Bring Your Own Device - Data Contollers' Obligations

The Data Protection Act 1998 (DPA) requires data controllers to take appropriate technical and organisational measures to prevent unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

Where an employer allows workers to use their own personal devices, such as laptops, smartphones and tablet computers, this raises a number of data protection concerns. The trend, commonly known as ‘bring your own device’ or BYOD, can mean that workers’ own devices are used to access and store corporate information, including personal data. It is therefore important for data controllers to remember that they have a duty to remain in control of the personal data for which they are responsible, regardless of who owns the device used to carry out the processing.

The Information Commissioner’s Office has produced comprehensive guidance, entitled ‘Bring your own device (BYOD)’, to help data controllers comply with their duties in this respect. This recommends having a BYOD policy covering the types of personal data you are processing and the devices, including ownership, on which these will be held. The policy should be clearly understood by users connecting their own devices to your IT systems and regular checks should be carried out to ensure compliance. When drawing up the policy, the data controller will need to assess:

•what type of data is held;
•where data may be stored;
•how data is transferred;
•the potential for data leakage;
•blurring of personal and business use;
•the device’s security capacities;
•what to do if the person who owns the device leaves your employment; and
•how to deal with the loss, theft, failure and support of a device.

The guidance gives tips on each of these areas, including the use of passwords, data encryption and other security measures that may be introduced, such as ensuring that access to the device is locked or data automatically deleted if an incorrect password is repeatedly input and the facility to locate devices remotely and to delete data on demand.

There is also a section on making sure the BYOD policy facilitates compliance with other aspects of the DPA.

The guidance can be found here.

View my profile
    • 01245 453813
    • 01206 711302
    • View profile
Data security is an important but widely neglected issue for many organisations. Failure to follow adequate data protection procedures can have severe consequences, not only from the point of view of fines, but also damage to reputation and possible claims for losses suffered by those whose data has been compromised. We can assist you in helping to make sure that your legal risks due to data loss are minimised.
The contents of this article are intended for general information purposes only and shall not be deemed to be, or constitute legal advice. We cannot accept responsibility for any loss as a result of acts or omissions taken in respect of this article.