Data Protection Policies and Personal Devices

A recent YouGov survey showed that 47 per cent of all UK employees now use their smartphone, tablet PC or other portable device for work purposes. The Information Commissioner’s Office (ICO) has now issued a warning that organisations are failing to update their data protection policies to account for this growing trend.

The warning comes after the Royal Veterinary College was found to have breached the Data Protection Act 1998 when a member of staff lost a camera that held a memory card containing the passport images of six job applicants. It emerged that the College had no guidance in place explaining how to safeguard personal information stored on personal devices for work purposes.

ICO Head of Enforcement Stephen Eckersley said, “Organisations must be aware of how people are now storing and using personal information for work and the Royal Veterinary College failed to do this. It is clear that more and more people are now using a personal device, particularly their mobile phones and tablets, for work purposes so it is crucial employers are providing guidance and training to staff which covers this use.”

The ICO has made available guidance on this subject, entitled ‘Bring Your Own Device (BYOD)’. This highlights some of the key issues organisations need to be aware of when allowing staff to use personal devices for work. Recommendations include the following:

  • Be clear with staff about which types of personal data may be processed on personal devices and which may not;
  • Use a strong password to secure all devices;
  • Enable encryption to store data on the device securely;
  • Ensure that access to the device is locked or data automatically deleted if an incorrect password is input too many times;
  • Use public cloud-based sharing and public backup services, which you have not fully assessed, with extreme caution, if at all; and
  • Register devices with a remote ‘locate and wipe’ facility to maintain confidentiality of the data in the event of a loss or theft.

The contents of this article are intended for general information purposes only and shall not be deemed to be, or constitute, legal advice. We cannot accept responsibility for any loss as a result of acts or omissions taken in respect of this article.