Data protection risks from BYOD schemes

A Bring-Your-Own-Device (BYOD) scheme is an attractive option for organisations looking to provide a more flexible work environment by allowing employees to use their own phones, laptops and tablets for work purposes. However, under the Data Protection Act 1998 (DPA), organisations must take appropriate technical and organisational measures against 'unauthorised or unlawful processing of personal data and against accidental loss or destruction of or damage to personal data'.

An employee's personal use of devices for work increases the possibility of damage or unauthorised access to corporate data for which the organisation is responsible, particularly if the user introduces a virus by downloading content or if the device is lost or stolen. Businesses should manage these risks by implementing a policy to control the use of personal devices for work purposes. Failure to implement appropriate security measures to protect personal data will be a breach of the DPA and could also put the organisation in breach of confidentiality provisions in its contracts. The Information Commissioner's Office (ICO) has the power to impose penalties, which could include fines of up to £500,000, on the organisation rather than on the employee at fault.

The ICO has published guidance on how to manage the data protection risks from BYOD schemes which includes 'top tips' on the measures that organisations should be thinking of. A copy of the guidance can be found here.

New guidance from the ICO on social media

The Information Commissioner's Office (ICO) has published new guidance on the application of the Data Protection Act 1998 (DPA) to the use of social networking and online forums for business purposes.

Personal data processed for domestic purposes is exempt from the DPA principles, but the ICO's guidance states that 'the domestic purposes exemption cannot apply to the processing of personal data done by organisations through social networking sites'. Processing on behalf of an organisation for the organisation's corporate or organisational purposes will be subject to the principles of the DPA in the usual way, even if an employee processes such data through their own personal networking page. However, the ICO said it would consider it 'poor practice' to encourage or allow employees to use their personal networking pages for corporate purposes.

The purpose of the processing of personal data, and not the nature of the information itself, will determine whether or not the domestic purposes exemption applies. The ICO's guidance provides many helpful examples to determine whether or not a social networking page is being used for domestic purposes, for example whether comments made by an employee in response to a post made by another employee are made for 'domestic purposes'. Organisations should have clear policies in place to control the use of social networking sites by their employees.

A copy of the ICO's guidance can be found here.