Royal Veterinary College data breach highlights importance of guidance on personal devices

16 Oct 2013 03:09 PM

The Information Commissioner’s Office (ICO) is warning organisations that they must make sure that their data protection policies reflect how the modern workforce are using personal devices for work.

With a YouGov survey earlier this year showing that 47% of all UK employees now use their smartphone, tablet PC or other portable device for work purposes there is a concern many organisations are failing to update their data protection policies to account for this growing trend.

The warning comes after the Royal Veterinary College breached the Data Protection Act when a member of staff lost their camera, which included a memory card containing the passport images of six job applicants. The incident occurred in December last year and the organisation had no guidance in place explaining how personal information stored for work should be looked after on personal devices.

ICO Head of Enforcement, Stephen Eckersley, said:

“Organisations must be aware of how people are now storing and using personal information for work and the Royal Veterinary College failed to do this. It is clear that more and more people are now using a personal device, particularly their mobile phones and tablets, for work purposes so its crucial employers are providing guidance and training to staff which covers this use.

“We have published guidance on this growing trend, commonly known as Bring Your Own Device (BYOD), and we would urge all organisations to make sure they follow our recommendations by ensuring their data protection policies reflect the way many of us are now using personal devices for work.”

The ICO’s guidance explains that some of the key issues organisations need to be aware of when allowing staff to use personal devices for work include:

Be clear with staff about which types of personal data may be processed on personal devices and which may not.

Use a strong password to secure your devices.

Enable encryption to store data on the device securely.

Ensure that access to the device is locked or data automatically deleted if an incorrect password is input too many times.

Use public cloud-based sharing and public backup services, which you have not fully assessed, with extreme caution, if at all.

Register devices with a remote locate and wipe facility to maintain confidentiality of the data in the event of a loss or theft.

Notes to Editors

1. The Information Commissioner’s Office upholds information rights in the public interest, promoting openness by public bodies and data privacy for individuals.

2. The ICO has specific responsibilities set out in the Data Protection Act 1998, the Freedom of Information Act 2000, Environmental Information Regulations 2004 and Privacy and Electronic Communications Regulations 2003.

3. The ICO is on Twitter, Facebook and LinkedIn, and produces a monthly e-newsletter.

4. Anyone who processes personal information must comply with eight principles of the Data Protection Act, which make sure that personal information is:

Fairly and lawfully processed
Processed for limited purposes
Adequate, relevant and not excessive
Accurate and up to date
Not kept for longer than is necessary
Processed in line with your rights
Secure
Not transferred to other countries without adequate protection

5. If you need more information, please contact the ICO press office on 0303 123 9070.

	Be clear with staff about which types of personal data may be processed on personal devices and which may not.
	Use a strong password to secure your devices.
	Enable encryption to store data on the device securely.
	Ensure that access to the device is locked or data automatically deleted if an incorrect password is input too many times.
	Use public cloud-based sharing and public backup services, which you have not fully assessed, with extreme caution, if at all.
	Register devices with a remote locate and wipe facility to maintain confidentiality of the data in the event of a loss or theft.