SecurityPolicy.com.au
Home/ Australia/ Policy Library/ Remote work and BYOD policy
Australia Policy Library Policy template Reviewed 2026-07-12

Remote work and BYOD policy: a practical guide for Australian businesses

<5 minutes
ACSC recommended automatic screen-lock delay
Same day
ISM access removal when the business need ends
14 days
Standard NSW prior workplace-surveillance notice
26 Aug 2025
Right to disconnect start date for small-business employees
Why this guide exists

Personal-phone MFA, MDM visibility, remote wiping and the cost of using private equipment generate the strongest employee concern. Home-network security and offboarding are discussed less often, but they are recurring sources of preventable exposure.

What is a remote work and BYOD policy, and does my business actually need one?

A remote work and BYOD policy sets the conditions for working away from company premises and for using personally owned phones, tablets or computers to access business systems or data. It should identify who may work remotely, which locations, devices, accounts and information are approved, the security controls users must accept, and what happens when access ends. There is no single Australian law requiring every private business to use a document with this exact title, but APP 11, workplace-surveillance laws, employment instruments, contracts and cyber-security frameworks can make written controls necessary or strongly advisable. The policy should sit beneath the master information security policy and work with the acceptable-use and access-control policies rather than replacing them.

How this differs by situation
  • business with remote employees, contractors or outsourced service providers — Apply the policy to every person and device that can reach business systems or information, not only permanent employees.
  • APP entity covered by the Privacy Act — Remote and BYOD controls form part of the reasonable technical and organisational measures used to protect personal information under APP 11.
  • small business with annual turnover of $3 million or less — Do not assume the Privacy Act never applies; several categories of small business are covered, and contractual, sector and state obligations may still apply.
PUT THIS IN YOUR POLICY, EXACTLY

Remote work and access from a personally owned device are permitted only where the organisation has approved the user, work arrangement, device, applications, information and access method. Users must comply with the organisation’s acceptable-use, access-control, privacy and security requirements, maintain the required device and network safeguards, protect business information from household members and other unauthorised people, and immediately report loss, compromise or suspected unauthorised access.

What must it contain — the non-negotiable sections?

State the purpose, scope, eligibility and approval process, then identify permitted work locations, devices, operating systems, applications, accounts and information. Include minimum device and home-network security, MFA, remote access, data separation, storage and transfer rules, MDM or work-profile conditions, monitoring disclosures, support and cost arrangements, incident reporting and physical privacy. Add joining, role-change and leaving procedures, remote or selective wipe authority, exceptions, review ownership and the right to disconnect. The policy should say what the organisation can see or control on a personal device rather than relying on the vague label MDM.

How this differs by situation
  • New South Wales workforce subject to computer surveillance — Include or link to the prior written notice and notified policy required by the Workplace Surveillance Act 2005.
  • business handling sensitive or high-value information — Restrict access to organisation-issued or tightly managed devices where BYOD controls cannot reduce the residual risk to an acceptable level.
  • ISM-aligned organisation — Map the policy to the enterprise-mobility controls for private devices, MDM, encryption, data separation, mobile-device use and emergency sanitisation.
PUT THIS IN YOUR POLICY, EXACTLY

This policy covers eligibility and approval, work locations and hours, approved devices and platforms, minimum security configuration, home and public networks, remote access, multi-factor authentication, storage and transfer of business information, separation of work and personal data, mobile device management, monitoring and privacy, software and cloud services, technical and financial support, incident reporting, loss and theft, after-hours contact, exceptions, offboarding and removal of business access and data.

How do I secure remote work and home networks?

Require a supported and updated device, MFA, encryption where appropriate, automatic locking and a private workspace where screens, calls and papers cannot be seen by household members or visitors. Home users should change default Wi-Fi and router credentials, use the strongest available encryption, keep the router updated, disable remote management and Universal Plug and Play, and use a guest network for untrusted household devices. Avoid public Wi-Fi for sensitive work and use the organisation's approved VPN or remote-access method where required. A VPN helps protect traffic but does not make an infected, unpatched or phished device safe.

