How to use TikTok safely at Oxford

Using TikTok safely at Oxford

TikTok has been banned from use on official Government devices in the UK since 16 March 2023. The ban came in after Cabinet Office ministers ordered a security review, which looked at the potential vulnerability of government data from social media apps on devices and risks around how sensitive information could be accessed and used by some platforms.

The Information Security team (InfoSec) has considered the Government ban and concluded that TikTok should only be used by University staff for University purposes by exception, where there is a strong justification and its use has been approved by the relevant Head of Department. This guidance only applies to setting up official University TikTok accounts, not to TikTok accounts used by staff or students in their personal lives.

For more information, read our full guidance


Did you know?

The National Cyber Security Centre (NCSC), part of GCHQ, has since conducted a technical assessment. Its advice is that "TikTok should not be installed or used on official public sector devices except for exceptional cases where there is considered to be a business need." The European Commission as well as governments in the Netherlands, the United States, Canada and New Zealand have also told officials they cannot use the mobile phone app on work devices over fears of ties to the Chinese government.

Like most companies, TikTok has a Privacy Policy; however, there is concern that Chinese intelligence law, which requires organisations to assist the Communist Party when requested, will override it. This requirement from the Chinese government is fundamentally at odds with the protections outlined in the GDPR (General Data Protection Regulation), which protects EU and UK residents' data regardless of the location of the data controller.


Checklist for Communications Professionals

If you are a Communications Professional at Oxford and are thinking about adding TikTok to your communications channels, we advise you to follow the checklist below to keep your data and the University's data safe.

  1. TikTok should only be used on a dedicated, office-based device. A smartphone or tablet is recommended for ease of connectivity and security
  2. The device should be isolated from the University network, with internet access achieved through a public network such as the 4G or 5G mobile network
  3. The device should not be used to access any University systems (Teams, Outlook etc.), other than a specific email account associated with the use of TikTok (see below)
  4. Personal TikTok accounts should not be used for University business and staff email addresses should not be used in creating accounts
  5. If you associate a mobile phone number with the account, it should be a number used solely for the purpose of using TikTok
  6. We strongly advise that you request a generic (non-personal) mailbox and SSO account from IT Services. The generic account should only be accessed from the dedicated TikTok device
  7. A one-way trust (flow of data) to the device (for the uploading of videos, text and images) should be enforced through local operating procedures. No files or programs should be uploaded to university systems from the device
  8. Data exchange may be achieved by AirDrop (macOS and iOS) or Nearby Sharing (Windows and Android). Alternatively, OneDrive may be used to enable information to be accessed (read only) from the device. This OneDrive should be associated with the generic mailbox and SSO.
  9. Data (videos, text and images) should be restricted to those that are classified as public according to the university's information classification scheme
  10. The risks to data integrity should be considered before posting media content
  11. Specifically, there is a high risk of replication and manipulation of videos and images once published. The use of AI software to manipulate videos is a particular threat
  12. The device used should receive all software updates in line with university policy and should be managed in line with the University’s device security guidance
  13. Remember, a Standard Operating Procedure (SOP) should be written, implemented, and working practices monitored to ensure usage adheres to these rules and all other relevant university policies
  14. For more information, read our full guidance


What if I have more questions?

If you have already started using TikTok for your unit and have questions about how to transition to a safer way of using TikTok, please contact our GRC team, who will be able to advise you.

Questions around procuring a work device to use TikTok on or about requesting a generic mailbox or SSO should be directed to your local IT office.