Companies increasingly allow their employees, agents and subcontractors to access business data and customer data using privately owned devices (e.g. iPads, tablets, mobile phones and laptops). If staff access business data using a “bring your own device” (BYOD), you need to protect your own confidential business information from misuse. Additionally, you should be aware of, and comply with, your legal obligation to protect each customer’s personal data accessed via BYODs.
In 2013 the Information Commissioner’s Office (ICO) published guidelines providing advice on how to protect personal data accessed using a BYOD. The Commissioner underlined that companies are obliged to look after personal data in accordance with the Data Protection Act 1998 (Act) regardless of who owns the device on which the processing is carried out.
In order to protect customer data and to comply with their duties under the Act, businesses that permit staff to access data on a BYOD should:
- ensure that the BYOD is password-protected;
- ensure that data is encrypted when it is transferred;
- ensure that data is encrypted when it is stored; and
- consider having a BYOD policy for staff.
Businesses should either prohibit the use of BYODs and the ability of staff to access customer data for work purposes on such devices entirely or they should permit access within the scope of a BYOD policy.
A BYOD policy should contain rules on the use of personal devices, setting out:
- who is allowed to use a BYOD, e.g. senior management;
- what types of devices may be used;
- which types of data may be accessed via the device;
- how devices will be protected against loss, theft or hacking, e.g. by requiring the use of passwords, PINs and/or encryption;
- how data should be deleted when an employee leaves or disposes of a device;
- how and when use of the device will be monitored; and
- sanctions for breaches of the BYOD policy.
Ownership and Deletion of Data
A BYOD policy should also state that any business information (e.g. contact details) or content (e.g. confidential business documents) accessed on a BYOD remains the property of the company.
Employees should agree to the company:
- deleting business information and content from any BYOD; and
- receiving copies of any business information and content if an employee leaves the company’s employment.
NB: Customers are more likely to choose suppliers who demonstrate that they control and monitor the use of business and customer data on BYODs. Having a clear BYOD policy in place will often satisfy a customer’s security concerns about the use and storage of personal data on mobile devices.