Susanna Gilmartin & Carmina Campion: Govt guidance on BYOD - what you need to know

Bring Your Own Device (BYOD) describes the practice and increasingly popular occurrence of staff using their own personal mobile devices such as a laptop, tablet or smartphone for business purposes either while at work or remotely.

A survey carried out by YouGov plc in 2013 revealed that of all UK adults:

47% use their personal smartphone, laptop or tablet computer for work purposes;
email is the most common work activity carried out by a personal device;
37% use their personal device to edit work documents;
36% store work documents on a personal device; but
less than 3 in 10 were provided with guidance on how their devices should be used and how to protect personal data.

The benefits and increasing popularity of BYOD are:

it can lower the organisation’s overall cost of ownership of IT making it an attractive proposition;
personally owned devices are ‘always connected’, which can lead to increased accessibility and productivity; and
users are likely to find it convenient and flexible in terms of how, where and when they can work.

There are of course risks associated with BYOD:

employers have less control over how staff members work and use data since the device is owned by the staff member;
ultimately, legal responsibility for protecting personal information and compliance with the Data Protection Act 1998 (“DPA”) lies with the data controller, the employer, and not the member of staff; and
BYOD carries the risk of data security breaches, and exposes an employer to confidential or sensitive business information leaks.

The case of the Royal Veterinary College’s (RVC) breach of the Data Protection Act 1998 (DPA) highlights and reminds us that organisations must ensure their data protection policies reflect the greater use of personal devices in the work place. The RVC were required to give an undertaking to the Information Commissioner’s Office (ICO) for breaching the DPA when a member of its staff had a personal camera stolen with a memory card containing passport images of multiple job applicants on it. The ICO’s investigation found that the RVC had not accounted for the possibility of employees using their own devices in the workplace that its data protection training was inadequate and there was a lack of staff awareness of information governance policies. The RVC had to give undertakings to provide (a) mandatory induction and refresher training in the requirements of the DPA to all staff whose role involved the routine processing of personal data and (b) to encrypt personal data that might be stored or transmitted on personal devices amongst other things.

In light of the widespread use of BYOD and the data protection risks presented, the Centre for the Protection of National Infrastructure (CPNI) has produced a set of guidance notes on risk management for organisations considering a BYOD approach (BYOD Guidance) and the Communications-Electronics Security Group (CESG) published these on 26 September 2014. The CPNI has also produced guidance on BYOD issues in the context of Windows To Go, Blackberry’s Secure WorkSpace and Excitor G/On OS.

The top 10 key issues the BYOD Guidance highlights are:

When considering how to create an effective BYOD policy, the CPNI advises employers to:

prevent any unauthorised devices from accessing sensitive business or personal information;
ensure that authorised devices are only able to access the data and services you are willing to share with BYOD employees;
highlight the risks of sharing business data with unauthorised users and how personal applications may affect your organisation’s applications, information and work services; and
avoid making policies too restrictive as this may lead to staff using unsafe alternatives to achieve business goals.

It warns of the risk via untrusted networks such as 3/4G and Wi-Fi and provides detailed guidance on device security considerations.

It emphasises the need to encrypt data with a strong password and allow only approved applications to access business data, particularly in light of an increasing number of devices using automatic backup services for example to a cloud service.

It recommends that organisations should provide that information is displayed to staff on their devices but not saved onto the device. This reduces accessibility to business information if the device is lost or stolen.

It suggests that organisations should have a clear procedure for dealing with a security incident and provides guidance on what to do should this occur.

It recommends that monitoring to detect attacks on devices and using a ‘service mediation layer’ which controls and organises the interaction between a device and an organisation’s core system, in terms of what information is provided and how it is presented, should be used to prevent devices from accessing data that they are not permitted to and that network separation should be used within the organisation’s networks.

It analyses the ways to reduce the risk of compromised sensitive business data.

It identifies risks when a device is used which can send and receive email from both personal and business accounts.

It encourages organisations to verify the identity of a user by asking them for their username and password before providing access to its data and to filter email access.

It provides a framework setting out the key issues for employers to consider:

limiting the information shared by devices;
creating an effective BYOD policy;
understanding the legal issues;
considering using technical controls;
planning for security incidents;
anticipating increased device support;
encouraging staff agreement; and
alternative ownership models.

The guidance in general provides helpful advice for organisations on what to consider and include in a BYOD policy, explains how to implement an effective BYOD policy and considers strategies and technological support requirements to ensure DPA compliance.

A full copy of the guidance can be found here: https://www.gov.uk/government/collections/bring-your-own-device-guidance.

Susanna Gilmartin and Carmina Campion of Thomson Snell & Passmore

1 Comment

Adam on Thursday, November 6, 2014 at 5:11 pm

The BYOD concept can be intimidating for IT staff, but there are strategies to minimize security risks and device management headaches. HTML5 technologies can allow users to connect to applications and systems without requiring IT staff to install anything on user devices. For example, Ericom AccessNow is an HTML5 RDP client that enables remote users to securely connect from iPads, iPhones and Android devices to any RDP host, including Terminal Server and VDI virtual desktops, and run their applications and desktops in a browser. This enhances security by keeping applications and data separate from personal devices.

Since AccessNow doesn’t require any software installation on the end user device IT staff end up with less support hassles. Any user that brings in their own device merely opens their HTML5-compatible browser and connects to the URL given them by the IT admin.

Visit http://www.ericom.com/BYOD_Workplace.asp?URL_ID=708 for more info.

Please note that I work for Ericom

News

HR News

Future of Work News

Equality, Diversity and Inclusion News

Employment Law

Wellbeing, Health & Safety News

Reward, Pay and Benefits News

Recruitment News

Learning and Development

Analysis

HR Opinion and Advice

Future of Work

Equality, Diversity & Inclusion

Employment Law

Wellbeing, Health & Safety

Reward, Pay and Benefits

Recruitment

Learning and Development

Resources

Live Trainer Workshops

On Demand Courses

HR in Review Premium Podcast

HR in Review Podcast Regular Episodes

Inside HR Webinars

White Papers

Suppliers & Services

Contact

Contact us

About Us

Newsletters

Advertiser Enquiries

Write for Us

Susanna Gilmartin & Carmina Campion: Govt guidance on BYOD – what you need to know

1 Comment

Leave a reply

Train Your Team

Recent Comments on Stories