ICO tackles 'bring your own device' data threats

Mobile devices have become essential tools for many working people, fuelling a bring-your-own-device (BYOD) culture that could lead to unintended data breaches. In a bid to combat the problem, the Information Commissioner’s Office (ICO) has published guidance to help employers understand the risk of BYOD and ensure that their employees use BYOD safely and without compromising business or personal data.

BYOD: challenges for employers
There is no denying that there are huge benefits to BYOD, including increased employee motivation and job satisfaction, greater job efficiency and flexibility. However, employers need a BYOD policy to ensure all employees understand the risks associated with using their own devices.

BYOD raises a number of issues concerning the employers’ responsibilities under the Data Protection Act (DPA). These can provide challenges because the employer has limited control over how the device is used, after all, it is owned by the employee not the employer.

The DPA states that a data controller must take appropriate technical and organisational measures to prevent accidental loss, destruction or damage to personal data. The guidance looks at the risks raised by employees using their own smartphones or tablets for work purposes, and provides advice on minimising the risks to the data owned by the employer.

Employers are advised to audit their employees’ use of such devices, assessing, among other things, the type of data being held, where the data will be stored, how it is transferred, and the risks of loss of that data.

Where DMA members have employees that use their own electronic devices for work, they should look at the guidance and draft and implement their own policy to ensure the safety and integrity of the data they hold.

Janine Paterson, Solicitor, DMA