Companies must control use of staff's own devices through pilot schemes and BYOD policies, say experts

Out-Law News | 08 Mar 2013 | 2:41 pm

Businesses should avoid "drifting" into permitting staff to use their own mobile devices for work purposes because of the data security consequences they bring, two experts have said.

Information law specialist Charles Park and employment law specialist Edward Goodwyn of Pinsent Masons, the law firm behind Out-Law, said that businesses should develop a comprehensive 'bring your own device' (BYOD) policy before staff are allowed to use their personal devices for work. Any such policy will need to address data security as well as employee responsibilities, they said.

Park and Goodwyn were commenting after the UK's data protection watchdog, the Information Commissioner's Office (ICO), published new guidance for employers on the issue of BYOD. The ICO said that although BYOD is becoming more popular organisations should remember that they are duty-bound to look after the personal data they are responsible for under data protection laws "regardless of the ownership of the device used to carry out the processing".

In its guidance (14-page / 325KB PDF) the ICO stressed that organisations that enable BYOD "must not introduce vulnerabilities into existing secure environments". It said that organisations should have a clear BYOD policy, ensure devices are password-protected and ensure that data is encrypted both when being transferred and when stored.

The watchdog warned organisations to be wary of the risk of data being intercepted when using public cloud services and said they should review whether it is appropriate to use public cloud services "at all". It also said that organisations should consider whether device functions that enable data transfer, such as Wi-Fi or Bluetooth, should be disabled. Staff should be issued with guidance on how to use Wi-Fi networks securely and should be made "aware that some devices may automatically connect to open Wi-Fi networks as they are found by the device", it added.

The watchdog said that organisations "must be able to demonstrate" that they have "secured, controlled or deleted all personal data on a particular device" in the event of a security breach. However, it said that organisations that elect to track devices in order to be able to remotely access and delete data, particularly in the event of a loss or theft of devices, should make sure that "data collected as part of a remote locate facility is only used for the specified purpose and not for on-going surveillance or monitoring of users".

Charles Park of Pinsent Masons said that the ICO's guidance had underlined how important it is for organisations to comply with the data security requirements set out in the Data Protection Act. BYOD does not change that reality, he said. Under the DPA organisations must take "appropriate technical and organisational measures ... against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data".

Park said many organisations would need to undergo a "culture change" before BYOD could be rolled out on a widespread basis.

"The convenience that BYOD offers is one thing but at the end of the day employers are controllers responsible for personal data processed by staff," Park said. "They have to be very careful about a BYOD free-for-all. Organisations need to think about policy implications of BYOD early, assess the security of individual devices, what functions staff will be allowed to perform using their own devices and the range of employees they wish to give those usage rights to. They need to assess the security of individual devices in light of the security requirements set out in the DPA and their own policies for staff."

"Businesses need to obtain a balance between meeting workers' growing demands for using mobile devices to carry out work tasks and retaining overall control over business and personal data. It may be that organisations, when they make these assessments, decide that it is better to provide staff with organisation-owned devices to use in order that processing can be monitored and controlled. However, where businesses are keen to exploit the technology, opportunity and benefits BYOD can bring, we have seen businesses first doing so on a selective trialling basis often involving tech-savvy or senior-level staff only," he said.

"In considering any wider deployment, the ICO has emphasised that businesses need to assess the suitability of individual devices and to what extent they can track devices in order to know where data is being processed. There will often need to be a significant cultural change in an organisation, supported by a pro-active employment policy, where staff are educated and given training so as to understand their company's policies on BYOD and good practice on data security. An example is in altering device settings, in order to avoid data leakage when in open Wi-Fi areas," Park said.

Edward Goodwyn also said that firms should implement a formal policy that addresses information security issues relating to BYOD.

"Any IT policy, whether in a staff handbook or not, should already deal with risks around the use of the devices such as misconduct, discrimination and confidentiality, but the specific issues around security and the conditions under which employees are permitted to bring their own device should be specifically drawn out in a BYOD policy," Goodwyn said.

"It would be helpful to have recorded agreement from the employee, such as a signed acceptance of the policy or at least an evidence trail showing that the policy has been highlighted to them, which indicates their agreement to the conditions under which they are allowed to bring their own device into the office," he added. "This will help the organisation to deal with any breach of the policy as a disciplinary issue and also give it a basis to request devices for checking where issues arise."

"The policy should also make it clear that the work data content will remain the organisation's property and include requirements for the individual to allow the content to be deleted, from the device as well as any copies which have been made, if the employee resigns or is dismissed. Equally, the policy should ensure that users of devices know their responsibilities in terms of only using corporate data for corporate purposes," Goodwyn said.