The Information Commissioner's Office (ICO) has released a new guidance note that provides information to organisations on the considerations they will need to make when permitting employees to use their own devices to access and store personal data for work purposes.
The ICO accepts that, in the current climate, it is increasingly common for employees to wish to use their smartphones and tablets to access company data. This activity is known as 'bring your own device', or BYOD. Allowing employees to do this represents a risk area for data controllers, as they will have less control over the device in question than over corporate devices which they provide to their employees directly. This increases the likelihood that data stored on such devices may be lost or stolen.
The guidance document provides information to data controllers on a number of areas that they will need to consider if they are to permit BYOD in their organisation. Data controllers should introduce a policy for their employees, explaining any rules and responsibilities which will apply when corporate personal data is stored on personal devices. It will also be necessary to consider where the personal data will be stored, how data will be transferred to the device, whether the device can be controlled remotely, the security features of the device, and whether it will be appropriate for the data controller to monitor usage of the device by employees.
The ICO guidance also includes information on the various steps which can be taken by a data controller to reduce the level of risk. These include the following:
This publication is intended for general guidance and represents our understanding of the relevant law and practice as at April 2013. Specific advice should be sought for specific cases; we cannot be held responsible for any action (or decision not to take action) made in reliance upon the content of this publication.
TLT LLP is a limited liability partnership registered in England & Wales number OC 308658 whose registered office is at One Redcliff Street, Bristol BS1 6TP England. A list of members (all of whom are solicitors or lawyers) can be inspected by visiting the People section of this website. TLT LLP is authorised and regulated by the Solicitors Regulation Authority under number 406297.