
New ICO guidance note on use of personal devices by employees

The Information Commissioner's Office (ICO) has released a new guidance note that provides information to organisations on the considerations they will need to make when permitting employees to use their own devices to access and store personal data for work purposes.

The ICO accepts that in the current climate, it is increasingly common for employees to wish to use their smartphones and tablets to access company data. This activity is known as 'bring your own device', or BYOD. Allowing employees to do this represents a risk area for data controllers, as they will have less control over the device in question than over corporate devices which they provide to their employees directly. This increases the likelihood that data stored on such devices may be lost or stolen.

The guidance document provides information to data controllers on a number of areas, which they will need to consider if they are to permit BYOD in their organisation. Data controllers should introduce a policy for their employees, explaining any rules and responsibilities which will apply when corporate personal data is stored on personal devices. It will also be necessary to consider where the personal data will be stored, how data will be transferred to the device, whether the device can be controlled remotely, the security features of the device, and whether it will be appropriate for the data controller to monitor usage of the device by employees.

The ICO guidance also includes information on the various steps which can be taken by a data controller to reduce the level of risk. These include the following:

  •  Using encryption to ensure that data on devices is stored and transferred securely;
  •  Ensuring that devices automatically lock if left inactive for a certain period of time;
  •  Separating the corporate personal data held on a device from the employee's own personal data;
  •  Including the ability to remotely locate stolen devices and to delete personal information held on such devices.

This latest set of guidance will be of interest to businesses which wish to implement an effective BYOD policy. It follows a number of other recent guidance notes from the ICO, including one on the proper way to delete personal data from IT systems and another on the safe disposal of IT assets.

This publication is intended for general guidance and represents our understanding of the relevant law and practice as at April 2013. Specific advice should be sought for specific cases; we cannot be held responsible for any action (or decision not to take action) made in reliance upon the content of this publication.

TLT LLP is a limited liability partnership registered in England & Wales number OC 308658 whose registered office is at One Redcliff Street, Bristol BS1 6TP England. A list of members (all of whom are solicitors or lawyers) can be inspected by visiting the People section of this website. TLT LLP is authorised and regulated by the Solicitors Regulation Authority under number 406297.
