We've all been there: sending a quick email to a client on the train into work, or reading through a document in the house at the weekend. More often than not, such out-of-office working is a positive thing – it may help you to push through a deal before a deadline and will certainly add value in the client's eyes. If you are an employee, you may even be considered a hard worker or a team player (or, for the cynics out there, simply to have poor time management skills).
With recognition and appreciation, however, comes responsibility.
A recent YouGov survey identified that 47% of all UK adults now use their smartphones, laptops or tablets for work purposes ("bring your own device" or "BYOD" as it is termed by the ICO). This can mean accessing and dealing with people's personal information remotely.
Unfortunately, it would seem that the security of this personal information is no more than an afterthought – the same YouGov survey revealed that fewer than 3 in 10 people using personal technology for work purposes had received guidance on how to do so safely.
Despite the increase in identity thefts – and the ease with which laptops, phones etc. can be lost or stolen (not to mention fines of up to £500,000 which the ICO can impose on organisations breaching their data protection obligations and the subsequent reputational damage caused) – there is little understanding about how to BYOD properly.
In response, the ICO has published its own practical BYOD guidance. The aim of this guidance is to highlight the issues which organisations should consider when implementing data protection-friendly controls and adopting a clear BYOD policy. Although each BYOD policy must be individually tailored, there are recurring matters that all organisations should address: What type of data is held? Where is personal data being stored at any one time? Is there potential for data leakage? How secure are the devices that will be used? What will happen to personal data held on an employee's device when they leave? How will loss, theft, failure and support of devices holding personal data be dealt with?
The ICO also provides top tips for avoiding compromising situations involving personal data. These tips include: communicating to staff the types of personal data which may not be processed on personal devices, restricting the type of personal devices which can be used by employees, enabling encryption for stored data, using strong passwords, registering devices with a remote “locate and wipe” facility (to maintain confidentiality in the event of loss or theft) and providing guidance on the risks involved.
The issue of data protection is ever-present in organisations that handle personal information. As employees become increasingly mobile in conjunction with advances in technology, the need for data protection compliance becomes especially acute.