Bring Your Own Device - Data Controllers' Obligations
The Data Protection Act 1998 (DPA) requires data controllers to take appropriate technical and organisational measures to prevent unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data. More recently, data protection law has been harmonised across Europe in the form of the General Data Protection Regulation, which will be enforced in the UK from May 2018.
Where an employer allows workers to use their own personal devices, such as laptops, smartphones and tablet computers, this raises a number of data protection concerns. The trend, commonly known as ‘bring your own device’ or BYOD, can mean that workers’ own devices are used to access and store corporate information, including personal data. It is therefore important for data controllers to remember that they have a duty to remain in control of the personal data for which they are responsible, regardless of who owns the device used to carry out the processing.
The Information Commissioner’s Office has produced comprehensive guidance, entitled ‘Bring your own device (BYOD)’, to help data controllers comply with their duties in this respect. This recommends having a BYOD policy covering the types of personal data you are processing and the devices, including ownership, on which these will be held. The policy should be clearly understood by users connecting their own devices to your IT systems and regular checks should be carried out to ensure compliance. When drawing up the policy, the data controller will need to assess:
• what type of data is held;
• where data may be stored;
• how data is transferred;
• the potential for data leakage;
• blurring of personal and business use;
• the device’s security capacities;
• what to do if the person who owns the device leaves your employment; and
• how to deal with the loss, theft, failure and support of a device.
The guidance gives tips on each of these areas, including the use of passwords, data encryption and other security measures that may be introduced, such as locking access to the device or automatically deleting its data after repeated incorrect password entries, and the ability to locate devices remotely and to delete their data on demand.
There is also a section on making sure the BYOD policy facilitates compliance with other aspects of the DPA.