How this differs by situation
  • home-based employee using a shared household network — Use a guest network or separate work network where practical and do not share the work device or work account with household members.
  • business providing remote access to internal systems — Require approved, hardened devices and MFA in addition to a VPN; do not treat network encryption as a substitute for endpoint security.
  • worker using public or shared locations — Limit sensitive work, protect screens and conversations, avoid public Wi-Fi and use approved secure connectivity.
PUT THIS IN YOUR POLICY, EXACTLY

Remote work must be performed on an approved, supported and updated device using multi-factor authentication and the organisation’s approved remote-access method. Users must secure home routers and Wi-Fi by changing default credentials, using the strongest available encryption, applying updates, disabling remote management and Universal Plug and Play, and separating untrusted devices where practical. Work devices must automatically lock within five minutes, must not be shared, and must be protected from observation, overhearing, theft and unauthorised physical access.

What are the BYOD risks, and how do I separate business data?

BYOD reduces the organisation's assurance over patching, malware, local administrators, installed apps, backups and who else uses the device. Business information can leak into personal email, consumer cloud storage, messaging apps, photo libraries, browser profiles and backups unless the policy and technology enforce separation. Use an approved work profile, container, virtual desktop or managed application set, and keep work data in approved repositories rather than personal storage. For sensitive information, an organisation-issued and managed device may be the only proportionate option.

How this differs by situation
  • business allowing low-risk email or calendar access — A limited managed-app or browser-based approach may be sufficient if local storage, forwarding and personal backups are controlled.
  • business handling health, identity, financial, legal or other sensitive information — Prefer organisation-issued and fully managed devices or remote virtual access that prevents sensitive information being stored locally.
  • APP entity — Apply APP 11 controls to personal information wherever the organisation holds or controls it, including copies on approved personal devices and third-party services.
PUT THIS IN YOUR POLICY, EXACTLY

Business information may only be accessed, stored, created or transferred through approved work applications, managed profiles, virtual desktops and repositories. Users must not copy business information to personal email, consumer cloud storage, personal messaging services, photo libraries, removable media or personal backups. The organisation may prohibit local storage or require an organisation-issued device where the sensitivity of the information or the available controls make BYOD risk unacceptable.

Can my employer make me use MFA / an app on my personal phone?

There is no simple Australia-wide rule that makes every personal-phone requirement automatically lawful or automatically unlawful. Whether a direction is lawful and reasonable can depend on the employment contract, award or agreement, the role, the security need, cost, privacy impact, the app's capabilities and whether a practical alternative is available. Requiring strong MFA for work access is sound security practice, but an authenticator or passkey is not the same as enrolling the whole phone in MDM. A clear policy should provide an organisation-owned device or hardware token where a worker has no suitable phone, cannot safely enrol it or reasonably objects to broader device management, and should address any applicable allowance or reimbursement.

How this differs by situation
  • employee asked to install only an authenticator or passkey — Explain the app's permissions, data collected, support and alternatives; do not describe a simple authentication app as full-device management.
  • employee asked to enrol a private phone in MDM — Complete a privacy and employment-law assessment, disclose the control and wipe capabilities, obtain any required agreement and offer a managed work device where the intrusion is not proportionate.
  • award or enterprise-agreement workforce — Check whether the applicable instrument requires an allowance, reimbursement, consultation or other condition for using personal equipment or incurring work expenses.
PUT THIS IN YOUR POLICY, EXACTLY

Multi-factor authentication is mandatory for the systems designated by the organisation. Where authentication would require use of a personally owned device, the organisation will explain the application, permissions, information collected and support arrangements and will provide an approved alternative where the user has no suitable device or where personal-device use is not lawful, reasonable or proportionate. Full-device management of a personal phone is not implied by a requirement to use an authenticator and requires separate approval and disclosure.

MDM and monitoring — what can and can't a business do to a personal device?

MDM capabilities vary sharply: a managed work profile may control only work apps and data, while full-device enrolment can expose or control much more. The business should disclose the enrolment mode, information collected, settings enforced, location or network data used, administrators with access, retention, investigation process and exact wipe capability before enrolment. Monitoring should be necessary, proportionate and confined to legitimate security and business purposes; a BYOD agreement is not a blank cheque to inspect personal content. Privacy, employment and state surveillance laws still apply, and NSW employee computer surveillance generally requires prior written notice and a notified policy.

