and protect the data stored on the devices. Category 1 - Restricted Data or Category 2 - Private Data may not be copied to or stored on mobile devices. While these devices can be used to view university business data, including Category 1 - Restricted Data and Category 2 - Private Data, employees must not download this data to the device. Mobile communication devices that are used to access Category 1 - Restricted Data and Category 2 - Private Data must use encryption to protect the data.
Pursuant to law and State University of New York (SUNY) policy, whenever the university reasonably anticipates that litigation or a legal proceeding (e.g., lawsuit, audit, investigation, Freedom of Information Law (FOIL) request) has been or will be commenced, it must take actions to preserve all electronically stored information that may be relevant. This requires the university to suspend the deletion, overriding, or other destruction or alteration of electronic information relevant to the proceeding. This preservation obligation includes all forms of electronic communications (e.g., email, word processing, calendars, text messages, voice messages, videos, photographs) wherever stored, including on a mobile communication device. This electronic information must be preserved so that it can be retrieved at a later time in connection with the legal proceeding. Mobile communication devices used to conduct university business, whether owned by the university or the individual, are subject to these preservation requirements and employees using such devices to conduct university business must comply with preservation and production notices.
Under New York State law, an individual cannot use a hand-held mobile telephone or portable electronic device to talk, text, or email while driving. If a portable electronic device is used while driving (except to call 911 or to contact medical, fire, or police personnel about an emergency), the driver can receive a traffic ticket and be subject to a fine, surcharge, and point assessment. Fines are the responsibility of the employee and will not be reimbursed by the university.
Use of a mobile communication device while operating a motor vehicle is strongly discouraged, even when a hands-free accessory is available. If it is absolutely necessary to use the device, university employees driving a motorized vehicle should:
University employees driving during the course of duty, regardless of vehicle ownership, are required to comply with all local and state driving regulations, in any jurisdiction in which they are driving.
The university provides essential, business-related tools for faculty and staff in a manner that promotes the proper stewardship of assets and is in accordance with a framework for consistent decision-making. While recognizing that properly used mobile communication devices facilitate university business, the university must manage the costs, risks, and administrative burden associated with such use.
The policy applies to all university employees and state, Research Foundation, University at Buffalo Foundation, and Faculty Student Association funds.
Category 1 – Restricted Data
Protection of the data is required by law or regulation. The loss of confidentiality, integrity, or availability of the data or system could have a significant adverse impact on our mission, safety, finances, or reputation.
Restricted data includes the definition of private information in the New York State (NYS) Security and Breach Notification Act as a foundation: bank account, credit card, and debit card numbers; social security numbers; state-issued driver license numbers; and state-issued non-driver identification numbers. To this list, university policy adds protected health information (PHI), computer passwords, other computer access protection data, and passport numbers.
Category 1 – Restricted Data are exempt from disclosure or release under the NYS Freedom of Information Law (FOIL). The NYS Information Security Breach and Notification Act requires the university to disclose any breach of the data to New York residents. (State entities must also notify non-residents; see the NYS Information Security Policy.)
Individuals who access, process, store, or in any other way handle Category 1 – Restricted Data must implement controls and security measures as required by relevant laws, regulations, and university policy. In instances where laws and/or regulations conflict with university policy, the more restrictive policy, law, or regulation governs.
Category 2 – Private Data
Includes university data not identified as Category 1 – Restricted Data, and data protected by state and federal regulations. This includes Family Educational Rights and Privacy Act (FERPA)-protected student records and electronic records that are specifically exempt from disclosure by the NYS FOIL.
Category 2 – Private Data must be protected to ensure that they are not disclosed in a FOIL request. Private data must be protected in order to ensure that they are only disclosed as required by law, including FOIL. Decisions about disclosure must be made by the Records Management Officer.
The National Institute of Standards and Technology (NIST) Special Publication 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, maps to the Category 2 – Private Data risk classification.
Mobile Communication Device
Collective term used to describe various types of devices including, but not limited to: cellular and satellite phones, smart phones, personal digital assistants (PDAs), tablets, pagers, and other similar devices that facilitate voice and data communications.
Valid Business Need
The need to be readily accessible for contact with the public or with university faculty, staff, or students, coupled with the impracticality of a regular land-line telephone for required or essential business communication needs due to one of the following:
• the need to be readily accessible
• the need to receive or initiate communication in emergency or time-sensitive situations
• safety requirements while traveling on the road or in off-campus locations
• frequent and regular travel, with a travel plan as part of job responsibilities
• work locations in the field or at a job site where access to electronic and telecommunication devices is unavailable.
• Consider alternatives (e.g., pager, two-way radio) that will provide adequate but less costly service.
• Consult with Procurement and consider using a university recommended supplier to take advantage of negotiated rates and discounts.
Department-Owned Mobile Communication Device
Allowance for Personally-Owned Mobile Communication Device and Related Services
• Ensure that the service plan complies with any requirements established by the employee’s supervisor.
• Accept responsibility for all payments to the service provider.
• Accept responsibility for the repair or replacement of a damaged or lost mobile communication device.
June 2018: Updated the policy to be consistent with the Protection of University Data Policy and the Data Risk Classification Policy:
• Replaced the terms "regulated private data," "protected information," and "confidential information" with "Category 1 - Restricted Data" and "Category 2 - Private Data"
• Removed the definition of Regulated Private Data
• Added definitions for Category 1 - Restricted Data and Category 2 - Private Data