Bring your own device: ICO publishes new guidance

Bring your own device: ICO publishes new guidance


Author: Aisling Duffy

A survey by the Information Commissioner's Office (ICO) has revealed that 47% of all UK adults now use their personal smart phone, laptop or tablet computer for work purposes - known as 'bring your own device' (BYOD).

However, fewer than three in 10 users had received guidance on how to use their devices for work. This raises concerns that users may not understand how to protect the personal information accessed and stored on these devices.

It is crucial that organisations understand that whilst their employee owns the device, the organisation is responsible for ensuring that all processing of personal data under its control is compliant with the Data Protection Act 1998 (DPA). In particular, organisations must ensure that it is processed in accordance with the seventh data protection principle, which states:

"Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data."

In its recent guidance, the ICO explains key considerations that organisations should be thinking about as this trend increases and provides recommendations on how to protect personal data held on employee owned devices and to ensure that it is processed in accordance with the DPA.

The ICO identified a number of benefits of BYOD. For example, it may increase employee job satisfaction, morale, job efficiency and achieve cost savings. However, the ICO also acknowledged that BYOD must be controlled, and that organisations will need to invest in order to introduce appropriate controls.

In some instances, organisations may find the cost of implementing these controls outweigh the savings envisaged, but the reputational damage and other implications that could flow from a serious data security breach could far exceed the cost of putting in place appropriate controls in the first place.

The ICO's guidance sets out the following considerations that organisations need to assess if they are going to allow their employees to bring their own device:

  • what type of data may be held on them
  • where data may be stored
  • how is it transferred
  • potential for data leakage
  • blurring of personal and business use
  • the device's security capacities
  • what to do if the person who owns the device leaves their employment
  • how to deal with the loss, theft, failure and support of the device


Top tips from the ICO's guidance for organisations who wish to permit BYOD:

  • implement, maintain and enforce an acceptable use policy to provide guidance and accountability of behaviour; and involve all relevant departments (such as IT and HR) and the end users in development of your policy in order to ensure it is tailored to your business
  • consider your need for a social media policy if BYOD leads (or is likely to lead) to an increased use of social media
  • be clear about which types of personal data may be processed on personal devices and which may not
  • use and enforce a strong password to secure devices and ensure that access to the device is locked or data automatically deleted if an incorrect password is input too many times
  • register devices with a remote locate and wipe facility to maintain confidentiality of the data in the event of loss or theft, and make sure users know exactly which data might be automatically or remotely deleted and under what circumstances
  • use encryption effectively to store and transfer data
  • ensure that the device automatically locks if inactive for a period of time
  • maintain a clear separation between the personal data processed on behalf of the data controller and that processed for the device owner's own purposes; for example, by using different apps for business and personal use
  • be careful when using public cloud-based sharing and public back-up services
  • take care that monitoring technology remains proportionate and not excessive, especially during periods of personal use - do this by identifying the purpose(s) of any monitoring and ensuring that your employees are clear about the purpose(s) and are satisfied that it is justified by the real benefits that will be delivered
  • when drafting a BYOD acceptable use policy, consider the guidance in the ICO's Employment Practices Code
  • limit the choice of devices which can be used to those which you have assessed as providing an appropriate level of security for the personal data being processed
  • provide guidance to users about the risks to downloading unreliable or unverified apps


Additional considerations:

  • before you allow BYOD you should consider whether it would contravene any of your existing agreements
  • remember that the device is used by your employee for personal use and so any technical requirements and policies should be proportionate and justified
  • public authorities subject to the Freedom of Information Act 2000 (FOIA) should consider their obligations and how they will deal with requests for information within the time schedule if multiple copies of data are stored across different devices
  • remember that if you implement a policy, do not forget to monitor and enforce compliance
  • consider what you will do to manage the data you are responsible for if your employee sells or returns the device
  • you must be able to show that you have secured, controlled or deleted all personal data on a particular device if there is a security breach
  • you may want to train employees in how to access Wi-Fi networks securely and how to de-active interfaces like Bluetooth, which may automatically connect to other devices or networks
  • think about how you will deal with removable media (for example a USB stick) and/or storage media (for example a mini SD card), which can be easily removed and the loss of which may go unnoticed for some time


For further information, please contact Aisling Duffy at [email protected] or on 03700 865089.