UK—ICO Issues ‘BYOD’ Guidance
By Brian Davidson, CIPP/E
The Information Commissioner’s Office (ICO) has published guidance on “Bring Your Own Device” (BYOD)—the term commonly used to describe employees' use of personal devices in the enterprise for work-related purposes, such as to store and access corporate information.
The main focus of the guidance is on employers taking appropriate technical and organizational measures to protect personal data held on the employee’s device. In particular, it calls for a BYOD policy that clearly sets out the responsibilities of device owners and for compliance with that policy to be monitored on an ongoing basis. In this regard, the guidance gives practical examples such as “sand-boxing” personal data via the use of certain apps so that there is a clear separation between personal data processed on behalf of the employer and personal data processed for the employee’s own personal purposes.
The guidance also makes clear that a BYOD policy should facilitate compliance with all aspects of the UK Data Protection Act, not just security. In particular, it suggests that devices should connect to a single repository of data—rather than copies of data being stored on multiple devices—to reduce the risk of data becoming inaccurate, out-of-date or retained for longer than is necessary and also to facilitate responding to subject access requests.
Finally, the guidance considers the potential privacy risks to the owner of the device, instructing employers to ensure that any technical and organizational measures used to protect corporate personal data are proportionate to and justified by real benefits. Individuals should be told about any device tracking and the consequences of such tracking, and also what data might be automatically or remotely deleted from their device and under what circumstances.
The guidance is available here.
Brian Davidson, CIPP/E, is a privacy and information advisor at Field Fisher Waterhouse, LLP.