Privacy & Information Security Law Blog

On March 7, 2013, the UK Information Commissioner’s Office (“ICO”) published guidance (the “Guidance”) on Bring Your Own Device (“BYOD”) to explain to data controllers “what they need to consider when permitting the use of personal devices to process personal data for which they are responsible.” BYOD refers to the use of individuals’ personal devices to access and store corporate information.

The Guidance outlines the data protection risks associated with the increasing use of BYOD, which include the fact that the “user owns, maintains and supports the device” and, as such, “the data controller will have significantly less control over the device than it would have over a traditional corporately owned and provided device.” The Guidance asserts that, in light of these circumstances, it is even more important for a data controller to ensure that personal data under its control complies with the Data Protection Act 1998 (“DPA”). The Guidance focuses on Principle 7 of the DPA, which requires a data controller to maintain appropriate technical and organizational measures to protect personal data against accidental, loss, destruction or damage. A serious breach of Principle 7 may lead to significant fines for data controllers.

The Guidance provides recommendations on how data protection risks can be minimized, starting with the implementation of a clear BYOD policy. A BYOD policy is important as it enables individuals who participate in a BYOD program to understand their responsibilities and the consequences of the interaction between their own devices and their employer’s IT systems. The Guidance makes the following recommendations:

• Implement and maintain an Acceptable Use Policy to provide guidance and promote accountability;
• Consider the need for a Social Media Policy if BYOD leads to an increased use of social media;
• Be clear about which types of personal data may be processed on personal devices and which may not;
• Use a strong password to secure the device;
• Use encryption to secure the data stored on the device;
• Ensure that access to the device is locked or that data automatically is deleted if an incorrect password is used too many times;
• Register the devices with a “remote locate and wipe facility” to maintain confidentiality of the data in the event of a loss or theft; and
• Conduct regular audits to ensure compliance with the BYOD policy.

The Guidance also addresses the issue of employee monitoring in the BYOD context. It acknowledges that the use of BYOD may increase the level of workplace monitoring, such as the recording of geolocation of devices and monitoring of Internet traffic. In connection with employee monitoring, the Guidance advises data controllers to adhere to the relevant guidance set forth in the ICO’s Employment Practices Code.