ICO Guide to BYOD

The Information Commissioner has published helpful new guidance on how organisations can support the use of personally-owned devices for work, commonly known as Bring Your Own Device (BYOD). This appears to have been prompted by a survey suggesting that nearly half of employees use their own devices for work, but more than two thirds of them have no guidance from their employers. Since the law requires an employer to keep control of personal information for which they are responsible, it’s clear there is a problem.

A BYOD Policy must balance two privacy requirements: protecting the personal information for which the employer is responsible, but also protecting the employee’s own information from the employer.

The policy should start with an audit of what information is involved, and what devices might be used to access it. What corporate information can safely be processed on a personal device; and what personal information might the organisation inadvertently end up processing? Some corporate information and systems may need to be excluded from BYOD, either because it cannot be adequately protected, or because protecting it would represent too much of a threat to the personal use of the device.

The policy should consider where information might be stored: on the device, on organisational storage, or on a public cloud. In each case appropriate measures will be needed to protect it, for example when the device is lost, shared with family members or sold, or if it remains logged in to a remote storage server. Information also needs to be protected when it is transferred: the policy needs to address both deliberate attacks (so encrypted protocols should be used for transfers and some interfaces may need to be disabled by default) and accidents (such as an e-mail being sent to the wrong person).

The policy should also consider how the device will be kept technically secure: some devices and operating systems do not have security patches available, and owners may wish to ‘jailbreak’ their devices or to install applications of their own choice. Each of these may reduce the security of the device, so employers need to provide guidance on how to balance them against the sensitivity of the information the employee wishes to access. Those who expect to access more sensitive information or services may need to accept more restrictions on their choice and use of device.

Technical measures may help, but they need to be planned carefully, both because they may need to be set up in advance and because they may themselves represent a threat to privacy. For example, one approach to protecting transfers is to monitor the content of network traffic and report or block any apparent leakage of sensitive data. However, using this monitoring during an employee’s (or a member of their family’s) personal use could represent a serious and unlawful breach of their privacy. Similarly, technology to securely delete information when a device is stolen is a good way to protect both the employer’s and the employee’s data; however, it is often accompanied by location tracking software that could be a serious threat to privacy and safety if it were used inappropriately. Employer and employee need to agree that such measures are proportionate and adequately controlled.

Policy, supported by technology, is the most important tool for using BYOD safely. The policy should be developed with IT, HR and end users. It should contain guidance for both employee and employer on what can and cannot be done with a personally-owned device and how to do it. Since such devices contain information that is valuable to the employer and the employee, a good BYOD policy will benefit both.

By Andrew Cormack

I'm Chief Regulatory Advisor at Jisc, responsible for keeping an eye out for places where our ideas, services and products might raise regulatory issues. My aim is to fix either the product or service, or the regulation, before there's a painful bump!
