The UK’s Information Commissioner’s Office (ICO) has today published new guidance for employers on the use personal (employee owned) devices for work purposes.
Bring Your Own Device (or BYOD) is a hot topic for many organisations. Many employees are seeking to use their own smartphone or tablet for work purposes. If properly implemented, a BYOD scheme can actually reduce the information security risks by making it easier for employees to access corporate data on their own device, thereby discouraging them from trying to find workarounds (such as emailing confidential information to a personal email address, or using a personal email address to carry out work business).
However, there are risks.
In November, Computer weekly reported that the number of BYOD devices in use was set to double by 2014. However, Gartner predicts that through 2014 employee owned devices will be compromised by malware at more than double the rate of corporate owned devices.
A survey by the ICO, published alongside the new guidance, reveals that some 47% of those polled have used a personal device (whether a smartphone, tablet or laptop) for work purposes. However, only 27% of respondents said that their organisation had provided guidance on the use of personal devices for work purposes.
This is worrying, as it opens up the employer and employee to a number of risks.
For example, if the employer turns a blind eye to BYOD (which would otherwise breach its information security policy), it will find itself in a very difficult position in the event of a data loss incident. Not just with the ICO and any potential fine for a breach of the Data Protection Act, but also in terms of the ability of the employer to take disciplinary action against the employee.
A lack of a BYOD policy means that the employer has no cogent BYOD strategy, setting out what is and isn’t acceptable. For example, the sorts of devices that are considered to have appropriate levels of security, password security, the employee’s responsibilities, and what happens if the device is lost or stolen.
The policy should also cover other issues such as who is responsible for voice and data costs, insurance, and what happens if the employee is unable to carry out his duties because the device has been lost or stolen.
The ICO’s guidance
The ICO’s guidance emphasises the importance of developing a BYOD policy contains the following key recommendations:
- Be clear with staff about which types of personal data may be processed on personal devices and which may not.
- Use a strong password to secure your devices.
- Enable encryption to store data on the device securely.
- Ensure that access to the device is locked or data automatically deleted if an incorrect password is input too many times.
- Use public cloud-based sharing and public backup services, which you have not fully assessed, with extreme caution, if at all.
- Register devices with a remote locate and wipe facility (mobile device management) to maintain confidentiality of the data in the event of a loss or theft.
The guidance also reminds organisations in the public sector that information held by employees on a personal device may be subject to disclosure under freedom of information legislation.
On March 7, 2013