ICO Guide to BYOD

The Information Commissioner has published helpful new guidance on how organisations can support the use of personally-owned devices for work, commonly known as Bring Your Own Device (BYOD). This appears to have been prompted by a survey suggesting that nearly half of employees use their own devices for work, but more than two thirds of them have no guidance from their employers. Since the law requires an employer to keep control of personal information for which they are responsible, it’s clear there is a problem.

A BYOD Policy must balance two privacy requirements: protecting the personal information for which the employer is responsible, but also protecting the employee’s own information from the employer.

The policy should start with an audit of what information is involved, and what devices might be used to access it. What corporate information can safely be processed on a personal device; and what personal information might the organisation inadvertently end up processing? Some corporate information and systems may need to be excluded from BYOD, either because it cannot be adequately protected, or because protecting it would represent too much of a threat to the personal use of the device.

The policy should consider where information might be stored: on the device, on organisational storage, or on a public cloud. In each case appropriate measures will be needed to protect it, for example when the device is lost, shared with family members or sold, or if it remains logged in to a remote storage server. Information also needs to be protected when it is transferred: the policy needs to address both deliberate attacks (so encrypted protocols should be used for transfers and some interfaces may need to be disabled by default) and accidents (such as an e-mail being sent to the wrong person).

The policy should also consider how the device will be kept technically secure: some devices and operating systems do not have security patches available, and owners may wish to ‘jailbreak’ their devices or to install applications of their own choice. Each of these may reduce the security of the device, so employers need to provide guidance on how to balance them against the sensitivity of the information the employee wishes to access. Those who expect to access more sensitive information or services may need to accept more restrictions on their choice and use of device.

Technical measures may help, but need to be planned carefully, both because they may need to be set up in advance and because they may themselves represent a threat to privacy. For example, one approach to protecting transfers is to monitor the content of network traffic and report or block any apparent leakage of sensitive data. However, using this monitoring during an employee’s (or a member of their family’s) personal use could represent a serious and unlawful breach of their privacy. Similarly, technology to securely delete information when a device is stolen is a good way to protect both the employer’s and the employee’s data. However, it is often accompanied by location-tracking software that could be a serious threat to privacy and safety if it were inappropriately used. Employer and employee need to agree that such measures are proportionate and adequately controlled.

Policy, supported by technology, is the most important tool for using BYOD safely. The policy should be developed with IT, HR and end users. It should contain guidance for both employee and employer on what can and cannot be done with a personally-owned device and how to do it. Since such devices contain information that is valuable to the employer and the employee, a good BYOD policy will benefit both.

By Andrew Cormack

I'm Chief Regulatory Advisor at Jisc, responsible for keeping an eye out for places where our ideas, services and products might raise regulatory issues. My aim is to fix either the product or service, or the regulation, before there's a painful bump!
