On 7 March 2013, the Information Commissioner’s Office (ICO) published new guidance on “bring your own device” (BYOD), which explains the risks organisations must consider when allowing personal devices such as smart phones, laptops and tablets to be used to process work-related personal information.
The Data Protection Act 1998 (the Act) places obligations on organisations responsible for processing personal information. In particular, Principle 7 requires appropriate technical and organisational measures to be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
Data protection risks occur when there are a large number of devices used to process personal information outside the employer’s direct control.
According to a recent survey commissioned by the ICO and carried out by YouGov, many employers are at risk of failing to comply with the Act. In particular, it was identified that many employers’ approach to popular personal devices such as laptops, tablets and smart phones put personal information at risk.
This is increasingly relevant, as the survey indicates that nearly 50 per cent of all UK adults use personal devices for workrelated purposes, but only 30 per cent of those who do so have been provided with guidance from their employers on data protection policies. The ICO guidance explains how allowing employees to bring their own devices can be done safely, permitting the employing company to retain control of the personal information for which it is responsible, and ensuring compliance with the Act.
The key recommendations from the ICO guidance include the following:
- Employers should carry out detailed assessments of the types of data being processed and the nature and risks involved with the different personal devices used by its employees.
- Employers should implement a clear BYOD policy which will necessarily be unique to each employer and should be monitored for compliance regularly.
- Employers should be clear as to what types of personal information may be processed on personal devices.
- Personal devices should be password-protected. Strong passwords should be used and controls put in place for the automatic deletion of all data if an incorrect password is detected several times consecutively. Employees should be clear as to which information will be deleted.
- Encryption should be used to store data on the device securely.
- Employers should exercise extreme caution in any use of public cloud-based sharing or back-up services.
- Devices should have remote locate and wipe services in case of loss or theft.
- Monitoring technology should remain proportionate and not excessive, in particular during personal use.
Whilst many employers have experienced the increased efficiency and other benefits that modern personal devices can bring to their workforce, their potential for data protection breaches must not be ignored, in particular when devices are owned by the employees themselves. Employees’ personal devices are, by their nature, outside the control of employers. This is a particularly dangerous situation when they are also used to process personal information that is under the control of the employer.
The guidance should be welcomed by employers, as it offers clear insight into good practice when developing policies and implementing controls to keep personal information secure.