ICO publishes data protection guidance for BYOD

20 March, 2013
Photo: chinnian.

The Information Commissioner's Office (ICO) has recently published guidance to help organisations avoid breaching data protection law when they allow or encourage staff to use their own laptops, tablet computers or smartphones for work, a practice known as ‘bring your own device’ (BYOD).

A recent survey, commissioned by the ICO and carried out by YouGov, found that 47% of UK adults now use a personal smartphone, laptop or tablet computer for work purposes. Fewer than 3 in 10 of those who do so have been given any guidance on how the device should be used for work, raising the concern that many people do not know how to look after the personal information accessed and stored on these devices.

The benefits of BYOD include employee satisfaction from being able to use devices of their choice, increased productivity, particularly out of the office, and cost savings from reduced hardware overheads. BYOD also carries risks, however, chief among them security: a device the employer neither owns nor fully controls now holds and transmits personal data for which the employer remains responsible.

The ICO’s guidance outlines the risks which businesses should consider when allowing personal devices to be used for work-related purposes and explains how BYOD can be adopted in a manner that complies with the Data Protection Act 1998 (DPA).

The DPA sets out 8 principles of ‘good information handling’. As well as protecting the individuals who are the subjects of the information, the principles impose obligations on those who process it. The most relevant to BYOD is the seventh principle, which requires ‘appropriate technical and organisational measures’ against unauthorised or unlawful processing of personal data and against ‘accidental loss or destruction of, or damage to, personal data’. A lost, stolen or shared personal device engages both limbs of that principle.

The ICO’s guidance recommends a number of security measures which employers should put in place to avoid breaching their data protection obligations, including:

  • auditing the types of personal data being processed and the devices used to access that data;
  • denying or restricting access to sensitive data on devices which lack a high level of encryption; and
  • controlling access to data and/or devices using passwords or PIN codes.

The guidance also says that businesses should have remote locate and wipe facilities in place to preserve the confidentiality of data if a device is lost or stolen, and should, where possible, avoid public cloud-based sharing and backup services unless those services have been fully assessed. Remote wipe only works while the device is reachable, so it complements device encryption rather than replacing it.

Implementing these controls will not be free, but the cost of putting appropriate security measures in place is likely to be far outweighed by the potential fines and reputational damage that non-compliance with data protection legislation could bring, as well as by the financial benefits of BYOD itself.

As data controllers, employers must ensure that all personal data is processed in accordance with the DPA, regardless of who owns the device on which it is processed. The ICO’s guidance is a useful tool for employers currently using or considering BYOD initiatives to ensure that they remain compliant with the DPA.

A copy of the ICO’s guidance is available here.