The Information Commissioner’s Office (ICO) recently published guidance on bring your own device (BYOD). The guidance sets out what data controllers need to consider “when permitting the use of personal devices to process personal data for which they are responsible.” It provides a series of ‘top tips’ for addressing the multitude of questions that accompany BYOD. As expected, the main recommendation is for implementation of a clear BYOD policy to help minimise serious data protection risks and to comply with data protection related obligations.
Room for development
To this end the ICO suggests businesses put in place an Acceptable Use Policy and, if BYOD leads to an increased use of social media, a Social Media Policy too. The guidance also focuses on maintaining the personal data / business data split – by restricting employees’ use of third party storage solutions and unauthorised applications for work related data – and on bolstering existing defences – through the use of multiple layered passwords, encryption, and automatic device-locking and device-wiping systems. There are also recommendations on the implementation of regular audits of employees’ use of devices and of compliance with all related policies. Where the ICO leaves scope for further general guidance is not so much on access itself but on what is to be done with data once access has been gained. Certain specific areas are also likely to warrant greater attention in the future.
The quick obsolescence of BYOD devices is one such area warranting attention. Data is still largely generated on PCs, but as this data is increasingly accessed on user-owned, handheld devices with a shelf life of 1-2 years rather than 5-7 years, businesses are having to manage that data more proactively. With a burgeoning array of operating systems now available – including multiple versions of each of those operating systems – the challenge of managing the higher disposal/recycle frequency of such devices is one that quickly puts a high demand on resources.
Not only must obsolete devices have all confidential data wiped before being discarded, but new devices must be synchronised and brought up to par, and existing devices that are cyclically upgraded (mobile phone contracts that are renewed every 12 to 24 months, for instance) may have to be reconfigured. The ICO addresses this partially in its ‘Deleting Personal Data’ guidance (August 2012), and its ‘IT Asset Disposal for Organisations’ (November 2012).
Both of these guides provide an overview of best practice for businesses, though a number of BYOD issues are left unaddressed. Solid-state drives (SSDs), for example, are used in place of traditional hard drives on most smartphones and tablets, and standard data wiping techniques are commonly held to be less effective on SSDs. The use of enhanced, auditable wiping may be preferable in this instance, with the deletion processes as a whole calling for more detailed guidance.
While the BYOD guidance is an excellent starting point, it could go further. The ICO leaves room for detail on how sensitive data is to be kept confidential, and how any broader ‘control’ obligations are to be met. There is also a gap in how BYOD might be dealt with under certain litigation and discovery processes, and bring your own network (BYON) is developing at a pace that warrants greater consideration.