On 7 March 2013, the UK Information Commissioner’s Office (ICO) issued new guidance on the use of personal devices for business purposes. The guidance is largely informed by a survey commissioned by the ICO and carried out by the market research firm YouGov. According to the survey, 47% of adults in the UK use personal smart mobile phones, laptops or tablets for work purposes, but less than 30% are given guidance on secure use and the risks relating to personal data loss or theft.
UK companies have in recent years been increasingly amenable to allowing employees to use personal devices for business purposes, a practice known as “bring your own device” to work, or BYOD. The driving forces behind the trend for BYOD include cost considerations and a rise in flexible working practices. The ICO guidance reminds employers that their responsibilities as data controllers apply equally in the context of BYOD. In other words, employers remain liable for any data loss, theft, or damage to personal data that occurs, regardless of whether processing takes place in their secure corporate IT environment or on the personal devices of their employees.
In light of the inherent security risks, the ICO recommends that companies which permit BYOD carefully consider the types of data held; where data may be stored; how data are transferred; the blurring between personal and business use; the security capabilities of personal devices; what to do if the person who owns the device leaves employment; and how to deal with the loss, theft, failure and support of a device.
In its guidance, the ICO has proposed a number of practical steps that employers can adopt to mitigate the risks associated with BYOD. These include:
- Acceptable Use Policy. An Acceptable Use Policy should clearly set out employees’ responsibilities, including by specifying the types of data that may be processed on a personal device and the data that can only be processed in a secure IT environment.
- Social Media Policy. Employers should consider implementing a Social Media Policy, particularly where the use of social media for corporate purposes is allowed or encouraged.
- Data security and access control. The use of strong passwords and encryption is key to effective access control to data (and the device). Some devices may also offer the ability to restrict access to certain applications and data types based on geographical location or an additional level of authentication. Devices should lock automatically if inactive or if multiple incorrect passwords are entered. Where possible, a clear separation between personal data processed on behalf of the data controller and data processed by the device owner for personal purposes should be maintained, for example, by using different applications.
- Securing data transfers. Transferring all data through an encrypted channel, such as a VPN, will minimize the risk of interception, but may have privacy implications in respect of information shared during periods of personal use. Employers should use public cloud-based storage and back-up services with extreme caution. Any monitoring technology should be deployed only if proportionate to the pursued aims.
- Controlling and securing devices. Employers should consider how to manage personal data on an employee’s personal device on termination of employment. Devices can be registered with a remote locate and wipe facility to ensure data security and confidentiality. However, employers should ensure that data collected as part of the remote facility is not used for ongoing monitoring of users or for other unrelated purposes. The choice of devices should be limited to those the employer has deemed sufficiently secure for the type of personal data processed.
While monitoring devices may seem a sensible risk mitigation measure, it will have privacy implications and employers should ensure that any monitoring is “proportionate” and justified by real business need and benefits. As outlined in the ICO’s Employment Practices Code, employees have “legitimate expectations that they can keep their personal lives private” and that they are entitled to some privacy at work. Therefore, employers should normally conduct an impact assessment and also notify employees in the appropriate company policy before carrying out any monitoring.