One of the most important policies for an organisation to have in place in terms of aiding and ensuring compliance with the Data Protection Act 1998 is an Information Security policy. A good Information Security policy will explain to employees what they are and are not permitted to do with the data they handle as part of their everyday employment. This will include rules and guidance on the storing, sharing, transferring and disposal or destruction of data, including personal data, and will generally cover issues such as passwords, encryption and use of employer-owned portable devices, such as laptops and BlackBerries.
One area that can often be overlooked in an Information Security policy is the use by employees of their own personal devices for work purposes. The ever-increasing sophistication of electronic devices, such as smart phones and tablets, have resulted in a surge of requests from employees at all levels, from board members to administrative staff, to use their own personal devices for carrying out part or all of their job.
Permitting the use of personal devices can have a beneficial impact for an employer, such as creating greater job satisfaction for its employees, allowing for increased flexibility in work patterns and thereby increased efficiency in the work force.
However, where use of personal devices is permitted, unless appropriate controls and policies are in place to govern such use, there is a real risk that the employer will lose control of at least some of the personal data for which it is responsible.
To assist employers understand and manage the risks created by the use of personal devices, the Information Commissioner’s Office recently published new guidance entitled “Bring Your Own Device (BYOD)”. The purpose of this guidance is to highlight the various factors that an employer needs to bear in mind when considering allowing the use of personal devices by employees for the processing of personal data.
The guidance points out that the biggest issue posed by the use of personal devices is that it is the employee who will own, maintain and support the device, not the employer (the data controller). As a result, an employer will have little control over the device. This therefore places an employer in a difficult position as regards its compliance with the seventh data protection principle, which requires a data controller to take appropriate technical and organisational measures against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
In order to maintain control over the personal data for which it is responsible, the guidance advises employers to carry out an impact assessment, assessing among other things the type of data that may be stored on such devices, the potential for leaks or losses of information, the security capabilities of such devices and what happens if an employee who uses a personal device in connection with their job leaves their employment.
Following such an assessment, the guidance advises that a specific BYOD policy be created and communicated to all employees, which policy clearly sets out the parameters surrounding the use of personal devices and the responsibilities of the employees who use personal devices in carrying out their job.
The guidance provides some tips as to some of the key features of such a BYOD policy, including the use of passwords and encryption, a ban on the use of personal devices for processing sensitive personal data, a ban on the use of personal devices that do not meet a certain minimum threshold of security and a requirement for permission to be given for the employer to remotely access the personal device for the purposes of deleting data owned by the employer.
A robust BYOD policy will help to reduce the risks created by the use of personal devices, however, as with all employment policies, it will only have real value if compliance with the policy is actively monitored and enforced by the employer.