
Personal device advice

by Mark Rowe

Make sure that your data protection policies reflect how a workforce is using personal devices for work. So warns the Information Commissioner’s Office (ICO), the data protection watchdog.

This follows the Royal Veterinary College's breach of the Data Protection Act in December 2012, when a member of staff lost a camera whose memory card contained the passport images of six job applicants. The camera was the employee's own and so fell outside the college's policies and procedures; the RVC does not appear to have considered that staff might use personal devices for work at all.

ICO Head of Enforcement, Stephen Eckersley, said: “Organisations must be aware of how people are now storing and using personal information for work and the Royal Veterinary College failed to do this. It is clear that more and more people are now using a personal device, particularly their mobile phones and tablets, for work purposes so it's crucial employers are providing guidance and training to staff which covers this use. We have published guidance on this growing trend, commonly known as Bring Your Own Device (BYOD), and we would urge all organisations to make sure they follow our recommendations by ensuring their data protection policies reflect the way many of us are now using personal devices for work.”

For the ‘Bring your own device’ advice, visit the ICO website.

The RVC has undertaken to provide annual refresher training for existing staff and induction training for new starters. Portable and mobile devices, including laptops and other portable media, that are used to store or transmit personal data whose loss could cause damage or distress to individuals must be encrypted. The college must also review its physical security. For the RVC's full undertaking visit the ICO website.

The ICO’s guidance covers issues organisations need to be aware of when allowing staff to use personal devices for work. The ICO says:

Be clear with staff about which types of personal data may be processed on personal devices and which may not.

Use a strong password to secure your devices.

Enable encryption to store data on the device securely.

Ensure that access to the device is locked or data automatically deleted if an incorrect password is input too many times.

Use public cloud-based sharing and public backup services, which you have not fully assessed, with extreme caution, if at all.

Register devices with a remote locate and wipe facility to maintain confidentiality of the data in the event of a loss or theft.

BYOD defined by ICO

Bring your own device is a term which refers to when employees use their personal computing devices (typically smart phones and tablets) in the workplace.

Meanwhile the ICO has issued Cardiff and Vale University Health Board with an undertaking after a breach of the Data Protection Act. A consultant psychiatrist cycling home lost a bag from the back of their bike which contained sensitive personal data, including a Mental Health Act tribunal report relating to a patient, a solicitor's letter and five CVs for consultant job applications.

The ICO was informed of the breach in November 2012. When it contacted the health board it was told that alternative means of transporting the data, such as an encrypted portable device or remote server access, were available. However, these options had not been clearly communicated to staff, and the staff member involved had not received training at the time.

Responding to the announcement ICO Assistant Commissioner for Wales, Anne Jones, said: “Given the sensitive personal information health boards handle, it is clear that they must have adequate policies in place to keep patients’ details secure, including rules to ensure that information is only taken off site when absolutely necessary.

“This data breach was entirely avoidable. Having measures in place to keep information secure only works if staff are properly informed of those measures. Staff should not be carrying round sensitive papers because they’re unaware they can remotely access a secure network. It is simply not good enough that a consultant psychiatrist had not received adequate training and had no knowledge of the more secure options available. That is why we have obliged Cardiff and Vale University Health Board to take action.”


© 2024 Professional Security Magazine. All rights reserved.
