
Bring Your Own Device - Information Commissioner's Office issues new guidance

Leonie Power
The Information Commissioner's Office (ICO) has today published its guidance on Bring Your Own Device (BYOD) – the term used to describe the trend whereby personal devices are used to access and store corporate information.
Unsurprisingly, a key focus of the guidance is on the need to take appropriate technical and organisational measures to protect the personal data held on the device, in particular having a BYOD policy that clearly sets out the responsibilities of device owners and ensuring that compliance with the policy is monitored on an on-going basis.
In order to determine what security measures are appropriate, data controllers will need to determine the risks posed by BYOD. In this regard, the guidance sets out the factors that need to be taken into consideration when undertaking a risk assessment, for example: what type of data is held; where it may be stored; how it is transferred; how it may be used (i.e. the potential for a blurring of business and personal use); and how the device can be controlled and secured.
A large part of the guidance is dedicated to discussing the technical and organisational measures that should be considered in a BYOD context, with many of the suggestions being made in the form of practical "top tips". Examples of top tips include using a strong password to secure devices, ensuring that any data stored on the device itself is encrypted and maintaining a clear separation between personal data processed on behalf of the data controller and personal data processed for the device owner's own purposes. In this regard, the guidance suggests that data controllers should consider "sand-boxing" or ring-fencing personal data within certain apps.
As well as technical measures, the guidance supports the implementation of an appropriate policy framework, e.g. a clear BYOD policy, an Acceptable Use Policy and a Social Media Policy (if BYOD leads to an increased use of social media) and points to the need to ensure that there is a process in place for quickly and effectively revoking device or user access in the event of a reported loss or theft. It suggests by way of a top tip that data controllers should register devices with a remote locate and wipe facility to maintain confidentiality of the data in the event of a loss or theft.
In addition, the guidance makes clear that a BYOD policy should facilitate compliance with all aspects of the Data Protection Act, not just security. For example, it suggests that using devices to connect to a single central repository of data (rather than allowing copies of data to be stored on many different devices) can help mitigate the risk of data being inaccurate, out-of-date or retained longer than is necessary, and makes it easier to respond to a data subject access request.
As well as risks to the personal data for which the data controller is responsible, the ICO also considers the potential privacy risks to the owner of the device. The guidance makes clear that any technical and organisational measures used to protect personal data must be proportionate to and justified by real benefits that will be delivered. The ICO points out that device owners should be told about any device tracking and the consequences of such tracking for them. They should also know exactly which data might be automatically or remotely deleted and under which circumstances. The ICO refers to the existing guidance on the topic of monitoring at work and suggests that employers should be mindful of any internet monitoring software in place, especially during periods of personal use.
The ICO guidance on BYOD can be found at