How this differs by situation
  • New South Wales employee subject to computer surveillance — Give the statutory prior notice, ordinarily at least 14 days, and conduct computer surveillance under a policy notified in advance so the employee can reasonably be assumed to understand it.
  • APP entity collecting device or employee information — Assess whether the monitoring itself is privacy-invasive and limit collection, access, retention and disclosure to what is reasonably necessary.
  • personal device using a managed work profile — State precisely whether the organisation can view device compliance, work applications and work data, and whether it can selectively wipe only the work container.
PUT THIS IN YOUR POLICY, EXACTLY

Before a personal device is enrolled, the organisation must disclose the management mode, permissions, information collected, monitoring performed, settings enforced, people authorised to access management data, retention period and whether the organisation can selectively wipe work data or erase the entire device. Monitoring and management must be lawful, necessary and proportionate and must be limited to approved security, compliance, support and investigation purposes. Personal content must not be accessed merely because the device is enrolled.

How does offboarding and remote wipe work?

Offboarding must be driven by the organisation, not left to the departing worker to delete a few apps. Disable accounts, active sessions, tokens, certificates, VPN access and recovery methods at the agreed time, then transfer business records and remove approved work profiles, apps and data from personal devices. Prefer selective wipe or cryptographic removal of the managed work container because a full-device wipe can destroy personal information and create liability. Remote wipe is an emergency control, not proof that every copy has disappeared, so the organisation should also address personal backups, downloaded files, cloud synchronisation and devices that remain offline.

How this differs by situation
  • routine resignation or end of contract — Schedule access removal for the same day the legitimate business need ends and obtain confirmation that managed work data and profiles were removed.
  • lost, stolen or maliciously used device — Revoke access immediately, preserve relevant evidence and use selective or emergency sanitisation where technically available and proportionate.
  • APP entity with personal information on a private device — Verify that personal information no longer needed is destroyed or de-identified across controlled copies, subject to lawful retention obligations.
PUT THIS IN YOUR POLICY, EXACTLY

When a user leaves, changes duties, loses a device or no longer has a business need, the organisation must promptly disable relevant accounts, sessions, tokens, certificates and remote access and remove organisational profiles, applications and data. Selective removal of the managed work container must be used wherever available. A full-device wipe may only be authorised where the capability, circumstances, consent or other legal basis and risk justify it. The organisation must verify removal and address downloaded files, synchronised copies and personal backups rather than relying on remote wipe alone.

How does it relate to the acceptable-use and access-control policies?

The remote work and BYOD policy is the device-and-location overlay for rules established elsewhere. The acceptable-use policy says what people may do with systems, accounts, internet, email, data and AI tools; the access-control policy says who receives access, how identity and MFA work, and how access is reviewed and removed. The remote work and BYOD policy adds which private or company devices may be used, the home-network and physical-security conditions, what management and monitoring occur, and how work data is separated and wiped. All three should use the same definitions, approval roles, incident route, exception process and joiner-mover-leaver records.

How this differs by situation
  • business with a master information security policy — Place acceptable use, access control and remote work and BYOD beneath the master policy and define precedence where requirements overlap.
  • business using SaaS and personal phones without a corporate network — The relationship still matters: access-control rules govern identities and MFA, acceptable-use rules govern behaviour, and BYOD rules govern the endpoint and data boundary.
  • business using an MSP — Require the provider to implement the same approved-device, identity, monitoring, logging and offboarding controls and retain evidence.
PUT THIS IN YOUR POLICY, EXACTLY

This policy must be read with the Information Security Policy, Acceptable Use Policy, Access Control Policy, Privacy Policy and Incident Response Plan. The Acceptable Use Policy governs permitted behaviour; the Access Control Policy governs identity, authentication, authorisation and access removal; and this policy governs the devices, networks, locations, management controls and data-separation conditions for remote access. Where requirements differ, the more protective lawful requirement applies unless an approved exception states otherwise.

The common gaps and red flags?

Red flags include informal BYOD with no approved-device register, unsupported or rooted devices, shared household use, default router credentials and business data in personal email, messaging, cloud storage or backups. Employment and privacy warning signs include mandatory private-device use with no disclosed app permissions or alternative, full-device MDM described as a simple authenticator, monitoring without required notice, and remote-wipe wording that ignores personal data. Security gaps include MFA without endpoint hardening, permanent local administrator rights, no expiry for contractor access and offboarding that reaches only the main email account. A policy should also avoid creating an expectation that a work app or second SIM makes an employee permanently contactable outside working hours.

