How to use TikTok safely

TikTok is a video-based social media platform that has rapidly become an important marketing and communications channel, but it comes with risks which need to be treated before it is used in the University.

TikTok has been banned from use on official Government devices in the UK since 16 Mar 23. The ban came in after Cabinet Office ministers ordered a security review, which looked at the potential vulnerability of government data from social media apps on devices and risks around how sensitive information could be accessed and used by some platforms.

At a glance

- TikTok should only be used on a dedicated, office-based device.

- The device should be isolated from the University network.

- The device should not be used to access any University systems other than a specific email account associated with the use of TikTok (see below).

- Data (videos, text and images) should be restricted to that classified as PUBLIC.

AT OXFORD

The Information Security Team recommends the following approach to enable TikTok to be used for University business while protecting internal and confidential information.

1. TikTok should only be used on a dedicated, office-based device. A smartphone or tablet is recommended for ease of connectivity and security. 

2. The device should be isolated from the University network, with internet access achieved through a public network such as the 4G or 5G mobile network. 

3. The device should not be used to access any University systems other than a specific email account associated with the use of TikTok (see below). 

4. Personal accounts should not be used for university business and staff email addresses should not be used in creating accounts.  

5. If you associate a mobile phone number with the account, it should be a number used solely for this purpose on a dedicated TikTok device. 

6. We strongly advise that you request a generic (non-personal) mailbox and SSO account from IT Services. The generic account should only be accessed from the dedicated TikTok device. Contact IT Services to request a generic account.

7. A one-way trust (flow of data) to the device (for the uploading of videos, text and images) should be enforced through local operating procedures. No files or programs should be uploaded to university systems from the device.  

8. Data exchange may be achieved by AirDrop (macOS and iOS) or Nearby Sharing (Windows and Android). Alternatively, OneDrive may be used to enable information to be accessed (read only) from the device. This OneDrive should be associated with the generic mailbox and SSO.

9. Data (videos, text and images) should be restricted to that classified as PUBLIC according to the university's information classification scheme. 

10. The risks to data integrity should be considered before posting media content. Specifically, there is a high risk of replication and manipulation of videos and images once published. The use of AI software to manipulate videos is a particular threat. 

11. The device used should receive all software updates in line with University policy and should be managed in line with the University's device security guidance.

12. A Standard Operating Procedure (SOP) should be written, implemented, and working practices monitored to ensure usage adheres to these rules and all other relevant university policies. 

THE BASICS

The Information Security team (InfoSec) has considered the Government ban and concluded that TikTok should only be used by University staff for University purposes by exception, where there is a strong justification and its use has been approved by the relevant Head of Department. This guidance only applies to setting up official University TikTok accounts and not to TikTok accounts used by staff or students in their personal lives.