The Information Commissioner’s Office (ICO) is warning organisations that they must make sure that their data protection policies reflect how the modern workforce are using personal devices for work.
With a YouGov survey earlier this year showing that 47% of all UK employees now use their smartphone, tablet PC or other portable device for work purposes, there is a concern that many organisations are failing to update their data protection policies to account for this growing trend.
The warning comes after the Royal Veterinary College breached the Data Protection Act when a member of staff lost their camera, which included a memory card containing the passport images of six job applicants. The incident occurred in December last year and the organisation had no guidance in place explaining how personal information stored for work should be looked after on personal devices.
ICO Head of Enforcement, Stephen Eckersley, said:
“Organisations must be aware of how people are now storing and using personal information for work and the Royal Veterinary College failed to do this. It is clear that more and more people are now using a personal device, particularly their mobile phones and tablets, for work purposes so it’s crucial employers are providing guidance and training to staff which covers this use.
“We have published guidance on this growing trend, commonly known as Bring Your Own Device (BYOD), and we would urge all organisations to make sure they follow our recommendations by ensuring their data protection policies reflect the way many of us are now using personal devices for work.”
The ICO’s guidance explains that some of the key issues organisations need to be aware of when allowing staff to use personal devices for work include:
Be clear with staff about which types of personal data may be processed on personal devices and which may not.
Use a strong password to secure your devices.
Enable encryption to store data on the device securely.
Ensure that access to the device is locked or data automatically deleted if an incorrect password is input too many times.
Use public cloud-based sharing and public backup services, which you have not fully assessed, with extreme caution, if at all.
Register devices with a remote locate and wipe facility to maintain confidentiality of the data in the event of a loss or theft.