On 7 March 2013, the Information Commissioner’s Office (“ICO”), which is responsible for enforcing the Data Protection Act 1998 (“DPA”) in the UK, published guidance (“Guidance”) for organisations on how ‘bring your own device’ (“BYOD”) schemes can be adopted safely and in a manner that complies with the DPA.
The Guidance followed a YouGov survey which revealed that 47% of UK adults use their personal devices (e.g. smartphones, laptops or tablet computers) for work purposes, but that fewer than a third of those individuals had received any guidance on how their devices should be used in this capacity.
BYOD raises a number of data protection concerns because the device is owned by the user rather than the data controller. It is crucial that the data controller ensures that all processing of personal data under its control remains in compliance with the DPA. The ICO confirms that security is a primary concern for data controllers, who will therefore need to assess:
- what type of data is held;
- where data may be stored;
- how data is transferred;
- the potential for data leakage;
- the blurring of personal and business use;
- the device’s security capabilities;
- what to do if the person who owns the device leaves their employment; and
- how to deal with the loss, theft, failure and support of the device.
The ICO has emphasised that organisations need to be clear on the types of personal data that can be processed on personal devices and have remote locate and wipe facilities in place so the confidentiality of the data can be maintained in the event of a loss or theft.
The key recommendations from the ICO’s Guidance are as follows:
- Be clear with staff about which types of personal data may be processed on personal devices and which may not.
- Implement and maintain an Acceptable Use Policy to provide guidance and accountability of behaviour.
- Use a strong password to secure your devices.
- Enable encryption to store data on the device securely.
- Ensure that access to the device is locked or data automatically deleted if an incorrect password is input too many times.
- Avoid using public cloud-based sharing and public backup services that you have not fully assessed.
- Register devices with a remote locate and wipe facility to maintain confidentiality of the data in the event of a loss or theft.
Link to the Guidance: http://www.ico.org.uk/for_organisations/data_protection/topic_guides/online/~/media/documents/library/Data_Protection/Practical_application/ico_bring_your_own_device_byod_guidance.ashx