How this differs by situation
  • business with informal or employee-led BYOD — Inventory existing devices and access paths before writing the policy; otherwise unauthorised arrangements will remain outside the control set.
  • multi-state employer — Use a national core policy plus jurisdiction-specific surveillance and privacy notices rather than assuming the NSW position applies everywhere.
  • business unable to meet a control immediately — Record an owner, reason, compensating controls and expiry date for the exception rather than silently treating the gap as compliant.
PUT THIS IN YOUR POLICY, EXACTLY

Unapproved devices, rooted or jailbroken devices, shared user accounts, personal email or cloud storage for business information, undisclosed monitoring, unmanaged copies and standing remote access without a current business need are prohibited. Every exception must record the affected user and device, business reason, risk, compensating controls, approver and expiry date. Possession of a work application, account, device or SIM does not by itself require a user to monitor or respond to contact outside working hours.

What's my next step?

Common misconceptions

  • Allowing remote work automatically means employees may use any personal device they choose. INFERRED
  • A VPN makes an unpatched, infected or phished personal device safe. INFERRED
  • Every MDM enrolment lets the employer read every personal message, photo and browser history. INFERRED
  • An authenticator app and full-device management are the same thing. INFERRED
  • Australian law gives every employer an automatic right to require any employee to buy and enrol a personal smartphone for work. INFERRED
  • A successful remote-wipe command proves every business file and backup has been removed from a personal device. INFERRED
  • APP 11 applies only when personal information is stored on company-owned hardware. VERIFIED
  • A work phone, work app or second SIM makes an employee permanently contactable after hours. VERIFIED
  • Removing access at the next periodic review is sufficient after a worker leaves or no longer needs it. VERIFIED

Obligations at a glance

The obligations most relevant to this guide, with the regulator, the trigger and the timeframe. Follow the source links in the appendix for the authoritative wording.

OBLIGATION REGULATOR TRIGGER TIMEFRAME PENALTY
APP 11 security of personal information Office of the Australian Information Commissioner An APP entity holds personal information, including information it possesses or controls through remote work, personal devices or third-party services. Ongoing while the personal information is held.
APP 11 destruction or de-identification Office of the Australian Information Commissioner An APP entity no longer needs personal information for a permitted purpose and no Australian law, court or tribunal order or Commonwealth-record exception requires retention. Take reasonable steps when the information is no longer needed, including across controlled copies and backups.
NSW prior workplace-surveillance notice NSW Government An employer proposes camera, computer or tracking surveillance of an employee while the employee is at work in New South Wales. Generally at least 14 days' prior written notice; relevant new employees must receive notice before starting work where the surveillance has commenced or will commence within 14 days.
NSW computer-surveillance policy NSW Government An employer conducts computer surveillance of an employee at work in New South Wales, including through relevant equipment or resources used remotely. The surveillance must be conducted under an employer policy notified in advance so it is reasonable to assume the employee is aware of and understands it.
Fair Work right to disconnect Fair Work Ombudsman and Fair Work Commission An employee refuses to monitor, read or respond to employer or third-party contact outside working hours. Applied from 26 August 2024 for employees of non-small businesses and from 26 August 2025 for employees of small-business employers.
Award, agreement or contractual equipment and expense entitlements Fair Work Ombudsman and Fair Work Commission An employee is required to use personal equipment or incurs work-related expenses and an applicable award, enterprise agreement or contract provides an allowance or reimbursement. As specified by the applicable industrial instrument or contract.
ISM same-day access removal or suspension Australian Signals Directorate, Australian Cyber Security Centre An ISM-aligned organisation determines that a worker no longer has a legitimate requirement for remote or other system access. The same day the legitimate requirement ends; as soon as practicable where malicious activity is detected.

Sources

  1. Security tips for remote working primary
  2. Guidelines for enterprise mobility primary
  3. Risk management of enterprise mobility (including Bring Your Own Device) primary
  4. Bring Your Own Device for executives primary
  5. Implementing multi-factor authentication primary
  6. Guidelines for personnel security primary
  7. Chapter 11: APP 11 Security of personal information primary
  8. Guide to securing personal information primary
  9. Notifiable Data Breaches Report: January to June 2023 primary
  10. Workplace monitoring and surveillance primary
  11. Flexible working arrangements best practice guide primary
  12. Right to disconnect primary
  13. Allowances primary
  14. Workplace Surveillance Act 2005 No 47 primary
  15. Company is requiring us to use our personal phone forum
  16. Combining work phone on personal mobile forum
  17. Forced to install work app on personal device forum
  18. Laptop monitoring forum
Not legal advice

This guide and its templates are a professionally drafted starting point, not legal advice. Your obligations depend on your industry, your contracts and your data. Have a qualified adviser review anything high stakes before you rely on it.