On March 7th the UK’s Information Commissioner’s Office released some welcome guidance on the tricky range of data protection issues to be considered and addressed when adopting so-called “BYOD” or “Bring Your Own Device” schemes.
No longer confined to keeping a few highly paid Generation X or Y folk in California’s Silicon Valley happy, BYOD is rapidly maturing into a serious strategy for corporate technology rollout, from shop floor to boardroom, in a wide range of sectors. Chances are that if you don’t already officially have a scheme, your corporate IT department is already looking at one, or indeed some of your colleagues might unofficially be trialling it. According to the YouGov survey published alongside the ICO guidance, some 47% of UK adults use their personal smartphone, laptop or tablet computer for work purposes.
BYOD rollout raises a myriad of legal issues to be thought through so that data, whether personal or corporate, is appropriately protected. The ICO Guidance focuses on the protection of personal data where the device is being used for work-related personal data and also, potentially, the individual’s own data, raising awareness of the breadth of impact assessment required by data controllers if they are to adopt BYOD and still continue to comply with their obligations. Helpfully, it certainly dispels the notion that all that is needed is for the staff member to sign a consent form. The way in which these issues play out in each organisation will differ, and so will the solutions to address them.
Some of the points that come through from the ICO’s BYOD Guidance are:
- The theme of accountability for data controllers continues in a similar vein to the recent “cloud” guidance. Your responsibilities don’t end or diminish because you don’t own the device that you are choosing to allow to access the data. The same degree of control and protection is still expected, notwithstanding that it might be more “difficult”. Introducing new vulnerabilities won’t be “excused”. The regulator’s expectation is that the threats should be identified and resolved.
- Collaborative effort is key; as with so many aspects of data protection, bringing together data protection, IT, HR, legal and other relevant folk internally is an important part of working through the impacts and solutions.
- The importance of clear communication with staff about what they can use the device for, and their responsibilities in respect of that device. A clear BYOD policy is an important part of that, but it should also be backed up by training and audit.
- Steps to assess and then address the range of threats to the security of the data, for example potential access by other family members, use of public cloud facilities, use of non-corporate networks to access the data, attachment of peripherals, automated backup facilities, or downloading of rogue apps.
- The continued need to retain “control” and address issues such as loss of the device, for example through remote wiping.
- Being alert to the wider impact of some of the possible “solutions” to protect the corporate personal data, so you don’t create more compliance issues than you solve. For example, some data loss prevention tools and mobile device management services can also bring with them other data protection issues where these monitoring controls intrude into the “private” life and personal data of the user. If there is a location tracking element, for instance, is it switched off when the user isn’t working?
Whilst this guidance is a helpful starting point, it is important to bear in mind that there are broader legal and compliance issues to be considered with BYOD, particularly for those in regulated sectors. Whilst the ICO refers to FOIA, other particular issues include considerations in relation to confidentiality, broader “control” obligations, and litigation and discovery processes. A copy of the ICO’s guidance can be found here.