Bring Your Own Device (BYOD) describes the practice and increasingly popular occurrence of staff using their own personal mobile devices such as a laptop, tablet or smartphone for business purposes either while at work or remotely.

A survey carried out by YouGov plc in 2013 revealed that of all UK adults:

  • 47% use their personal smartphone, laptop or tablet computer for work purposes;
  • email is the most common work activity carried out by a personal device;
  • 37% use their personal device to edit work documents;
  • 36% store work documents on a personal device; but
  • less than 3 in 10 were provided with guidance on how their devices should be used and how to protect personal data.

The benefits and increasing popularity of BYOD are:

  • it can lower the organisation’s overall cost of ownership of IT making it an attractive proposition;
  • personally owned devices are ‘always connected’, which can lead to increased accessibility and productivity; and
  • users are likely to find it convenient and flexible in terms of how, where and when they can work.

There are of course risks associated with BYOD:

  • employers have less control over how staff members work and use data since the device is owned by the staff member;
  • ultimately, legal responsibility for protecting personal information and compliance with the Data Protection Act 1998 (“DPA”) lies with the data controller,  the employer, and not the member of staff; and
  • BYOD carries the risk of data security breaches, and exposes an employer to confidential or sensitive business information leaks.

The case of the Royal Veterinary College’s (RVC) breach of the Data Protection Act 1998 (DPA) highlights and reminds us that organisations must ensure their data protection policies reflect the greater use of personal devices in the work place. The RVC were required to give an undertaking to the Information Commissioner’s Office (ICO) for breaching the DPA when a member of its staff had a personal camera stolen with a memory card containing passport images of multiple job applicants on it. The ICO’s investigation found that the RVC had not accounted for the possibility of employees using their own devices in the workplace that its data protection training was inadequate and there was a lack of staff awareness of information governance policies. The RVC had to give undertakings to provide (a) mandatory induction and refresher training in the requirements of the DPA to all staff whose role involved the routine processing of personal data and (b) to encrypt personal data that might be stored or transmitted on personal devices amongst other things.

In light of the widespread use of BYOD and the data protection risks presented, the Centre for the Protection of National Infrastructure (CPNI) has produced a set of guidance notes on risk management for organisations considering a BYOD approach (BYOD Guidance) and the Communications-Electronics Security Group (CESG) published these on 26 September 2014. The CPNI has also produced guidance on BYOD issues in the context of Windows To Go, Blackberry’s Secure WorkSpace and Excitor G/On OS.

The top 10 key issues the BYOD Guidance highlights are:

When considering how to create an effective BYOD policy, the CPNI advises employers to:

  • prevent any unauthorised devices from accessing sensitive business or personal information;
  • ensure that authorised devices are only able to access the data and services you are willing to share with BYOD employees;
  • highlight the risks of sharing business data with unauthorised users and how personal applications may affect your organisation’s applications, information and work services; and
  • avoid making policies too restrictive as this may lead to staff using unsafe alternatives to achieve business goals.

It warns of the risk via untrusted networks such as 3/4G and Wi-Fi and provides detailed guidance on device security considerations.

It emphasises the need to encrypt data with a strong password and allow only approved applications to access business data, particularly in light of an increasing number of devices using automatic backup services for example to a cloud service.

It recommends that organisations should provide that information is displayed to staff on their devices but not saved onto the device. This reduces accessibility to business information if the device is lost or stolen.

It suggests that organisations should have a clear procedure for dealing with a security incident and provides guidance on what to do should this occur.

It recommends that monitoring to detect attacks on devices and using a ‘service mediation layer’ which controls and organises the interaction between a device and an organisation’s core system, in terms of what information is provided and how it is presented, should be used to prevent devices from accessing data that they are not permitted to and that network separation should be used within the organisation’s networks.

It analyses the ways to reduce the risk of compromised sensitive business data.

It identifies risks when a device is used which can send and receive email from both personal and business accounts.

It encourages organisations to verify the identity of a user by asking them for their username and password before providing access to its data and to filter email access.

It provides a framework setting out  the key  issues for employers to consider:

  • limiting the information shared by devices;
  • creating an effective BYOD policy;
  • understanding the legal issues;
  • considering using technical controls;
  • planning for security incidents;
  • anticipating increased device support;
  • encouraging staff agreement; and
  • alternative ownership models.

The guidance in general provides helpful advice for organisations on what to consider and include in a BYOD policy, explains how to implement an effective BYOD policy and considers strategies and technological support requirements to ensure DPA compliance.

A full copy of the guidance can be found here:

Susanna Gilmartin and Carmina Campion of Thomson Snell & Passmore