UK: Data Protection Breach Prompts The ICO To Issue A Fresh Warning Of The Need For Bring Your Own Device Policies

It is increasingly common for employees to use personal devices such as smart phones, laptops or tablet computers for work purposes and yet employers often appear unaware of the potential data protection issues involved in such use. In response to this trend, the Information Commissioner's Office ("ICO") published guidance in March of this year entitled "Bring Your Own Device" ("BYOD") which outlined what employers should consider if their employees are permitted to use personal devices to process personal data for work purposes. It is important that the employer ensures that all processing of personal data that is under his control complies with the Data Protection Act 1998 ("DPA"), which may be difficult where the device is owned by the employee.

The Royal Veterinary College ("RVS") recently suffered the consequences of neglecting properly to consider BYOD data protection issues when it committed a breach of the DPA when an employee lost his camera, which included a memory card containing passport images of six job applicants. RVS had no guidance in place explaining how personal information stored for work should be looked after on personal devices. RVS has since undertaken to comply with the seventh data protection principle under the DPA which obliges data controllers to take appropriate technical and organisational measures against unauthorised processing and accidental loss of person data. It will implement a series of measures designed to ensure its compliance, for example providing mandatory training to staff and encrypting all portable devices.

The breach prompted the ICO to issue a fresh warning to employers to ensure that their data protection policies reflect how the modern workforce are using personal devices for work. It has urged all employers to review and, where necessary, update their data protection policies and to provide staff with appropriate guidance and training.

The news release issued by the ICO, which provides further advice for employers, can be viewed in full at http://www.ico.org.uk/news/latest_news/2013/Royal-Veterinary-College-data-breach-highlights-importance-of-guidance-on-personal-devices-14102013 .

The ICO's BYOD Guidance can be accessed athttp://www.ico.org.uk/for_organisations/data_protection/topic_guides/online/byod .

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.