News release: 7 March 2013
A survey commissioned by the Information Commissioner’s Office (ICO) has shown many employers appear to have a ‘laissez faire’ attitude to allowing staff to use their personal laptop, tablet computer or smartphone for work business, which may be placing people’s personal information at risk.
The survey, carried out by YouGov, reveals that 47% of all UK adults now use their personal smartphone, laptop or tablet computer for work purposes. But fewer than 3 in 10 of those who do so are given any guidance on how their devices should be used in this capacity, raising concerns that people may not understand how to look after the personal information accessed and stored on these devices.
The news comes as the ICO today published guidance explaining some of the risks organisations must consider when allowing personal devices to be used to process work-related personal information. The guidance explains how this approach, commonly known as ‘bring your own device’ (BYOD), can be adopted safely and in a manner that complies with the Data Protection Act.
Simon Rice, Group Manager (Technology), said:
“The rise of smartphones and tablet devices means that many of the common daily tasks we would have previously carried out on the office computer can now be worked on remotely. While these changes offer significant benefits to organisations, employers must have adequate controls in place to make sure this information is kept secure.
“The cost of introducing these controls can range from being relatively modest to quite significant, depending on the type of processing being considered, and might even be greater than the initial savings expected. Certainly the sum will pale into insignificance when you consider the reputational damage caused by a serious data breach. This is why organisations must act now.
“Our guidance aims to help organisations develop their own policies by highlighting the issues they must consider. For example, does the organisation know where personal data is being stored at any one time? Do they have measures in place to keep the information accurate and up-to-date? Is there a failsafe system so that the device can be wiped remotely if lost or stolen?”
Today’s guidance from the ICO explains how organisations need to be clear on the types of personal data that can be processed on personal devices and have remote locate and wipe facilities in place so the confidentiality of the data can be maintained in the event of a loss or theft.
Other key recommendations from today’s guidance:
Be clear with staff about which types of personal data may be processed on personal devices and which may not.
Use a strong password to secure your devices.
Enable encryption to store data on the device securely.
Ensure that access to the device is locked, or its data automatically deleted, if an incorrect password is entered too many times.
Use public cloud-based sharing and public backup services, which you have not fully assessed, with extreme caution, if at all.
Register devices with a remote locate and wipe facility to maintain confidentiality of the data in the event of a loss or theft.
The YouGov survey shows that email is the most common work activity carried out on a personal device, accounting for 55% of people who use their personal smartphone, laptop, or tablet computer for work purposes. This was followed by 37% who used a personal device to edit work documents and 36% to store work documents. All of these activities are likely to involve the processing of personal information.
Read our 'bring your own device' guidance (pdf)
Download the YouGov survey in full (.xls)
1. The Information Commissioner’s Office upholds information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
2. The ICO has specific responsibilities set out in the Data Protection Act 1998, the Freedom of Information Act 2000, Environmental Information Regulations 2004 and Privacy and Electronic Communications Regulations 2003.
3. Anyone who processes personal information must comply with eight principles of the Data Protection Act, which make sure that personal information is:
Fairly and lawfully processed
Processed for limited purposes
Adequate, relevant and not excessive
Accurate and up to date
Not kept for longer than is necessary
Processed in line with your rights
Secure
Not transferred to other countries without adequate protection
4. All figures, unless otherwise stated, are from YouGov Plc. Total sample size was 2151 adults. Fieldwork was undertaken between 27 February - 1 March 2013. The survey was carried out online. The figures have been weighted and are representative of all UK adults (aged 18+).
5. The ICO is on Twitter, Facebook and LinkedIn. Keep up to date on the ICO blog and e-newsletter.
6. If you need more information, please contact the ICO press office on 0303 123 9070.