A bring your own device (BYOD) policy raises a number of data protection concerns because the device is owned by the employee rather than the organisation, and data controllers must ensure that all processing of personal data on such devices remains compliant with the Data Protection Act, the ICO has said.
Releasing guidance for BYOD policies, the Information Commissioner's Office (ICO) said that in these cases, the fact that a device is owned by the user rather than the data controller means greater emphasis is placed on compliance.
“Particularly in the event of a security breach, you must be able to demonstrate that you have secured, controlled or deleted all personal data on a particular device,” it said.
The ICO said that in the case of BYOD, "protecting data in the event of loss or theft of the device will need to be considered but not to the exclusion of other risks" and "data controllers must also remain mindful of the personal usage of such devices and technical and organisational measures used to protect personal data must remain proportionate to and justified by real benefits that will be delivered".
Before permitting BYOD, it said, a controller will need to assess: what type of data is held; where data may be stored; how it is transferred; the potential for data leakage; the blurring of personal and business use; the device's security capabilities; what to do if the person who owns the device leaves their employment; and how to deal with the loss, theft, failure and support of a device.
The ICO guidance also addressed the security implications of using a personal device for corporate purposes, including suspicious or malicious applications and the transfer of data.
“A major risk to the security of the data in transit will be a ‘man-in-the-middle' attack, or other types of interception carried out during the transfer process,” it said.
“However, you should not ignore other risks of disclosure, such as an email being sent to the wrong address.
“Forcing all traffic through an encrypted channel such as a VPN, or HTTPS for individual services, can offer some security when using an untrusted connection, for example an open WiFi network in a coffee shop. However, if you are offering a VPN connection back through the corporate network you should be mindful of any internet monitoring software you have in operation, especially during periods of personal use.”
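The VPN/HTTPS point above has a caveat a practitioner would want spelled out: an encrypted channel only defends against interception on an open WiFi network if the client actually verifies the server's certificate. A common workaround for certificate errors on captive or untrusted networks is to switch verification off, which silently removes the man-in-the-middle protection. The snippet below is an added example, not code from the ICO or the article, and uses only Python's standard `ssl` module; the function and variable names are assumptions for illustration. It builds the weak client configuration beside the hardened one and shows a check an app or MDM compliance script could apply.

```python
import ssl


def make_hardened_context() -> ssl.SSLContext:
    """TLS client context that actually resists interception.

    create_default_context() loads the system CA store, requires a valid
    certificate chain and checks that the certificate matches the hostname.
    Pinning the floor at TLS 1.2 stops downgrade to older protocol versions.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def make_weak_context() -> ssl.SSLContext:
    """The 'just make the certificate error go away' configuration.

    With check_hostname off and verify_mode CERT_NONE the client will accept
    any certificate an interceptor presents, so HTTPS no longer protects the
    data in transit on an untrusted network.  (check_hostname must be cleared
    before verify_mode, otherwise ssl raises ValueError.)
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_resists_mitm(ctx: ssl.SSLContext) -> bool:
    """Return True only if the context verifies the peer and refuses legacy TLS.

    This is the check a compliance script would run over a client's TLS
    settings before trusting a connection from a personal device.
    """
    return (
        ctx.verify_mode == ssl.CERT_REQUIRED
        and ctx.check_hostname
        and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2
    )


def audit_contexts(named_contexts: dict) -> dict:
    """Map each named context to a verdict string for a report.

    `named_contexts` is a constructed sample input: {label: SSLContext}.
    """
    return {
        name: ("ok" if context_resists_mitm(ctx) else "INSECURE: accepts any certificate")
        for name, ctx in named_contexts.items()
    }


if __name__ == "__main__":
    sample = {
        "hardened": make_hardened_context(),
        "verification-disabled": make_weak_context(),
    }
    for name, verdict in audit_contexts(sample).items():
        print(f"{name}: {verdict}")
```

The same principle applies to the VPN case: the VPN client must validate the gateway's certificate, and the corporate monitoring the ICO mentions will see everything inside the tunnel, including personal browsing, unless split tunnelling or a separate personal profile is used.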
Simon Rice, group manager (technology) at the ICO, said: “Our guidance aims to help organisations develop their own policies by highlighting the issues they must consider. For example, does the organisation know where personal data is being stored at any one time? Do they have measures in place to keep the information accurate and up-to-date? Is there a fail safe system so that the device can be wiped remotely if lost or stolen?”