Make it your organisation's New Year's resolution to have a clear personal device at work policy
8 January 2014
A survey before Christmas showed that sixty per cent of the UK population now own a smart phone and 20% a tablet. This is no doubt even higher as smart phones and tablets topped many people's Christmas gift lists, and an increasing number want to use their personal devices at work.
Known as 'bring your own device' this trend has many benefits including increased efficiency, flexibility and employee morale. But it also carries a number of risks organisations must consider when allowing employees' devices to be used to process work-related personal information.
Last year The Royal Veterinary College received a warning from the ICO after a member of staff lost a camera, which included a memory card containing the passport images of six applicants. The organisation had no guidance in place explaining how personal information stored for work should be looked after on personal devices.
Simon Rice, Group Manager (Technology), said:
"As the line between our personal and working lives becomes increasingly blurred it is critical employers have a clear policy about personal devices being used at work.
"The benefits must be balanced against the potential risks to work-related personal data but the organisation should not underestimate the level of effort which may be required to ensure that the processing of personal data with BYOD remains compliant with all 8 Principles of the Data Protection Act. Remember, it is the employer who is held liable for any breaches under the DPA."
The ICO's key 'bring your own device' recommendations are:
Ensure devices are secure
It is important to ensure that personal data is protected against unauthorised or unlawful access. There are a range of simple ways to achieve this but all need to be in place before an incident occurs.
Ensure devices are locked with a strong password;
Use encryption to store data on the device securely;
Maintain a clear separation between the employee's private and work data, for example, by only using apps which you have
approved for business use and use separate apps for personal use.
Ensure data transfers are secure
Transferring data between personal devices and organisation's systems presents its own set of risks, which need to be anticipated and minimised.
Transfers of personal data should be done via a secure channel;
Be careful of untrusted connections, for example open Wi-Fi networks in coffee shops;
Only use public cloud-based sharing and public backup services, which you have not fully assessed with extreme caution, if at all.
If the device is lost or stolen ensure you can prevent any work-related personal data from being accessed.
Register devices with a remote locate and wipe facility in the event of a loss or theft;
Make sure users know exactly which data might be automatically or remotely deleted and under which circumstances.
Have an 'end of contract' policy
When an employee leaves the company or an employee replaces their device, have a policy in place to secure work-related accounts and information.
Change the password and revoke all access to facilities such as the company email, intranet and social media
Provide information on how users should delete the data on the device prior to disposal, resale or recycling.
Have a clear Acceptable Use Policy
It's important both employer and employee understand their responsibilities.
Implement and maintain an Acceptable Use Policy to provide guidance and accountability of behaviour;
Consider if this needs to link to your Social Media Policy if BYOD leads to an increased use of social media;
Be clear about which types of personal data may be processed on personal devices and which may not;
Include all relevant departments (including employees, IT & HR) and the end users in the development of an Acceptable Use Policy.
Further guidance on BYOD is available within the ICO's Online and computing topic guides.
Notes to Editors
1. The Information Commissioner's Office upholds information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
2. The ICO has specific responsibilities set out in the Data Protection Act 1998, the Freedom of Information Act 2000, Environmental Information Regulations 2004 and Privacy and Electronic Communications Regulations 2003.
4. Anyone who processes personal information must comply with eight principles of the Data Protection Act, which make sure that personal information is:
- Fairly and lawfully processed
- Processed for limited purposes
- Adequate, relevant and not excessive
- Accurate and up to date
- Not kept for longer than is necessary
- Processed in line with your rights
- Not transferred to other countries without adequate protection
5. If you need more information, please contact the ICO press office on 0303 123 9070.