A YouGov survey commissioned by the Information Commissioner’s Office indicates that many employers appear to exhibit a lackadaisical attitude to allowing staff to use their own devices in the workplace … a situation that may be placing people's personal information at risk.
The survey reveals that 47% of all UK adults now use their laptop, smartphone or tablet for work purposes, yet fewer than 3 in 10 of them are given guidance on doing so.
The ICO has published guidance explaining some of the risks organisations must consider with ‘bring your own device’ (BYOD), with advice on how it can be adopted safely and in a manner that complies with the Data Protection Act (DPA).
The ICO's Group Manager (Technology), Simon Rice, said: “The rise of smartphones and tablet devices means that many of the common daily tasks we would have previously carried out on the office computer can now be worked on remotely. While these changes offer significant benefits to organisations, employers must have adequate controls in place to make sure this information is kept secure.”
Mr Rice continued: “The cost of introducing these controls can range from being relatively modest to quite significant, depending on the type of processing being considered, and might even be greater than the initial savings expected. Certainly the sum will pale into insignificance when you consider the reputational damage caused by a serious data breach. This is why organisations must act now. Our guidance aims to help organisations develop their own policies by highlighting the issues they must consider. For example, does the organisation know where personal data is being stored at any one time? Do they have measures in place to keep the information accurate and up-to-date? Is there a failsafe system so that the device can be wiped remotely if lost or stolen?”
The ICO guidance explains how organisations need to be clear on the types of personal data that can be processed on personal devices. Organisations need to have remote locate and wipe facilities in place to safeguard confidentiality in the event of a loss or theft.
Other key recommendations include:
– Be clear with staff about which types of personal data may be processed on personal devices and which may not.
– Use a strong password to secure your devices.
– Enable encryption to store data on the device securely.
– Ensure that access to the device is locked or data automatically deleted if an incorrect password is input too many times.
– Use public cloud-based sharing and public backup services, which you have not fully assessed, with extreme caution, if at all.
– Register devices with a remote locate and wipe facility to maintain confidentiality of the data in the event of a loss or theft.