In BYOD we trust...

Against a backdrop of data security scares arising from increasing use by employees of their own devices, the Information Commissioner's Office (ICO) recently warned that organisations must ensure that their data protection policies reflect the working practices of their employees and Bring Your Own Device (BYOD) issues in particular.

The warning was given in the context of a report of an incident involving the loss of a Royal Veterinary College (RVC) staff member's camera. The camera contained a memory card on which the passport images of six job applicants were recorded. The exact circumstances of how and why the images were on an employee's personal device are not detailed, but there is nothing to suggest there was any malicious intent behind it and it is notable that the RVC themselves chose to inform the ICO of the loss.

This incident has been discussed in some depth in the context of the growing 'trend' of BYOD. That is perhaps to take a slightly narrow view of its applicability. It is an admirable function of the human condition that people will use whatever tools are at their disposal in a creative manner to get the job done. Of course, when that conflicts with the rights of others (here the data subjects'), regulation is required. However, if an employee's instinct to find a solution is to be hindered, it is in the interests of their employer to implement effective policies and training to explain why and how that is done.

Thankfully, in most circumstances, organisations do not want their employees to behave like drones, unwaveringly following set procedures. An organisation devoid of people with the creativity and initiative to manoeuvre around immediate difficulties is unlikely to be in business for long. Furthermore, the overly zealous application of regulation-driven procedures, especially in areas such as data protection, risks playing into the hands of those who complain that the regulators 'don't understand business' and those who would wish to sacrifice personal data protections on the altar of business competitiveness. The answer lies, as it so often does, in the application of common sense guidance that allows initiative to flourish while promoting the personal data security that we all value. To that end, the ICO produced some helpful guidance earlier this year which explains some of the key issues organisations need to be aware of, notably:

  • Be clear with staff about which types of personal data may be processed on personal devices and which may not.
  • Use a strong password to secure your devices.
  • Enable encryption to store data on the device securely.
  • Ensure that access to the device is locked or data automatically deleted if an incorrect password is input too many times.
  • Use public cloud-based sharing and public backup services, which you have not fully assessed, with extreme caution, if at all.
  • Register devices with a remote locate and wipe facility to maintain confidentiality of the data in the event of a loss or theft.

It is commendable that, in these circumstances, the ICO allowed positive undertakings to be given by the RVC. As well as providing for technical security measures, the undertakings given serve to bolster the understanding of employees as to the importance of data security, put policies in place to regulate use and encourage a culture of awareness and concern for the security of personal data.

Subscribers to Lexis®PSL IP&IT will find the precedent BYOD policy and practice note useful. In-house lawyers and practitioners charged with ensuring employee awareness of BYOD issues and policies should see the associated training materials.