The Data Protection Act places obligations on organisations, including employers, who process information. One key plank of the data protection regime is the security principle – organisations must have appropriate security in place to prevent personal data held by them from being accidentally or deliberately compromised. In particular, in the event of a security breach, organisations must be able to demonstrate that they have secured, controlled or deleted all personal information on a device.
"Bring your own device" (BYOD) raises a number of concerns for employers because personal data may be processed on smart phones, tablets or other devices over which employers do not have direct control. The Information Commissioner has published guidance on the data protection implications of allowing employees to use personal computing devices in the workplace.
Some practical suggestions for employers from the guidance include:
- loss or theft of the device is a major risk factor in BYOD - ensure strong passwords and encryption are used by employees; consider the use of remote "locate and wipe" so that data can be removed from a device (but don't forget to tell employees if you are going to use this sort of mobile device management)
- limit the choice of devices to those you have assessed as providing an appropriate level of security for the data
- be clear about which types of data may be processed on devices, for example, by prohibiting the storage of particularly sensitive data, or restricting it to devices with a high level of encryption
- decide how to support devices - for example, if a BYOD user's device breaks and is returned to the manufacturer, can you ensure the protection of corporate personal data?
- check that controls are in place to deal with the possibility of the device user's own non-corporate personal data being processed
- implement and maintain an "acceptable use" policy, for IT and HR departments as well as end users, and also consider the need for a social media policy - BYOD may lead to increased use of social media.