Bring your own device: A 21st century problem?

31 Dec 2014

As the dividing line between home and work blurs (how many of us take a sneaky peek at email whilst watching TV or cooking dinner?) so too does the division between personal and work devices.

But whilst it might seem sensible to let an employee carry one device that covers all bases, what does that mean in terms of data security? We explore what the Information Commissioner’s Office has to say on the subject.

For businesses that don’t have the resources to provide employees with smartphones and tablets for business use, letting staff use a personal device for both work and personal activities is an attractive option. Even for those with the luxury of separate home and work devices, the convenience of carrying one device rather than several is attractive.

The overriding issue is that corporate data which must be kept secure is stored on a personal device. Responsibility for that data remains with the data controller. Policies and controls that are in place for corporate devices need to be revisited for the use of personal devices. These will need to consider:

• The type of data that is held
• Where it is stored
• How it is transferred
• The potential for data loss
• That corporate data may be used inappropriately
• That the business may end up processing the employee’s own data
• What to do if an employee leaves employment.

What does the law say?

The Data Protection Act 1998 (the seventh data protection principle) requires that the data controller must take appropriate technical and organisational measures against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

Where to start?

Before you can create a policy you will need to audit who might use their own device, the type of device and the type of personal data that might be stored on it. It may be that personal data needs to be classified so that only categories considered acceptable for BYOD storage are held on the device, unless the device offers particularly strong encryption. You may also permit only certain device manufacturers to be used, in order to reach the level of security that you expect.

You also need to assess whether moving to a BYOD policy would breach any agreements or protocols that you have with third party organisations that you deal with.

If you determine that a BYOD policy is appropriate, policy development must involve all the relevant departments (not just HR and IT) for example your legal advisers, security team, end users and line managers.

Remember that your policy needs to set out both the corporate data that can be stored and the acceptable use of the device in a personal capacity during the working day, for example which sites can be accessed, particularly social media sites and apps. The use of apps must be tightly controlled if they could compromise data.

Don’t simply consider the security of data that is held on the device itself but also data that may be stored in the cloud. If data is stored in the cloud or on a corporate network, the security credentials must allow access to be revoked immediately if data is lost or the device is stolen.

Some personal devices might have removable storage that is not permitted on corporate equipment, such as SD cards, the loss of which can go unnoticed for some time. Also consider how the device will be wiped clean when the data is no longer needed by the user, or when he or she leaves the business.

As a data controller the employer will need to be able to delete corporate data from the device if the owner decides to dispose of or sell it.

Security

It may seem obvious, but you must agree password rules and that the device will lock, or its data will be deleted, if the password is entered incorrectly a certain number of times. Users must be made aware that data can be deleted remotely by the data controller where this is felt necessary to protect it.

Users should also be warned about the risks of using their device in insecure locations such as hotels and coffee shops, where screens can be overlooked and public Wi-Fi traffic can be intercepted.

Patching security weaknesses is often at the discretion of the network operator or device manufacturer, so fixes may be delayed or never arrive. That can undermine your security routines and might mean that data needs to be removed from the device until the vulnerability is addressed.

Data transfer

It is during data transfer that personal data can be most vulnerable to external attack, given the volumes that may be involved. However, transfer routines should not ignore the other, more obvious, transfer vulnerabilities such as sending data to the wrong email address or copying data on to portable memory devices that fall into the wrong hands.

Some devices will also have automated backup routines to the cloud that you must be aware of and include in your policy.

You must be aware of where the data might be at all times. If a SaaS provider is overseas, what is the data protection regime in that country, and can data be intercepted by law enforcement authorities or by the service provider?

Privacy

Whilst you will be most concerned about security, your employees will also want some reassurance about the privacy and security of their personal data, as it is their device. Monitoring must not be excessive, and any data obtained must only be used for the purpose for which the monitoring was carried out.

Make it clear too that, without intending to, you may end up monitoring the activities of other family members who use the device at home.

The Information Commissioner’s Office employment practices code can assist you in this area.

Loss of data or device

This must be part of your policy. Register devices with any services that can delete data remotely before any loss is detected, rather than leaving this as an afterthought when an incident occurs.

Repairs

If users return their device to the manufacturer to have it repaired, you may want to be informed so that data can be safely removed before it is passed to a third party.

General data protection considerations

The Data Protection Act requires that personal data is accurate and, where necessary, kept up to date. Where data is stored on a BYOD device there is the additional consideration of whether the copies held on the device are being kept up to date.

It may also be more difficult to collate all data sources to respond to a data subject access request when data is held on multiple personal devices. For public sector bodies this consideration also extends to being able to answer Freedom of Information requests accurately and within the deadlines required.

By Kate Upcraft