Make it your organisations New Years resolution to have a clear personal device at work policy
Submit Articles Back to Articles
8 January 2014
A survey before Christmas
showed that sixty per cent of the UK population now own a smart phone
and 20% a tablet. This is no doubt even higher as smart phones and
tablets topped many people’s Christmas gift lists, and an increasing
number want to use their personal devices at work.
Known as ‘bring your own
device’ this trend has many benefits including increased efficiency,
flexibility and employee morale. But it also carries a number of risks
organisations must consider when allowing employees’ devices to be used
to process work-related personal information.
Last year The Royal
Veterinary College received a warning from the ICO after a member of
staff last a camera, which included a memory card containing the
passport images of six applicants. The organisation
had no guidance in place explaining how personal information stored for
work should be looked after on personal devices.
Simon Rice, Group Manager
“As the line between our
personal and working lives becomes increasingly blurred it is critical
employers have a clear policy about personal devices being used at work.
“The benefits must be balanced
against the potential risks to work-related personal data but the
organisation should not underestimate the level of effort which may be
required to ensure that the processing of personal data with BYOD
remains compliant with all 8 Principle of the Data Protection Act.
Remember, it is the employer who is held liable for any breaches under
The ICO’s key ‘bring your own
device’ recommendations are:
Ensure devices are secure
It is important to ensure that
personal data is protected against unauthorised or unlawful access.
There are a range of simple ways to achieve this but all need to be in
place before an incident occurs.
- Ensure devices are locked with
a strong password;
- Use encryption to store data
on the device securely;
- Maintain a clear separation
between the employee’s private and work data, for example, by only
using apps which you have approved for business use and use separate
apps for personal
Ensure data transfers are secure
Transferring data between
personal devices and organisation’s systems presents its own set of
risks, which need to be anticipated and minimised.
- Transfers of personal data
should be done via a secure channel;
- Be careful of untrusted
connections, for example open Wi-Fi networks in coffee shops;
- Only use public cloud-based
sharing and public backup services, which you have not fully assessed
with extreme caution, if at all.
If the device is lost or
stolen ensure you can prevent any work-related personal data from being
- Register devices with a remote
locate and wipe facility in the event of a loss or theft;
- Make sure users know exactly
which data might be automatically or remotely deleted and under which
Have an ‘end of contract’ policy
When an employee leaves
the company or an employee replaces their device, have a policy in
place to secure work-related accounts and information.
- Change the password and revoke
all access to facilities such as the company email, intranet and social
Have a clear Acceptable Use Policy
- Provide information on how
users should delete the data on the device prior to disposal, resale or
It’s important both
employer and employee understand their responsibilities.
and maintain an Acceptable Use Policy to provide guidance and
accountability of behaviour;
if this needs to link to your Social Media Policy if BYOD leads to an
increased use of social media;
clear about which types of personal data may be processed on personal
devices and which may not;
all relevant departments (including employees, IT & HR) and the
end users in the development of an Acceptable Use Policy.
A full copy of the ICO’s
guidance on BYOD is available on the ICO website at:
About the Author
The Information Commissioner’s Office is the UK’s
independent authority set up to uphold information rights in the public
interest, promoting openness by public bodies and data privacy for
individuals. We do this by promoting good practice, ruling on
complaints, providing information to individuals and organisations and
taking appropriate action when the law is broken.
The ICO enforces and oversees the following
- Data Protection Act 1998
- Freedom of Information Act 2000
- Privacy and Electronic Communications
- Environmental Information Regulations
Follow us @Scopulus_News
Article Published/Sorted/Amended on Scopulus 2014-01-10 10:17:34 in Computer Articles
All ICO Articles